Ultimate Guide to Magento Carding Attack -Impact, Tips, Solutions + Expert Advice

April 21, 2021 Written By Hemant Parmar

Talk to Experts Need expert help? Don’t hesitate to talk.

You can do direct email atinfo@mconnectmedia.com


We would love to hear about your Magento project, challenge, or opportunity. We'll respond within 24 hours!

Cyberattack is on the rise for the last few years and that’s the reason website security issues are becoming a day-to-day struggle for businesses. A report from Accenture revealed that there has been a 67% rise in security breaches in the last five years. However, businesses in all niches are affected but some of the most targets are eCommerce sites.

Why Hackers Are Targeting eCommerce Sites?

This is a good question and points to be discussed because you are seeing that number of stores have been attacked in the last few years and lots of information is being stolen. The reason why attackers target eCommerce sites is simply that they are pretty targets.

By attacking eCommerce sites, hackers can access the system of an eCommerce site which provides them with a range of valuable data and information. And not just money, but also customer’s personal and financial details, which can be profitable to attackers.

Besides, eCommerce sites are attacked more often because they are seen as easier targets. So eCommerce sites that run on CMS systems like Magento, Joomla, and OpenCart are more likely to be successfully hacked when they run an older or outdated version of the platform. Many of these websites have web applications and that makes it easy for attackers to exploit vulnerabilities.

The pandemic was an exciting time for eCommerce merchants. As more of the world stays at home, the opportunities for eCommerce sales have rocketed. However, there’s money, they’re also cybercrime and attack.

Retailers or merchants have been attacked the most by carding attacks over recent years, criminals look to leverage the huge volumes of breached financial information for sale on the cybercrime ground. The aim behind the campaign is to steal customer payment card information and intercept the payment information of unsuspected store customers. The only reason attackers being able to breach such information is just because that most of the stores were found running Magento 1 version, which was already announced End-of-Life last June.

In this article, we will see what carding attack is and discover how it works. So let’s start with carding attack itself.

What is Carding Attack?

Carding attack is also known as carding fraud or a form of credit card fraud where hackers use stolen credit cards to charge prepaid cards and sell them to other people.  In simple terms, it’s like buying from someone’s card without their permission.

This information stolen includes data such as cardholder names, credit card numbers, expiration dates, CVV numbers, and zip codes. The process is undertaken by hackers as they distribute data online later. The attack aims to identify which card numbers or details can be used to perform purchases.

This damage can happen to your business as well because besides the damage caused to card owners, a carding attack can also affect businesses whose websites are easy to authorize stole credit cards.

How Do Carding Attacks Work?

The primary purpose behind carding attacks is to illegally purchase goods or cash out the cards. To further ado, here’s a typical scenario in a carding attack:

  • The Lifecycle of Carding Attack:

There are few steps you need to understand the lifecycle of carding attack. The steps can include accessing a list of stolen credit card numbers with associated security data such as card verification values, beginning bot attacks to test the acquired cards, and then finally a disposition for the tested card data.

  • Carding Attack Support Malicious Bots to Complete the Task:

Carding support a specific use case of malicious bot attacks. Well, this is because bots are automated which perform tasks to complete the attack. This is because bots can test card numbers without fly under the radar without detection by initiating small transactions. Once they verify the card, they add that to the list of valid cards to be used in wicked transactions.

  • Retailers Can be Left Washed:

Now, attackers have verified cards and that can be easily used to complete eCommerce transactions. And that’s why once a retailer ships a product, there’s less chance of the product to be recovered. Sings of such type of attack are a higher number of failed transactions or various payment attempts. This means sites may experience a higher number of abandoned carts when bots are used to validate a card from a list.

To summarize in brief;

  1. Attackers obtain a list of stolen credit card numbers, either from a criminal marketplace or payment channel. Their source is often unknown.
  2. The attacker uses a bot to perform small purchases on multiple payment sites. Each attempt tests a card number against a retailer’s buying processes to identify valid card information.
  3. Credit card validation is attempted multiple times until it succeeds in validated credit card details.
  4. The card numbers are organized into a spate list to use for other criminal activity.
  5. Carding fraud is hard to detect by cardholders especially when their funds are transferred without their consent.

How Do Hackers Perform Carding Attack?

Let’s solve an unsolved mystery by looking at the methods hackers use to perform carding attacks. So attackers have more than a few tricks which with they attempt and attack. One of the common ways fraudsters use is Phishing to get credit card information. The method is all about setting up malware and promoting the target into downloading a malicious file. Once malware is injected, attackers then gain access to the person’s bank identification number, passwords, and other valuable details.

Hackers do also attack through rootkit malware and unauthorized account takeovers. Rootkit malware is like an invisible cloak for a malicious program. In which, the malware protected by rootkit can even survive multiple robots and just blends in with regular computer processes. As a result, this lets hackers control your computer remotely.

Recently, a hacker group has attempted to RDC, a Dutch company that provides garage and maintenance services to Dutch car owners, has confirmed a data breach after the personal and vehicle details of millions of Dutch car owners were posted for sale on a renowned cybercrime forum.

