Carding

What Is Carding?

Carding is a form of credit card fraud in which a stolen credit card is used to charge prepaid cards or purchase gift cards. Carding typically involves the holder of the stolen card or card information purchasing store-branded gift cards, which can then be sold to others or used to purchase other goods that can be sold for cash. Credit card thieves who are involved in this type of fraud are called “carders.”

The United States is a significant target for credit card fraud because it is a large market in which credit card and debit card use is common, and because the types of cards that are used in the United States either contain only a magnetic stripe or employ a chip and signature technology, rather than the chip and personal identification number (PIN) technology found in most of Europe.

Key Takeaways

  • Carding is a form of credit card fraud in which a stolen credit card is used to charge prepaid cards.
  • Card forums are online shopping venues for stolen credit and debit card information and criminal techniques.
  • Carding is a third-party attack on an individual's financial information.
  • Newer technologies like CVVs, CAPTCHA, and multifactor authentication have been effective against carders.

How Carding Works

Carding typically starts with a hacker gaining access to a store’s or website’s credit card processing system, with the hacker obtaining a list of credit or debit cards that were recently used to make a purchase. Hackers might exploit weaknesses in the security software and technology intended to protect credit card accounts. They might also procure credit card information by using scanners to copy the coding from the magnetic strips.

Credit card information might also be compromised by accessing the account holder’s other personal information, such as bank accounts the hacker has already gained entry to, targeting the information at its source. The hacker then sells the list of credit or debit card numbers to a third party—a carder—who uses the stolen information to purchase a gift card.

Most credit card companies offer cardholders protection from charges made if a credit or debit card is reported stolen, but by the time the cards are canceled, the carder has often already made a purchase. The gift cards are used to purchase high-value goods, such as cell phones, televisions, and computers, as those goods do not require registration and can be resold later. If the carder purchases a gift card for an electronics retailer, such as Amazon, they may use a third party to receive the goods and then ship them to other locations. This limits the carder’s risk of drawing attention. The carder may also sell the goods on websites offering a degree of anonymity.

Because credit cards are often canceled quickly after being lost, a major part of carding involves testing the stolen card information to see if it still works. This may involve submitting card-not-present purchase requests on the Internet.

Special Considerations

There is a special language and special websites used by credit card fraudsters. Some of these are discussed below.

Carding Forum

Carding forums are websites used for the exchange of information and technical skills relating to the illicit trade in stolen credit card or debit card account information. Fraudsters use these sites to buy and sell their illegally gained information. New protective efforts like PINs and chips have made it more difficult to use stolen cards in point-of-sale transactions, but card-not-present sales remain the mainstay of card thieves and are much discussed on carding forums.

Fullz

Fullz is a slang term for "full information" and is used by criminals who steal credit card information. It refers to the information package containing a person's real name, address, and form of identification. The information is used for identity theft and financial fraud. The person whose "fullz" is sold is not a party to the transactions.

Credit Card Dump

A credit card dump occurs when a criminal makes an unauthorized digital copy of a credit card. It is performed by physically copying information from the card or hacking the issuer's payments network. Although the technique is not new, its scale has expanded tremendously in recent years, with some attacks including millions of victims.

How Companies Prevent Carding Fraud

Companies are implementing various techniques to stay ahead of the carders. Some of the more interesting recent changes include requiring more information from the user that is not as easily available to the carder.

Address Verification System (AVS)

An AVS system compares the billing address supplied at checkout in an online purchase to the address of record at the credit card company. The result is returned immediately to the seller as one of four outcomes: full match, address match, ZIP code match, or no match at all. A properly functioning AVS system can stop no-match transactions if the card is reported lost or stolen. For address-only or ZIP-only matches, the seller has discretion to accept or not. AVS is currently used in the United States, Canada, and the United Kingdom.

IP Geolocation Check

An IP geolocation system compares the IP location of the user's computer to the billing address entered on the checkout page. If they don't match, fraud may be indicated. There are legitimate reasons, such as travel, for a failure to match up, but they generally warrant further investigation.

Card Verification Value (CVV)

A card verification value (CVV) code is a three or four digit number on a credit card that adds an extra layer of security for making purchases when the buyer is not physically present. Since it is on the card itself, it verifies that the person making a phone or online purchase actually has a physical copy of the card.

If your card number is stolen, a thief without the CVV will have difficulty using it. The CVV can be stored in the card's magnetic strip or in the card's chip. The seller submits the CVV with all other data as part of the transaction authorization request. The issuer can approve, refer, or decline transactions that fail CVV validation, depending on the issuer's procedures.

Multifactor Authentication (MFA)

Multifactor authentication is a security technology that requires more than one method of authentication from independent credentials to verify a user's login or other transaction. It can use two or more independent pieces of information, coming from the user's knowledge (e.g., a password), the user's possession (e.g., an authenticator token), or what the user is (biometric data). Using MFA creates a layered process that makes it more difficult for an unauthorized person to access his or her target, because the attacker probably won't hack all of the layers. MFA originally used only two factors, but more factors are no longer uncommon.

CAPTCHA

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security measure of the challenge-response authentication type. It protects users from password decryption by asking the user to complete a test that proves the test taker is human and not a computer attempting to break into the account.

CAPTCHA uses a random series of numbers and letters in a distorted image and requires the user to list them in order. All of the number/letter systems have been defeated by hackers at one point or another. As a result, alternative versions now use anomaly spotting systems (find the squares with ships) which are easy for humans but less so for computers.

Velocity Checks

Velocity checks look at the number of transactions attempted by the same card or site visitor within a given number of seconds or minutes of one another. Typically, users do not make multiple payments in quick succession, especially payments so rapid as to be beyond the capacity of a human being. Velocity can be monitored by dollar amount, user IP address, billing address, Bank Identification Number (BIN), and device.
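As an added illustration (not part of the original article), a velocity check can be built from sliding-window counters, one per dimension listed above. The limits, field names and sample attempts are assumptions constructed for this example, and the card field is assumed to hold a payment token rather than the raw card number.

```python
from collections import defaultdict, deque

# Assumed limits, constructed for this example: dimension -> (max attempts, window s).
# Attempts are expected in non-decreasing timestamp order.
LIMITS = {
    "card": (3, 60),
    "ip": (5, 60),
    "bin": (10, 60),
    "device": (5, 60),
    "billing_address": (4, 300),
}
AMOUNT_LIMIT = (500.00, 600)  # max dollars per card token per 10 minutes

class VelocityChecker:
    def __init__(self, limits=LIMITS, amount_limit=AMOUNT_LIMIT):
        self.limits = limits
        self.amount_limit = amount_limit
        self.seen = defaultdict(deque)   # (dimension, value) -> timestamps
        self.spend = defaultdict(deque)  # card token -> (timestamp, amount)

    def check(self, attempt):
        """Record one payment attempt and return the names of the rules it trips."""
        ts, tripped = attempt["ts"], []
        for dim, (max_count, window) in self.limits.items():
            q = self.seen[(dim, attempt[dim])]
            q.append(ts)
            while q[0] <= ts - window:   # drop attempts that left the window
                q.popleft()
            if len(q) > max_count:
                tripped.append(f"{dim}_count")
        max_amount, window = self.amount_limit
        s = self.spend[attempt["card"]]
        s.append((ts, attempt["amount"]))
        while s[0][0] <= ts - window:
            s.popleft()
        if sum(amount for _, amount in s) > max_amount:
            tripped.append("card_amount")
        return tripped

def sample_attempts():
    # Constructed data: one device submits 7 different card tokens, 2 s apart.
    return [{"ts": 1000 + 2 * i, "card": f"tok_{i}", "bin": "411111",
             "ip": "203.0.113.7", "device": "dev_a",
             "billing_address": f"addr_{i}", "amount": 1.00} for i in range(7)]

def flagged(attempts):
    vc = VelocityChecker()
    return [(a["card"], vc.check(a)) for a in attempts]
```

In the sample, no single card exceeds its own limit, but the sixth and seventh attempts trip the IP and device counters, which is why velocity is tracked on several dimensions rather than per card alone.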

Examples of Carding

Carding generally involves the purchase of gift cards, which are then spent on relatively difficult-to-trace goods. Often the goods are then resold online or elsewhere. The information gained in carding is also used for identity theft and money laundering.

Resale of the Information

One of the easiest ways to make use of the information obtained in carding is to resell it to others who will then use it in various illicit schemes.

Money Laundering

In 2004, a popular carding forum and an online payment system often used by carders were found to have become a bank and transfer system allowing money laundering and the processing of criminal funds. Pressured to flip, the individuals running the payment site gave up a lot of criminal names and activities but were eventually themselves convicted of money laundering.

The Bottom Line

In the long run, carding can only be prevented if cardholders and those who accept cards aggressively take advantage of every available method to prevent carding. Sellers should require as many prevention aids as they can practically afford, while cardholders should keep an eye out for physical signs of tampering any time they use a card in an ATM or gas pump.

Carding FAQs

What Is a Carding Attack?

A carding attack is an attempt to place multiple fraudulent orders in rapid succession on an online site. It can usually be recognized by a sharp, sudden spike in orders being placed, usually with the same shipping address. Often the customer information given will be clearly fraudulent.

How Can You Protect Yourself from Carding?

You can protect yourself as a seller from carding by using one or more of the newly developed fraud prevention methods like CAPTCHA and CVV requirements. Individuals should be careful with their cards and be on the lookout for signs of tampering when using ATMs and gas pumps.

How Do Criminals Steal Credit Card Information?

Fraudsters steal credit card information in various ways. They use skimmers, which steal credit and debit card information from ATMs and gas pumps in which they have been installed. They also gain information through phishing scams, site compromises, or even by purchasing the information on carder forums.

What Is a Credit Card Skimmer?

A credit card skimmer is a fraudulent instrument or device placed inside a legitimate reader, such as an automated teller machine or a gas pump, to copy the data off cards used in that ATM or pump.

What Is the Punishment for Carding?

In most states, using a stolen credit or debit card for transactions in an amount over the misdemeanor limit is a felony. In addition to potential restitution, convicted carders can face up to 15 years in prison and fines of up to $25,000. If the carding is connected to money laundering, the potential penalties escalate sharply.
