How to Prevent Carding Attacks?

According to The Nilson Report, the total global card loss will exceed $35 billion by the end of the year. As the number of cardholders increases, so does the amount lost to fraudulent transactions. In 2019, for every $100 sale, almost $7 was lost to fraud. The losses stemmed from different kinds of card fraud, including counterfeiting, Card-Not-Present (CNP) transactions, and lost or stolen cards.

Like many cyber frauds, card fraud can be avoided with the help of IP Geolocation. Here we discuss how in more detail.

What is Carding?

Carding is a term describing the illicit use of payment cards, regardless of type—credit or debit—by unauthorized users or carders to buy a product or pay for a service. Carders obtain payment card information in various manners: either by stealing credit card credentials from the users themselves or by buying so-called fullz files on the Dark Web.

Fullz is the hacker term for a package containing the full set of Personally Identifiable Information (PII) that cyber thieves can use to commit fraud. Carding may require the stolen cardholder's name, birthdate, complete address, social security number, account number, Card Verification Value (CVV), and other data. A fullz file typically sold for $4-10 in 2019 on the Dark Web.

How Do Cybercriminals Perform Carding?

Hackers use various tactics and tools to steal victims' payment card credentials. Here are four of the most common carding strategies:

1. Carding Forums and Underground Markets

As highlighted earlier, the Dark Web contains many carding forums and underground markets. These are illegal websites where cybercriminals buy and sell fullz files, exploits, and malware. Bad guys also share ways to steal financial details. Carders can also test stolen card information on these sites.

2. Malware Attacks

Spyware designed to record keystrokes and steal usernames and passwords saved in browsers helps carders to obtain the information they need to commit card fraud.

3. Phishing Campaigns

Carders typically send victims phishing emails supposedly from their credit card issuers to trick them into sharing their personal and payment card information. Nowadays, cyber thieves also use other phishing mediums, including phone calls (via the so-called vishing), text messages (smishing), social media direct messages, and even postal mail.

4. Skimming Attacks

Card skimmers are small, hard-to-spot devices that thieves install on legitimate payment card readers or Point-of-Sale (PoS) systems. When cardholders slide their cards on compromised PoS devices, the card skimmer reads and sends their card information to the criminals.

How to Protect My Organization and Customers from Carding

Apart from educating end-users or customers on carding and its dangers, online shops can do more for fraud protection. Integrating an IP geolocation API into payment gateways can reduce instances of fraud. IP geolocation integration helps by:

1. Matching a User's Current Location to His/Her Billing Address

Research reveals that Card-Not-Present (CNP) fraud is more likely to occur than Point-of-Sale (PoS) fraud. Most carders also prefer to buy products or pay for services with stolen payment cards online rather than in person. That reduces their chances of getting caught red-handed.

But there is a way to spot CNP fraud as it happens with the help of IP geolocation. Remember that any person's physical or billing address should roughly match the location of his/her IP address. Any online shop owner or administrator can catch a fraudster by checking if his/her IP geolocation during the transaction matches the registered shopper's records.

For example, imagine that a supposed regular U.S.-based Amazon shopper buys a laptop with his/her credit card. While he/she gave the right credentials, the shop owner or administrator can still do an additional check to ensure the transaction is legitimate. If the shopper lives in Texas and your network logs reveal his/her usual IP address as 104.54.218.122 but the current transaction is coming from 93.31.211.2, the shop owner or administrator should flag it as suspicious. Indeed, our IP Geolocation API query for 93.31.211.2 reveals the user is from Île-de-France in France:

{
  "connection" : {
    "asn" : 15557,
    "domain" : "sfr.net",
    "organization" : "SFR SA",
    "route" : "93.0.0.0/11",
    "type" : "isp"
  },
  "location" : {
    "country" : {
      "code" : "FR",
      "name" : "France"
    },
    "region" : {
      "code" : "FR-IDF",
      "name" : "Île-de-France"
    },
    "city" : "Drancy",
    "postal" : "93700",
    "latitude" : 48.9247,
    "longitude" : 2.44485
  },
  "time_zone" : {
    "id" : "Europe/Paris",
    "abbreviation" : "CET",
    "current_time" : "2020-08-05T10:07:28+02:00",
    "name" : "Central European Standard Time",
    "offset" : 7200,
    "in_daylight_saving" : true
  }
}

With the help of IP geolocation, business owners can stop a potentially fraudulent transaction as it happens. Unless the cardholder is currently traveling to France, which can be confirmed via a text message or a phone call, the shopper pretending to be legit won't be able to charge an unauthorized payment with a stolen card.

2. Keeping a Closer Eye on Card Transactions Made from High-Risk Locales

A study revealed that card fraud is particularly prevalent in Brazil, followed by Mexico and Russia. These nations were identified in 2016 based on chargeback computation rates. Brazil, which topped the list, had a chargeback rate of 3.6%, which meant that around four out of every 100 transactions made from the country are fraudulent.

Given a list of high-risk countries, online businesses can make it a point to pay closer attention to card users from the identified countries. We know that we can locate every user's country via his/her IP address. E-commerce owners and administrators can, for instance, require card users in high-risk locales to use Multi-Factor Authentication (MFA).

Given that, a Brazil-based IP address such as 152.232.0.2 should, at the very least, trigger an alert for further authentication on the part of an online shop that implements IP geolocation-based security. The shop owner or administrator can ask the cardholder to provide additional proof of identification or authentication to prevent fraud:

{
  "connection" : {
    "asn" : 7738,
    "domain" : "oi.com.br",
    "organization" : "Telemar Norte Leste S.A.",
    "route" : "152.232.0.0/18",
    "type" : "isp"
  },
  "location" : {
    "country" : {
      "code" : "BR",
      "name" : "Brazil"
    },
    "region" : {
      "code" : "BR-SP",
      "name" : "São Paulo"
    },
    "city" : "São Paulo",
    "postal" : "01000",
    "latitude" : -23.63005,
    "longitude" : -46.63215
  },
  "time_zone" : {
    "id" : "America/Sao_Paulo",
    "abbreviation" : "BRT",
    "current_time" : "2020-08-05T05:12:07-03:00",
    "name" : "Brasilia Standard Time",
    "offset" : -10800,
    "in_daylight_saving" : false
  }
}

3. Watching Out for Known Card Fraud Indicators of Compromise (IoCs)

It is a common practice for organizations to publicize the IoCs of attacks in the news, blog posts, and even databases. Sharing this information allows businesses and individuals alike to steer clear of threats that can put them at risk of financial and data theft.

At Ipregistry, we also return threat information when you request details about IP addresses. This information can help businesses, including online shop owners, to block all potential threat sources from gaining access to their networks.

Let's illustrate this with the IP address 218.92.0.171. It has been reported for malicious activity 34740 times on AbuseIPDB. The confidence of abuse is very high. Note how the details from the Ipregistry Geolocation and Threat API match those given on the AbuseIPDB page for the IP address (field security.is_threat):

{
  "connection" : {
    "asn" : 4134,
    "domain" : null,
    "organization" : null,
    "route" : "218.92.0.0/16",
    "type" : "business"
  },
  "location" : {
    "country" : {
      "code" : "CN",
      "name" : "China"
    },
    "region" : {
      "code" : "CN-JS",
      "name" : "Jiangsu Sheng"
    },
    "city" : "Xinpu",
    "postal" : null,
    "latitude" : 34.59979,
    "longitude" : 119.15943
  },
  "security" : {
    "is_bogon" : false,
    "is_cloud_provider" : false,
    "is_tor" : false,
    "is_tor_exit" : false,
    "is_proxy" : false,
    "is_anonymous" : false,
    "is_abuser" : false,
    "is_attacker" : true,
    "is_threat" : true
  }
}

Using this information, e-commerce solutions can allow an IP geolocation-enhanced payment gateway to block any suspicious transactions.
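The three checks above can be combined into one decision function, shown here as an added example that is not Ipregistry's own code. The action names and the HIGH_RISK_COUNTRIES set are assumptions for illustration, and the sample responses are the article's three lookups cut down to the fields the function reads.

```python
import json

# Assumptions for illustration: the action names, and the country set, taken
# from the three countries named in the 2016 chargeback study cited above.
HIGH_RISK_COUNTRIES = {"BR", "MX", "RU"}
THREAT_FLAGS = ("is_threat", "is_attacker", "is_abuser")
ANONYMIZER_FLAGS = ("is_tor", "is_tor_exit", "is_proxy", "is_anonymous")


def assess_transaction(lookup, billing_country):
    """Return (action, reasons) for one card-not-present payment.

    lookup is a parsed response shaped like the samples above;
    billing_country is the ISO code on the cardholder's record.
    """
    security = lookup.get("security") or {}
    country = ((lookup.get("location") or {}).get("country") or {}).get("code")

    # Check 3: a source already reported as malicious is refused outright.
    flagged = [f for f in THREAT_FLAGS if security.get(f)]
    if flagged:
        return "block", ["threat flags: " + ", ".join(flagged)]

    reasons = []
    if country is None:
        # No usable location: never treat a failed lookup as a match.
        reasons.append("country missing from lookup")
    elif country != billing_country:
        # Check 1: IP country differs from the billing address.
        reasons.append(f"IP country {country} != billing {billing_country}")
    if country in HIGH_RISK_COUNTRIES:
        # Check 2: high-risk locale, ask for MFA.
        reasons.append(f"{country} is on the high-risk list")
    if any(security.get(f) for f in ANONYMIZER_FLAGS):
        # Proxy or Tor traffic hides the real location, so do not trust it.
        reasons.append("anonymizing network, location unreliable")
    return ("step_up" if reasons else "allow"), reasons


# Constructed samples: the article's three responses cut down to the fields used.
SAMPLES = {
    "93.31.211.2": json.loads('{"location": {"country": {"code": "FR"}}}'),
    "152.232.0.2": json.loads('{"location": {"country": {"code": "BR"}}}'),
    "218.92.0.171": json.loads('{"location": {"country": {"code": "CN"}},'
                               ' "security": {"is_attacker": true, "is_threat": true}}'),
}

if __name__ == "__main__":
    for ip, lookup in SAMPLES.items():
        print(ip, assess_transaction(lookup, billing_country="US"))
```

A "step_up" result corresponds to the text message, phone call or MFA confirmation described above, so a traveling cardholder is challenged rather than refused.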

Carding significantly compromises not only cardholders but also online shop owners. E-commerce businesses stand to lose not only their customers' trust but also profits that otherwise go to chargeback payments and, in cases where litigation occurs, settlements. Digital entrepreneurs won't have to suffer if they add an IP geolocation solution to their payment gateway security stack.