Credit card cracking is one of the fastest-growing types of fraud globally and accounts for around 16 percent of e-commerce fraud.
Card cracking (also known as carding) happens when fraudsters look to exploit the systems of e-commerce businesses to gather credit card information. Fraudsters may have obtained partial card information beforehand, or they can be starting from scratch.
Confusingly, there is another definition for card cracking, which is where fraudsters lure in victims with the promise of money, get them to reveal their bank details, and steal from them.
This article deals with card cracking in e-commerce businesses, not with individuals.
What is card cracking?
Card cracking is when fraudsters test credit card details on e-commerce businesses. They are either checking that the details they have work, or trying different combinations of partial information in the hope of finding out what they don't already know.
Fraudsters usually purchase batches of credit card details from the dark web and test many of these credit cards quickly. Then, if they can't crack one card, they move on to another one.
For example, they may have a credit card number but not its expiration date. So it's a process of elimination, running through the possibilities until they guess the correct expiration.
Who uses card cracking?
The people behind card cracking are fraudsters. They're looking to obtain credit card information illegally, and they're willing to use it without permission.
There are two main reasons behind a carding hack:
- To purchase items with stolen credit card information
- To gather and validate complete credit card details to sell them to someone else
Card cracking usually involves attempting to make small purchases with the credit card details they have. If a transaction gets declined, fraudsters will try again with a different combination of information. This process is often automated so that fraudsters can check many combinations in a short time.
What are the steps involved in card cracking?
Fraudsters acquire stolen card information
Consumers save their credit card details across many services online, including their browsers. Auto-fill functions, in particular, make it easy for repeat customers who don't want to enter their credit card details each time they complete a purchase.
Fraudsters don’t have to be elite hackers to gain access to credit card details though. There are a range of ways a bad actor can obtain credit card information, including:
- Purchasing data on the dark web
- Stealing credit cards or wallets
- Getting information from a data leak
- Skimming credit cards from a physical terminal
As mentioned, the card information they gather can be complete or incomplete. If it's complete, the fraudster has already cracked the credit card and can skip the next few steps. However, if it's incomplete, it only takes the following two steps to figure out the rest of the information they need.
Forcing their way through the payment process
Once the fraudster has partial credit card information, they attempt to find the rest of the details. They do this by what's known as brute-forcing the data using automated card cracking programs or bots.
For example, they can brute-force CVV numbers of a credit card by setting up a bot to rapidly test all possible three-digit number combinations until they get the right one. They may need to do this for the expiry date or credit card number if they don't have those complete details.
Going through this process manually would be exhausting and time-consuming, but using technology does it in a fraction of the time.
Include card owner details
If the fraudster can complete the cardholder data, they then have access to complete sets of credentials that enable them to use stolen credit cards at will.
These card owner details generally come with the credit card information they purchased, as it's difficult to verify details such as the cardholder's name. This is certainly something that automated testing bots can do: a bot repeatedly tries different combinations of potential details until the transaction is successfully completed.
Once they have those details, they generally look to use the card to steal as much money as possible. They know the victim could realize what's happened very soon, so they look to capitalize on their card cracking efforts.
4 ways to protect against card cracking
Include AVS and CVV tracking in the payment process
AVS and CVV confirmation are two steps that address two critical elements of card cracking fraud: a delivery address that does not match the billing address, and a failure to verify that the physical card is present with the purchaser.
AVS stands for Address Verification System and allows you to check that the billing address of the purchase matches the address on file from the credit card issuer. If the two do not match, it is recommended to decline the purchase.
CVV is short for Card Verification Value and is the three-digit code on the back of the credit card. If the fraudster doesn't have the physical card and they don't have bots to conduct rapid testing of possible combinations, they're not likely to be able to complete this step.
Monitor small transactions from unlikely locations
It's unrealistic to monitor all small transactions and suspect each one of fraud. However, the fraudsters who often engage in cracking cards tend to be in countries you may not regularly receive purchases from. This may include countries in Africa, Eastern Europe, or South East Asia, but it ultimately depends on your business and if you market globally.
You can certainly be open to selling to customers in other countries, but at the very least, it warrants putting in a little bit of extra effort to make sure that it's a legitimate transaction.
Build a blocklist to stop regular fraudsters
Fraudsters are hard to catch. Unfortunately, that means stopping one fraudulent transaction won't keep the people behind it from trying again, even on the same day.
The best way to protect your business from a known scam is to identify the locations or even individuals behind it and block them.
For example, you can build a profile of fraudulent characteristics and block users who match these profiles. In addition, you can identify locations with a high tendency for fraud attempts and even specific IP addresses that have attempted card cracking before.
Rather than risk someone succeeding with another attempt at fraud, this is a safe way of protecting your business from known criminals.
Use fraud prevention tools
- Fraud prevention at payment processing (e.g. Stripe Radar)
- Device identification (FingerprintJS Pro) - you can block returning fraudulent visitorIDs as well as monitor ID velocity to find bots (if someone attempts purchases multiple times in a short window)
- Bot Detection (BotD) - bots should never be able to make purchases! Use our open source library to identify them when they attempt to test CCs and block the purchase.
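
The velocity monitoring and blocklisting described above, as an added Python example (not FingerprintJS, BotD or Stripe code): it counts CVV/expiry declines per card and distinct cards per visitor ID in a sliding window. The thresholds, decline-reason strings and token names are assumptions, the attempts are constructed sample data, and timestamps are assumed to arrive in order.

```python
from collections import defaultdict, deque

WINDOW = 60       # sliding window in seconds (assumed tuning value)
MAX_GUESSES = 5   # CVV/expiry declines tolerated per card per window (assumed)
MAX_CARDS = 3     # distinct cards tolerated per visitor ID per window (assumed)
GUESS_REASONS = {"cvv_mismatch", "expiry_mismatch"}  # hypothetical decline codes

class CrackingDetector:
    def __init__(self):
        self.card_declines = defaultdict(deque)  # card token -> decline timestamps
        self.visitor_cards = defaultdict(deque)  # visitor ID -> (timestamp, card token)
        self.blocked_visitors, self.held_cards = set(), set()

    def precheck(self, visitor, card):  # before authorization; True = refuse
        return visitor in self.blocked_visitors or card in self.held_cards

    def record(self, ts, visitor, card, approved, reason=None):
        """Call with the processor's answer; returns the signals that fired."""
        signals, seen = [], self.visitor_cards[visitor]
        seen.append((ts, card))
        while ts - seen[0][0] > WINDOW:
            seen.popleft()
        if len({c for _, c in seen}) > MAX_CARDS:
            signals.append("card_testing")      # one device cycling through cards
            self.blocked_visitors.add(visitor)
        if not approved and reason in GUESS_REASONS:
            declines = self.card_declines[card]
            declines.append(ts)
            while ts - declines[0] > WINDOW:
                declines.popleft()
            if len(declines) > MAX_GUESSES:
                signals.append("detail_guessing")  # CVV/expiry enumeration
                self.held_cards.add(card)          # survives visitor-ID rotation
                self.blocked_visitors.add(visitor)
        return signals

def replay(attempts):
    """Run (ts, visitor, card, approved, reason) tuples; one verdict per attempt."""
    det, verdicts = CrackingDetector(), []
    for ts, visitor, card, approved, reason in attempts:
        if det.precheck(visitor, card):
            verdicts.append("blocked")
        else:
            verdicts.append(",".join(det.record(ts, visitor, card, approved, reason)) or "ok")
    return verdicts

# Constructed sample (tokens only, no raw card data): a shopper's typo, then repeated
# CVV declines on one card arriving under two alternating visitor IDs.
SAMPLE = [(0, "v-human", "tok_A", False, "cvv_mismatch"), (20, "v-human", "tok_A", True, None)]
SAMPLE += [(100 + i, f"v-bot{i % 2}", "tok_B", False, "cvv_mismatch") for i in range(8)]
```

Holding the card token as well as the visitor ID is what keeps the guessing run blocked when the visitor ID changes between attempts; a held card should go to manual review rather than be declined permanently.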
You can minimize card cracking and more types of payment fraud by utilizing FingerprintJS’ 99.5% accurate device fingerprinting. Learn more about how we can identify & help prevent costly payment fraud.
Now that you know how card cracking works, how it damages businesses, and how to prevent it, you can do something about it. However, it's not enough to know - the only way you'll prevent your business from being a victim is actually to implement what you know.