GlobalPayments: Carding Fraud – are you at risk?

The COVID-19 pandemic has forced businesses to adapt to contact-free ways to take payments, including eCommerce solutions. At the same time, the payments industry has seen a dramatic increase in the number of attempted fraud attacks by opportunistic and often organised criminals – the risk is very real and can have serious financial implications for businesses that have not taken the necessary steps to protect themselves. An example of fraudulent attacks is called carding.

Carding isn’t just a way of physically stealing card details. Attacks can instead be generated by malicious software programmes. For example, a common approach would be to carry out a ‘BIN attack’ on a known card number:

  • All credit cards are identified by the six-digit BIN (Bank Identification Number) range at the start of the card number, which identifies the card type and the bank which issued the card
  • If a criminal has a known ‘valid’ card with an expiry date, they can use an algorithm to generate other, potentially valid card details by randomising the last digits of the number
  • Any card number generated is likely to carry the same expiry date as the valid card due to them being issued at roughly the same time
  • Card numbers generated in this way then need to be tested for validity
  • This process is known as carding. Fraudsters pick a target website with the least amount of security or validation steps to get to the payments page, and process transactions on this payment page for a small amount on the card
  • If the transaction authorises, then the fraudster will know this card number is valid and can be used elsewhere
  • This is often done at scale with very sophisticated software and algorithms, with sometimes hundreds of thousands of attempts in a very short period of time

We know that businesses who have no additional security checks in place are far more exposed to financial risks as a result of carding.

Global Payments processes millions of transactions every day for businesses all around the world – all with varying transaction volumes so what may seem like fraud to one business may not be to another. With this in mind, it’s solely the responsibility of businesses to make sure they have the necessary control measures in place to prevent fraudulent activity.

This means we’re unable to reverse carding transaction charges if businesses haven’t taken the appropriate measures to protect against carding, and given the scale and sophistication of these attacks, these charges can run into tens of thousands. We also need to point out that even if a transaction is declined this is still considered a transaction and will be chargeable.

What Can You Do To Reduce The Risk of Carding?

There are many ways you can protect your business from criminal carding activity. You should consider combining a number of the options below in order to build an effective barrier against these kinds of attacks.

  1. Use a Captcha on your Website – Having a good captcha on your website could also interrupt a fraudster’s carding attempts on your website. A captcha is a computer program, or system intended to distinguish real human beings from software impersonations.
  2. Require LoginCarding attacks are typically aimed at targets providing the simplest and most straightforward payment processes. Adding in simple steps, like the need to login, or create a new user account – before making a payment – can often be enough to dissuade would-be attackers. This can also be combined with rules that limit the number of payment attempts a single user can make, or how many new payment methods a user can add and together this can create effective barriers to carding.
  3. 3D Secure – Similarly to a captcha, 3D Secure can also disrupt a malicious software programme, by generating an extra authentication step in the authorisation process. Authenticated payments have the added bonus of providing you with a liability shift for fraud related chargebacks. While 3D Secure on it’s own can’t and doesn’t eliminate carding attacks entirely, it can reduce the incidence of fraud. Use of 3D Secure is also a requirement of Strong Customer Authentication and implementing it today will allow you to be ready and compliant for these new rules. To find out more about our 3D Secure solution click here.
  4. Fraud Management Products – Our Fraud Management products help identify suspicious transactions, by running a series of rules configured by you with our support, at the time a transaction is authorised. The rules will then automatically pass, hold or block transactions. We have a number of rules today which can be used to set limits on things like the number of new cards a single customer can use. We are also actively working to increase the range of rules available to tackle this type of fraud. Look out for details of these new rules in future communications.

Any Questions?

If you’re worried about any of this, email