Carding: What is it and how can you avoid it?
Carding is a type of fraud in which a thief steals credit card numbers, makes sure they work, and then uses them to buy prepaid gift cards. The fraudster may sell the prepaid cards or use them to purchase other goods which, in turn, can be resold for cash.
This information stolen includes data such as cardholder names, credit card numbers, expiration dates, CVV numbers (three-digit security code on the back of the card), and zip codes. Card numbers can be stolen through various techniques including electronic skimming (e-skimming), physical skimming, or malware attacks. Once card numbers are stolen, the data is distributed (usually for a price) online. These data dumps, many times known as FULLZ, can contain thousands or millions of card numbers to either be sold in bulk or individually.
Inside a Carding Forum
A carding forum or carding website is an illegal site used to share stolen credit card data, and discuss techniques for obtaining credit card data, validating it and using it for criminal activity.
These forums are used by individuals who want to use stolen card information to illicitly purchase goods, or by criminal groups who seek to purchase credit card details in bulk to sell them on the dark web.
Carding forums are often hidden using TOR routing, and payments made for stolen credit card data are performed using cryptocurrency to avoid tracking by the authorities. Forum users typically hide their identities.
Forums are a source of credit card data for carding, and can also be used to share the results of carding – for example to sell success credit cards to other criminals.
How a Carding Attack Works
A carding attack typically follows these steps:
- An attacker obtains a list of stolen credit card numbers, either from a criminal marketplace or by compromising a website or payment channel. Their quality is often unknown.
- The attacker deploys a bot to perform small purchases on multiple payment sites. Each attempt tests a card number against a merchant’s payment processes to identify valid card details.
- Credit card validation is attempted thousands of times until it yields validated credit card details.
- Successful card numbers are organized into a separate list and used for other criminal activity, or sold to organized crime rings.
- Carding fraud often goes undetected by the cardholder until it is too late when their funds are spent or transferred without their consent.
How can you avoid carding?
Here are some tips on how you can avoid this type of cybercrime.
- Use anti-spyware and malware-blocker software: Fraudsters who want to steal your credit card number through malware have to trick you into downloading infected software first. For instance, they may offer free game downloads that contain spyware, viruses, and other unwanted programs. Using anti-spyware and malware-blocker programs help keep your devices safe by identifying infected software programs and removing them.
- Promptly run software updates: Software updates generally improve the performance and security of your device. You can either set automatic security updates on your devices or accept your operating system’s software updates as they come up. It’s also a good idea to download software only from well-known, trusted sources.
- Know the signs of a phishing attempt: When you get a message from an unknown source, don’t click on links, download attachments, or respond to those messages. If it’s a scammer, they’re trying to get you to download malware or get you to share personal information, such as your credit card details. If you’re worried about an account, contact the company through its official website or by phone.
- Sign up for credit card notifications: Most credit card issuers offer customized alerts that can help you flag fraudulent charges. For instance, you may be able to get a text message each time your card has been used, a foreign transaction is made, or your balance has crossed a certain threshold. You may be able to catch a fraudulent charge as soon as the carder tries to test your credit card number. After reporting the fraud to your card issuer, it will cancel the transaction and give you a new card with a new account number.