Credit card cracking, one of the fastest-growing types of fraud globally, accounts for approximately 16 percent of e-commerce fraud.

Card cracking, also known as carding, occurs when fraudsters exploit e-commerce systems to obtain credit card information. They may already have partial card information or they may be starting from zero.

Interestingly, there is another type of card cracking, where fraudsters trick victims with the promise of money, coax them into revealing their bank details, and then steal from them.

This article focuses on card cracking in the context of e-commerce businesses, not individuals.

What is credit card cracking?

Credit card cracking is a fraudulent activity where culprits test credit card details on e-commerce platforms. Typically, they either validate the already procured details or attempt various combinations of partial information to uncover the rest.

These fraudsters often buy batches of credit card details from the dark web and rapidly test them. If they fail to crack a card, they simply move on to the next.

For instance, they might possess a credit card number but lack its expiration date. Hence, it becomes a process of elimination as they run through potential dates until they correctly guess the expiration.

Why does card cracking happen?

Those involved in card cracking are fraudsters seeking to illicitly acquire credit card information and use it without authorization.

There are two primary motives for a carding hack:

• To buy items using stolen credit card data
• To collect and verify full credit card details for resale

Typically, card cracking involves making small purchases using the obtained credit card details. If a transaction is denied, the fraudsters will attempt a different combination of information. This process is usually automated, allowing them to test numerous combinations quickly.

How are credit cards cracked?

1. Fraudsters acquire stolen card information.

Consumers often save their credit card details on various online services, including browsers. Auto-fill functions make it convenient for repeat customers, eliminating the need to input their credit card details for each purchase.

However, fraudsters don't need advanced hacking skills to access these details. They can acquire credit card information through various methods, such as:

• Buying data from the dark web
• Stealing credit cards or wallets
• Gaining access to information from data leaks
• Skimming credit cards from physical terminals

The card information obtained might be complete or incomplete. If it's complete and accurate, the fraudster can already use the credit card and bypass the next few steps. Otherwise, they only need to complete two more steps to gather the remaining necessary information.

2. Using bots to brute-force the payment process.

Once fraudsters acquire partial credit card information, they attempt to obtain the remaining details. They typically do this through a method known as brute-forcing, using automated card-cracking programs or bots.

For instance, they can brute-force the CVV numbers of a credit card. They set up a bot to quickly test all possible three-digit combinations until finding the correct one. This method could also be used to determine the expiry date or credit card number if these details are still needed.

While manually performing this process would be exhaustive and time-consuming, using technology significantly reduces the time required.

3. Capture complete card owner details.

If fraudsters obtain complete cardholder data, they gain access to the credentials needed to use stolen credit cards freely.

This cardholder information generally accompanies the credit card data they acquire. Verifying details like the cardholder's name requires more effort, but it's a task that automated testing bots can handle. For instance, a bot may attempt various combinations of potential information until a transaction is successful.

Once they secure these details, fraudsters use the card to steal as much money as they can. They are aware that the victim may soon discover the theft, so they aim to maximize their gains from the card-cracking operation.

4 ways to protect against credit card cracking

Include AVS and CVV tracking in the payment process

AVS and CVV confirmation are two measures used to combat critical elements of card cracking fraud: the mismatch between the delivery and billing addresses, and the absence of physical card verification.

• AVS, or Address Verification System, allows you to confirm if the billing address provided during the purchase matches the one registered with the credit card issuer. If there's a mismatch, you might want to decline the transaction.
• CVV, standing for Credit Verification Value, is the three-digit code found on the back of the credit card. If the fraudster lacks the physical card and doesn't have bots for rapid testing of possible combinations, they'll likely fail to complete this step.

Monitor small transactions from unlikely locations

Monitoring all small transactions for fraud is impractical. Often, fraudsters involved in card cracking operation are based in countries from where you may not frequently receive purchases, like African, Eastern European, or Southeast Asian nations. However, this largely depends on your business and its global reach.

While you can certainly be open to selling to customers in other countries, it's worth investing extra effort to verify the legitimacy of the transactions.

Build a blocklist to stop regular fraudsters

Fraudsters can be elusive. This unfortunate reality means that halting a fraudulent transaction doesn't guarantee that the culprits won't make another attempt, even within the same day. The most effective way to safeguard your business from a known scam is to pinpoint the locations or individuals involved and block them.

For instance, you can formulate a profile based on fraudulent traits and block users who fit these profiles. You can also identify locations prone to fraud attempts and specific IP addresses previously involved in card cracking.

Furthermore, device intelligence platforms like Fingerprint provide IP blocklist matching. This feature is part of their comprehensive system designed to help businesses swiftly identify and prevent repeated fraudulent attempts.

Rather than risk someone succeeding with another attempt at fraud, this is a safe way of protecting your business from known criminals.

Use fraud prevention tools

• Implement fraud prevention during payment processing, for instance, with Stripe Radar.
• Use device identification (Fingerprint Pro). This allows you to block returning fraudulent visitor IDs and monitor ID velocity to identify bots, especially when multiple purchase attempts are made in a brief period.
• Utilize Bot Detection. Bots should never be allowed to make purchases. Use our Smart Signals to identify them when they attempt to test credit cards and block the purchase.

By utilizing Fingerprint's highly accurate device fingerprinting, you can significantly reduce card cracking and payment fraud. Learn more about how we can identify and help prevent costly payment fraud.

Conclusion

Card cracking, being a prevalent issue, can potentially cause substantial financial damage to businesses. Therefore, understanding its operations, its impact, and how to prevent it, is crucial for any business. However, it's important to remember that knowledge alone isn't sufficient. Protection from card cracking doesn't only lie in understanding the threat but more significantly, in implementing this knowledge.

• Learn more about Fingerprint for eCommerce and Fintech
• See our payment fraud protection in action in this tutorial