Carding Attack

I have been facing carding attack on my site.
This is the method the attackers are using:
They use a real browser and follow the genuine customer checkout flow; that is, they are executing the attack manually. They add products to the cart, proceed to the checkout page, input dummy shipping details, and at the card details form they enter stolen card information. They then place the order. If the payment fails, they move on to the next set of card details and repeat the process. After 2-3 attempts they change their IP, and each attempt has a gap of 1 or 2 minutes.

Currently, I have a Cloudflare rule to block requests from all countries except one, and a rate limit rule for the payment API endpoint set to 4 requests within 10 minutes, then block for 1 day. I have also enabled reCAPTCHA on the checkout page. However, since their attempts are almost 90% manual, these CF rules are not very effective.

Do you have any suggestions on how I can prevent this type of attack?
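The pattern described above (failures continue while the IP rotates) is exactly the case a per-IP rate limit cannot see. The script below is an added example, not code from this post or from Cloudflare: it replays a constructed sample of payment-attempt events and compares the per-IP rule from the post (4 per 10 minutes) with the same sliding-window count keyed on the checkout session, plus a second signal, the number of distinct cards tried in one session. The event format, field names and thresholds are assumptions for the example.

```python
"""Sliding-window failed-payment detection keyed on the checkout session.

Added example, not code from the original post. It replays a constructed
sample of payment-attempt events and shows why a per-IP rule like the
Cloudflare rate limit described above (4 requests per 10 minutes) never
fires against an attacker who rotates IPs every 2-3 attempts, while the
same events keyed on the checkout session (or cart id) are flagged.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. Session s-1 is the carding run from the post:
# five failed authorisations, a different card each time, 1-2 minutes
# apart, spread over three source IPs. Session s-2 is a genuine shopper who
# mistyped once and then paid successfully.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ip=203.0.113.5 session=s-1 card=1111 result=fail
2024-05-01T10:01:30 ip=203.0.113.5 session=s-1 card=2222 result=fail
2024-05-01T10:03:00 ip=198.51.100.7 session=s-1 card=3333 result=fail
2024-05-01T10:04:45 ip=198.51.100.7 session=s-1 card=4444 result=fail
2024-05-01T10:06:10 ip=192.0.2.9 session=s-1 card=5555 result=fail
2024-05-01T10:02:00 ip=203.0.113.44 session=s-2 card=9876 result=fail
2024-05-01T10:05:00 ip=203.0.113.44 session=s-2 card=9876 result=ok
"""

WINDOW = timedelta(minutes=10)
IP_FAIL_LIMIT = 4        # the per-IP Cloudflare rule from the post
SESSION_FAIL_LIMIT = 2   # tighter limit that travels with the session
DISTINCT_CARD_LIMIT = 2  # more than this many cards in one session is a signal


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def failures_over_limit(events, key, limit):
    """Keys whose failed attempts exceed `limit` within any WINDOW-long span."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in events:
        if ev["result"] != "fail":
            continue
        q = recent[ev[key]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > WINDOW:   # drop attempts older than the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ev[key])
    return flagged


def card_churn(events, limit=DISTINCT_CARD_LIMIT):
    """Sessions that tried more than `limit` distinct cards: the 'next card
    after a decline' behaviour is the carding signature itself."""
    cards = defaultdict(set)
    for ev in events:
        cards[ev["session"]].add(ev["card"])
    return {s for s, c in cards.items() if len(c) > limit}


def detect(text):
    """Run all three signals over a log and return the flagged keys per signal."""
    events = parse_events(text)
    return {
        "by_ip": failures_over_limit(events, "ip", IP_FAIL_LIMIT),
        "by_session": failures_over_limit(events, "session", SESSION_FAIL_LIMIT),
        "card_churn": card_churn(events),
    }


if __name__ == "__main__":
    for signal, hits in detect(SAMPLE_LOG).items():
        print(f"{signal:12s} -> {sorted(hits) or 'nothing flagged'}")
```

On the sample, the per-IP count never exceeds 2 for any address, so the Cloudflare-style rule stays silent, while the session-keyed count and the distinct-card count both flag s-1 and leave the genuine shopper alone. The same logic keys equally well on a cart id, a device fingerprint or a server-side checkout token; the point is to count on something the attacker keeps while rotating addresses.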

Re: Carding Attack

Not much more you can do in the specific case you described.

The only way to be 100% certain would be to kill the guest checkout and require registered customers to go through a KYC process so you know each of them is the real person they claim to be on the card. But that is not something a usual B2C customer would go through just to make a purchase.

Founder at https://agency418.com

Re: Carding Attack

Do you by any chance use Braintree for payment processing? Our sites have been targeted for the last several days. We have advanced fraud prevention on Braintree configured, and we have reCaptcha configured on the payment page. But they seem to be able to bypass reCaptcha. Any additional thoughts? We are considering implementing CloudFlare and putting rate limiting in place. We have noticed that when the attacks happen, they seem to be bypassing the captcha, as there are hundreds of POST /captcha/refresh issued within just a few seconds.

These attacks have occurred from multiple global locations, including the US and Canada.

Any additional thoughts you have are much appreciated.
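The burst of POST /captcha/refresh requests this reply mentions is itself a usable detection signal. The script below is an added example, not code from the reply or from Braintree or Cloudflare: it parses combined-format web access-log lines, keeps a sliding 10-second window of captcha-refresh requests per client address, and reports clients whose refresh rate is beyond anything a human clicks. The log lines are constructed, and the endpoint path, window and threshold are assumptions for the example.

```python
"""Burst detection for captcha-refresh requests in a web access log.

Added example, not code from the post. It reads combined-format access-log
lines, keeps a sliding 10-second window per client address for requests to
the captcha refresh endpoint, and reports clients whose peak rate exceeds
a human-plausible limit. All log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
CAPTCHA_PATH = "/captcha/refresh"   # assumed endpoint, taken from the reply above
WINDOW = timedelta(seconds=10)
BURST_LIMIT = 20                    # refreshes per window; a person needs a few at most


def _line(ip, ts, method, path, status=200):
    """Build one constructed combined-log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


def constructed_log():
    """A genuine shopper (one refresh, then a payment POST) plus a client
    that issues 30 captcha refreshes across three seconds."""
    lines = [
        _line("198.51.100.20", "01/May/2024:10:00:00 +0000", "GET", "/checkout"),
        _line("198.51.100.20", "01/May/2024:10:00:08 +0000", "POST", CAPTCHA_PATH),
        _line("198.51.100.20", "01/May/2024:10:00:40 +0000", "POST", "/payment/authorize", 402),
    ]
    for second in range(3):
        for _ in range(10):
            lines.append(_line("203.0.113.10", f"01/May/2024:10:00:0{second} +0000",
                               "POST", CAPTCHA_PATH))
    return "\n".join(lines)


def parse_line(line):
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def peak_refresh_rate(text):
    """Per client IP, the highest number of captcha refreshes seen inside
    any WINDOW-long sliding span."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    records = [r for r in map(parse_line, text.splitlines()) if r]
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["method"] != "POST" or rec["path"] != CAPTCHA_PATH:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > WINDOW:   # expire requests outside the window
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return dict(peak)


def burst_clients(text, limit=BURST_LIMIT):
    """Client addresses whose peak refresh count exceeds `limit`."""
    return {ip for ip, n in peak_refresh_rate(text).items() if n > limit}


if __name__ == "__main__":
    log = constructed_log()
    for ip, n in peak_refresh_rate(log).items():
        print(f"{ip:15s} peak {n:3d} refreshes / 10 s"
              f"{'  <-- burst' if n > BURST_LIMIT else ''}")
```

Run against the real access log, the peak counts give a quick baseline of what legitimate shoppers actually do with the refresh endpoint, which is the number to set the limit from; the flagged addresses are a candidate list for a firewall rate-limit rule on that path rather than on the payment API alone.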

Re: Carding Attack

Implement more granular rate limiting that can detect patterns of suspicious behavior. For instance, instead of a fixed number of requests, use algorithms that adapt to behavior patterns, such as frequency of checkout attempts or failed payment attempts.

Re: Carding Attack

I share your concerns about carding attacks. It’s pretty scary how quickly these things can happen. The best way to protect yourself is to stay aware of your accounts and be cautious about where you share your information. Using two-factor authentication is a good idea and can add that extra layer of security.
Also, have you checked out KYC verification? It can help reduce the risk of fraud by ensuring that only verified users have access to certain features. Just remember to keep an eye on your statements regularly and report any suspicious activity right away. Trust your gut and step back if you are unsure about a transaction.

Re: Carding Attack

To prevent carding attacks, you can implement the following measures that I also took for my Spotify premium apk site:

Enable 3D Secure Authentication: Add an extra verification layer via banks to prevent unauthorized transactions.
Behavioral Analysis: Use tools like ThreatMetrix to detect unusual user behavior.
Limit Payment Attempts: Allow only 1-2 failed payments per user/session and block further attempts temporarily.
Device Fingerprinting: Track devices even if IPs change, blocking flagged devices.
Advanced CAPTCHA: Use hCaptcha or multi-step verification earlier in the checkout process.
Geolocation & VPN Detection: Block high-risk connections using tools like MaxMind or IPQualityScore.
Enhanced Rate Limits: Apply rate limits across the entire checkout flow, not just the payment API.
These steps, combined with monitoring traffic and enabling fraud tools in your payment gateway, can reduce the attack's impact.
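Three of the items in this list (limiting failed payments per user or session, keying on a device rather than an IP, and enforcing the limit across the whole checkout flow) fit in one server-side gate. The code below is an added example, not code from this reply or from any of the products it names. `device_key` is an assumption: a crude hash of request attributes standing in for what a real fingerprinting service computes far more robustly. The block length, its escalation on repeat and the checkout step names are also assumptions for the example.

```python
"""Failed-payment gate keyed on a device fingerprint, applied across the
checkout flow, with a temporary block that escalates on repeat.

Added example, not code from the reply above or from any product it
names. `device_key` is an assumption: a crude server-side fingerprint
built from request attributes a real fingerprinting service would
compute far more robustly. The gate is consulted at every checkout step,
so a blocked device is stopped before it reaches the payment form.
"""
import hashlib
import time


def device_key(user_agent, accept_language, screen, timezone):
    """Hash of stable client attributes; unchanged when the IP changes.
    (Constructed assumption for this example, not a production fingerprint.)"""
    raw = "|".join([user_agent, accept_language, screen, timezone])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


class PaymentAttemptGate:
    CHECKOUT_STEPS = ("cart", "shipping", "payment")

    def __init__(self, max_failures=2, block_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures   # failed payments allowed per device
        self.block_seconds = block_seconds # first block length; doubles each repeat
        self.clock = clock                 # injectable so the cooldown can be tested
        self.failures = {}                 # key -> consecutive failed payments
        self.blocked_until = {}            # key -> clock time the block expires
        self.block_count = {}              # key -> how many times already blocked

    def check(self, key, step):
        """Return (allowed, reason) for a request at `step` from device `key`.
        Called at every step, not only at payment, so a blocked device cannot
        keep building carts and filling in shipping forms."""
        if step not in self.CHECKOUT_STEPS:
            raise ValueError(f"unknown checkout step {step!r}")
        until = self.blocked_until.get(key)
        if until is not None:
            if self.clock() < until:
                remaining = int(until - self.clock())
                return False, f"blocked at step {step}, {remaining}s remaining"
            del self.blocked_until[key]    # cooldown expired: start a fresh count
            self.failures[key] = 0
        return True, "ok"

    def record_failure(self, key):
        """Count a declined authorisation; block once the limit is reached."""
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        if n >= self.max_failures:
            times = self.block_count.get(key, 0) + 1
            self.block_count[key] = times
            # each repeat block lasts twice as long as the previous one
            self.blocked_until[key] = self.clock() + self.block_seconds * (2 ** (times - 1))
        return n

    def record_success(self, key):
        """A successful payment clears the failure count for that device."""
        self.failures.pop(key, None)


if __name__ == "__main__":
    fake_now = [0.0]                       # simulated clock for the demo
    gate = PaymentAttemptGate(max_failures=2, block_seconds=60, clock=lambda: fake_now[0])
    key = device_key("Mozilla/5.0", "en-US", "1920x1080", "UTC")
    for attempt in range(4):
        allowed, why = gate.check(key, "payment")
        print(f"attempt {attempt + 1}: {why}")
        if allowed:
            gate.record_failure(key)       # constructed: every authorisation declines
        fake_now[0] += 90                  # 1.5 minutes between attempts, as in the post
```

Because the key is derived from client attributes instead of the source address, the counter survives the IP change the original poster described; because `check` runs at the cart and shipping steps as well, the block is enforced across the whole flow rather than at the payment API only. A fingerprint can be spoofed, so this belongs next to the session-keyed and gateway-side checks, not in place of them.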