Glossary

Carding

Carding is the theft of credit and debit card information for fraudulent purposes. Hackers will typically steal credit card numbers, expiration dates, and card security codes (CSC / CVV numbers) and either sell the information on to other criminals or use it to make fraudulent purchases and chargebacks.

Terms related to Carding: Credit card fraud, debit card fraud, data theft, identity theft, social engineering. phishing

Carding impacts both consumers and merchants. Consumers get unexpected charges against their debit or credit cards and merchants lose inventory to fraudulent sales. Merchants will also have to deal with chargebacks and refunds, which further eats into their revenue.

In most cases, carding doesn’t involve a criminal getting a physical copy of the credit or debit card. Instead, they get the important card numbers — the 16 digit main number, the expiration date, and the three or four digit security code (CSC / CVV number) that’s typically on the signature strip. They can get these details through various means:

  • Social engineering and phishing — convincing consumers to come to a fake website where they input their card details that are then stolen by a criminal.
  • Skimming — attaching a card reader device to ATMs, petrol pumps, and other places where users insert cards. The device then gathers data from the card and can even record a PIN entry.
  • Pretending — calling up consumers and pretending to be from a financial institution and requesting details from the card.

Some criminals will also purchase large amounts of cardholder information on the deep web black market.

There are several ways for consumers to protect themselves from carding:

  • Be careful with sharing credit and debit card information. Don’t use unsecured websites, check the website address in the browser bar, and if someone calls claiming to be from the bank, call back on the helpline number on the back of a card.
  • Be careful of phishing emails, and never click a link in an email to go to a website. Instead, enter the address yourself, directly into a browser.
  • Use one-time credit card numbers, if offered by a provider.
  • Look carefully at ATMs and other devices to check there’s nothing attached to them, and always shield your PIN when typing it in.

Carding Resources from Crossmatch