Case Study: Saving Payment Costs by Blocking Carding Attacks
A short time ago in a galaxy very, very close, an online fashion retailer with no bot protection system received an ominous message from its payment processor. “Too many fraudulent transaction attempts you have,” it said.
Alerted to the message, the company’s CTO understood that they were probably victims of carding attacks.
In carding attacks, cybercriminals test large numbers of stolen credit card numbers, usually by making small transactions on vulnerable websites, to find out if they are still working. If the test transactions go through, it confirms the card numbers’ validity, and the fraudsters can then use them for larger purchases or resell them to other criminals.
Read more: Card cracking and carding protection: how to stop bot-driven carding attacks.
Although carding fraud can be conducted manually, fraudsters typically make use of bots. Bots can perform repetitive tasks much faster than humans, and they enable the fraudsters to easily test thousands of cards without the manual drudgery.
Why was the website flagged by its payment processor?
The fashion website we are discussing runs on the BigCommerce platform. When someone makes a card payment, the website will generate a token which authorizes its payment processor to proceed with the transaction.
Whenever a bot completed and submitted the payment form with a stolen card number, the website would generate the token and send it to the payment processor as usual. However, if the card number was invalid or reported as stolen, the payment processor would decline the transaction.
Due to aggressive carding bot attacks, more and more transactions were being declined. Eventually, the website’s acceptance rate dropped below the payment processor’s allowed threshold, which prompted the alert.
This common scenario causes all sorts of problems and unnecessary costs for online businesses. For example, even when the card number is invalid and the transaction declined, you will pay the payment processor’s authentication fee. If the processor considers your website “high risk”, they may also increase your transaction fees, or even refuse to process any more payments until the problem is fixed. If you are using two-factor SMS authentication, it will drive up the cost even further.
Uncovering the Scope of Carding Fraud: the DataDome Free Trial
The payment processor’s alert spurred the fashion website’s CTO to look for a security solution that could be tested and deployed fast. The DataDome bot protection solution fit the bill: it’s a non-intrusive SaaS solution which any website administrator can easily set up and test on their own.
In free trial mode, the DataDome solution displays all bot traffic to the website in the user’s personal dashboard in real time, but does not block bad bots or interfere with the traffic in any other way.
The dashboard confirmed the CTO’s suspicions: in just two days, between April 28 and April 30, DataDome detected more than 8,400 carding attempts. The decision to subscribe and activate the DataDome protection was quickly made.
The protection was activated and took effect on May 1st. The DataDome solution now instantly blocks any bot-generated transaction attempts, before the token for the payment processor is generated. As a result, the website now has a normal acceptance rate, and the payment processor is happy (as is the CTO).
As you can see from the tail end of the graph above, the fraudsters quickly gave up when they realized that their carding attempts were being blocked. Instead of trying to work around the protection, they probably chose an easier route: finding another vulnerable website (hopefully not yours) where they could continue their carding attacks instead.
A Highly Distributed (But Not Very Smart) Attack
Today, most large-scale bot attacks are distributed across a vast number of different IP addresses. Services such as Luminati (the world’s largest proxy service) have made it cheap and easy for bot operators to rotate through thousands or even millions of different IPs.
This attack was no exception: the bot operators used IP addresses originating from 17 different countries in an attempt to mask the illicit traffic.
On the other hand, since the target website initially lacked protection, they didn’t go to too much trouble to pretend to be human. While a third of bad bots are now using residential IPs to blend in with human traffic and bypass IP-based security systems, the attackers in this case study only used data center IP addresses (which are cheaper).
How to Stop Carding Bot Fraud
Here at DataDome, we take pride in being able to detect even the most sophisticated bots. But truth be told, this attack was a pretty easy match for our detection engine. In fact, the bot operators didn’t even bother to equip their bots with user agents—which made sense as long as the target website hadn’t implemented any kind of bot protection.
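The two mechanics this case study describes, a run of bot-driven declines dragging the acceptance rate toward the processor's threshold and the cheap signals (no user agent, data center IPs, many countries, repeat attempts) that let a defender drop that traffic before the payment token is generated, can be replayed on a small constructed checkout log. The script below is an added example for this article; it is not DataDome's or BigCommerce's code and does not reproduce their detection engine. The log format, the data center IP list (documentation ranges standing in for real hosting ranges), the field names and the retry threshold are all assumptions made for the example.

```python
"""Triage of checkout attempts for carding-style abuse.

Added example, not DataDome's or BigCommerce's code. It replays a constructed
checkout log in order and shows (a) the acceptance rate the processor would see
if every attempt were forwarded and (b) the rate after attempts carrying a
pre-token bot signal are dropped before a payment token is generated.
"""
from collections import Counter
from dataclasses import dataclass, field
import ipaddress

# Assumption: a maintained data-center IP list. TEST-NET-2 and TEST-NET-3
# stand in for real hosting-provider ranges in this example.
DATACENTER_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("203.0.113.0/24")]

# Constructed log, one checkout attempt per line:
# timestamp|client_ip|country|user_agent|processor_outcome
# 192.0.2.0/24 (TEST-NET-1) plays the role of residential shopper addresses.
SAMPLE_LOG = """\
2024-04-28T10:00:01|192.0.2.10|FR|Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0|approved
2024-04-28T10:00:05|203.0.113.5|US||declined
2024-04-28T10:00:06|203.0.113.6|DE||declined
2024-04-28T10:00:07|198.51.100.20|BR||declined
2024-04-28T10:00:08|203.0.113.5|US||declined
2024-04-28T10:00:09|192.0.2.44|FR|Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Safari/604.1|declined
2024-04-28T10:00:10|198.51.100.21|NL||declined
2024-04-28T10:00:11|203.0.113.5|US||declined
2024-04-28T10:00:12|192.0.2.88|BE|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0|approved
2024-04-28T10:00:13|198.51.100.22|IN||declined
"""


@dataclass
class Attempt:
    ts: str
    ip: str
    country: str
    user_agent: str
    outcome: str                 # what the processor answered when the attempt was forwarded
    signals: list = field(default_factory=list)


def parse_log(text):
    """Parse the pipe-separated log into Attempt records, skipping blank lines."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, ua, outcome = line.split("|")
        attempts.append(Attempt(ts, ip, country, ua, outcome))
    return attempts


def acceptance_rate(attempts):
    """Share of forwarded attempts the processor approved; 0.0 if nothing was forwarded."""
    if not attempts:
        return 0.0
    return sum(a.outcome == "approved" for a in attempts) / len(attempts)


def is_datacenter_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_NETS)


def pre_token_signals(attempt, prior_failures, max_prior_failures=2):
    """Signals available before any payment token is generated.

    prior_failures counts earlier attempts from the same IP that were either
    blocked here or declined by the processor. The threshold leaves room for a
    real shopper to mistype a card once.
    """
    signals = []
    if not attempt.user_agent.strip():
        signals.append("missing_user_agent")
    if is_datacenter_ip(attempt.ip):
        signals.append("datacenter_ip")
    if prior_failures >= max_prior_failures:
        signals.append("repeat_after_failures")
    return signals


def triage(attempts, max_prior_failures=2):
    """Replay attempts in log order; block any attempt that carries a pre-token signal."""
    failed_by_ip = Counter()
    forwarded, blocked = [], []
    signal_counts = Counter()
    for a in attempts:
        a.signals = pre_token_signals(a, failed_by_ip[a.ip], max_prior_failures)
        signal_counts.update(a.signals)
        if a.signals:
            blocked.append(a)        # no token generated, no processor fee, no decline
            failed_by_ip[a.ip] += 1
        else:
            forwarded.append(a)
            if a.outcome == "declined":
                failed_by_ip[a.ip] += 1
    return {
        "raw_acceptance_rate": acceptance_rate(attempts),
        "acceptance_rate_after_blocking": acceptance_rate(forwarded),
        "blocked": len(blocked),
        "forwarded": len(forwarded),
        "blocked_countries": sorted({a.country for a in blocked}),
        "signal_counts": dict(signal_counts),
    }


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed log the raw acceptance rate is 2 approvals out of 10 attempts; after the seven attempts that carry a signal are dropped before token generation, the processor only sees the three genuine shoppers and the rate recovers to two thirds. The signals here are deliberately the crude ones the article says this attacker left exposed; bots that carry a user agent and come from residential IPs defeat them, which is the article's argument for behavioural detection rather than IP lists.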
Does this mean that the CTO could have easily fixed the problem with a free bot detection solution such as reCAPTCHA? The answer is no.
While CAPTCHAs offer decent protection against basic bots, bot operators are increasingly making use of both artificial intelligence and CAPTCHA farms to bypass CAPTCHAs. Once the CAPTCHA is solved, they can proceed undisturbed with their attack.
Furthermore, the false positive rate for CAPTCHAs is high, as any Internet user can attest. And identifying crosswalks, storefronts or fire hydrants is nobody’s idea of a great user experience, especially during the checkout and payment process. To have great conversion rates, you must minimize friction, and that includes making your security measures invisible for legitimate users.
Finally, a solid bot protection solution will also protect your website against other bot-related harms: content scraping, credential stuffing, bot fraud, and DDoS attacks, to mention but a few.
But why don’t you see for yourself? You can set up and start a 30-day DataDome free trial in less than an hour, and discover in real time what bad bots are really up to on your website. Start here, and be wiser by the end of the day!
