Australia Post’s Inside Australian Online Shopping 2021 report highlights a 26.9% YOY growth in online purchases for the 12 months to 31 July 2021. To give an idea of scale, in FY20, just 16.3% of all retail sales were made online (at $52.1Bn online goods spend), outperforming pre-pandemic predictions of 12-13%.
And most of these transactions will be made using credit cards. So for cybercriminals using 'carding' to target web applications that process credit card information, the pickings are rich. But if your business depends on online credit card payments to boost your bottom line, the consequences can be dire.
Even more heart-breaking is the targeting of the not-for-profit sector. The use of simple online forms, carefully designed to minimize the barriers to donating, also makes it easier for cybercriminals to launch carding attacks. So if your organization is a charity dependent on the goodwill of philanthropists, your ability to do good can be significantly impacted by the cost of fraud, and reputation damage.
Carding. What is it, why (and how) does it work, and who is behind it?
Carding, aka card verification or credit card stuffing, is a process cybercriminals use to determine if they can use the stolen credit card numbers they possess. Once a card's details are verified (and it becomes a 'success' card), criminals often use the card to purchase prepaid gift cards.
How does it work?
It all begins with the exploitable weaknesses in the security software and technology intended to protect credit card accounts. Typically, a hacker will gain access to your online credit card processing system and steal a list of cards (debit or credit) recently used to make a purchase. The list is then on-sold to a third party – called a 'carder' – who uses the card to purchase gift cards which they can use to buy high-value and easy to resell items like cell phones, computers, TVs, and more.
Cybercriminals use carding bots (software programmed to automate tasks over the internet) to authorize stolen credit card credentials. The bots visit your donation or eCommerce website and initiate multiple, rapid transactions. The dollar amount is usually nominal – small purchases are less likely to be noticed by your customer. If the transaction goes through, it's bingo for the criminal, and the card can be used or on-sold as a 'success' card.
Carding bots have a range of proven validation tactics, from using single or multiple cards repeatedly in quick succession for low or identical dollar amounts. Or trying out multiple cards with the same information (like the cardholder's name and billing address) from the same IP address, or with different billing addresses but the same bank ID number. A bot will attempt to validate a card thousands of times on your web application until it yields the desired authorized credit card details.
Be warned. Credit card theft is no longer random and opportunistic.
Instead, it's a highly organized cybercrime activity. To the extent that criminals use underground websites and forums to sell lists of stolen credit card data, and even share advice on validation techniques.
Who hangs out on these forums? Members range from individuals wanting to use stolen card data to buy goods or on-sell 'success' cards, to organized criminal gangs who bulk-buy card details (usually with cryptocurrency) and resell them on the dark web. It's big business, with millions of card details available to potential buyers.
Who's the biggest loser with carding?
The short answer? Businesses and not-for-profit organizations. You stand to lose not only financially but reputationally. Customers and donors are quick to lay blame, and equally fast to change loyalties.
While cardholders are also obvious losers, they also have the best chance of getting their money back. Once a card owner or credit card processor spots and disputes a fraudulent transaction, merchants typically reverse the charge (called a chargeback) and refund the customer's money. While that takes care of your customer's financial loss, it doesn't solve the damage to your reputation.
Research shows that 29% of customers who experience credit card fraud when buying from your website will blame you, and 49% won't return to your site.
The result? Your organization – whether you're a retailer, charity, hospitality, or travel business – not only ends up paying the cost of the fraud but potentially loses revenue from existing and future customers.
But it doesn't end there. While the purchase value may be minimal, the credit card processor can charge you a refund fee. For example, PayPal's non-refundable chargeback fee is US$20 per transaction. As you can imagine, if your business or not-for-profit falls victim to a carding attack, it doesn't take long to run up tens of thousands of dollars in annual chargeback fees. Add to this a loss of reputation, and it's a slippery financial slope.
As well as undermining customer trust – a carding attack on your web apps impacts their ability to meet stringent compliance requirements like the Payment Card Industry Data Security Standard (PCI DSS).
Credit card processors are also big on the losing list. It's critical (legally and reputationally) to protect the highly sensitive data they collect for every transaction they process. They are under constant pressure to provide customer support if carding attacks impact your business and rigorously monitor and deal with suspicious behavior. The fall-out of fraudulent transactions is significant damage to their brand.
Spot the bot in action
How can you tell if carding bots are targeting your website payment processing application? Here are some of the giveaway signs:
- An increase in chargebacks
- A significant number of low-value purchases, or abandoned shopping carts containing low-value items
- A high number of declined credit card transactions
- Multiple failed attempts to pay from the same user, IP address, etc. (as the bot tries different configurations to hit that 'bingo' moment)
How can you protect your web applications against carding attacks?
If you accept online credit card payments (and in this day and age, who doesn't?), how can you reduce your vulnerability to carding bot attacks?
Improve web application security
CAPTCHAs are a common way to introduce a layer of protection to the payment process. However, your users regard them as the most disruptive and off-putting of all security mechanisms. Not only will some customers switch websites to avoid using them, but CAPTCHAs only offer protection from the most basic bots. They can't discriminate between a genuine user and a bot and require both to solve the puzzle or tick the box to pass go.
Rate limiting does what the name suggests. It limits the number of times that a user – or bot – can repeat the same action on a website. However, it can't distinguish between a good bot (think Google's search engine crawler) and a bad bot.
Another strategy requires login or session validation, where your customer must provide a user name and password before moving on to payment. However, bots can also create new accounts so they can test stolen credit card numbers.
Geo-fencing is a further option. This allows or denies access to your site from specific geographic regions. For example, you may only wish to provide products or services to customers in Australia or Oceania and block those from Romania or Russia. However, this works on the assumption that hackers aren't 'spoofing' their location.
While applying the above layers of protection may seem logical, tightening up customer-facing eCommerce practices to reduce credit card fraud can also backfire on you. For example, excessively complicated and stringent checkout processes can result in higher decline rates for credit cards, leading to a poor customer experience, abandoned shopping carts, and even a change of buyer loyalty.
Stop the carding bot in its tracks
RedShield can help your business to reduce instances of fraud and maintain business-critical PCI DSS accreditations with prefabricated web application shields. Shields introduce multiple layers of security against carding attacks, including:
- Geofencing
Limiting access to your application to specific geographic regions. - Rate-limiting
Limiting requests from an IP to a pre-arranged number of requests per minute. - CAPTCHA
Injecting a CAPTCHA challenge into the page using either reCAPTCHA or hCAPTCHA. Unlike other solutions, the CAPTCHA shield will appear to end-users as native to your application, removing friction from user experience. - Credit Card Fraud Protection
Introducing another layer of protection by submitting card details to a preconfigured third-party credit card reputation assessment device. If a card is 'good', our solution adds a validation layer to the transaction, whereas if it's 'bad', the transaction is stopped in its tracks. Unlike other solutions, we handle the application logic associated with 'bad' cards and configure it to your preference. For example, we can use custom logic to escalate actions to stop the 'bad' transactions from going through to completion by emptying the shopping cart, forcing the user to log out, or suspending the account. We also log this data, so you can see these 'bad' transactions and analyze them.
Not only do web application shields improve your security, they minimize the impact on your (legitimate) customer experience, so they don't need to jump through hoops to do business with you.
As a result, you'll experience fewer incidents and failed transactions, contributing to greater customer confidence and reduced demand on customer services to manage fraud issues.
