Carding as described by Wikipedia, Carding is a term used for a process to verify the validity of stolen card data. The thief presents the card information on a website that has real-time transaction processing. If the card is processed successfully, the thief knows that the card is still good. The specific item purchased is immaterial, and the thief does not need to purchase an actual product; a web site subscription or charitable donation would be sufficient. The purchase is usually for a small monetary amount, both to avoid using the card’s credit limit, and also to avoid attracting the card issuer’s attention. A website known to be susceptible to carding is known as a cardable website.
This happened to a site recently and I wanted to list out the counter-measures used to enforce better security against this type of credit card fraud.
- Add stricter credit card checks. These included, limiting countries that could use the form, flag transactions that looked suspicious, made sure address verification was turned on. We were seeing proxy servers used in Pakistan and other countries. It is an easy thing to setup and just helps detour these type of attacks.
- Added ReCaptcha to our website. Of course, this is just another tool in our tool belt but I was really hesitant on using it because, well, who likes these things, right?! I guess for prevention of future programmable attacks, it is worth adding. To note, it is important to activate SSL as their are ways to getting around this type of security.
- Disallowed more then 3 transactions in a day from taking place. This includes the recorded ip address OR the same name. This covers situations like: 1) They used a card from different proxy servers but using the same name or possibly 2) used different name from the same proxy server.
- Specified a minimum amount that someone could give through the form. In this case it is a donation page. So they could donate any amount. Most carding is done with small amounts to just test the card. Once a minimum amount was specified it is just another detractor from a thief using your page as a testing ground.
- Add a blacklist of ip address. Once you do know the proxy servers the thief’s are using you can create a blacklist as well.
- Always record the IP address.
Some pretty simple and straight forward measures that someone can take if they are running into this issue. This isn’t an exhaustive list but easy to add onto your site for a bit more security.