The rapid growth of the eCommerce industry has introduced new security threats, with credit card information stealing and carding attacks being among the most damaging to both online businesses and their customers.
Studies have shown that by 2024 online payment fraud will cost eCommerce businesses over $25 billion in losses annually. It’s clear that the old approaches to cyber security are no longer effective, and you can not rely on outdated technology to protect your eCommerce business.
In this guide, iThemes is taking a deep dive into carding attacks, explaining why bot-driven payment fraud is on the rise and what you can do today to reduce its impact on your online store. You will also learn how to check whether your eCommerce store is free of any malicious code stealing your customers’ card details and how to keep your customers’ shopping experience secure.
Why is Ecommerce a Prime Target for Hackers?
Ecommerce has always been a prime target for cyber attacks due to a large amount of sensitive information each online store needs to collect and process. This includes customers’ personal information, credit and debit card details, and any other critical data required for purchasing goods and services online.
The need to store sensitive information requires business owners to employ a wide range of security measures to offer a secure shipping experience. However, it’s becoming increasingly difficult to withstand the ever-evolving bot-driven cyber attacks that often span across thousands of websites.
From small online stores to large international marketplaces, all businesses have to suffer the consequences of data breaches. And as hackers simply do not choose what website to break into, the importance of cyber security can not be overstated, especially when it comes to eCommerce.
Online Payment Fraud: From Stealing Card Information to Carding Attacks
Of all cyber security threats, payment fraud is especially prevalent in the eCommerce industry. Totally disrupting a safe shopping experience, stealing credit card details inflicts extensive damage on both the buyer and the seller, resulting in financial loss and reputational damage.
Online payment fraud can be defined as the type of criminal activity that involves stealing critical payment information with the purpose of selling it on the black market or making unauthorized transactions.
Most of the time, after credit card details are exposed as a result of a data breach, this information is sold on the so-called deep web. This helps the cyber criminal avoid being tracked down while still making a profit off the illegal activity.
As the validity of the stolen credit card information has to be determined before attempting any larger transactions, criminals then perform what’s known as carding attacks.
How Do Hackers Steal Credit Card Information
Credit or debit card details can be exposed to a criminal at any stage of payment processing. This includes stealing payment information from a store’s checkout page or obtaining it by impersonating a trusted service using a phishing page.
What makes online payment fraud so successful is the wide range of malicious activities facilitating data breaches. The right combination of social engineering and system vulnerabilities exploited is the key to getting unauthorized access to critical payment information.
What is a Carding Attack?
To verify the stolen payment information, criminals employ automated card testing, also known as carding attacks or credit card stuffing. This is the next step a criminal would take after stealing credit or debit card details or purchasing them from a specialized carding forum.
A carding attack is an automated, or bot-driven, cyber attack performed with the purpose of validation of stolen credit card information. Carding attacks are carried out against payment processing systems used by online stores.
It is important to note that eCommerce websites targeted by carding attacks are chosen at random, and are not necessarily used to steal payment information from. This highlights the fact that online payment fraud in general, and carding attacks in particular, inflict damage on all key eCommerce players, including merchants, buyers, and payment processing systems.
How Do Carding Attacks Work?
Carding attacks are highly automated. A criminal deploys a bot, or a network of bots also known as a botnet. The network of bots will perform numerous parallel attempts to validate stolen payment information and obtain any missing details, such as CVV codes or expiration dates.
This can take place in one of two main forms:
- Authorizations. Card authorizations help the criminal verify the card details without being discovered. Authorizations won’t show up on cardholder statements, thus making it less likely for the rightful card owner to notice and report the fraudulent activity.
- Transactions. Attackers can also make small payments in order to validate the stolen credentials. That is why businesses that facilitate small-value purchases make the perfect victims of this type of carding attack.
As credit card information is often stolen in bulk, it may take thousands of validation attempts to identify valid payment information. Carding attacks are highly distributed, with bots targeting a large number of eCommerce websites at once.
Bots help simplify and speed up the process and avoid being detected by the targeted websites’ security solutions, including web application firewalls and fraud detection systems. Having a whole network of compromised computers helps rapidly change the origin IP address to bypass the existing firewall rules.
Top 3 Negative Consequences of Carding Attacks for Your Ecommerce Business
Payment fraud and carding attacks are an unavoidable part of digital commerce that negatively impacts the industry and the whole payment ecosystem. While it seems like stealing credit card details takes its toll on the buyers, merchants and payment processors suffer from financial loss and extensive reputational damage.
According to recent studies, eCommerce businesses lose an extra $4 per each $1 of fraudulent transactions, and this number is expected to rise in the coming years. Carding has many negative impacts, which accumulate over time if no substantial security measures are not implemented in a timely manner.
The most damaging consequences include:
- Reputational damage. High decline rates caused by carding attacks inflicts serious damage on the reputation of your business with your customers and payment processors. Low reputation makes all transactions appear riskier and results in an increased decline rate for legitimate payments.
