Card Cracking

What Is Card Cracking?

Card cracking is when fraudsters attempt to figure out card details through illicit means. The criminal methods involved depend on which of the two types of card cracking applies: ecommerce or consumer-targeted.

In the former, fraudsters get partial card details and use bots on ecommerce sites to test missing info combinations, aiming to unlock each card’s details for misuse. In the latter, scammers exploit ads, tricking individuals seeking quick money into sharing account info. Fake checks are deposited, and funds are withdrawn before checks bounce.

Card cracking is a form of card testing that uses only partial credentials. Card testing itself is a broader term, as it also encompasses stolen physical cards and those with complete details.

In this piece, we focus on card cracking in relation to ecommerce.

How Does Card Cracking Work?

In card cracking, fraudsters use bots to methodically search for missing card details. They test the cards on different ecommerce sites until they find the right combination of details to make a card usable. Fraudsters go through the following series of steps to achieve this:

  1. Obtaining partial card details: This is usually done on the dark web, where fraudsters can obtain stolen card details at scale. In fact, the number of partial credit card details on the dark web is in the millions.
  2. Using bots to try to crack the cards: The credit card details could be missing part of the Permanent Account Number (PAN – the long card number, usually 10 digits long), the expiry date, or a combination of these. Fraudsters use bots for brute force attacks that try to fill in the blanks at scale.
  3. Testing the cards with small purchases: The bots test the various combinations of the given card details by attempting to make small – and therefore hard-to-detect – purchases on ecommerce sites.
  4. Making larger purchases: For any cards where the bots succeed in their cracking efforts (i.e. when they find the right combination of details to render a credit card usable), the fraudster can then proceed to make larger purchases for as long as they can get away with doing so. This is often until the cardholder or card issuer realizes something is amiss and blocks the credit card.
  5. Selling complete card details: In some instances, fraudsters don’t use the cracked credit cards themselves but sell them to other illicit individuals instead.

With fraudsters using bots to work through these steps and carry out card cracking at scale, those who have to bear the cost of this type of fraud need to be on their guard.

Who Are the Victims of Card Cracking?

Merchants and card issuers are usually the victims of card cracking in terms of bearing the financial cost, just as they are in most credit card fraud cases. This is one reason that merchants and card issuers work hard to ensure they have robust credit card fraud prevention and detection measures in place.

Card issuing banks take the initial hit, as they have to reimburse the cardholder for payments made by the fraudsters. They also have to cover the cost of issuing new credit cards to replace compromised ones, as well as the time that staff spend on all associated processes.

Banks often attempt to recover their losses from merchants. Decisions over liability usually come down to whether the merchant’s technology was less secure than the card issuer’s – or vice versa. Even when they aren’t liable for the fraudsters’ expenditure, merchants must bear the cost of investigating and sorting out card cracking fraud cases.

Credit card cracking can also bring a lot of trouble to the targeted cardholders. Aside from taking time to rectify, illicit spending can also take the cardholder over their credit card limit and lead to them having missed payments. Such pitfalls can damage the cardholder’s credit rating and cause further distress.

The silver lining for consumers is that they are not usually responsible for the financial loss associated with their card being cracked. Legislation such as the Fair Credit Billing Act (FCBA), along with similar rules in other countries, aims to limit the financial impact of such fraud on consumers (under the FCBA, for example, it is limited to $50).

The Consequences of Card Cracking

The consequences can be both short-term and long-term for the victims. For merchants and card issuing banks, they include:

  • loss of funds – due to having to reimburse the cardholder
  • loss of staff time – through the necessary investigations and customer liaison
  • potential reputational damage – particularly if the loss of the partial card details originated from a data breach related to the bank or merchant

For individual cardholders, the consequences include stress, lost time, and potential damage to their creditworthiness. The latter can pile on even more stress, particularly if the cardholder is in the middle of a mortgage application or other financial situation where they will immediately suffer from the impact of a plummeting credit score.

Looking ahead, the global network cards (Visa, Mastercard, UnionPay, American Express, JCB, and Discover/Diners Club) are together projected, according to Nilson, to generate 891.20 billion transactions in 2027, an increase of 42.3% compared to 2022. At that volume, the scale of the potential for card fraud becomes clear.

This means plenty of opportunities for fraudsters, and much to do for those seeking to protect their businesses from card cracking.

How to Protect Yourself and Prevent Card Cracking 

Ecommerce merchants and banks are not alone in their fight against card cracking and its consequences. The steps they can take to protect themselves include the following.

1. Verify Addresses and CVV Numbers

Fraudsters using cracked cards are unlikely to have the cardholder’s Card Verification Value (CVV) number or be using their billing address for deliveries. Merchants who require CVV numbers and address verification before purchases can go ahead are thus in a strong position to fend off the use of cracked cards.

2. Use Geolocation Data

Merchants can use technology to see where customers are making transactions from. Automated solutions can trigger red flags based on locations that contradict the cardholder’s most recent spending habits, transaction history, and more.

3. Understand Fraudsters’ Profiles

By gathering data such as IP addresses, geolocation, software and hardware configurations, browser configurations, and so on, merchants can watch out for details associated with fraud attacks that they have already experienced. This enables them to block certain interactions, such as purchases from an IP address associated with a previous instance of fraud.
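
The measures above can be expressed as simple risk rules. The following Python sketch is an added example, not SEON's code or any vendor's API: it scores a stream of authorization attempts using CVV and address verification results, a previously seen fraud IP, and the cracking-specific signal of one card being retried with several different expiry dates. The field layout, weights, thresholds and sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)     # assumed look-back window per card
BLOCK_AT, REVIEW_AT = 60, 30       # assumed score thresholds

# Constructed sample authorization attempts (not real data).
# (time, ip, card token = BIN + last 4, expiry tried, cvv_ok, avs_ok)
ATTEMPTS = [
    ("2024-05-01T10:00:01", "203.0.113.7", "411111-1111", "01/26", False, False),
    ("2024-05-01T10:00:03", "203.0.113.7", "411111-1111", "02/26", False, False),
    ("2024-05-01T10:00:05", "203.0.113.7", "411111-1111", "03/26", True, False),
    ("2024-05-01T10:02:00", "198.51.100.20", "555555-4444", "09/27", True, True),
    ("2024-05-01T10:05:00", "192.0.2.44", "400000-0002", "11/25", True, False),
]

def score_attempts(attempts, known_bad_ips=frozenset()):
    """Return one (score, reasons) pair per attempt, in input order."""
    seen = defaultdict(list)       # card token -> [(time, expiry)] within WINDOW
    results = []
    for ts, ip, card, expiry, cvv_ok, avs_ok in attempts:
        now = datetime.fromisoformat(ts)
        # Drop attempts on this card that fell out of the window, then add this one.
        seen[card] = [(t, e) for t, e in seen[card] if now - t <= WINDOW]
        seen[card].append((now, expiry))
        distinct = len({e for _, e in seen[card]})
        checks = [
            # Same card retried with different expiry dates: a bot filling in blanks.
            (distinct >= 3, 50, f"{distinct} expiry values tried in window"),
            # CVV and address verification (AVS) failures.
            (not cvv_ok, 20, "CVV mismatch"),
            (not avs_ok, 15, "AVS mismatch"),
            # IP already tied to an earlier fraud case at this merchant.
            (ip in known_bad_ips, 30, "known fraud IP"),
        ]
        hits = [(pts, why) for cond, pts, why in checks if cond]
        results.append((sum(p for p, _ in hits), [w for _, w in hits]))
    return results

def decide(score):
    return "block" if score >= BLOCK_AT else "review" if score >= REVIEW_AT else "allow"

if __name__ == "__main__":
    for a, (s, why) in zip(ATTEMPTS, score_attempts(ATTEMPTS, {"192.0.2.44"})):
        print(a[0], a[2], s, decide(s), "; ".join(why))
```

Note that the third attempt passes the CVV check yet is still blocked: the retry pattern on the card, not any single field, is what identifies the cracked card at the moment it becomes usable.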

Protect Your Accounts with the Right Solution

There are powerful fraud-fighting software and tools on the market. Some of the most effective are systems that use customizable risk rules and risk scoring, real-time transaction monitoring, and machine learning that suggests rules based on the merchant’s historical data.

Such systems provide a level of granularity and flexibility that enables merchants to fine-tune their fraud-fighting efforts and protect their businesses. SEON, for example, provides in-depth device fingerprinting to enable merchants to develop comprehensive profiles, fully transparent and customizable risk rules, flexible risk scoring, and real-time transaction monitoring.

The result is powerful protection against a wide range of fraud, including everything from credit card cracking and gift card fraud attempts to account takeover attacks and multi-accounting.
