How to prevent carding attacks from snowballing into substantial losses

Carding attacks are on the rise. Learn how PayPal can help your business defend against the consequences that could damage your business.

As more people spend money online, fraudsters look for new ways to perpetrate financial attacks—and merchants are paying the price. In a new report by PayPal produced by the Ponemon Institute, organizations indicate an average loss of $4.5 million per year due to fraudulent transactions, with 65 percent noting their number one challenge is the increasing sophistication of fraudsters.

In a world where data breaches have become the norm, with nearly 165 million records exposed across 1400 breaches in the U.S. last year,¹ fraudsters have unprecedented access to an endless supply of information. As fraudsters seek to monetize freshly breached data that’s available for purchase on the dark web, merchants struggle to fight evolving fraud while balancing customer experience.

Carding attacks on the rise

One attack vector that continues to present challenges for merchants is carding. When fraudsters gain access to stolen credentials resulting from data breaches, they do not know which credentials are still active and valid. Credit card credentials can quickly be canceled in the event of a breach; therefore, fraudsters need a way to determine which credentials are still valid and can then be resold at a higher price on the dark web or used to make larger purchases. To do this, fraudsters use automated scripts to test numerous compromised credit, debit, and prepaid card credentials on a merchant’s eCommerce site through a series of low-value purchases in an effort to evade detection. The automated process enables fraudsters to efficiently test and validate large volumes of credentials within a short time, and even launch carding attacks across multiple eCommerce sites at once.

No merchant is immune to carding attacks. Merchants of all kinds can be targeted, including financial services, food delivery platforms, rideshare apps, and major online retailers, who have reported seeing a 26% increase in online fraud in 2020².

The weighty consequences that could damage your business

For most merchants, the costs of carding attacks are extensive, and may include:

• Chargebacks: Once a customer reports fraudulent activity on their card to their bank, the bank reverses the charge, which costs the merchant in lost revenue.
• Fees: The merchant may suffer fees associated with chargebacks and other fraud reversal costs, including additional fees from credit card partners as part of their service agreement. Networks also have the authority to block a transaction if excessive carding originates from a merchant’s site, which can impact the good transactions being processed on their site.
• Product Loss: If a fraudster was successful in purchasing product, it’s unlikely the merchant will get that product back once the fraud is detected.
• Fraud Monitoring Programs: Card networks may require a remediation plan or additional fees if a merchant’s fraud rates are above specified thresholds. Additionally, the merchant may be banned from the card network.
• Operational Costs: Depending on the size of the carding attack, merchants may need to bolster customer support and outreach, or fortify their IT team, to rebound from the attack.
• Reputational Damage: Merchants can suffer damage to their reputation as customers who have negative experiences flock to social media and review sites. Consumer complaints about e-commerce fraud have skyrocketed in recent years, reaching an all-time high of over 2 million in 2020^*, which has damaged trust and loyalty for affected merchants.

Key points of protection

Fraudsters may be getting more sophisticated, but that doesn’t mean merchants have no course of action against them. Merchants can protect themselves from carding attacks by employing the following tactics:

• Monitoring: Keep an eye out for red flags such as inconsistencies in billing and shipping information, abnormal spending patterns including rapid-fire or out-of-character purchases, strange e-mail addresses, and even buyers’ physical locations. You can also use tools designed to trace customer IP addresses, which can alert you to those that originate in countries where fraudulent activity is rampant.
• Verifications: Verification checks, such as Address Verification System (AVS) and Card Verification Value (CVV), confirm that the address information or CVV included with a transaction matches what the issuing bank has on file for the associated card. This ensures that only authorized card users are able to make purchases from you.
• Velocity Checks: By checking the number or speed of payments made within a certain time period, you may be able to identify a carding attack. For example, if you see multiple purchases from the same customer within seconds or minutes, this could be a sign that a fraudster is attempting to test stolen credit card numbers by launching a brute force attack. You can use fraud solutions to monitor by specific attributes or values to protect yourself or limit the number of times that a customer can attempt to complete an order.
• Software Updates: Make sure your software is up to date as fraudsters are constantly looking to exploit vulnerabilities in software programs and operating systems. Keeping your shopping cart software current with the latest security patches can help defend against scripted attacks. Shopping cart software used to build sites can become obsolete, leaving you at risk if you don’t migrate to the new version as soon as it’s available.

The PayPal advantage against carding attacks

You don’t have to go it alone in protecting your business from carding attacks though. PayPal has years of expertise and experience in combatting these attacks. Leveraging decades of intelligence gleaned from our two-sided network of 360 million active consumers and more than 30 million merchants, we have unique insights to help detect fraudsters. This cross-border visibility gained from processing over 15 billion transactions per year across more than 200 markets helps us create accurate solutions for a wide variety of merchants, no matter where they’re headquartered.

Upholding PayPal’s commitment to democratizing access to critical tools and resources that help businesses combat evolving fraud, we’ve developed a PayPal managed carding prevention feature that helps merchants minimize carding attacks and the costs associated with them. This helps merchants avoid the substantial up-front investment needed to create these controls and personalize them to their specific needs.

The carding prevention feature is enabled by default for all PayPal and select Braintree merchants and is based on advanced machine learning and data science capabilities to identify emerging trends and provide real-time updates. The carding prevention feature functions in addition to any existing fraud solutions that may be employed by the merchant and helps with early detection of carding attacks.

With PayPal’s ability to gain insight across multiple merchants, PayPal’s carding prevention feature identifies high levels of declines and invalid information. Our machine learning platform consumes over 400 data points to proactively determine the carding risk associated with a transaction. If significant risk is detected, the module prevents the card transaction from being sent to the processor.

What we do

Using this approach, PayPal’s carding prevention feature has mitigated a significant amount of early carding attempts, and our merchants have noted a significant reduction in carding traffic.

PayPal's carding module helps merchants detect sophisticated carding attacks that are unlikely to be caught by traditional risk management tools. As an example of how the module works, PayPal was able to significantly reduce a partner’s carding attack based on a pattern where thousands of carding attempts were made over a short period of time using different IP addresses. Similarly, when a merchant had been experiencing consistent attacks, PayPal’s carding prevention feature helped them detect and block hundreds of thousands of carding attempts.

PayPal’s carding module is powered by ML algorithms, which scan through every aspect of card processing data and connects with similar transactions in real time to differentiate good versus bad transactions. This helps ensure that only bad transactions are stopped, while good transactions continue to be processed. Our carding module also identifies BOTs that spread across different sites. We then work with merchants to help them secure their sites.

The carding prevention feature is also resulting in PayPal receiving significantly fewer escalations from card networks. In addition, acquirers confirm that there has been a significant reduction in carding attacks after PayPal implemented the carding feature.

To learn more about how PayPal helps merchants detect and block fraudulent activity, visit our manage risk page.