Carding refers to the process of acquiring a credit card or bank account info, or some other personal information for own benefits or needs. This info is then either used to purchase goods online or the info is sold online for a desirable price. Such people who use these details for their own benefits are termed as ‘carders’.
Methods of Acquisition
There are quite a few ways to obtain personal information, some of which are mentioned below:
Some carders use what is called ‘distributed guessing attack’ which involves submitting numbers in huge amounts to a number of e-commerce websites at once in order to find a valid card number.
Carders may also use an electronic device called ‘skimmer’ that stores a huge number of card numbers at once.
It is also possible to obtain personal information using a fake payment website or injecting malware on a payment website in order to steal the details.
What comes after acquiring personal information?
After successfully acquiring personal information, a carder can do either of the following with the data for their profit:
Use the payment information to order goods or purchase services online for their own benefits
Purchase online balances or gift cards for other websites before the owner notices the data breach to secure as much amount as possible
Sell the data to willing buyers on the darknet in exchange for money or other means according to their needs
Some people act as resellers and buy bundles of personal information and put it on sale for those willing to buy it. It is funny that the widest use for carded personal information in the US is by teens to order pizzas for free.
Ways to prevent getting Carded
Using CAPTCHA :
The filling of a CAPTCHA requires manual input, thus forcing the attacker to enter the whole bundle of data manually, which is a tedious task and successfully makes the website considerably less prone to carding activities
Using Address Verification System (AVS) :
AVS is a system that is used in the USA, UK, and Canada that compares the billing address to the shipping address and sends the corresponding alphabet to the owner of the card. The alphabet sent to the owner is Y if both the billing and shipping info match completely, A if only address matches, Z if only zip code matches and N if nothing matches. Such a system alerts the owner easily through the means of a letter and prevents carding activities.
Velocity Checks:
Velocity under these topics refers to the number of transactions attempted in a certain time period, such as several payment attempts made by the same person in the last few minutes or seconds. It is certainly not usual for a person to make a number of transactions in a short period of time, especially if the time gaps are inhumanly short.
-Kevam Patel
CSE
ITM University
