Carding Fraud

From SI410
Revision as of 21:22, 10 February 2023 by Ctrese

A point-of-sale skimming device that fits over the PIN pad. [1]


Carding is a type of fraud involving the theft and unauthorized use of payment card data. Typically the stolen card details are used to buy prepaid gift cards or other merchandise that can easily be resold. Criminals who engage in carding are known as "carders".[2] The Nilson Report states that "Gross fraud losses to issuers, merchants and acquirers of card transactions from merchants, as well as acquirers of card transactions from ATMs reached $28.65 billion" in 2019, and that 33.57% of these losses came from the United States. These figures do not include what retailers spend on fraud prevention and detection.[3]

Carding Methods

Carding begins with carders obtaining card numbers and the other details (expiry date, security code, billing address) needed to impersonate the card holder. Several methods are used to acquire this information.[4]

Online Forums & Marketplaces

Forums and marketplaces, both on the open web and hosted as hidden services on the dark web, give carders resources and a venue to buy and sell stolen card information.[5] Sales of personal information on the dark web are estimated at roughly one billion dollars per year; such information can be used to take over financial accounts.[6] The carding community using these sites has proved resilient to law-enforcement raids: historically the number of carding markets drops temporarily after a raid and then recovers.[7] Raids do not eliminate markets, but they do reduce market activity while smaller markets compete for the displaced business.[8] Many market operators run their businesses with a high degree of professionalism in order to compete for customers; some sites, for example, advertise refunds to customers who purchase card data that does not work.[9]

Skimming

Skimming is the technique of modifying point-of-sale devices to steal card data. It is commonly done with an overlay terminal that reads the data from the card's magnetic stripe. Overlay terminals are designed to fit over, and look like, a regular point-of-sale device so as to avoid detection. Popular skimming targets include card readers in stores, gas pumps, and ATMs.[10] Modern skimming devices are often very difficult to detect; some are thin enough to sit inside the card slot itself, and they may be paired with tiny cameras to capture PINs.[11]
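To make concrete what a stripe skimmer actually captures, here is an added example written for this page (not code from any of the cited sources): it parses a Track 2 record in the ISO/IEC 7813 layout that a magnetic-stripe read produces and checks the account number's Luhn digit. The sample record is constructed: the PAN is the well-known 4111 1111 1111 1111 test number, and the expiry, service code and discretionary data are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample Track 2 record (ISO/IEC 7813 layout): start sentinel ';',
# PAN, field separator '=', expiry YYMM, 3-digit service code, discretionary
# data, end sentinel '?'.  The PAN is the 4111... test number; nothing here
# belongs to a real card.
SAMPLE_TRACK2 = ";4111111111111111=2512201123456789012?"

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def masked_pan(self) -> str:
        # First six (the BIN) and last four are what a log may safely keep.
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]

    @property
    def chip_present(self) -> bool:
        # Service code first digit 2 or 6: the card has an integrated circuit,
        # so an EMV terminal should use the chip instead of accepting the stripe.
        return self.service_code[0] in "26"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test used for card numbers (ISO/IEC 7812)."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Parse a raw Track 2 dump; raise ValueError if malformed or the PAN fails Luhn."""
    m = TRACK2_RE.match(raw.strip())
    if m is None:
        raise ValueError("not a Track 2 record")
    rec = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_valid(rec.pan):
        raise ValueError("PAN fails Luhn check")
    return rec


if __name__ == "__main__":
    rec = parse_track2(SAMPLE_TRACK2)
    print(rec.masked_pan, "exp", rec.expiry_yymm,
          "chip card" if rec.chip_present else "stripe-only card")
```

Two things are worth noting from the parsed record. The service code's first digit (2 in the sample) tells a terminal that the card carries a chip, so a stripe read of a chip card should make an EMV terminal insist on the chip rather than accept the stripe. And Track 2 carries no CVV2 (the code printed on the back), so skimmed stripe data on its own cannot pass an online merchant's CVV check; what the carder gets is the full PAN and expiry.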

Data Breaches

Card information can also be leaked when retailers that store payment data are breached. In 2014 the large U.S. retailer Home Depot suffered a data breach in which attackers used custom malware to gain access to its payment data. The breach exposed the card data of over 40 million customers.[12] The number of data breaches has reached record highs in recent years, and a shift towards supply chain attacks indicates that breaches will remain a source of stolen card data for the foreseeable future.[13]

Social Engineering

Social engineering covers practices that deceive or manipulate card holders or businesses into giving up information. In one case, carders called guests of a Hilton Garden Inn in Dallas, Texas, posing as hotel employees who needed to re-verify credit card numbers after a computer problem.[14] Carders also use other channels such as email and text messages, usually impersonating a trusted institution.[15]

BIN Attack

The Bank Identification Number (BIN), the leading digits of a card number, identifies the financial institution that issued the card.[16] In a BIN attack, carders take a valid BIN and generate large numbers of candidate card numbers with that prefix, then test them to find the ones that are live. The generation and testing are generally automated.[17] BIN attacks are one of the simplest ways to find valid cards because candidates can be tested in bulk by scripts that submit small test payments to real merchants. If a candidate's details are accepted and the transaction is not flagged as fraudulent, the attacker can use or sell the card data.[18]
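From the merchant's side, the bulk testing described above leaves a recognisable pattern in authorization logs: one client trying many different card numbers that share a BIN, for tiny amounts, with most attempts declined. The following is an added example written for this page (not a cited vendor's detection logic) that runs a sliding-window check over a constructed log. The log format, the IP addresses and the thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization-attempt log (no real merchant data).  Fields:
# timestamp, client IP, BIN (first six digits), last four digits, amount, result.
# A real log should carry a card token or keyed hash, never the full PAN.
SAMPLE_LOG = """\
2023-02-10T10:00:01 203.0.113.7 411111 0001 1.00 DECLINED
2023-02-10T10:00:02 203.0.113.7 411111 0002 1.00 DECLINED
2023-02-10T10:00:02 203.0.113.7 411111 0003 1.00 DECLINED
2023-02-10T10:00:03 203.0.113.7 411111 0004 1.00 APPROVED
2023-02-10T10:00:04 203.0.113.7 411111 0005 1.00 DECLINED
2023-02-10T10:00:05 203.0.113.7 411111 0006 1.00 DECLINED
2023-02-10T10:00:05 203.0.113.7 411111 0007 1.00 DECLINED
2023-02-10T10:00:06 203.0.113.7 411111 0008 1.00 DECLINED
2023-02-10T10:00:07 203.0.113.7 411111 0009 1.00 APPROVED
2023-02-10T10:00:08 203.0.113.7 411111 0010 1.00 DECLINED
2023-02-10T10:03:00 198.51.100.2 411111 7788 54.20 APPROVED
2023-02-10T10:04:10 198.51.100.9 520000 1234 19.99 APPROVED
2023-02-10T10:05:00 198.51.100.9 520000 1234 19.99 DECLINED
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, bin6, last4, amount, result = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "ip": ip, "bin": bin6,
                     "last4": last4, "amount": float(amount), "result": result})
    return rows


def detect_bin_attacks(rows, window=timedelta(seconds=60),
                       min_distinct_cards=8, min_decline_rate=0.5):
    """Flag (IP, BIN) pairs that try many distinct cards sharing one BIN within
    a short window with a high decline rate: the signature of automated card testing."""
    by_key = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_key[(r["ip"], r["bin"])].append(r)

    alerts = []
    for (ip, bin6), attempts in by_key.items():
        best = None          # the window with the most distinct cards for this key
        start = 0
        for end in range(len(attempts)):
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1   # slide the window forward
            chunk = attempts[start:end + 1]
            distinct = len({a["last4"] for a in chunk})   # last4 stands in for a card token
            if best is None or distinct > best["distinct_cards"]:
                declines = sum(a["result"] == "DECLINED" for a in chunk)
                best = {"ip": ip, "bin": bin6, "attempts": len(chunk),
                        "distinct_cards": distinct,
                        "decline_rate": declines / len(chunk),
                        "avg_amount": sum(a["amount"] for a in chunk) / len(chunk),
                        "window_start": chunk[0]["ts"].isoformat()}
        if (best["distinct_cards"] >= min_distinct_cards
                and best["decline_rate"] >= min_decline_rate):
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_bin_attacks(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log only the first client is flagged: ten different cards on BIN 411111 in seven seconds, all for $1.00, eight of them declined. The two legitimate-looking clients (one purchase, and one retry of the same card) fall below the distinct-card threshold. The usual response to such an alert is to rate-limit or challenge that client and to void the approvals it obtained, since those are the "live" numbers the attacker was looking for.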

Cashing Out

A common method carders use to make profit is the following:

  1. Carders list easily resold items on marketplaces such as eBay.
  2. When a bidder wins the carder's listing, the carder orders the item from a real vendor using the stolen card details.
  3. If the payment succeeds, the real vendor ships the item to the bidder.

In this scheme the bidder is unaware of any fraud. Either the real card holder does not notice the charge, or they file a fraud claim and the real vendor is left to cover the loss.[19]

Prevention

Merchant Mitigations

Because of the substantial losses, merchants use a number of strategies to make carding harder and detection easier. Card processors offer an Address Verification System (AVS) that lets a merchant check the billing address given at checkout against the address the issuing bank has on file.[20] This raises the bar for carders, but it can be circumvented if the carder obtains the correct billing address through social engineering or other means. The CVV security code adds a further check: it is printed on the card but is not among the data encoded on the magnetic stripe, and it serves as evidence that the purchaser has the physical card in hand. Merchants are not permitted to store the CVV after authorization, so data stolen in a breach of a merchant should not include it; requiring the CVV is therefore an effective defence against card data obtained from such breaches.[21]
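What AVS and CVV results look like to a merchant's checkout code, and what the merchant is allowed to keep afterwards, is easier to see in code. The following is an added example written for this page, not any processor's SDK: a small decision function over the AVS and CVV result codes, a constructed stand-in for the processor, and an order record that retains only the last four digits and the verification results. The result-code letters are the Visa-style codes many U.S. processors return (Y/A/Z/N for AVS, M/N for CVV); that mapping, the $200 review threshold and the test card are assumptions for the example.

```python
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class CardInput:
    """What the customer types at checkout.  Held in memory for the
    authorization call only; it is never written to the order record."""
    pan: str
    expiry_yymm: str
    cvv2: str
    billing_street: str
    billing_zip: str


@dataclass(frozen=True)
class GatewayResponse:
    approved: bool
    avs: str   # AVS result code (assumed Visa/US-style: Y, A, Z, N, U, ...)
    cvv: str   # CVV2 result code: M match, N no match, P/U/S not checked


@dataclass(frozen=True)
class StoredOrder:
    """The only card-related fields the merchant persists: last four digits and
    the verification *results*.  No full PAN, no CVV2 (PCI DSS forbids storing CVV2)."""
    order_id: str
    pan_last4: str
    amount: float
    avs: str
    cvv_result: str
    decision: str


REVIEW_THRESHOLD = 200.00   # assumption: partial AVS match above this goes to manual review


def decide(resp: GatewayResponse, amount: float) -> str:
    if not resp.approved:
        return "decline"
    if resp.cvv == "N":                 # breach data lacks the CVV2; a wrong one is a strong signal
        return "decline"
    if resp.cvv != "M":                 # issuer did not check it: treat as unverified
        return "review"
    if resp.avs in ("Y", "X"):          # street and ZIP both match
        return "accept"
    if resp.avs in ("A", "Z", "W"):     # only one of street / ZIP matched
        return "review" if amount > REVIEW_THRESHOLD else "accept"
    if resp.avs == "N":                 # nothing matched
        return "decline"
    return "review"                     # U, R, S, G: AVS unavailable for this card


def fake_gateway(card: CardInput, amount: float) -> GatewayResponse:
    """Constructed stand-in for a payment processor that knows one test card."""
    on_file = {"4111111111111111": ("123", "1 Main St", "48109")}
    if card.pan not in on_file:
        return GatewayResponse(False, "U", "U")
    cvv2, street, zip_code = on_file[card.pan]
    avs = {(True, True): "Y", (True, False): "A",
           (False, True): "Z", (False, False): "N"}[
        (card.billing_street == street, card.billing_zip == zip_code)]
    return GatewayResponse(True, avs, "M" if card.cvv2 == cvv2 else "N")


def checkout(order_id: str, card: CardInput, amount: float,
             gateway=fake_gateway) -> StoredOrder:
    resp = gateway(card, amount)
    # Only last4 and the result codes leave this function; the CardInput is dropped.
    return StoredOrder(order_id, card.pan[-4:], amount, resp.avs, resp.cvv,
                       decide(resp, amount))


if __name__ == "__main__":
    card = CardInput("4111111111111111", "2512", "123", "1 Main St", "48109")
    print(asdict(checkout("order-1", card, 50.0)))
```

The stored record is the point of the example: if this merchant is breached, the attacker gets last-four digits and result codes, not a usable card. The thresholds are deliberately simple; real risk engines combine AVS and CVV results with velocity, device and history signals.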

Card Holder Mitigations

Many card issuers have zero-liability policies that protect card holders from responsibility for carding fraud in most cases. Fraud victims should contact their bank immediately when they spot suspicious activity on an account. Card holders can reduce their risk by checking for skimmers on point-of-sale devices and ATMs, keeping personal information private, and being aware of common social engineering techniques such as fake emails asking for personal information.[22]

Card Issuer Mitigations

Card issuers build some security into cards and networks. Anti-fraud systems on the issuers' networks analyse transactions with AI or other analytic tools to spot potential fraud, considering factors such as transaction amount, time, and place.[23] Issuers have also moved to smart chip cards, including contactless ones, which have become common in the United States.[24] The chip is a microprocessor that authenticates each transaction by generating a unique one-time code. Unlike static magnetic-stripe data, a code captured by an attacker cannot be reused for another transaction, which provides extra security.[25]
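The one-time code described above can be modelled in a few dozen lines. The following is an added example written for this page, not Visa's or any card vendor's code: a card-side counter and keyed MAC stand in for the EMV application cryptogram (real EMV derives a per-card key from an issuer master key and computes a 3DES or AES MAC over a defined list of data elements; HMAC-SHA256 is used here for simplicity), and the issuer side shows why a captured code cannot be replayed, even for the same amount. The PAN is the 4111... test number, the keys are random, and the whole exchange is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _cryptogram(key: bytes, pan: str, atc: int, amount_cents: int, un: bytes) -> bytes:
    # Simplified stand-in for an EMV application cryptogram: a keyed MAC over the
    # transaction data, truncated to 8 bytes like a real ARQC.  Binding the
    # counter (ATC), amount and terminal nonce (UN) into the MAC is what makes
    # the code single-use.
    msg = f"{pan}|{atc}|{amount_cents}|{un.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    pan: str
    key: bytes            # secret shared with the issuer; never leaves the chip
    atc: int = 0          # application transaction counter

    def generate(self, amount_cents: int, un: bytes):
        """Return (atc, cryptogram) for one transaction; the counter moves on every call."""
        self.atc += 1
        return self.atc, _cryptogram(self.key, self.pan, self.atc, amount_cents, un)


@dataclass
class Issuer:
    keys: dict = field(default_factory=dict)
    last_atc: dict = field(default_factory=dict)

    def enroll(self, pan: str, key: bytes) -> None:
        self.keys[pan] = key

    def authorize(self, pan: str, atc: int, amount_cents: int, un: bytes,
                  cryptogram: bytes) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE:unknown card"
        expected = _cryptogram(key, pan, atc, amount_cents, un)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE:cryptogram mismatch"     # wrong key, or altered amount/UN
        if atc <= self.last_atc.get(pan, 0):
            return "DECLINE:counter replayed"        # same code presented a second time
        self.last_atc[pan] = atc
        return "APPROVE"


def run_scenario(key: bytes = None) -> list:
    """Legitimate purchase, then three attempts to abuse what an eavesdropper saw."""
    card = ChipCard("4111111111111111", key or os.urandom(16))   # test PAN, random key
    issuer = Issuer()
    issuer.enroll(card.pan, card.key)

    un = os.urandom(4)                         # terminal's unpredictable number
    atc, cg = card.generate(1999, un)          # genuine card in terminal, $19.99
    results = [issuer.authorize(card.pan, atc, 1999, un, cg)]

    # Attacker who captured (atc, cg, un) from the first transaction:
    results.append(issuer.authorize(card.pan, atc, 1999, un, cg))    # straight replay
    results.append(issuer.authorize(card.pan, atc, 9999, un, cg))    # reuse for a larger amount
    # Attacker with the PAN (e.g. from a skimmer) but without the chip key:
    results.append(issuer.authorize(card.pan, atc + 1, 1999, un, bytes(8)))

    # The genuine card's next transaction still works:
    un2 = os.urandom(4)
    atc2, cg2 = card.generate(500, un2)
    results.append(issuer.authorize(card.pan, atc2, 500, un2, cg2))
    return results


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Contrast this with a magnetic stripe: the stripe's contents are the same on every swipe, so whoever copies them once can produce a working clone. Here the issuer checks both that the code was produced with the card's key over exactly this transaction and that the counter has moved forward, so a copied code is useless and so is a copied PAN.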

Ethics & Legality

In the United States, the Fair Credit Billing Act limits a card holder's liability for unauthorized charges to $50.[26] Most carding losses fall on card issuers, about 68.39% of worldwide gross losses, with the remainder mostly borne by merchants.[27] Although the direct monetary cost rarely falls on card holders, merchants and issuers may respond to losses by raising prices rather than improving security. Card holders also face other frictions; for example, merchants using Address Verification Systems may require card holders to update their billing address after moving before the card can be used.[28] In addition, issuers investigate fraud claims rather than accepting them automatically because of chargeback fraud, in which a card holder claims that a purchase they made themselves was fraudulent and requests a chargeback in the hope of getting the money back while keeping the merchandise. Because of these investigations, card holders must wait for a decision and may have their chargeback declined.[29]

Recipients of the American Supplemental Nutrition Assistance Program (SNAP) may be at higher risk of being victimized by carders using skimmers. SNAP provides low-income households with cards that work like prepaid debit cards and can be used to buy essential items.[30] In most states these cards do not have chip technology, and some experts argue that this makes them easier targets for carders.[31] In addition, U.S. federal law bars states from using federal funds to replace stolen benefits, leaving low-income families, the people most affected, to absorb the losses and to protect themselves.[32] In one documented case in Baltimore County, a woman had almost $3,000 of SNAP benefits stolen; her benefits were not reimbursed even after police found a card skimmer and obtained surveillance footage of the suspects buying large quantities of baby formula.[33] Skimming of SNAP benefits is a growing problem in many states, including Massachusetts, where the Massachusetts Law Reform Institute has filed a class-action lawsuit against the Department of Transitional Assistance on behalf of victims.[34] The suit aims to increase the accountability of the government entities involved and to simplify the process of restoring stolen benefits.

References

  1. Krebs on Security, "Checkout Skimmers Powered by Chip Cards" (image): https://krebsonsecurity.com/wp-content/uploads/2021/02/overlay-shim.png
  2. https://www.investopedia.com/terms/c/carding.asp
  3. https://nilsonreport.com/mention/1313/1link/
  4. https://www.forbes.com/advisor/credit-cards/how-credit-card-information-is-stolen-and-what-to-do-about-it/
  5. https://eprints.soton.ac.uk/413441/1/Final_Paper_After_Acceptance.pdf
  6. https://nilsonreport.com/mention/1313/1link/
  7. https://aisel.aisnet.org/wisp2018/20/
  8. https://blog.chainalysis.com/reports/how-darknet-markets-fought-for-users-in-wake-of-hydra-collapse-2022/
  9. https://krebsonsecurity.com/2020/03/russians-shut-down-huge-card-fraud-ring/
  10. https://abcnews.go.com/GMA/News/video/credit-card-skimming-crimes-rise-96656884
  11. https://krebsonsecurity.com/2022/09/say-hello-to-crazy-thin-deep-insert-atm-skimmers/
  12. https://www.reuters.com/article/us-home-depot-cyber-settlement-idUSKBN2842W5
  13. https://www.idtheftcenter.org/wp-content/uploads/2023/01/ITRC_2022-Data-Breach-Report_Final.pdf
  14. https://www.nbcnews.com/id/wbna43662080
  15. https://lifelock.norton.com/learn/identity-theft-resources/what-is-carding
  16. https://www.investopedia.com/terms/b/bank-identification-number.asp
  17. https://www.ascentra.org/learn/news-blogs/article/2022/07/26/credit-card-fraud-bin-attacks
  18. https://thepointsguy.com/guide/bin-attack-credit-card/
  19. https://krebsonsecurity.com/2015/11/how-carders-can-use-ebay-as-a-virtual-atm/
  20. https://www.investopedia.com/terms/a/address-verification-system.asp
  21. https://www.americanexpress.com/en-us/credit-cards/credit-intel/what-is-cvv/?linknav=creditintel-cards-article
  22. https://www.emerald.com/insight/content/doi/10.1108/13590790810907236/full/html#idm46555354902368
  23. https://usa.visa.com/visa-everywhere/security/outsmarting-fraudsters-with-advanced-analytics.html
  24. https://www.forbes.com/advisor/credit-cards/contactless-credit-cards/
  25. https://usa.visa.com/content/dam/VCOM/Media%20Kits/PDF/PaymentSecurity_Infographic.pdf
  26. http://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter41-subchapter1-partD&edition=prelim
  27. https://nilsonreport.com/mention/1313/1link/
  28. https://www.investopedia.com/terms/a/address-verification-system.asp
  29. https://chargebacks911.com/credit-card-fraud-investigation/
  30. https://www.benefits.gov/benefit/361
  31. https://krebsonsecurity.com/2022/10/how-card-skimming-disproportionally-affects-those-most-in-need/
  32. https://krebsonsecurity.com/2022/11/lawsuit-seeks-food-benefits-stolen-by-skimmers/
  33. https://www.thebaltimorebanner.com/community/criminal-justice/one-womans-quest-for-justice-after-almost-3000-of-benefits-were-stolen-LHIKMQZSNJBULC7LXCEIE264OA/
  34. https://drive.google.com/file/d/1R11j74KZsBRLJAyHlBYiRBQTxJQSfdkc/view