What is Carding Forum?

Carding forum is an illegal site used to share stolen credit card data, carding methods, and results of carding attack exploits.

Another popular method attackers use for credit card fraud is credit card skimming. In credit card skimming, intruders use a small device to steal credit card information. When the credit card or debit card is swiped through a cashpoint, the device captures and stores all the details stored in the card’s magnetic strip. The strip contains the credit card number, expiration date, and the credit card holder’s full name. Thieves use the stolen data to make fraudulent charges either online or with a fake credit card.

How To Identify Carding Attack?

The only method to identify carding attacks is by recognizing the signs. What you need to do is look at the following techniques if any of the following occur, there’s a good possibility that carding or another type of fraud is happening:

  • Low average shopping cart abandonment rates
  • An unexpectedly high percentage of failed payment authorization
  • Enhanced chargebacks or payment disputes
  • Insanely high shopping cart abandonment rates
  • Inordinate use of the payment step in the shopping cart
  • Frequently and multiple failed payment authorizations from the same user, IP address, or fingerprint.

How You Can Avoid Carding Attack?

Here’s the list of techniques that can help you secure your payment site against this type of cybercrime.

  • Add CAPTCHA: integrating CAPTCHA technology onto the Magento website can defend payments. It ensures that all actions performed on a site are done so by humans or not bots. It helps those merchants to verify that you’re a human shopper. The process is very annoying but they’re effective in securing card cracking and other types of credit card fraud that occur via bots.
  • AVS (Address verification system):  An AVS check compares the billing address used in the transaction or order with the issuing bank’s address information on file for that cardholder. Depending on matches, the merchant can use that information in their decision to accept or cancel the order.

How does it work? So the cardholder provides their credit card’s billing address at checkout, and the AVS compared the address they entered with the one in the card issuer’s system to verify it matches. And that’s how if shoppers fail this test, it will deny the transaction.

  • Device Fingerprinting: To avoid carding attacks, you can make use of fingerprint by combining the user’s browser and device to understand who is accessing and what is connecting to the service. Hackers who are attempting credit card fraud or attack need to try multiple attempts to get success and they cannot even change their device every time. They will need to switch browsers, clear their cache, use private mode, use the virtual device, or use advanced fraud tools. And that’s how, fingerprinting technologies can create a unique device, browser, and cookie identifies, which, if shared by multiple attempts, then it considered as a part of a fraud attempt.
  • Validity check: There are some malicious bots that pretend to be running a specific browser and then cycle through user agents to avoid being detected. The validation of a browser involves validating that each user browser is really what it claims to be.
  • CVV (Card verification value) validation: This can disturb the hackers by not giving CVV validation. What they require to defend customer accounts is CVV validation. This is the code on the backside of most major credit cards.
  • Two-factor authentication: This can be an effective solution for your eCommerce site as all you need to do is provide two-factor authentication. eCommerce sites can require users to sign in with a password or username and something they have like mobile. Yes, it does not prevent cracking, but it makes it more difficult for crooks to create a large number of fake accounts.
  • Credit Card BIN checks:  As the name suggests, BIN is a bank identification number that is the first six digits of every credit and debit card. It does not only provide information about the type of card that is being used but also finds the name and location of the bank that issued that particular card. This information is important in carding. Generally, you should see a range of dispersal of cards with the same BIN. For example, you may receive two payments from cards with the same BIN a month, you may receive ten payments from cards that have the same BIN, within a day or two. Tracking BINS may help identify this activity.
  • Velocity Checks: Velocity is the number or speed at which shoppers make a purchase at a particular time. Merchants use this technique to identify irregular patterns in the checkout process that might show fraud.

To understand, it’s rare for someone to make several purchases within seconds or minutes of each other. In this case, merchants can decline transactions if they feel a robot is testing stolen credit card numbers in rapid succession.

Mitigation of Carding Attack

The mitigation of carding attacks is best and secure. Yes, Payflow, a secure and open payment gateway of PayPal that focused on enhancing the security of your website, suggests a list of countermeasures to identify carding attacks. Payflow a gateway of PayPal can help merchants to secure from carding attacks and the damage associated with them.

The feature will be enabled by default. Once the carding prevention device has been released, Payflow will monitor accounts for a high level of declines and invalid information provided. If this decline exceeds the limit set by PayPal, the carding device will be triggered and the account is blocked from doing any additional transaction until the block has been lifted.

If the carding module or device is triggered this will happen:

  • All ADMIN users will receive an email with a note that PayPal has noticed an increase in declines on their account and the account has been blocked from processing further transactions.
  • Account will be blocked and all transactions are rejected.
  • PayPal returns result code 170, with the note of fraudulent activity identified: carding, for all attempted transactions during blocked account.

Payflow can help merchant to secure their websites with the help of its fraud protection services. What you can do is request to PayPal support team to enable fraud protection services filters to provide the best control overpayments so that you can automatically deny payments that are likely to result in carding attacks or invalid transactions. The service you will receive minimizes carding attacks are paid and only customers are responsible for any transactional fees imposed by PayPal.

