A carding attack is an automated attack where a fraudster runs multiple stolen cards to determine their validity. A malicious actor will typically attempt to place an order on your website using a large number of credit cards and associated information such as addresses, expiration dates, and security codes.
There are a few ways to determine whether you are under a carding attack. You may see an increased number of declined authorization transactions on your website at your payment gateway — even if you do not see an increase in orders placed. This will depend on the type of the payment gateway integration you have set up, because the payment gateway rejects all of the order placement attempts with invalid credit card numbers.
Another sign of a carding attack is an increase in traffic to specific Adobe Commerce API endpoints via your web access logs. In Adobe Commerce the following two endpoints are used to accomplish authorizations:
- carts/mine/payment-information for logged-in customers
- guest-carts/[cartId]/payment-information, where [cartId] is a “masked” cart ID, for guest customers.
Depending on the payment method used, these endpoints may be different. To determine the exact endpoint you need to track requests in your browser during checkout.
If you are using a more modern payment integration type such as iFrame or direct post, you may not be able to directly determine that you are under a carding attack by looking at your Adobe Commerce infrastructure alone. Customers submit their credit card information directly to the payment gateway for credit card number tokenization, so the payment gateway may be declining to tokenize cards with invalid information. In this situation, you will likely be contacted by your payment processor about an increase in activity.
As part of our Adobe Commerce hosting and security services, we have developed a sophisticated log analytics system powered by AWS services such as Athena, Glue, S3, CloudWatch and Autoscaling. Access log data is continuously aggregated and analyzed for carding attacks, among other known attack vectors. When the system detects an anomaly, it automatically raises alarms with our 24/7 support team. Additionally, if the alert metrics are above certain thresholds, the system will automatically block Adobe Commerce API calls originating from the offending IP addresses. Our support staff also has the ability to manually perform blocking of suspicious sources.
WHY SHOULD MERCHANTS CARE?
Typically the intent of the malicious actor is not to place fraudulent orders. Instead, they are using your website to simply confirm the validity of the card data they have. As such, the negative effects fall on the cardholder and their issuing bank who is liable for any future fraudulent charges.
However, as a merchant you may face some fairly severe consequences as well.
You may see increased costs from your payment processor as they are handling an increased number of requests. As the number of failures increases as a percentage of all requests, this may cause additional cost increases by your financial institutions or you may be considered high-risk and cause your rates to go up. In our experience, payment processors require merchants to put mitigations in place so that these fraudulent transactions can be reduced to an acceptable level. We will discuss mitigations later in this article. Additionally, increased infrastructure costs are possible as a result of the additional volume of requests coming to your site.
HOW ARE CARDING ATTACKS AGAINST ADOBE COMMERCE STAGED?
The malicious actor will typically survey your site either manually or via automated tools in order to fingerprint the ecommerce platform.Once this is established, they will likely try to perform a manual attempt at checking out and update their tooling to account for any differences between your implementation and the native platform behavior.
At this point, the malicious actor will automatically iterate through the credit card information they want to check for validity and you will start executing a carding attack.
Depending on the configuration of your site, the attack may depend on a single cart which was populated ahead of time and then many order placement attempts will be made against that cart. In cases where you are restricting your cart to logged-in customers only, we have seen that the attacker will register any number of customer accounts needed in order to perform the attack. What is important to notice is that the attacker will automate any behavior a normal user can accomplish using valid email addresses, email address validation loops, and other verification.
As mentioned above, the attack may be different depending on your customizations, but it will likely be executed against the “payment-information” Adobe Commerce API endpoints.
DEFENSES AGAINST CARDING ATTACKS
We recommend a comprehensive defense approach when it comes to security, and carding attacks are no exception. Not one defense mechanism can adequately protect merchants against such carding attacks. Instead, We recommend a combination of several defense mechanisms which may include a combination of request throttling, gateway fraud protection, third-party fraud protection, generic security, and captcha.
REQUEST THROTTLING
WAF/CDN Throttling
One of the relatively easy ways of slowing down carding attacks is to throttle the API requests before they reach the Adobe Commerce infrastructure. We recommend doing this at the WAF level (Web Application Firewall) or CDN level (Content Delivery Network). We have developed throttling rules in our WAF solution powered by AWS which allows us to reduce the rate of API calls based on source IP and API endpoint being targeted. While WAF throttling does not completely eliminate the problem, it greatly slows it down and discourages the attacker to go elsewhere.
When implementing request throttling at WAF/CDN level, it is crucial to ensure that normal checkout process for real customers is not affected. We recommend setting the thresholds as low as possible but yet permissive enough so that end customers can transact.
GeoIP Blocking
A lot of these carding attacks (and security attacks in general) may originate from countries a merchant may not be doing business in. At WTC&T, we work closely with our merchants to identify which geographical areas of the world they are doing business with, and we help define “allow” lists and “block” lists for certain geographies. We then implement GeoIP blocking on the WAF and CDN level based on those lists. While this method is not 100% effective, paired with other defenses, we find it a good tool to discourage attackers from performing carding attacks against Adobe Commerce websites that we support.
GATEWAY FRAUD PROTECTION
The payment gateway you are currently using likely has a set of tools used to prevent fraudulent activity. These tools are crucial especially in a situation where the attacker does not need to attempt to place the order to determine the card validity. Another use case for the payment gateway fraud protection is to eliminate or reduce the number of tokenization attempts.
WTC&T works with our clients and with their payment providers to help set these tools so that the number of fraudulent transactions that make it through are minimized or eliminated. Some of the payment methods that are commonly implemented with Adobe Commerce already provide built in tools, for example:
- Braintree Basic Fraud Tools
- Cybersource Fraud management Essentials, Decision Manager or managed Risk Service
- PayPal
Some payment providers leverage crowdsourcing technologies which allow them to identify attacks across their entire network of clients and proactively prevent such attacks from occurring.
THIRD-PARTY FRAUD PROTECTION
Additional options exist outside of the platform and payment processor solutions in the form of specialized service providers focusing on fraud prevention specifically. Such services may provide proactive, reactive, or insurance protection against carding and other credit card fraud. Some of the services which are popular with our clients include Kount and Signifyd.
These services come with service fees of their own but can provide significant benefits when it comes to fraud prevention. Additionally, the payment gateway you are using may not be supported by every fraud prevention solution.
GENERIC SECURITY SOLUTIONS
Other service providers exist which provide generic solutions geared towards overall security hardening of websites. Some solutions in this tier may provide bot detection and might be well suited to protect against carding attacks.
Depending on the overall business needs in the security space, we work with our merchants to recommend, and determine, the best-suited solutions in this space.
CAPTCHA
Captcha is a system which is meant to distinguish between a human and a machine and as such is well suited for the task of preventing carding attacks. Depending on the implementation, captchas may be intrusive to the customers since barriers to order placement may cause decreased conversions.
However, Adobe Commerce has implemented a native Captcha solution for the checkout — a sophisticated bot can bypass this mitigation because it depends on rate limiting based on IP addresses.
Our recommended captcha solution would be an Invisible ReCaptcha by Google which provides a non-intrusive rating system for the likelihood that a particular user is a bot. Based on this behavior, additional actions may be taken by the ecommerce platform to reject the order and flag it for review.
