Carding

What Is Carding?

Carding refers to the unauthorized use of stolen credit or debit card information for illicit activities, such as purchasing goods, acquiring prepaid or gift cards for resale or facilitating further fraudulent schemes. Cybercriminals often trade large volumes of compromised card data on dark web forums or encrypted messaging platforms like Telegram. A common tactic involves using stolen cards to buy gift cards or cryptocurrency, which can then be laundered or sold for untraceable profits.

In 2024 alone, there were 449,032 reports of credit card-related identity theft, making it the most prevalent form of identity theft reported that year. Overall, consumers reported losing over $12.5 billion to fraud in 2024, marking a 25% increase from the previous year. These figures underscore the escalating threat of carding and the importance of robust security measures for both consumers and businesses.

How Do They Steal Cards? How Does Carding Work?

Fraudsters employ various techniques to steal credit and debit card information, including:

• Card cloning/skimming: Using physical skimmers at ATMs or point-of-sale terminals to copy card data or RFID skimming for contactless cards.
• Phishing: Impersonating trusted entities via email, SMS or phone to trick victims into sharing card details.
• BIN attacks: Systematically generating and testing card numbers using valid Bank Identification Numbers (BINs).
• Data breaches: Exploiting security vulnerabilities to access massive amounts of card data which is then sold on the dark web.
• Malware and Spyware: Infecting devices to capture keystrokes, clone digital wallets or monitor user activity.
• Zero-day exploits: Leveraging undisclosed software vulnerabilities in eCommerce platforms before they are patched.
• Fake Ads and Job Scams: Collecting credit card details through deceptive online forms.
• Public Wi-Fi Attacks: Intercepting sensitive data on unsecured networks.
  

Once obtained, stolen card data can be sold, tested for validity or used to purchase goods, gift cards or cryptocurrency, often to fund further fraud. And the impact is clear: in 2024, the Federal Trade Commission reported 458,538 cases of credit card fraud in the U.S., reflecting a 7% increase from the previous year.

How Much Is a Stolen Credit Card Worth?

As high as $134 or as low as $17 per individual card details – it depends on where you look, and pricesThe value of stolen credit card data on the dark web varies based on factors like account balance, card type and associated information. As of 2024, basic credit card details with a balance up to $1,000 typically sell for around $70, while those with balances up to $5,000 can fetch approximately $110. 

Cloned physical cards with PINs, such as Mastercard, Visa or American Express, are generally priced between $20 and $25. 

Each stolen credit card entry often includes sufficient information for card-not-present (CNP) transactions, such as online purchases or telephone orders. This typically comprises the card number, expiration date, CVV code, cardholder’s name and billing address.

4 Examples of Carding

StStolen debit and credit card activity is rampant across numerous sectors. Fraudsters adapt their tactics based on the industry’s unique characteristics. Some examples include:

• iGaming: Fraudsters often use stolen credit cards to make large deposits and claim bonuses, especially in online casinos and betting platforms. Once the bonus is claimed, they may withdraw funds, leaving the operator with a chargeback risk.
  
• Fintech & Financial Services: Fraudulent users leverage stolen cards for account funding, making rapid withdrawals or exchanges, particularly in crypto trading platforms or digital wallets. These sectors are prime targets due to their high-value transactions and limited fraud detection systems in place.
  
• Retail: In the retail sector, fraudsters often use stolen card details to make online purchases of high-demand, resellable products. Retailers face challenges when card-not-present transactions are used, as they lack physical verification of the cardholder.
  
• Payments: In this sector, criminals test stolen card data through small-value transactions before scaling up to larger fraud or selling the verified data. This is where payment gateway fraud detection becomes critical, helping providers spot and block suspicious activity early in the transaction flow.

Fraud prevention strategies are critical for all of these sectors, but industries like iGaming, fintech and retail are especially vulnerable due to their high volume of digital transactions and quick payment processing.

How to Prevent Carding Fraud – as a Consumer

Consumers can take several steps to enhance their card security, both online and offline:

• Regularly monitor card statements for any suspicious charges
• Keep track of your card’s physical location at all times
• Be aware of online payment best practices (e.g., ensuring sites use HTTPS, recognizing phishing attempts)
• Enable Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) when possible
• Inquire about opt-in security features with your card issuer
• Freeze or cancel your card immediately if fraud is suspected

How to Detect Carding – as a Company 

To detect and block carding attempts, companies can leverage a variety of fraud detection techniques, including:

• Card BIN lookup: This feature verifies the card’s validity, identifies the issuing bank and determines its country of origin, helping assess transaction risk.
  
• Digital footprint analysis: Checking a shopper’s online presence through their email address or phone number can reveal red flags. A lack of a digital footprint or discrepancies can indicate a need for further investigation.
  
• IP analysis: Analyzing customer connections, including IP address checks, helps detect harmful behaviors like VPN or Tor usage and suspicious DNS activities.
  
• Device intelligence: Leveraging device data, such as device type, OS and browser information, helps detect unusual behavior and mitigate fraud attempts during transactions.
  
• AI-powered detection: Whitebox machine learning can assist in manual review efforts by continuously learning from transaction data and identifying emerging fraud patterns.
  
• Custom and industry-specific risk rules: Default risk rules tailored to sectors like retail, fintech and payments, along with custom risk rules, help businesses automate and refine fraud detection to fit their specific needs.
  
• KYC verification: Employing both light and heavy KYC checks or combining both approaches can effectively detect fraudulent activity at various stages of the transaction process.

Vigilance is key for any organization handling card payments, from eCommerce businesses to payment processors. Fraud can impact the business, consumer and staff morale and even lead to fines if security measures are deemed inadequate. Staying proactive with robust detection methods and adaptive risk management is essential to safeguarding both revenue and reputation.

Sources

• FTC.gov: Consumer Sentinel Network Dat Book 2020
• Infosec Institute: All about carding (for noobs only) [updated 2021]
• The Guardian: Stolen credit card details available for £1 each online
• Comparitech: Dark web prices for stolen PayPal accounts up, credit cards down: report