What Is Carding? How It Works, Prevention Methods, and Examples

What Is Carding?

Carding is a form of fraud where stolen credit or debit card information is used to charge prepaid cards, purchase gift cards, or assist other schemes. Stolen cards can be used to purchase store-branded gift cards, which can then be sold or used to purchase other goods that can be sold for cash. Stolen card information can also be sold to others. Credit and debit card thieves who are involved in this type of fraud are called “carders.”

Key Takeaways

  • Carding is a third-party attack on an individual's financial information.
  • Card forums are online venues for stolen credit and debit card information and criminal techniques.
  • Newer technologies like CVVs, CAPTCHA, and multifactor authentication protect users against carders.

How Carding Works

Carding typically starts with a hacker gaining access to a store’s or website’s credit card processing system, with the hacker obtaining a list of credit or debit cards that were recently used to make purchases. Hackers might exploit weaknesses in the security software and technology intended to protect credit card accounts. They might also procure credit card information by using scanners to copy the coding from the magnetic strips.

Credit card information might also be compromised by accessing the account holder’s other personal information, such as bank accounts the hacker has already gained entry to, targeting the information at its source. The hacker then sells the list of credit or debit card numbers to a third party—a carder—who uses the stolen information to purchase a gift card.

Carding forums are websites that teach fraudsters about this illicit trade. Fraudsters use these sites to buy and sell their illegally-gained credit and debit card information. They also use them for money laundering.

PINs and chips have made it more difficult to use stolen cards in point of sale transactions, but card-not-present sales remain the mainstay of card thieves and are much discussed on carding forums.

Most credit card companies offer cardholders protection from fraudulent charges if a credit or debit card is reported stolen, but by the time the cards are canceled, the carder has often already made a purchase. The gift cards are used to buy high-value goods, such as cell phones, televisions, and computers, as these goods do not require registration and can be resold later. If the carder purchases a gift card from an electronics retailer, such as Amazon, they may use a third party to receive the goods and then ship them to other locations. This limits the carder’s risk of drawing attention to themselves. The carder may also sell the goods on websites offering a degree of anonymity.

Because credit cards are often canceled quickly after being lost, a major part of carding involves testing the stolen card information to see if it still works. This may involve submitting card-not-present purchase requests on the Internet.

Terminology

Carding comes with its own language. A couple of terms are discussed below.

Fullz

Fullz is slang for "full information". It refers to the information package containing a person's real name, address, and form of identification. The information is used for identity theft and financial fraud. The person whose "fullz" is sold is not a party to the transactions.

Credit Card Dump

A credit card dump occurs when a criminal makes an unauthorized digital copy of a credit card. It is performed by physically copying information from the card or hacking the issuer's payments network. Although the technique is not new, its scale has expanded tremendously in recent years, with some attacks including millions of victims.

How Companies Prevent Carding Fraud

Companies are implementing various techniques to stay ahead of carders. Some of the more interesting recent changes include requiring more information from the user that is not as easily available to the carder.

Address Verification System (AVS)

An Address Verification System (AVS) compares the billing address supplied at checkout in an online purchase to the address on record with the credit card company. The result is returned to the seller immediately as one of four outcomes: a full match, an address match, a ZIP code match, or no match at all. A properly-functioning AVS can stop no-match transactions if the card is reported lost or stolen. For the address-only or ZIP-only matches, the seller has discretion to accept or not. AVS is currently used in the United States, Canada, and the United Kingdom.

IP Geolocation Check

An IP geolocation system compares the IP location of the user's computer to the billing address entered on the checkout page. If they don't match, fraud may be indicated. There are legitimate reasons, such as travel, for a failure to match up, but these incidents often warrant further investigation.

Card Verification Value (CVV)

A card verification value (CVV) code is a three- or four-digit number on a credit card that adds an extra layer of security for making purchases when the buyer is not physically present. Since it is on the card itself, it verifies that the person making a phone or online purchase actually has a physical copy of the card.

If your card number is stolen, a thief without the CVV will have difficulty using it. The CVV can be stored in the card's magnetic strip or in the card's chip. The seller submits the CVV with all other data as part of the transaction authorization request. The issuer can approve, refer, or decline transactions that fail CVV validation, depending on the issuer's procedures.

Multifactor Authentication (MFA)

Multifactor authentication (MFA) is a security technology that requires more than one method of authentication from independent credentials to verify a user's login or other transaction. It can use two or more independent information bits, such as a password, authenticator token, or biometric data. Using MFA creates a layered process that makes it more difficult for an unauthorized person to access their target, because the attacker probably won't hack all of the layers. MFA originally used only two factors, but more factors are no longer uncommon.

CAPTCHA

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security measure of the challenge-response authentication type. It protects users from password decryption by asking the user to complete a test that proves the test taker is human and not a computer attempting to break into the account.

CAPTCHA typically uses a random series of images in a block and requires the user to identify them. These are anomaly-spotting systems (e.g. click on the squares with motorcycles). The challenges are designed to be easy for humans, but less so for computers.

Velocity Checks

Velocity checks look at the number of transactions attempted by the same card or site visitor within a given number of seconds or minutes of one another. Typically, users do not make multiple payments in quick succession, especially payments so rapid as to be beyond the capacity of a human being. Velocity can be monitored by dollar amount, user IP address, billing address, Bank Identification Number (BIN), and device.

Carding FAQs

What Is a Credit Card Skimmer?

A credit card skimmer is a fraudulent instrument or device placed inside a legitimate reader, such as an automated teller machine (ATM) or a gas pump, to copy the data off cards used in that ATM or pump.

How Do Criminals Steal Credit Card Information?

Fraudsters steal credit card information in various ways. They use skimmers, which steal credit and debit card information from ATMs and gas pumps in which they have been installed. They also gain information through phishing scams and site compromises, and by purchasing the information on carder forums.

What Is a Carding Attack?

A carding attack is an attempt to place multiple fraudulent orders on a website in rapid succession. It can usually be recognized by a sharp, sudden spike in orders, which usually have the same shipping address. Often the customer information given will be clearly fraudulent.
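
The velocity checks described earlier, and the order spike with a shared shipping address described in this answer, can both be detected with a sliding-window counter per dimension. This is an added example, not code from the article or its sources; the 60-second window, the per-dimension limits, the field names and the sample attempts are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed window, tune per merchant
# Assumed per-window limits for the dimensions the article lists, plus ship_to.
# "card" is a token or hash of the card number, never the raw number.
LIMITS = {"card": 3, "ip": 5, "bin": 10, "device": 5, "ship_to": 4}


class VelocityChecker:
    """Sliding-window attempt counter keyed by (dimension, value)."""

    def __init__(self, window=WINDOW_SECONDS, limits=LIMITS):
        self.window = window
        self.limits = limits
        self.seen = defaultdict(deque)  # (dimension, value) -> timestamps

    def check(self, attempt):
        """Record one attempt and return the dimensions now over their limit."""
        now = attempt["ts"]
        tripped = []
        for dim, limit in self.limits.items():
            value = attempt.get(dim)
            if value is None:
                continue  # dimension not collected for this attempt
            stamps = self.seen[(dim, value)]
            stamps.append(now)
            while stamps and stamps[0] <= now - self.window:
                stamps.popleft()  # drop attempts that aged out of the window
            if len(stamps) > limit:
                tripped.append(dim)
        return sorted(tripped)


def sample_attempts():
    """Constructed data: one ordinary order, then 8 attempts in 16 seconds."""
    normal = [{"ts": 0, "card": "tok_A", "ip": "198.51.100.7", "bin": "400000",
               "device": "dev_1", "ship_to": "addr_1"}]
    burst = [{"ts": 100 + 2 * i, "card": f"tok_B{i}", "ip": "203.0.113.9",
              "bin": "500000", "device": "dev_9", "ship_to": "addr_9"}
             for i in range(8)]
    return normal + burst


def run(attempts):
    """Replay attempts in time order; one list of tripped dimensions each."""
    checker = VelocityChecker()
    return [checker.check(a) for a in sorted(attempts, key=lambda a: a["ts"])]


if __name__ == "__main__":
    for attempt, flags in zip(sample_attempts(), run(sample_attempts())):
        print(attempt["ts"], attempt["card"], flags or "ok")
```

In the constructed burst every attempt carries a different card token, so the per-card counter never trips; the shipping-address, IP and device counters are what flag it.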

How Can You Protect Yourself from Carding?

As a seller, you can protect yourself from carding by using one or more of the newly-developed fraud prevention methods like CAPTCHA and CVV. Cardholders should also be careful with their cards and be on the lookout for signs of tampering when using ATMs and gas stations.

The Bottom Line

Carding is a crime that often involves the purchase of gift cards which can then be spent on relatively difficult-to-trace goods. The goods are then re-sold online or elsewhere. The credit or debit card information may also be resold to others for use in various illicit schemes, such as identity theft and money laundering.

In the long run, carding can only be prevented if cardholders and those who accept cards aggressively take advantage of every available method to prevent carding. Sellers should use as many prevention aids as they can practically afford, while cardholders should keep an eye out for physical signs of tampering any time they use a card in an ATM or gas pump.
