What Is Credential Stuffing (Carding)?

Front-end carding, or credential stuffing, is a cyber attack that tests multiple credit cards against a merchant until a fraudster finds one that works.


It’s time to put on our serious face as we explore an issue that has reared its ugly head in the payments industry. Credential Stuffing, or Carding, has been a problem for years, but lately, it has become all too frequent.

We often say knowledge is power when protecting your business. Understanding how Carding works is a great place to start. For this particular type of fraud, there are security measures you can take to deter fraudsters from pulling a fast one on your business.

As fraudsters continually find new ways to test stolen credit card information, businesses must stay proactive in protecting themselves from these types of brute-force attacks.


What Is Carding?

The strategy behind Carding is simple. Fraudsters obtain a massive list of cardholder information and proceed to “stuff” those credentials into the checkout form.

Attackers aren’t manually entering credit cards one at a time. Instead, they create an automated script that can test multiple (we’re talking thousands or more) cards in a short time. One of the worst data breaches in recent history included 2.2 billion records.


Why Should You Care?

If you accept payments online, you are at risk since you will never have the physical card to validate.

While most websites have protections in place to block floods of activity, attackers have tools to bounce their requests around the web, making it look like they are coming from different IP addresses or browsers.

Once they get approval, they can use that winning card anywhere. And you can bet they are going to spend as much as possible.


What Can You Do?

There are a handful of practical methods that you can use to protect your business from Carding.

  • CAPTCHAs: You might recognize these as those simple math- or word-based problems at the end of a payment form. While these vary in complexity, they are basically just an extra step that a human would have no problem completing but that would stop a bot or script.
  • Verified by Visa/Mastercard: Visa and Mastercard provide free tools that authorize the card before it is processed. They also shift the liability to themselves for fraudulent transactions when businesses use these tools. Stopping fraud and avoiding liability is a win-win.
  • Forcing Manual Entry: Browsers are quick to auto-fill fields now, even payment forms. Requiring manual entry of specific fields (like the credit card number) in your payment form can help make it more resistant to scripts.
  • Enable Risk Thresholds: This one is unique to Bambora. We can determine the risk by monitoring different variables within a transaction. Learn more about Risk Thresholds here.
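
A merchant-side check that complements the measures above, as an added example (it is not Bambora's Risk Thresholds and not code from this page): because carding traffic can arrive from many IP addresses, it counts distinct cards and the decline ratio across the whole checkout in a sliding window instead of per IP. The `Attempt` fields, the 60-second window and both limits are assumptions, and the sample attempts are constructed.

```python
from collections import Counter, deque
from dataclasses import dataclass

@dataclass
class Attempt:
    ts: float        # seconds since epoch
    ip: str          # source address as seen by the checkout
    card_fp: str     # token or salted hash of the card number, never the number itself
    approved: bool   # processor response

class CardingDetector:
    """Sliding-window check over ALL checkout attempts, independent of source IP."""
    def __init__(self, window_s=60, max_cards=20, max_decline_ratio=0.8):
        self.window_s = window_s                    # assumed values, tune per merchant
        self.max_cards = max_cards
        self.max_decline_ratio = max_decline_ratio
        self.events = deque()

    def observe(self, a: Attempt) -> bool:
        """Record one attempt; return True when the window looks like card testing."""
        self.events.append(a)
        while self.events[0].ts <= a.ts - self.window_s:   # drop attempts outside the window
            self.events.popleft()
        cards = {e.card_fp for e in self.events}
        declines = sum(not e.approved for e in self.events)
        return (len(cards) > self.max_cards
                and declines / len(self.events) >= self.max_decline_ratio)

def first_alert(attempts, detector):
    """Index of the first attempt that trips the detector, or None."""
    for i, a in enumerate(attempts):
        if detector.observe(a):
            return i
    return None

def max_per_ip(attempts):
    """Highest attempt count from any single IP (what a per-IP rate limit sees)."""
    return max(Counter(a.ip for a in attempts).values())

def constructed_attack():
    # Constructed sample: 30 cards in 30 seconds, each from a different address, one approval.
    return [Attempt(1000.0 + i, f"203.0.113.{i + 1}", f"fp{i:04d}", i == 17) for i in range(30)]

def constructed_normal():
    # Constructed sample: 8 shoppers spaced 45 seconds apart, one decline.
    return [Attempt(1000.0 + 45 * i, f"198.51.100.{i + 1}", f"shopper{i}", i != 3) for i in range(8)]

if __name__ == "__main__":
    print("attack flagged at attempt", first_alert(constructed_attack(), CardingDetector()))
    print("normal traffic flagged:", first_alert(constructed_normal(), CardingDetector()))
    print("max attempts from one IP during attack:", max_per_ip(constructed_attack()))
```

In the constructed attack no address sends more than one request, so a per-IP limit never fires, while the checkout-wide window trips on the 21st distinct card.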

From a fraudster’s perspective, Carding is a simple technique. Often they have another script looking for Checkout forms that don’t have extra security measures in place. Ensuring your Checkout is secured and staying vigilant will keep your business safe and secure from this type of fraud.

For more in-depth information on how to prevent Carding, please visit our documentation.