What Is Carding?
Carding is a general fraudster term for using stolen credit and debit card data for personal gain – which can be selling the data, using them to buy goods, or using them to power further fraud.
It should be noted that while stolen cards can be used to make direct purchases, many use them to buy prepaid cards and/or gift cards instead, which they then will use or sell for immediate profit, to hide their tracks. In fact, the term “carding” is also sometimes used to describe such “gift carding” in particular.
Cybercriminals of various skill levels may also attempt to sell (or buy) big batches of stolen credit card information for profit.
According to the Federal Trade Commission’s Consumer Sentinel Data Book for 2020, credit cards are by far the most frequent payment method used for fraud in the US, amounting to a total of USD 149m lost.
Consumers reported nearly 400,000 cases of credit card fraud, 44% more than the previous year, while debit card fraud was on the rise year on year, at +32% compared to 2019.
How Do They Steal Cards? How Does Carding Work?
Unfortunately, fraudsters have access to a growing number of methods with which to obtain other people’s details. Methods to steal card information include card cloning/skimming, RFID skimming, phishing, public Wi-Fi, spyware, data breaches, BIN attack etc. More specifically:
Phishing: Most people will already be familiar with phishing, where fraudsters pose as legitimate companies via email, SMS or phone to get people to submit their details voluntarily often on fake websites. This is a type of social engineering attack.
Fake ads: One trend we’ve seen develop in the last few years is to create fake job posts and gather information through online application forms and videos.
Skimming: Credit card skimmers are also on the rise, and FICO estimated a 70% increase in compromised credit cards between 2016 and 2017. These malicious card readers are installed to “skim” the physical card information and send it back to criminal servers and can particularly be found at gas stations and ATMs.
Zero-day vulnerabilities: Abusing zero-day vulnerabilities in ecommerce platforms continue to be the major source of credit card theft. In these cases, the fraudster exploits a bug in the ecommerce system before the developer has the opportunity to create a patch fix.
Malware: Point of Sale (PoS) malware is also something to watch out for, and so are other viruses, trojans, and malicious software found on tablets, phones, and personal computers of merchants and shoppers alike.
Data breaches: Data breaches, which show no sign of slowing down, can also contain credit card information along with personal details. This data usually ends up on the darknet where fraudsters are able to purchase it.
After acquiring the data, the thief will typically compile long lists and proceed to:
- Sell them on the dark web or encrypted platforms such as Telegram, for profit
- Conduct testing to see which ones are still “live”
- Use them to buy costly items to then resell
- Use them to buy cryptocurrency to resell, as investment or as untraceable payment to fund further fraud
- Use them to buy prepaid cards or gift cards to sell
- Use them to fund further nefarious activity, including other scams
How Much Is a Stolen Credit Card Worth?
As high as $134 or as low as $17 per individual card details – it depends on where you look, and prices are going down.
While an investigation by The Guardian identified batches of stolen card details at approximately £98/$134 per card back in 2015, a more recent report from September 2021 found they fetched £13/$17 each. Interestingly, the priciest type is Mastercard, with Discover a close second, at 6.47 and 6.27 cents per dollar respectively.
Typically, each stolen credit card entry will include the following information, which is sufficient to use it for card-not-present (CNP) transactions such as online payments and telephone orders:
- credit card number
- expiry date
- CVV code
- name on card
- full cardholder address
3 Examples of Carding
Stolen debit and credit card activity has been observed in virtually every sector. For instance:
- In the iGaming industry: Gambling scams targeting gambling providers
- In hospitality: Hotel guests attempting payments with multiple cards
- In trading and forex: Scammers buying cryptocurrencies with stolen cards
Some fraudsters have devised sector-specific methods, based on the particularities of each, but there are more general practices too.
Industries that have been highlighted as more susceptible to card fraud in recent years include airlines, banking and finance, manufacturing, healthcare and education.
How to Prevent Carding Fraud – as a Consumer
Consumers are advised to take extra steps to boost their security when using their payment cards, online and offline, including:
- monitoring all card statements and following up on any suspicious charges
- being mindful of cards’ physical location
- reading up on online payment best practices and pitfalls (e.g. https, phishing)
- enabling MFA and/or 2FA wherever possible
- asking card issuers about opt-in safeguards to boost security
- freezing or canceling a card ASAP if issues arise
How to Detect Carding – as a Company
Safeguards and best practices to detect and block carding attempts include:
- Digital footprint analysis to flag suspicious accounts
- Whitebox machine learning to assist manual review efforts
- Data enrichment to inform risk models
- Educating customers and staff
- KYC process – light or heavy (or combined)
Vigilance is required on the part of ecommerce companies, banks, payment gateway operators, service providers and practically any organization that handles card payments.
No matter whether the direct victim is the business or the consumer, fraud can take its toll on reputation, time spent resolving the issue, staff morale, and even lead to fines if the security is deemed inadequate.
What’s more, someone will ultimately incur the financial loss, and who it’s going to be depends on several factors.
Sometimes, the thief will take the time to check if each card is live or dead before trafficking or using it. It is at this stage that they are most vulnerable.
Fraudsters have devised and discovered various tools and methods to employ in their carding practices, many of which are lawful when used for other purposes. These include RDPs, MAC address changers, cleanup tools such as CCleaner, etc.
On the other hand, tools and methods like those listed above can help detect thieves’ attempts. For instance, digital footprint analysis will look at the email address or phone number to see if it’s associated with the cardholder’s social media account, whereas data enrichment will source information about the cardholder from around the web to assign them a risk score.
New and diverse carding tools, the surge in online and contactless payments, as well as encrypted messaging protocols being more accessible than ever to the wider public have all led to a rise in carding.
Nilson Report estimates worldwide card fraud to be soaring, to the tune of USD 32.04bn in 2021, projected to reach USD 38.50bn by 2027. Depending on how the cards fall, these losses can be incurred by the card issuer, payment processor, merchant/shop where the payment was made or the consumer themselves.
Lastly, for individuals and professionals alike, it is good to bear in mind that there is a wealth of information a bank identification number (BIN) can reveal. You can try this out using SEON’s module below:
We’ve put together a complete guide to credit card fraud to help you understand how it occurs, how to detect it, and how our software works to prevent it
Find out more
FTC.gov: Consumer Sentinel Network Dat Book 2020
Infosec Institute: All about carding (for noobs only) [updated 2021]
The Guardian: Stolen credit card details available for £1 each online
Comparitech: Dark web prices for stolen PayPal accounts up, credit cards down: report
Nilson Report: Charts & Graphs Archive
Contact Us for a Demo
Feel free to reach out to us for a demo!