Carding is the illegal practice of obtaining, trafficking or using credit card information without authorisation – often to purchase gift cards or prepaid cards. Carding contributes to identity theft, financial losses for individuals and businesses, and a wide range of other cybercrimes.
Credit card fraud losses worldwide are projected to reach $43 billion by 2026. To combat carding, organisations employ security measures such as tokenisation, encryption, multifactor authentication, and anti-fraud monitoring systems. This guide will cover what businesses should know about carding, including how it works and how to protect themselves.
What’s in this article?
- How carding works
- How businesses can protect themselves against carding
- How the dark web enables carding
- How carding impacts businesses and customers
- A brief history of carding
- How Stripe Radar can help
How carding works
Stealing card information
The process of carding begins with card thieves, known as “carders,” who steal credit card information through phishing, skimming, data breaches or keylogging.
Here are some common ways carders can steal card information:
Phishing: Carders use deceptive emails, websites or messages to trick individuals into revealing their credit card information. To achieve this, carders often impersonate legitimate companies or services.
Skimming: Carders install devices called skimmers on cash machines, petrol pumps or point-of-sale (POS) terminals to capture credit card information from physical cards.
Hacking: Cybercriminals use malware, ransomware or unauthorised access to infiltrate computer systems or databases and steal credit card information.
Keylogging: Software or hardware records keystrokes on a victim's device to capture credit card information and other sensitive data.
SQL injection: Carders inject malicious SQL into the queries a website sends to its database, causing it to return sensitive information, including credit card details.
Shoulder surfing: Fraudulent actors watch people entering their credit card information at cash points or checkout counters and steal the information.
Formjacking: Carders compromise online forms on legitimate websites to capture users' credit card information.
Fake apps and websites: Fraudulent actors create fake applications or websites that look legitimate, tricking users into providing their credit card information.
Brute force attacks: Cybercriminals use automated software to guess credit card numbers, often by trying different combinations of numbers until they find valid ones.
When carders steal credit card information, they often sell it on underground marketplaces where buyers can purchase card numbers, expiry dates, card verification value (CVV) codes and billing addresses for the stolen cards.
Testing card validity
After buying stolen credit card information, fraudulent actors use carding bots to validate it. These bots automate small test transactions on e-commerce websites to check whether a card is still active, keeping the amounts low enough to avoid triggering fraud alerts.
Performing fraudulent transactions
After validating a card’s legitimacy, fraudulent actors use the information to make unauthorised purchases. They often target high-value items or gift cards, which can be resold for cash or used for personal purposes. Carding bots allow fraudulent actors to automate and scale this process, targeting multiple websites and making many transactions in a short period of time.
Evading detection
Carders use a range of tools and tactics to evade detection while committing fraud. They often rely on proxies and VPNs to hide their true locations, making it harder for e-commerce platforms to flag suspicious activity. Carders also use randomised bots to mimic human behaviour and bypass fraud detection, while distributed bot networks spread out activity to avoid drawing attention. Additionally, carders quickly convert stolen goods into cash by reselling them online or through local networks, further complicating efforts to trace their actions.
How businesses can protect themselves against carding
Sophisticated fraud detection systems use artificial intelligence to identify unusual purchasing patterns and behaviours. Here are ways that businesses can use these technologies and other practices to protect themselves.
Address verification system (AVS): AVS compares the billing address provided by the user to the one on file with the card issuer. It’s a basic but effective fraud prevention tool.
Behavioural analytics: Analyse user behaviour on your platform to identify anomalies, such as rapid transactions, repeated attempts with different card numbers or unusual geolocation patterns.
Dynamic risk scoring and MFA: Assign risk scores to transactions based on multiple factors, including device fingerprinting, IP address, IP geolocation, and historical data. Higher-risk transactions can trigger multi-factor authentication (MFA).
Card verification value (CVV): Requiring customers to enter their CVV helps confirm that the buyer physically possesses the card, reducing the risk of unauthorised use from stolen card numbers alone.
Tokenisation: Convert sensitive credit card information into secure tokens for internal use, minimising the exposure of raw card data and reducing the risk of theft.
End-to-end encryption: Encrypt sensitive information from the point of capture to storage and processing, reducing the risk of interception and unauthorised access.
Secure data storage: Store credit card information in encrypted databases with restricted access. Implement role-based access control (RBAC) and ensure that only authorised staff can access sensitive data.
Real-time transaction monitoring: Monitor transactions in real time to identify potentially fraudulent activity. Send automated alerts to security teams for immediate investigation.
Incident response teams: Establish dedicated incident response teams with clear protocols for handling carding incidents.
Threat intelligence sharing: Participate in threat intelligence sharing programmes to stay informed about emerging carding trends and techniques.
Collaboration with law enforcement: Build relationships with law enforcement agencies specialising in cybercrime to assist with investigations and take-downs of carding operations.
CAPTCHA alternatives: Use advanced CAPTCHA solutions or alternatives such as reCAPTCHA v3 that require no user interaction but can detect bot-like behaviour.
Rate limiting and throttling: Implement rate limiting or velocity checks to restrict the number of transactions or attempts from a single IP address or user within a specific time frame.
Device fingerprinting: Identify unique device characteristics to detect automated bot activity. This can help prevent carding bots from testing large numbers of stolen credit card details.
Fraud alerts and notifications: Send alerts to customers when suspicious activity is detected, allowing them to confirm or deny transactions quickly.
Customer education: Educate customers about carding risks and best practices for protecting their credit card information. This can help reduce the likelihood of successful phishing or social engineering attacks.
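As an added illustration of how the velocity checks, AVS/CVV results and dynamic risk scoring listed above combine in practice (example code written for this article, not Stripe's or Radar's code), the script below scores a constructed authorisation log and flags the burst of distinct cards from one IP address that is characteristic of card testing. The log lines, thresholds and score weights are assumed values, not figures from the article.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample authorisation log, one attempt per line:
# timestamp, source IP, last four card digits, amount, AVS match, CVV match.
# The first six lines model a card-testing burst; the last two are a normal customer.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 4242 1.00 N N
2024-05-01T10:00:03Z 203.0.113.7 1881 1.00 N N
2024-05-01T10:00:05Z 203.0.113.7 5556 1.00 N Y
2024-05-01T10:00:07Z 203.0.113.7 0005 1.00 N N
2024-05-01T10:00:09Z 203.0.113.7 3222 1.00 N N
2024-05-01T10:00:11Z 203.0.113.7 0002 1.00 N N
2024-05-01T10:05:00Z 198.51.100.9 4242 59.99 Y Y
2024-05-01T10:30:00Z 198.51.100.9 4242 12.50 N Y
"""

WINDOW_SECONDS = 60      # velocity window; assumed tuning value
DISTINCT_CARD_LIMIT = 5  # distinct cards per IP per window before flagging
SMALL_AMOUNT = 5.00      # ceiling for a typical "test charge"; also assumed

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, ip, last4, amount, avs, cvv = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     ip, last4, float(amount), avs == "Y", cvv == "Y"))
    return rows

def score_attempt(amount, avs_ok, cvv_ok, distinct_cards):
    """Additive risk score: AVS/CVV mismatches and tiny amounts are per-attempt
    signals; many distinct cards from one IP inside the window is the bot signal."""
    score = 30 * (not avs_ok) + 40 * (not cvv_ok) + 10 * (amount <= SMALL_AMOUNT)
    if distinct_cards >= DISTINCT_CARD_LIMIT:
        score += 50
    return score

def detect_card_testing(rows, threshold=100):
    """Return {ip: [(iso_timestamp, last4, score), ...]} for attempts at or above
    the threshold. A lone mismatch is just a decline; velocity pushes it over."""
    recent = defaultdict(deque)   # ip -> (ts, last4) pairs inside the window
    flagged = defaultdict(list)
    for ts, ip, last4, amount, avs_ok, cvv_ok in rows:  # rows in time order
        q = recent[ip]
        q.append((ts, last4))
        while (ts - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()   # drop attempts that have aged out of the window
        score = score_attempt(amount, avs_ok, cvv_ok, len({c for _, c in q}))
        if score >= threshold:
            flagged[ip].append((ts.isoformat(), last4, score))
    return dict(flagged)
```

Flagged attempts are where a merchant would step up to MFA, block the IP temporarily or route the order for manual review; the two earlier declines from the same IP never reach the threshold on their own, which is why the window-based count matters.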
How the dark web enables carding
The dark web supports anonymous transactions that are challenging for law enforcement to trace or disrupt. Most payments use cryptocurrencies such as bitcoin, which mask the identities of buyers and sellers.
Marketplaces rely on encryption, hidden services, and distributed infrastructure to protect users and stay online despite takedown efforts. Even when sites are shut down, dynamic communities such as carding forums often reappear under new names, making them hard to eliminate completely.
Dark web marketplaces are central platforms for trading illegal goods and services, particularly related to financial fraud. They offer stolen credit card data, often organised by specific details like type or country, as well as carding tools such as bots and malware that help automate fraud. These marketplaces also provide related services such as credit card validation, cash-out assistance, and fake ID creation.
Dark web communities are knowledge hubs where experienced carders share techniques, guides, and advice with newcomers. These platforms also enable networking and collaboration, allowing users to coordinate more sophisticated fraud operations.
How carding impacts businesses and customers
Business effects
Financial losses: When fraudulent transactions occur, businesses often bear the cost of chargebacks and refunds. This can impact their bottom line, especially for small- and medium-sized enterprises (SMEs).
Reputational damage: Carding incidents can damage a business's reputation. Customers who experience fraud on a company's platform may lose their trust in the business and leave negative reviews.
Operational costs: To combat carding, businesses must invest in security measures, fraud detection systems and customer support to handle fraud-related issues. These costs can be substantial.
Increased scrutiny: High rates of fraud can lead to increased scrutiny from payment processors – potentially resulting in higher fees, more stringent requirements or even termination of merchant accounts.
Regulatory compliance risks: Businesses are required to comply with regulations such as the Payment Card Industry Data Security Standard (PCI DSS). Failure to maintain compliance due to carding incidents can result in fines and legal repercussions.
Customer effects
Compromised accounts: Customers whose credit card information is stolen may find unauthorised charges on their accounts. They must then spend time and effort working with their banks and credit card companies to reverse fraudulent charges and restore their accounts, which can be a lengthy and frustrating process.
Identity theft: Carding can lead to broader identity theft, in which fraudulent actors use stolen credit card information to open new accounts, apply for loans or commit other forms of fraud.
Emotional distress: Discovering unauthorised charges and dealing with the aftermath of carding can cause customers emotional distress and anxiety.
Credit score impact: In some cases, carding-related fraud can affect a customer’s credit score, especially if fraud leads to missed payments or defaults.
A brief history of carding
Early days and the rise of the internet
Initially, carding mainly involved physical methods to obtain credit card information. Fraudulent actors would steal wallets or purses to gain access to credit cards, or place devices on ATMs or POS terminals that captured card information during swipes. The existence of skimmers was reported around 2002.
As the internet grew, carding moved online, leading to new techniques, such as phishing and hacking into company databases to steal large volumes of credit card information. While phishing has been around since the 1990s, it became more common in the early 2000s as the internet became more popular.
New technologies emerge
Automation and advanced software have led to more sophisticated carding techniques. Carding bots have automated the card testing and validation process, allowing fraudulent actors to scale their operations and commit fraud faster. Carders have also started to use distributed networks of bots to test large volumes of stolen credit card data, reducing their risk of detection by spreading activity across multiple locations and IP addresses.
As carding became more sophisticated, security measures evolved, too. Chip and PIN technology became standard in the 2010s to make physical card cloning more difficult, forcing carders to rely more on online methods. E-commerce platforms began implementing machine learning and AI-based fraud detection systems to identify suspicious patterns and transactions. CAPTCHAs and multi-factor authentication were introduced to prevent automated bots from exploiting online systems.
Carders continue to adapt to new security measures and technologies with their own innovations. New techniques include formjacking, synthetic identity fraud (creating fake identities using stolen data to open credit accounts), and account takeovers (using stolen card information to gain unauthorised access to existing accounts).
How Stripe Radar can help
Stripe Radar uses AI models trained to detect and prevent fraud, using data from the global Stripe network. It continuously updates these models based on the latest fraud trends, protecting your business as fraud evolves.
Stripe also offers Radar for Fraud Teams, which allows users to add custom rules addressing fraud scenarios specific to their businesses and access advanced fraud insights.
Radar can help your business:
- Prevent fraud losses: Stripe processes over $1 trillion in payments annually. This scale uniquely enables Radar to accurately detect and prevent fraud, saving you money.
- Increase revenue: Radar’s AI models are trained on actual dispute data, customer information, browsing data, and more. This enables Radar to identify risky transactions and reduce false positives, boosting your revenue.
- Save time: Radar is built into Stripe and requires zero lines of code to set up. You can also monitor your fraud performance, write rules, and more in a single platform, increasing efficiency.
Learn more about Stripe Radar, or get started today.
The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.