- Financial loss. When the cardholder notices and reports the fraudulent transactions, chargebacks are the primary tool used to resolve payment disputes. As a consequence of payment fraud, chargebacks pose a major threat to revenue and business sustainability. Card testing can also often result in additional processing fees and product loss.
- Infrastructure strain. Card testing leads to an increased number of web requests that can overburden your server infrastructure and disrupt legitimate activity.
Payment fraud inevitably leads to revenue loss and disrupts the normal functioning of the eCommerce industry, which is why dealing with it has turned into a collaborative effort of merchants and payment processing systems.
How to Detect a Carding Attack?
Detecting a carding attack is possible by using a combination of server-side monitoring and specialized metrics tracking, such as failed payment authorization rates.
As with any other kind of a bot-driven cyber attack, you will see an unexpectedly large number of requests from certain IP addresses that will give out the automated nature of the attack. You may notice your website responding slower than usual and see that the server hosting it is under elevated load, with your web server queueing HTTP requests.
Purchase and Payment Processing Indicators
During a carding attack and even after it has been mitigated, you may see the following signs that your online store is suffering from card testing:
- A significant increase in the number of failed payment authorizations.
- Increased chargebacks.
- High shopping cart abandonment rates.
- Lower than average shopping cart sizes.
- A large number of failed payment attempts from the same IP address, IP range, or user account.
Mitigate a Carding Attack in 3 Steps
Successful carding attack mitigation includes three main steps: malicious bot traffic identification, implementation of more aggressive firewall rules and rate limiting, and blocking any residual fraudulent web requests. The mitigation process involves timely response to incidents reported by monitoring systems and hardening the website’s security to shield your store from any malicious activity.
Step 1. Identify Malicious Bot Traffic
If you suspect that a carding attack is actively targeting your business at a certain point, analyze the traffic coming to your website. It may be best to seek your hosting provider’s assistance in that matter. A system administrator can quickly identify fraudulent activity by conducting an analysis of the log files your web server keeps.
If you are using a content delivery network with a built-in web application firewall (for example, Cloudflare WAF), it will also keep logs that will help you identify malicious bot traffic coming to your website. The main goal here is to find certain patterns – where the attack is coming from and what IP ranges are involved.
Step 2. Enforce More Aggressive Firewall Rules and Rate Limiting
To successfully mitigate an ongoing carding attack, harden the system’s overall security. It can include putting more strict firewall rules in place and rate limiting, which would result in quicker response to any abnormal activity.
Using Cloudflare to Mitigate a Carding Attack
Cloudflare also allows you to block web requests based on IP reputation scores, which are collected from Project Honey Pot. Set the Security Level to High from the Security > Settings page of your Cloudflare dashboard to block all requests with a Threat Score higher than 0.
It is important to note that aggressive firewall rules and rate limiting will also almost inevitably lead to blocking legitimate web traffic. That is why these measures should only be used when your online store is under an attack and be disabled shortly after a successful mitigation.
Step 3. Block Malicious Bot Traffic Manually
A great combination of manual mitigation and using automated tools yields great results in dealing with malicious bot traffic. With all the benefits, fraud detection systems are not ideal, and human input may be highly beneficial.
After the initial traffic analysis, you should identify the IP addresses or IP ranges the attack is carried out from. Check their location and abuse, or reputation, score, to block the malicious bots.
If you have already enabled additional security measures offered by your CDN, the majority of malicious traffic will be filtered out before it can hit the origin server that hosts your website. So monitoring the incoming web traffic on the server will help you make sure no malicious requests are coming through.
Three Main Aspects Of Keeping Your Ecommerce Website Secure From Carding Attacks and Payment Fraud
ECommerce security is multidimensional and should be approached as a system. Rather than finding specific solutions to secure your online store from a certain kind of an attack, you need to ensure adequate protection against the driving force behind most modern cyber attacks – malicious bots and botnets.
You need to put a system in place that would successfully identify malicious actors and prevent any kind of fraudulent activity from happening in the first place. This way, keeping your eCommerce business secure from payment fraud and carding attacks involves three main aspects:
- Adequate application layer security.
- Advanced web traffic analysis and bot management.
- Order and payment restrictions.
Application Layer Security
Each eCommerce website needs to implement robust application layer security solutions that will filter out any suspicious web traffic before it can make it to your online store. Ideally, this should include a combination of cloud-based and host-based web application firewalls.
Managed rulesets and custom rules will analyze each HTTP request coming to your website, including the source IP address, its location, user agent, and a number of other aspects and compare it to the list of rules configured. Any suspicious web traffic will immediately be blocked, not giving malicious bots any chance.
You can install and deploy a number of managed rulesets provided by security vendors and create your own rules, more curated to your eCommerce business. The main goal is to present a strong first line of defense.
Protect your WooCommerce Store with iThemes Security Pro and BackupBuddy
As a robust application-layer security solution for WordPress, iThemes Security Pro has been providing top notch security experience for WooCommerce stores for years. With more than 50 ways of protecting the critical areas of your website, iThemes Security Pro can significantly reduce the attack surface and battle malicious bot traffic.
