We previously wrote about Kadence reCAPTCHA to protect your site from spammers and brute force login attacks. Kadence reCAPTCHA can also be helpful for eCommerce stores that may be targeted in carding attacks.
Unfortunately, carding attacks are a current problem affecting numerous eCommerce stores, whether they run WooCommerce or any other cart application. These attacks can have severe repercussions for online merchants both big and small.
In today’s post, we’re reviewing carding attacks, the risks associated with them, and how Kadence reCAPTCHA can be an effective tool to reduce the impact of carding attacks on your store.
What is a carding attack?
A carding attack can also be called just “carding” or “credit card stuffing.” In these attacks, criminals are looking to determine whether or not the stolen credit card numbers they’ve obtained are valid so that they can then turn around and use this stolen information to obtain merchandise fraudulently. Often, these criminals use stolen credit card numbers to purchase high-ticket items and resell them for cash.
Criminals buy lists of stolen credit card numbers, which can also include Personally Identifiable Information (PII) of cardholders, including their name, credit card number, expiration date, CVV code, zip code, and even a cardholder’s address, email address and other sensitive information. What is included in these lists of stolen credit card numbers depends on the source. Sometimes these stolen credit cards are obtained through hacked sites (which is why you should always use protection such as iThemes Security), or they can be obtained through phishing scams on unsuspecting consumers.
Often these lists are purchased by numerous criminals or “carders,” so time is of the essence for them. They need to find out which credit card numbers are still valid so they can use them before the cardholder suspects fraud. Thus, they need to do so quickly.
As such, these criminals write scripts that test their list of stolen credit cards against unsuspecting merchants. These tests may just be small purchases, but they often are thousands of transactions sent to a single merchant’s online storefront.
Once a card is authenticated and is shown to be valid, the carder will use that credit card information to purchase large ticket items, gift cards, or anything else that they can obtain to turn around for a quick profit.
What are the risks of a carding attack to store owners?
A carding attack can negatively impact businesses whose websites are being used by carders to test stolen credit cards. Carding typically results in chargebacks: disputed transactions that are reversed to refund the cardholder’s funds.
Every chargeback can affect the reputation of the online merchant with credit card processors, lead to a poor merchant history, and incur chargeback penalties.
Often when these types of carding attacks affect a business, the credit card processing company will reach out to the merchant to ask the merchant to take steps to rectify the problem. If left unchecked, the store owner is at risk of losing their merchant account, eliminating their ability to accept transactions online until they can get a new merchant account. Even if they do, the store owner, already a victim of this type of attack, is marred by a high-risk designation and may be subject to higher fees from another merchant account provider.
How to know you’re under attack
If you’re targeted by online criminals attempting carding attacks, you’ll see aberrant cart behavior. You might begin to see:
- High cart abandonment rates
- Low average shopping cart size
- Numerous failed payment authorizations
- High traffic to the payment step in your shopping cart that doesn’t follow typical checkout flow
- Increased chargebacks
- Numerous failed payment authorizations from the same user, IP address, or session
If you’re watching your online transactions, a carding attack will be fairly obvious. Carding attacks, because of the time pressure carders are under, are almost always automated processes with clearly identifiable patterns. Something won’t look right, and there will be some patterns that make the attack stand out.
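The indicators above can be checked mechanically rather than by eye. As an added example (not part of the original post or of the Kadence plugin), this Python script runs a simple detector over a constructed payment-gateway log, flagging source IPs that accumulate repeated declined authorizations on small orders inside a short window; the log format, field names and thresholds are assumptions, since WooCommerce and individual gateways log differently.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway log (not from a real store): timestamp, client IP,
# checkout session, order total, result. 203.0.113.7 shows the carding pattern.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ip=203.0.113.7 session=a1 total=1.00 result=declined
2024-03-01T10:00:04 ip=203.0.113.7 session=a2 total=1.00 result=declined
2024-03-01T10:00:06 ip=203.0.113.7 session=a3 total=1.00 result=approved
2024-03-01T10:00:09 ip=203.0.113.7 session=a4 total=1.00 result=declined
2024-03-01T10:00:11 ip=203.0.113.7 session=a5 total=1.00 result=declined
2024-03-01T10:00:14 ip=203.0.113.7 session=a6 total=1.00 result=declined
2024-03-01T10:02:30 ip=198.51.100.20 session=b1 total=89.99 result=approved
2024-03-01T10:05:12 ip=198.51.100.21 session=c1 total=45.00 result=declined
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) session=(\S+) total=([\d.]+) result=(\w+)$")

def parse_log(text):
    """Parse log lines into (timestamp, ip, total, result); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, _session, total, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, float(total), result))
    return events

def find_carding_suspects(events, window=timedelta(minutes=10),
                          min_failures=5, max_avg_total=5.0):
    """Return {ip: (declines, avg_total)} for IPs with at least `min_failures`
    declined authorizations inside `window` and a small average order total.
    The thresholds are tuning knobs; start loose and tighten per store."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    suspects = {}
    for ip, evs in by_ip.items():
        avg_total = sum(ev[2] for ev in evs) / len(evs)
        declines = [ev[0] for ev in evs if ev[3] == "declined"]
        start = 0  # sliding window over the sorted decline timestamps
        for end in range(len(declines)):
            while declines[end] - declines[start] > window:
                start += 1
            if end - start + 1 >= min_failures and avg_total <= max_avg_total:
                suspects[ip] = (len(declines), round(avg_total, 2))
                break
    return suspects

print(find_carding_suspects(parse_log(SAMPLE_LOG)))
```

A real deployment would also key on checkout session and user account, as the indicator list suggests, since carders rotate IPs.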
How to stop a carding attack
Stopping a carding attack can be a tricky endeavor. You want to ensure anyone who wants to purchase products can do so as easily as possible. You want them to be able to check out their way, without having to log in, create an account, jump through any hoops, or experience any friction. You want them to quickly and easily provide payment information and click “Buy Now.”
However, as with all security practices, the easier you make it for site visitors to do something, the easier it is for malicious actors to abuse that functionality. The harder you make it for attackers, the harder you make it for potential customers.
So where does a shop owner find balance? Luckily, bots give us ample opportunity to block malicious activity when we can clearly identify their automated bot-driven patterns.
Our recommendation is similar to that of many security professionals: to stop a carding attack, take a layered approach to make using your site’s eCommerce platform unattractive to criminal carders and their merry collection of carding bots.
Towards that end we recommend:
- Use Kadence’s Google reCAPTCHA integration on your WooCommerce checkout.
- Talk to your merchant provider about any anti-fraud services they offer to protect your eCommerce site.
- Establish an incident response plan in the event your site is attacked so you can respond quickly.
- Use a service like Cloudflare that can identify bot activity at scale before it ever reaches your site.
- Talk to your hosting provider about detecting malicious activity at the network level before it reaches your site.
How does Kadence reCAPTCHA cut down on carding attacks?
Because most carding attacks are automated, they almost always fail reCAPTCHA. The reCAPTCHA process detects whether or not a request is coming from valid human input. When a request is detected as automated, blocking it at the checkout form is one of the effective measures helping you stop a carding attack before the payment authorization is ever attempted.
How to get started with Kadence reCAPTCHA to prevent carding attacks
Kadence’s reCAPTCHA plugin is available to those who have purchased either the Full or Lifetime Bundle. It is not available for individual purchase. If you are a Full or Lifetime Bundle customer, head to your account on KadenceWP.com and download the reCAPTCHA plugin. We have full instructions on how to get Kadence reCAPTCHA working on your site on our previous post about Kadence reCAPTCHA.
Some things of note:
1. Ensure that reCAPTCHA for WooCommerce checkout is toggled on.
2. To reduce friction on your checkout, use reCAPTCHA v3 so that your users aren’t even aware that reCAPTCHA is being used on your checkout.
3. When you implement reCAPTCHA v3 on your checkout process, watch orders closely. You may need to tune the score threshold to ensure that valid users don’t have a problem.
4. If you receive orders from countries that routinely block Google, choose recaptcha.net in the Kadence reCAPTCHA settings to ensure your orders aren’t blocked.
5. If you hide the reCAPTCHA badge, ensure you add appropriate text to your form as instructed by Google.
Wherever there is commerce, there will be thieves and fraudsters looking to exploit weakness to make a profit. Our job as site owners is to harden our defenses and ensure that these types of attacks aren’t easy on our sites. Our reward is less administrative headache, lower credit card processing fees, more server resources available to valid customers, and a better online presence as a whole.
Kadence is committed to helping site owners build effective sites that delight customers, and towards that end, security is just one more tool in our bundled offering.
If you’ve been considering getting a Kadence Bundle to support your online storefront, we have a number of plugins that can help you. Both the Full and Lifetime Bundles include Kadence reCAPTCHA as well as Kadence Conversions, Kadence Shop Kit, and many other useful tools.