As the United States advances in technology, internet bot activity – good and bad – is growing. Bot traffic affects many verticals, including gambling, social media, concert and sporting event ticketing, and e-commerce websites.
The fraud landscape continues to change with advanced bots that make committing crimes easier for fraudsters. According to the 2021 Imperva Bad Bot Report, 25.6% of all internet traffic on e-commerce websites in the prior year consisted of bad bots.
It's essential for small and midsize business (SMB) owners with e-commerce storefronts to understand the threats and damage bot activity can yield. Here's a look at bot-driven credit card testing fraud, how these attacks work, and how you can protect your business and customers from this e-commerce pitfall.
What is carding?
Credit card testing fraud – also known as carding and card cracking – is when cybercriminals make a small online purchase to test whether a stolen credit card number is valid.
Credit card testing often goes unnoticed by fraud-detection solutions and is usually discovered only when it's too late. Without proper measures in place, credit card testing fraud can be costly and damaging to both SMBs and cardholders.
How do fraudsters get a person's credit card number?
In the age of data, security breaches and hacks into companies, data centers and credit card agencies give hackers abundant access to credit card numbers. Typically, hackers will sell a bulk list of stolen card numbers on the darknet where a buyer – the fraudster – is lurking.
A fraudster can purchase lists of credit cards recently stolen, or up to a year old. As time passes, the list's resale value depreciates. Many cardholders and banks take preemptive measures to shut down credit cards if a breach impacts them, but a small, unauthorized purchase may go unnoticed.
How does a carding attack work?
Fraudsters can potentially abuse any user-facing function on your company's website, including the one that accepts payments.
Once the scammer purchases a list of stolen credit card numbers, they test the stolen cards to see which ones are valid by making small transactions on unsuspecting e-commerce sites.
Fraudsters can enable bots to do this work efficiently. A bot can automatically submit orders on multiple websites to check credit card validity much faster than a fraudster inputting card numbers one by one.
The fraudster's end goal is to find valid credit cards they can use to make large online purchases or sell the list of validated credit cards to other cybercriminals.
Example of a carding attack
In 2019, a carding bot called the Canary Bot targeted a top e-commerce platform. Mimicking a real shopper, the bot added products to an online shopping cart, set shipping information and completed the sale on multiple businesses within the platform.
The bot was discovered because its pattern was different from that of human shoppers. For example, activity increased before the holiday shopping season, which isn't typical since people usually save and wait for sales. The bot's transactions also didn't follow the usual human shopping time patterns; instead, the transactions happened randomly throughout the day.
What are the ramifications for SMBs?
Bot-driven credit card testing hurts your SMB with chargebacks, shipped goods that are never recovered, lost revenue from a fraudulent sale and damage to your e-commerce brand reputation. Additionally, operational costs rise while customer service support calls take up precious time. If your business unintentionally allowed fraudsters to enter the networks, it's likely other cybercriminals will follow.
How to identify credit card fraud
Luckily, you can spot red flags when carding attacks occur. Here are some things to look for:
- Unusually high shopping cart abandonment rates and chargebacks
- Many small shopping cart sales
- High proportion of declined payments
- Disproportionate use of the payment step in the shopping cart
- Multiple payments from the same customer within seconds or minutes
- Too many transactions with the same bank identification number (BIN), which is the first six digits of every credit and debit card
- Multiple declined transactions from the same user, IP address or session
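The red flags above can be checked mechanically against your own order log. The script below is an added example (it is not code from the original article): it parses a constructed log of checkout attempts and reports the signals from the list, namely several payments from one IP within a short window, a high decline ratio per session, too many attempts sharing one BIN, and a large share of small-ticket sales. The log format, thresholds and sample values are assumptions chosen for the illustration.

```python
"""Scan a batch of checkout attempts for the carding red flags listed above (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line:
# timestamp  session  client_ip  card_bin  amount  result
SAMPLE_LOG = """\
2023-11-02T09:00:01 s1 203.0.113.5 411111 1.00 declined
2023-11-02T09:00:03 s1 203.0.113.5 411111 1.00 declined
2023-11-02T09:00:05 s1 203.0.113.5 411111 1.00 approved
2023-11-02T09:00:07 s1 203.0.113.5 411111 1.00 declined
2023-11-02T09:00:09 s1 203.0.113.5 411111 1.00 declined
2023-11-02T09:00:11 s1 203.0.113.5 411111 1.00 declined
2023-11-02T10:15:00 s2 198.51.100.7 552233 48.99 approved
2023-11-02T11:40:12 s3 198.51.100.9 377734 120.00 approved
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of dicts."""
    rows = []
    for line in text.splitlines():
        ts, session, ip, card_bin, amount, result = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "session": session, "ip": ip,
                     "bin": card_bin, "amount": float(amount), "result": result})
    return rows


def max_attempts_in_window(times, window):
    """Largest number of attempts that fall inside any sliding window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_carding(rows, window=timedelta(seconds=60), max_attempts=3,
                   min_attempts=3, decline_ratio=0.5, bin_share=0.5, small_amount=5.0):
    """Return the red flags found: velocity per IP, decline ratio per session,
    BIN concentration, and the share of small-ticket attempts. Thresholds are assumptions."""
    flags = {"velocity": {}, "decline_ratio": {}, "bin_concentration": {}, "small_ticket_share": 0.0}
    if not rows:
        return flags

    # Multiple payments from the same IP within seconds or minutes
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r["ts"])
    for ip, times in by_ip.items():
        n = max_attempts_in_window(times, window)
        if n > max_attempts:
            flags["velocity"][ip] = n

    # High proportion of declined payments from one session
    by_session = defaultdict(list)
    for r in rows:
        by_session[r["session"]].append(r["result"])
    for session, results in by_session.items():
        ratio = results.count("declined") / len(results)
        if len(results) >= min_attempts and ratio >= decline_ratio:
            flags["decline_ratio"][session] = ratio

    # Too many transactions with the same BIN (first six digits of the card number)
    bins = Counter(r["bin"] for r in rows)
    for card_bin, count in bins.items():
        share = count / len(rows)
        if count >= min_attempts and share >= bin_share:
            flags["bin_concentration"][card_bin] = share

    # Small shopping cart sales: share of attempts below the small-amount threshold
    flags["small_ticket_share"] = sum(r["amount"] < small_amount for r in rows) / len(rows)
    return flags


if __name__ == "__main__":
    for signal, value in detect_carding(parse_log(SAMPLE_LOG)).items():
        print(signal, value)
```

On the sample log the single session s1 trips every signal at once: six attempts from one IP in ten seconds, five declines out of six, 75% of all attempts on one BIN, and 75% of attempts under five dollars. Real traffic needs the thresholds tuned against a baseline week of legitimate orders, since a flash sale can also produce bursts of small tickets from one network.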
How to protect your business from credit card fraud
If you're a small business owner, follow these tips:
- Scrutinize historical operational trends. An increase in customer support calls and chargebacks could mean card testers are targeting you. Also, look for spikes in the number of declined transactions. When fraudsters test older stolen credit card lists, there will be many declines.
- Install automated blocking software. Most engineering teams can put in simple blocking software for high-velocity attacks, but more sophisticated attacks need specialized software. Some vendors specialize in this type of real-time fraud detection. Make sure your solution can quickly adjust to changing attack patterns and deliver obfuscation strategies to make it harder for fraudsters to complete a sale.
- Partner with a secure payment processor. The best credit card processing services have strong fraud and risk management engines with bot protection. Integrating with the right partner allows you to collect payments and focus on your business with peace of mind.
- Utilize device fingerprinting. This technology combines data from the user's browser and device to identify a source. Since carding involves multiple attempts, and the fraudsters only have limited devices at their disposal, fingerprinting can identify the source of carding attacks and shut them down.
- Familiarize yourself with purchasing patterns. Human behavior and purchase habits conform to specific patterns, including which URLs are accessed, mouse movements and site engagement. When behavior deviates, it's a red flag that a bot may be involved.
- Analyze your traffic. There are certain technical and behavioral patterns common to bots and specific IPs where they tend to originate. By keeping a keen eye on your traffic patterns, you may be able to nip a carding attack in the bud.
- Use AVS responses. The address verification system (AVS) matches the billing address input at checkout with the address on file with the credit card company. If it doesn't match, the credit card company will still let the transaction go through, but you can set safeguards or use other fraud prevention tools to research the matter.
- Require card security codes. When companies store credit card information, they can't store the CSC or CVV codes, and cybercriminals will typically not have this information. By requiring the code at checkout, you can ward off criminals.
- Challenge your purchasers. You are probably aware of the many "prove you're not a robot" challenges that proliferate online, from checking a box to typing in a captcha to identifying squares in an image with a specific item. These measures will prevent bots from proceeding.
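Several of the tips above (device fingerprinting, AVS responses, required security codes and challenges) combine naturally into one checkout-time gate. The code below is an added example, not code from the original article or from any payment processor: it blocks attempts that omit the security code, escalates a device that has already accumulated declines from a challenge to a hard block, and holds approved orders whose AVS response was not a full match for review before anything ships. The AVS codes, the device fingerprint field and the decline thresholds are assumptions; real processors publish their own AVS code tables.

```python
"""Checkout-time gate combining a CVV requirement, AVS handling and per-device decline limits (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# AVS response codes of a hypothetical processor (assumption; real code tables differ per processor).
AVS_FULL_MATCH = {"Y"}
AVS_PARTIAL_MATCH = {"A", "Z"}   # street-only or postal-code-only match
AVS_NO_MATCH = {"N"}


@dataclass
class Attempt:
    ts: datetime
    device_fp: str       # device fingerprint from the storefront's fingerprinting script (assumed field)
    cvv_provided: bool
    amount: float


class CheckoutGate:
    def __init__(self, max_declines: int = 3, window: timedelta = timedelta(minutes=10)):
        self.max_declines = max_declines
        self.window = window
        self._declines = defaultdict(deque)   # device_fp -> timestamps of recent declines

    def _recent_declines(self, a: Attempt) -> int:
        q = self._declines[a.device_fp]
        while q and a.ts - q[0] > self.window:   # forget declines older than the window
            q.popleft()
        return len(q)

    def pre_authorization(self, a: Attempt) -> str:
        """Decide before the card is sent to the processor: 'block', 'challenge' or 'proceed'."""
        if not a.cvv_provided:
            return "block"        # the security code is never stored, so buyers of breached data rarely have it
        n = self._recent_declines(a)
        if n >= self.max_declines:
            return "block"        # this device has used up its allowance of declines
        if n > 0:
            return "challenge"    # one decline is normal; the next attempt gets a "prove you're not a robot" step
        return "proceed"

    def post_authorization(self, a: Attempt, approved: bool, avs_code: str) -> str:
        """Decide after the processor responds: 'declined', 'capture' or 'review'."""
        if not approved:
            self._declines[a.device_fp].append(a.ts)
            return "declined"
        if avs_code in AVS_FULL_MATCH:
            return "capture"
        return "review"           # issuer approved it, but the billing address did not fully match: hold before shipping


def run_scenario() -> list:
    """Replay a constructed sequence of checkout attempts and return (pre, post) decisions."""
    gate = CheckoutGate()
    t0 = datetime(2023, 11, 2, 9, 0, 0)
    # (seconds offset, device fingerprint, cvv provided, processor approved, AVS code) - constructed values
    script = [
        (0, "fp-bot", True, False, "N"),
        (5, "fp-bot", True, False, "N"),
        (10, "fp-bot", True, False, "N"),
        (15, "fp-bot", True, True, "Y"),        # a valid card in the list, but the device is already burned
        (60, "fp-shopper", True, True, "Y"),
        (70, "fp-no-cvv", False, True, "Y"),
        (80, "fp-moved", True, True, "N"),      # genuine-looking order whose billing address did not match
    ]
    decisions = []
    for offset, fp, cvv, approved, avs in script:
        a = Attempt(t0 + timedelta(seconds=offset), fp, cvv, 1.00)
        pre = gate.pre_authorization(a)
        if pre == "block":
            decisions.append((pre, None))
            continue
        # a 'challenge' is assumed to have been solved here so the flow continues to the processor
        decisions.append((pre, gate.post_authorization(a, approved, avs)))
    return decisions


if __name__ == "__main__":
    for pre, post in run_scenario():
        print(pre, post)
```

The ordering matters: the CVV and decline checks run before the card number reaches the processor, so a card-testing bot is stopped without generating the authorization attempts that drive up processing fees and decline ratios, while the AVS decision can only run afterwards because the address result arrives with the authorization response.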
Jennifer Dublino contributed to the writing and research in this article.