Combining the power of iThemes Security Pro with BackupBuddy, an award winning WordPress plugin for data protection and recovery, allows you to keep your customers’ information regularly backed up and security stored at a remote location. One-click restorations and flexible backup schedules ensure your store is always there for your customers.
Advanced Web Traffic Analysis and Bot Management
Most malicious bot traffic can be quickly and effectively identified and blocked by web application firewalls based on the IP location, reputation score, and a number of other factors. However, hackers are constantly improving bot-driven attacks, creating bots that can successfully impersonate legitimate customers.
This is why you need advanced web traffic analysis and bot management systems that will tell bots and humans apart. Traditional CAPTCHAs were the first step to challenging bot traffic, but are now gradually becoming a thing of the past.
Since then, companies have come up with innovative solutions that promise to have little to no impact on the user experience, while still providing robust protection against malicious bots. Bot management and fraud detection systems analyze user behavior and track any anomalies in web traffic.
One of the advanced solutions you can implement today is Cloudflare Turnstile, even without using Cloudflare CDN on your eCommerce website. The system will run a number of non-interactive challenges that will gather information about the visitor’s environment and behavior.
Bot management systems will gather signals and compare the visitor’s behavior to what is usually shown by legitimate eCommerce customers. This will help block malicious actors that were able to bypass the initial checks – web application firewall rules.
Order and Payment Restrictions
Another aspect of protection against payment fraud and carding attacks includes the implementation of specific purchase and payment policies that will put restrictions on purchasers’ behavior, for example:
- Increasing the minimum order size.
- Requiring registration for making a purchase.
- Limiting the number of user accounts created from a single IP address.
- Limiting the number of credit/debit cards that can be added by a user or used to make a purchase.
- Limiting the number of failed payment authorizations by an IP or user account during a certain period.
This also includes completely outsourcing all aspects of payments to processors equipped to address carding attacks. One of the most popular payment processors – Stripe – employs advanced fraud detection to prevent fraudulent payments.
Payment processors also implement Address Verification (AVS). AVS performs checks to determine whether the provided address matches the billing address on file with the card issuer.
Other Ways to Protect your Ecommerce Website and Provide a Secure Shopping Experience
Keeping your eCommerce website protected from various security threats helps too offer a more convenient and safe shopping experience. This includes a wide variety of measures, and we are listing one of the most important of them below.
- Choose PCI-compliant hosting. All businesses that accept, process, store, or transmit credit card information must maintain a secure environment by subjecting to a set of strict security standards, known by PCI DSS. PCI-compliant hosting helps merchants comply with the Payment Card Industry Data Security Standard. Liquid Web and Nexcess offer PCI-compliant hosting infrastructure optimized for WooCommerce.
- Configure automatic SSL/TLS certificate renewal. Make sure all traffic exchanged between your store and customers is encrypted, which is especially important for eCommerce. To avoid any disruption to a secure shopping experience, do not let your SSL/TLS certificate expire.
- Enforce multi-factor or passwordless authentication. Passwords are broken. Using password-based authentication on your eCommerce store exposes it to major security threats. Multi-factor authentication helps you keep hackers away, significantly reducing the possibility of a data breach. If you want to go further, iThemes can help you ditch passwords altogether.
Say Goodbye to Passwords with iThemes Security Pro
Analyzing the latest vulnerabilities WordPress websites are affected by, iThemes has been working on making the platform more secure and reliable for all business owners, especially when it comes to eCommerce. The future is passwordless, and iThemes is bringing passkeys to WordPress authentication.
Bring the cutting edge technology to your online business by enabling passwordless authentication on your WordPress website. Now supported by all major browsers and operating systems, biometric logins can soon become a new authentication standard.
If you run multiple WordPress websites or WooCommerce stores, iThemes Sync Pro can become your personal website assistant. Take advantage of managing all aspects of website administration from one central dashboard, with advanced uptime monitoring and one-click updates.
Payment fraud and carding attacks cost the eCommerce businesses billions of dollars a year, bringing disruption to the whole industry and payment ecosystem. With ever evolving bot-driven cyber attacks, no business is safe from financial loss and reputational damage that follow.
Protecting your business from payment fraud and ensuring a safe shopping experience for your customers requires taking a proactive approach towards your website security. Web application firewalls and fraud detection systems can help you successfully identify and block malicious web traffic before it can cause harm on your eCommerce website and its visitors.
Kiki has a bachelor’s degree in information systems management and more than two years of experience in Linux and WordPress. She currently works as a security specialist for Liquid Web and Nexcess. Before that, Kiki was part of the Liquid Web Managed Hosting support team where she helped hundreds of WordPress website owners and learned what technical issues they often encounter. Her passion for writing allows her to share her knowledge and experience to help people. Apart from tech, Kiki enjoys learning about space and listening to true crime podcasts.