Preventing Carding Attack

What is a Carding Attack?

Carding is a financial attack where individuals take stolen credit cards or pre-paid cards and test them for validity before selling them to other people. The industry refers to people who perform these attacks as “carders”. Most people will cancel their credit card quickly after losing their wallet, so the testing aspect of carding is one of the most important things for a thief to do.

More details on carding can be found in this Investopedia article.

The Problem with Carding Attacks

The major problem with allowing a carding attack against your site is the per-transaction fees that your financial institution charges when a credit card transaction is attempted. An ounce of prevention is far easier than having to work with your financial institution after suffering a carding attack.

Some payment processors, such as PayPal, have their own mitigation systems in place to prevent carding attacks, but it often amounts to temporarily shutting down your payment processing until the attack passes or can be mitigated upstream. This can cause a merchant to suffer the loss of real sales if not addressed quickly.

Blocking a Carding Attack

The simplest way to block a carding attack is to limit the number of transaction attempts allowed per IP address using the Fraud Prevention system. First, navigate to Configuration → Checkout → Fraud Prevention.

Scroll down to the IP/Subnet Rules section of the page as shown below.

We recommend that you configure daily and weekly attempt thresholds by IP. The rules would be:

  • If daily attempted transaction count for IP address exceeds 5 then Flag For Review.

  • If weekly attempted transaction count for IP address exceeds 10 then Flag For Review.

If you choose Flag For Review, the transactions will go to Accounts Receivable with notes about the fraud rule being tripped. Merchants can review those transactions in case some are legitimate.

If you choose Decline, the carder will be told all the transaction attempts were declined without being given the valuable feedback that the decline came from the financial institution.

Exempting IP Address

If you have a call center that is placing a lot of orders for customers by driving your checkout, make sure you exempt their IP address using the exemption filters available at the top of the fraud prevention section.
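
To see how the recommended thresholds and an exemption interact, the following added example (not the Fraud Prevention system's own code) replays constructed transaction attempts through the same two rules. It assumes rolling 24-hour and 7-day windows; the IP addresses, the exempt range and the function names are made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

DAILY_LIMIT, WEEKLY_LIMIT = 5, 10          # thresholds recommended above
EXEMPT = [ip_network("198.51.100.0/28")]   # constructed call-center range

def evaluate(attempts, action="Flag For Review"):
    """Return (timestamp, ip, decision) for each attempt, in time order."""
    history = defaultdict(deque)           # ip -> attempt times in the last 7 days
    results = []
    for ts, ip in sorted(attempts):
        addr = ip_address(ip)
        if any(addr in net for net in EXEMPT):
            results.append((ts, ip, "Exempt"))
            continue
        window = history[ip]
        window.append(ts)
        # Drop attempts that have aged out of the weekly window.
        while window[0] <= ts - timedelta(days=7):
            window.popleft()
        weekly = len(window)
        daily = sum(1 for t in window if t > ts - timedelta(days=1))
        tripped = daily > DAILY_LIMIT or weekly > WEEKLY_LIMIT
        results.append((ts, ip, action if tripped else "Allow"))
    return results

def sample_attempts():
    """Constructed data: a fast burst, a slow drip, and a busy call center."""
    start = datetime(2024, 1, 1, 9, 0)
    burst = [(start + timedelta(minutes=i), "203.0.113.7") for i in range(8)]
    drip = [(start + timedelta(hours=13 * i), "203.0.113.9") for i in range(12)]
    call_center = [(start + timedelta(minutes=2 * i), "198.51.100.5") for i in range(20)]
    return burst + drip + call_center

if __name__ == "__main__":
    for ts, ip, decision in evaluate(sample_attempts()):
        if decision not in ("Allow", "Exempt"):
            print(ts.isoformat(), ip, decision)
```

The burst trips the daily rule on its sixth attempt, while the slow drip never exceeds two attempts per day and is only caught by the weekly rule, which is why both thresholds are worth configuring.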