Tackling the Persistent Threat of Carding Attacks

This should be an exciting time for ecommerce merchants. As more of the world stays at home, the opportunities for ecommerce sales have rocketed. Global retail platforms have seen an unprecedented spike in traffic since the start of the year: up from 16 billion web visits in January to nearly 22 billion in June.[1] However, where there’s money, there’s also cybercrime and fraud.

Merchants have been hit hard by carding attacks over recent years, as fraudsters look to leverage the huge volumes of breached financial data up for sale on the cybercrime underground. The impact can go way beyond the cost of chargebacks. But with Fraud Protection, merchants have proven, enterprise-grade capabilities at their fingertips.

From breaches to carding

In the U.S. alone, there were over 1,470 separate incidents reported by organizations last year, exposing almost 165 million records.[2] What does this mean for fraud? It means a readymade supply of financial and identity data flooding the underground cybercrime economy. However, fraudsters need to know whether the card details that they’re buying are still usable, or if the rightful owner and/or issuer has already canceled them.

This is where carding comes in. Fraudsters typically use bot scripts to automate the process of testing large numbers of stolen cards across various sites. Here’s what happens:
1. The fraudster procures a trove of card details from the dark web or other channels.
2. They use a bot to attempt to make small online purchases with the card data across multiple sites, in order to validate them. This could happen thousands of times until they are successful.
3. They filter the validated card details from the rest, and either use them for high-value fraudulent purchases or sell them onwards on another underground site.
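
The card-testing pattern in the steps above (one automated source, many different cards, small amounts, mostly declines) can be flagged with a sliding-window velocity check. This is an added example, not Braintree or Fraud Protection code; the thresholds, the tuple layout, the card tokens and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against real traffic.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_CARDS = 5    # distinct cards one source may try inside WINDOW
SMALL_AMOUNT = 5.00       # ceiling for a "small purchase" (assumption)
MIN_DECLINE_RATIO = 0.6   # share of declines expected during card testing

def detect_card_testing(attempts):
    """Return {source: time of first alert}.

    attempts: time-ordered (iso_time, source, card_token, amount, approved)
    tuples; the field layout is hypothetical.
    """
    windows = defaultdict(deque)
    alerts = {}
    for ts, source, card, amount, approved in attempts:
        if amount > SMALL_AMOUNT:
            continue  # only low-value authorizations count as test purchases
        now = datetime.fromisoformat(ts)
        win = windows[source]
        win.append((now, card, approved))
        while now - win[0][0] > WINDOW:   # drop attempts older than WINDOW
            win.popleft()
        cards = {c for _, c, _ in win}
        declined = sum(1 for _, _, ok in win if not ok)
        if (source not in alerts and len(cards) > MAX_DISTINCT_CARDS
                and declined / len(win) >= MIN_DECLINE_RATIO):
            alerts[source] = now
    return alerts

def sample_attempts():
    """Constructed data: one scripted source and two ordinary shoppers."""
    base = datetime(2020, 9, 1, 12, 0, 0)
    at = lambda seconds: (base + timedelta(seconds=seconds)).isoformat()
    rows = [(at(20 * i), "203.0.113.7", f"tok_bot_{i}", 1.00, i in (3, 6))
            for i in range(8)]            # 8 cards, $1.00 each, 20 s apart
    rows += [(at(60), "198.51.100.20", "tok_a", 3.50, True),
             (at(120), "198.51.100.20", "tok_a", 42.00, True),
             (at(180), "192.0.2.44", "tok_b", 2.00, False),
             (at(240), "192.0.2.44", "tok_b", 2.00, True)]
    return sorted(rows)

if __name__ == "__main__":
    for src, when in detect_card_testing(sample_attempts()).items():
        print(f"possible card testing from {src}, first flagged {when}")
```

A source key based only on IP address is the weakest choice here, since automated traffic is often spread across many addresses; the same window logic applies to a device fingerprint, session or account identifier.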

Unfortunately for merchants, this kind of activity can have a significant financial and reputational impact. It could lead to:

  • Chargeback losses, after the customer complains to their bank that someone has made a purchase using their card.
  • Lost revenue in terms of the fraudulently purchased products which may never be recovered.
  • Reputational damage and potential customer attrition. Social media and review sites can amplify negative customer experiences today.
  • Operational overheads associated with customer support and dealing with an incident.
  • Being placed on a card issuer’s fraud monitoring program.

Of these negative outcomes, the last is particularly serious for a smaller business, as it can entail extra administrative overheads in the form of remediation plans that need to be filled out with the issuer. There could also be additional fees added to the merchant’s service agreement with the issuer while in the program, and even the chance that the merchant account can be closed if they remain in the program for several months.

Enter Fraud Protection

Fortunately, Fraud Protection offers merchants an integrated and easy-to-manage solution that helps empower smaller businesses with enterprise-grade fraud prevention capabilities. Customized fraud filters are provided out-of-the-box, and filters stay optimized with continuous recommendations based on new transactions and evolving fraud.

Most importantly, Fraud Protection has been proven to detect and block carding attacks — helping to reduce chargebacks and operational costs, and is designed to keep merchants out of issuer fraud monitoring programs.
For example:

  • A game rental company’s previous fraud protection tool used to only decline about 1% of fraudulent transactions while the issuer was declining around 95%. Now the company is able to decline 75% of fraudulent transactions by using Fraud Protection, preventing a majority of bad transactions from being sent to the issuer and thereby improving the game rental company’s authorization rates.[3]
  • A marketing software company’s decline rate using another fraud tool was between 1-10%, while the issuer was declining 40-50%. Now with Fraud Protection, the company is able to decline about 20-30% of bad transactions before they get rejected by the issuer and result in authorization fees.[4]

As David Mattei, a Senior Analyst in the Fraud & AML Practice at Aite Group recently said: “Fraud Protection is an easy-to-use solution to help protect small and medium size businesses from fraudulent transactions.”

He continued to highlight that: “Leveraging the consortium insights into consumer risk enabled by PayPal’s 12 billion annual transactions and advanced machine learning, merchants can manage fraud without needing specialized expertise. The on-demand filter recommendations allow merchants to keep fraud strategies up-to-date with minimal effort.”

Fraud Protection is available to all Braintree merchants, and can be easily enabled in the Fraud Management section of the Braintree Control Panel. For more information on Fraud Protection, check out our guides.

  1. Statista (August 17, 2020) https://www.statista.com/statistics/1112595/covid-19-impact-retail-e-commerce-site-traffic-global/

  2. Statista (March 10, 2020) https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/

  3. Results are specific to this merchant. Other results may vary by industry, customer, and use case.

  4. Results are specific to this merchant. Other results may vary by industry, customer, and use case.

Fan Zhang

Fan is the product lead for fraud management solutions for Braintree merchants at PayPal. She has also led B2C and B2B product portfolios at other Fortune 500 companies.