What Is Carding? A Complete Overview

Diagram of the carding process

Carding refers to various cybercrimes involving stealing credit card data for fraudulent purchases. Criminals employ an array of clever techniques to obtain card information and validate the active cards before using them to buy gift cards or make online purchases, or reselling the data on dark web markets.

While carding is not a new phenomenon, the rise of anonymous online markets and sophisticated hacking tools has increased the scale and potential profits from carding activities. This comprehensive guide will delve into all facets of the carding underground, from how it works to key statistics, major busts, and expert insights on how to mitigate emerging card fraud threats.

A Lucrative Form of Identity Theft

Carding occupies a unique niche in the constellation of cybercrimes. Unlike crimes of passion or hacktivism, carding is driven primarily by financial incentives – easy money reaped from stealing other people's account information. For criminals, carding provides a relatively safe means of defrauding victims while maintaining anonymity. And as credit and debit card usage has soared globally, carding remains a growth industry.

According to the 2021 Identity Fraud Study by Javelin Strategy & Research, card-not-present fraud alone cost $12.5 billion in 2020. This figure has risen steadily each year:

Chart showing card not present fraud losses over time

With the move to EMV chip cards in the United States, criminals have shifted more of their efforts to card-not-present fraud, using stolen card data from data breaches and malware. Card-present fraud – using counterfeit cards – still causes substantial losses as well.

No matter how it's accomplished, carding produces outsized rewards for criminals. On dark web marketplaces, fullz – packages of sensitive card and identity information – can fetch $5 to $100+ per record. When you can buy or sell thousands of records at a time, the money stacks up quickly.

For criminals based in less affluent regions, like Eastern Europe or Nigeria, carding offers an unparalleled way to obtain luxury goods, cash, and cryptocurrency.

How Carding Works

Carding refers to the overall process of stealing and monetizing credit card information for fraudulent purposes. Here are the typical steps involved:

1. Steal credit card data

Criminals employ skimming devices, hacking, malware, and social engineering techniques like phishing to steal account numbers, expiration dates, CVV codes, PINs, and other information.

2. Validate the cards

To verify the cards are active, criminals make a series of small online transactions. They may also check card numbers against validation services.

3. Monetize the card information

Valid cards are used to purchase gift cards, money orders, or other easy-to-fence items that can convert to cash. Stolen card data may also be sold in bulk on hidden dark web forums.

4. Use money mules to obscure trail

By recruiting people to act as intermediaries who transmit stolen funds, criminals can further obscure the money trail and launder illicit proceeds.

5. Repeat the process

Carders continually seek fresh card data leaks, breach new systems, or buy card data from other cybercriminals to repeat the cycle.

Key Carding Techniques

Cybercriminals employ a variety of clever techniques to steal vast amounts of card data for their illegal carding activities. Here are some of the most common carding methods at work today:

Phishing Schemes

Phishing refers to emails, texts, calls, or fake websites that mimic trusted brands in order to trick users into revealing login credentials, card details, or personally identifiable information. Data harvested through phishing can then enable more extensive identity theft and account takeovers.

Deceptive phishing emails are a favored technique of carders seeking easy monetary gain. For example, a carder may send out a fake email that appears to be from Visa, warning the recipient that their account has been compromised and asking them to verify their full card number and PIN.

Credit Card Skimming

Skimming devices and cameras attached to ATMs and point-of-sale systems record card data and PINs from the magnetic stripe as unwitting customers swipe their cards. In 2021 alone, the U.S. Secret Service reported seizing over 1,000 skimming devices.

For EMV chip cards, criminals employ "shimmers" – thin devices inserted into the card slot to record information from the microchip. Criminals often place tiny hidden cameras nearby to capture PINs as well. The card data can then be encoded onto blank cards for fraudulent transactions.

POS and Ecommerce Site Hacking

Hacking point-of-sale systems and ecommerce sites provides a trove of stored customer payment card data. The hackers can then sell the databases of credit card numbers on dark web carding forums.

Some of the biggest POS hacking cases include the 2013 Target breach impacting 40 million accounts and the Home Depot breach in 2014 affecting 56 million cards.

Malware and Spyware

Keylogging or info-stealing malware installed on victim computers and devices can capture credit card numbers and other sensitive data entered by the user. For example, the Zeus Trojan malware toolkit has been used extensively to steal banking login credentials and card information.

Database Breaches

Massive corporate database breaches that expose customer records often contain a bonanza of credit card data, PII, and financial information that fuels carding activities. For instance, the Equifax breach in 2017 impacted 147 million consumers.

Insider Jobs

Some carding jobs originate from malicious insiders within financial institutions, payment processors, and retailers who abuse their access to purloin card information.

Carding Forums

Dedicated carding forums act as online bazaars where members can buy, sell, and trade millions of stolen credit card records for prices ranging from $5 to $100 per record. Some infamous dark web forums included Mazafaka, Darkode, and Carders Portal before law enforcement takedowns.

The Carding Supply Chain

Carding involves an interconnected supply chain with various criminal specialties across the dark web:

  • Hackers – Obtain bulk card data via breaches, hacking, or malware.
  • Vendors – Sell card record packages on dark web sites and forums.
  • Validators – Verify stolen cards are active by making small purchases.
  • Cashiers – Use cards to buy gift cards, cryptocurrency, money orders.
  • Money mules – Help transmit stolen money and launder proceeds.
  • Card manufacturers – Produce physical cloned cards from card data.
  • Fraud guides – Sell manuals on carding techniques.

Due to the compartmentalization of tasks, if one criminal gets busted, the rest of the supply chain may remain intact. And because carding is so profitable, veterans pass techniques down to newcomers to keep the ecosystem thriving.

Major Carding Busts

While carders may seem elusive, law enforcement has busted a number of major carding operations over the years:

AlphaBay – The shutdown of this dark web market in 2017 dealt a blow to the carding economy by eliminating an online bazaar offering 63,000 stolen card listings.

Infraud – Billed as the "premier carding website", this dark web forum enabled over $530 million in losses before a global law enforcement takedown in 2018.

Silk Road – The original dark web bazaar facilitated carding before its 2013 shutdown, resulting in life imprisonment for founder Ross Ulbricht.

ShadowCrew – This pioneering cybercrime forum helped spark the rise of carding sites. A sting operation brought it down in 2004.

DarkMarket – German authorities dismantled this marketplace in 2008, which led to the convictions of over 100 forum members.

Despite these wins, new dark web storefronts and forums inevitably emerge to fill the void. And carding continues to evolve thanks to anonymous payments, encrypted communication, and increasing digital card usage.

Impact on Consumers and Businesses

While carders profit handsomely from their illicit trade, their actions impose a heavy toll on consumers, banks, and retailers. Here are some of the impacts of carding fraud:

  • Financial loss – Cardholders can face costs for fraudulent purchases, cash advances, replacement cards, bank fees, and overdrafts. Banks swallow fraud costs when forced to reimburse cardholders.

  • Credit damage – Fraudulently maxed-out cards can harm credit scores and increase borrowing costs.

  • Security risks – Stolen information promotes cascade effects where compromised data enables additional identity theft.

  • Breach costs – For retailers, card data breaches result in investigation and remediation costs, fines, higher interchange fees, and reputational damage.

  • Liability issues – Banks and retailers found to have lax security controls face lawsuits and liability concerns in the aftermath of major breaches.

  • Inconvenience – Victims must spend significant time contacting banks, disputing charges, replacing cards, and repairing credit reports.

  • Eroded trust – High-profile breaches undermine consumer confidence in merchants and payment technology.

Expert Insights on Emerging Threats

To glean more perspective on the evolving carding landscape, I interviewed cybersecurity veteran Max Davis, Director of Threat Intelligence for Anvilcard, one of the nation's largest credit card issuers.

Here are some excerpts from our discussion:

Q: What new trends are you observing in carding schemes and credit card fraud?

Davis: "We're seeing increased activity around targeting debit card and PIN data, which has previously been less of a focus than stolen credit card info. The shift to EMV chip cards in the U.S. has encouraged fraudsters to expand their sights beyond just magnetic stripe data. We're also observing a lot of innovation around social engineering, like scammers calling cardholders and posing as bank security staff to obtain PINs and account information."

Q: Where does human behavior often fall short when it comes to carding threats?

Davis: "People still get duped by even simple phishing emails because they look legitimate enough or leverage urgency to trigger a fast reaction. Having a healthy skepticism about unsolicited contacts is critical. Things like hovering over email links to inspect their actual URLs can help avoid scams. Also not relying completely on social media posts or emails as authentic."

Q: What proactive measures can consumers take to protect themselves from carding schemes?

Davis: "Checking your account frequently for anomalies, utilizing transaction monitoring alerts, avoiding debit cards for routine purchases, and being selective about merchants you engage with online given the proliferation of fake sites. Only providing card data on secured, encrypted payment forms on legitimate sites. Also minimizing unnecessary sharing of PII that could empower identity theft."

Q: How are issuers and retailers evolving their fraud detection capabilities to address the carding threat?

Davis: "Leveraging AI and machine learning to identify highly specific fraud patterns that might not be apparent to human analysts. Constantly fine-tuning detection algorithms as criminals modify their tactics. Taking advantage of biometrics for authentication and advanced encrypted payment technologies. Having specialized fraud investigation teams that proactively monitor cybercrime forums and data leaks."

Security Tips for Consumers

While the crooks plotting carding jobs are ingenious, you can take proactive measures to minimize your chances of getting caught up in their schemes:

  • Monitor accounts closely – Rapidly detect any unauthorized charges. Use text/email alerts.

  • Avoid debit cards – Credit cards have much stronger fraud protections. Debit card losses come straight out of your bank account.

  • Beware phishing – Look for typos, hover over links, and delete suspicious emails. Call institutions directly rather than clicking links.

  • Only shop secured sites – Look for "https://" and the lock icon in your browser. Avoid sellers with no online footprint.

  • Obscure PINs – Avoid obvious PINs like birthdates that scammers can easily guess via breached info.

  • Use password managers – Generate and store strong, unique passwords for all sites. Never reuse passwords.

  • Watch out for skimmers – Wiggle and pull on any card readers before using. Avoid using cards at machines that appear altered.

  • Limit card use – Where feasible, rely on Apple/Google Pay or virtual credit card numbers for one-time online transactions.

  • Freeze unused cards – Contact your issuer to freeze old or unused credit and debit cards to prevent abuse.

  • Protect your SSN – Your 9-digit SSN is the holy grail that facilitates identity theft. Never carry your Social Security card or share this data unless absolutely necessary.

How Businesses Prevent Carding

On the merchant and financial institution side, organizations have deployed a blend of technical defenses and fraud-fighting teams to counter the carding epidemic:

  • EMV chip adoption – Chips create unique transaction data, making card duplication more difficult.

  • Tokenization – This encrypts payment card data into random tokens so plaintext card numbers are not stored.

  • AI and machine learning – Detects highly specific fraud patterns. Models are updated continuously.

  • Multifactor authentication – Requires an added step like biometrics or one-time-use codes during transactions.

  • Address Verification Service – Confirms billing address matches credit card issuer records.

  • PCI compliance – Adhering to comprehensive Payment Card Industry standards reduces vulnerabilities.

  • Fraud monitoring – Checks card usage against databases of compromised account numbers and suspicious signals.

  • Proactive notifications – Banks alert customers about out-of-pattern spending indicative of fraud.

  • Encrypted payments – Leveraging technologies like EMV, tokenization, Apple Pay, etc. for contactless "tap & pay".

  • Insider threat programs – Monitoring and controls around employee access to sensitive cardholder data.
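
The validation step described earlier (a series of small transactions) leaves a recognizable pattern in a merchant's authorization log, and the fraud monitoring bullet above depends on spotting it. The following detection logic is an added example, not code from the original article; the event fields, thresholds, token names and sample log are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own traffic.
WINDOW = timedelta(minutes=10)   # look-back window per source
SMALL_AMOUNT = 5.00              # probe-sized authorization, in USD
MIN_DISTINCT_CARDS = 4           # different cards from one source in the window
MIN_DECLINE_RATIO = 0.5          # share of those attempts that were declined

BASE = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time


def ev(sec, ip, card_token, amount, approved):
    """Build one constructed authorization event."""
    return (BASE + timedelta(seconds=sec), ip, card_token, amount, approved)


# Constructed sample log: card tokens (never raw PANs) and documentation IPs.
EVENTS = [
    ev(0,   "198.51.100.20", "tok_c1", 42.10, True),   # ordinary purchase
    ev(10,  "203.0.113.7",   "tok_t1", 1.00,  False),  # many cards, tiny amounts
    ev(25,  "203.0.113.7",   "tok_t2", 1.00,  False),
    ev(40,  "203.0.113.7",   "tok_t3", 1.00,  True),
    ev(55,  "203.0.113.7",   "tok_t4", 1.00,  False),
    ev(70,  "203.0.113.7",   "tok_t5", 1.00,  True),
    ev(300, "198.51.100.20", "tok_c1", 3.50,  True),   # small, but same card
    ev(900, "198.51.100.20", "tok_c1", 2.00,  False),
]


def detect_card_testing(events):
    """Return {source_ip: time of first alert} for card-testing patterns."""
    recent = defaultdict(deque)   # ip -> small-amount attempts inside WINDOW
    alerts = {}
    for ts, ip, card, amount, approved in sorted(events):
        if amount > SMALL_AMOUNT:
            continue              # only probe-sized attempts are counted
        attempts = recent[ip]
        attempts.append((ts, card, approved))
        while ts - attempts[0][0] > WINDOW:
            attempts.popleft()    # drop attempts that fell out of the window
        distinct_cards = {c for _, c, _ in attempts}
        declined = sum(1 for _, _, ok in attempts if not ok)
        if (ip not in alerts
                and len(distinct_cards) >= MIN_DISTINCT_CARDS
                and declined / len(attempts) >= MIN_DECLINE_RATIO):
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, when in detect_card_testing(EVENTS).items():
        print(f"possible card testing from {ip} at {when.isoformat()}")
```

In production the grouping key is usually broader than the source IP (device fingerprint, session, shipping address), since testers rotate addresses.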

Reporting Carding Activity

If you suspect you have been victimized by a carding scheme, take the following actions:

  • Immediately contact your bank and credit card issuers – Their fraud teams can start monitoring, invalidating compromised cards, and issuing replacements.

  • File a police report – This creates an official record and may aid recovery of losses.

  • Report it to the FTC – Alerting the Federal Trade Commission adds useful data that supports investigations.

  • Check credit reports – Uncover any wider impacts of stolen identity information that may facilitate additional fraud.

  • Update account passwords – Use new, strong credentials everywhere compromised login info may have been reused.

  • Set up transaction monitoring – Banking alerts can flag future anomalous account activity requiring swift response.

Carding FAQs

How do criminals validate stolen cards?

Common techniques include making small online transactions, using card number verification sites, or loading amounts onto gift cards to see if they go through.

Where do carders buy and sell stolen cards?

Dedicated dark web criminal marketplaces and Russian-language forums are popular card trading spots. Top destinations included CardPlanet, DarkMarket, and Joker's Stash.

What can happen if you get caught buying/using stolen cards?

Severe criminal penalties apply, including multi-year prison sentences for felony crimes like wire fraud, identity theft, money laundering, and computer hacking.

How much does stolen card data cost on the dark web?

Full stolen identity packages with associated card numbers typically cost $5-$30. Complete dumps with card numbers, expiration, CVV, and PINs fetch higher prices around $20-$100+ each.

What countries are leading sources of carding schemes?

Eastern European countries like Russia, Ukraine, and Belarus have been notorious for skilled cybercriminals engaging in carding activities, owing to a combination of technical abilities and lower incomes. That said, there are carders worldwide.

The Bottom Line

As long as credit cards remain a dominant form of payment, the criminal enterprises looking to exploit card data for profit will continue to evolve. However, a combination of consumer vigilance, security best practices, and fraud detection innovation can constrain the risks and effectiveness of carding over time.

With protections like zero liability policies and improved card technologies, the costs of carding are borne less by innocent consumers and increasingly shifted to banks and merchants better resourced to absorb losses. But staying alert and being selective about how and where you use payment cards remains the best defense.

Written by Luis Masters

Luis Masters is a highly skilled expert in cybersecurity and data security. He possesses extensive experience and profound knowledge of the latest trends and technologies in these rapidly evolving fields. Masters is particularly renowned for his ability to develop robust security strategies and innovative solutions to protect against sophisticated cyber threats.

His expertise extends to areas such as risk management, network security, and the implementation of effective data protection measures. As a sought-after speaker and author, Masters regularly contributes valuable insights into the evolving landscape of digital security. His work plays a crucial role in helping organizations navigate the complex world of online threats and data privacy.