Intruders can use stolen or invalid credit card information to perform purchases at your website, to make the recovery of your goods or services impossible by hiding your identity. To secure you against credit card fraud, the fraud protection filters identify carding activity and let you decide whether to accept or cancel the suspicious transactions. Let’s see how it is done.

How You can Check if Your Store Has Been Attacked?

You can easily identify that is your store has been attacked or not with the help of PayPal. To do this, you need to review your transaction regularly otherwise it may go unnoticed. What you have to do is visit PayPal and go to PayPal Manager to access the transactions summary on the report tab. Now run a report and see results for a specific timeframe.

Analyze all the transactions and review according to a specific time and ensure there are no suspicious charges. Well, every business has common patterns in transaction behavior. So, compare different periods to ensure the store has not become the hunt of hackers. That’s how you can easily check if your store has been attacked or not.

What Magento Store Owners can do to Protect Against Carding Attack?

By the time, eCommerce websites increasing exponentially, and no wonder online purchasing too, it has become very important to make your website secure for transactions. Hackers are always in search of the hunt as you can see online fraud has become a common thing. However, it has become one of the major concerns of all Magento stores. It doesn’t matter if you are an eCommerce giant or a start-up business, you are always on the list of hackers to be attacked.

If you have a Magento online store or website, then there’s nothing worse than being hacked as it can hurt your customers, cost you a lot, and also ruin your reputation. According to Juniper research, merchants all over the world will lose $130 billion between the years 2019- 2023 through various fraudulent transactions.

Do you know that stores that most being attacked by hackers are Magento 1?  This Magento version reached end-of-life on June 30, 2020, and is currently not receiving security updates anymore. Ironically, attacks against sites running the Magento 1.x were anticipated since last year when Adobe launch Magento 2.x.

The good news is that since November 2019, when Adobe started urging to migrate to the newer version, the number of Magento 1.x has decreased. In June 2020, it goes down from 240,000 to 110,000, and 95,000 today.

Why Migration of Magento 1.x to Magento 2.x can help you protect you from Carding Attack?

The reason why migration to Magento 2.x is because that Magento 1 will no longer receive any support from the official Magento team means there’s no security and support. While with more than 80,000 live websites, Magento 2 has become the popular and most used version than Magento 1 to handle all kinds of eCommerce operations. The best thing about the 2.x version is enhanced security and brilliant performance along with active support. So, what you can do is migrate your Magento 1 store to Magento 2 with Magento 1 to Magento 2 Migration services from experts like M-connect Media.

So, if you have a store that continues to run on Magento 1.x after June 30, you need to be alert that your store is safe because Magento will not be responding to any further security issues for Magento 1. It will be never okay to depend on web application firewalls to protect against breaches and attacks.

What do experts say about Carding Attack?

The first thing you need to take care of is that you have to stay up-to-date with all the security patches. You can also upgrade your Magento 2.x with the latest version because the older version not just causes security issues but also keeps you away from bug fixes and the latest security patches.

Second, make sure that you change all of your staff’s admin passwords even if you already have patched them. This is the most targeted area for hackers as they are stolen before you patched. Make use of a strong password with at least 10 characters.

Third, inspect your site for malicious code or unauthorized entry.

Fourth, as long as Magento has not launched a patch to hide the secret backend panel, you should implement extra security. An IP restriction is needed. If your staff uses dynamic IPs, it is suggested to have them use a VPN. This can help you enforce encryption.


This is a very serious event and it has affected many Magento websites across the globe. Credit card fraud or carding attack is a major concern for eCommerce business owners and shoppers alike. The good is news is that there are solutions as we have discussed above to reduce the chance of being a victim of this insidious cyber crime or attack.

Need help with Magento 2 Migration or Magento upgrade service? M-connect Media can help you here. Consult our Magento support services and discuss your needs. We can also help you with possible suggestions or solution to secure your store from being attacked by hackers. Contact us our Magento experts now!

Need Magento expert help?

We provide result-driven solutions to expand the competency level and productivity.

Instant Help CenterAvailable!

Monday to FridayResponse promised within 24 hours!

Call Us

+1 319 804-8627

Load Comments

Your email address will not be published. Required fields are marked *

5 4 3 2 1

  • Worried for deadlines? Our Magento Experts are effortlessly Working from Home.
  • Check out our Magento Developer Hiring Packages for Agency as well as individuals.
View Packages

Talk to Experts Need expert help? Don’t hesitate to talk.

You can do direct email atinfo@mconnectmedia.com


We would love to hear about your Magento project, challenge, or opportunity. We'll respond within 24 hours!

Please fill this form, Mr.Yogesh will reply by email asap.

Please fill this form, Mr.Darshit will reply by email asap.

Please fill this form, Mr.Jayesh will reply by email asap.

Please fill this form, Mr.Jiten will reply by email asap.