An Introduction to Carding Attacks and Their Connection to Data Leaks

Student

Hello! For educational purposes, let's first clarify some key concepts. Carding is a type of cybercrime in which fraudsters use stolen credit or debit card information to verify its validity and then conduct fraudulent transactions. This is not an attack on the system itself, but rather the exploitation of data obtained from leaks or other sources. Fraudsters often purchase data on the darknet and then test it through automated bots by making numerous small purchases on online platforms. If the transaction goes through, the card is considered "live" and can be used for larger purchases or resold.

According to definitions from cybersecurity sources, carding includes:
  • Data acquisition: Through data breaches, phishing, skimming (theft from terminals) or purchasing on the black market.
  • Testing: Bots attempt to authorize cards on retailer websites, often with low amounts to avoid detection.
  • Monetization: Valid cards are used to purchase goods that are then resold, or to launder money through gift cards.

Carding causes damage to retailers, from financial losses (chargebacks) to reputational risks and fines from payment systems (e.g., Visa or Mastercard). In 2023, global losses from online fraud exceeded $25 billion, and carding was a key contributor. Data breaches like the JD Sports case provide the raw material for such attacks, allowing fraudsters to combine partial data (e.g., the last four digits of a card) with phishing to obtain complete information.

Now let's turn to a specific case from 2023: the data breach at JD Sports Fashion, a major UK retailer of sportswear and footwear. This incident illustrates how a breach can lead to carding even if not all card data is leaked. I rely on official statements and reports to ensure accuracy.

JD Sports attacks timeline and details

Company background: JD Sports is a chain of over 900 stores across Europe, Asia, and the US, with a focus on online sales. In 2023, the company had a turnover of approximately £10 billion. The attack affected historical online order data stored on a legacy system.

Date and discovery: The incident occurred in late 2022 or early 2023, but was publicly disclosed on 30 January 2023. The company discovered unauthorized access to a system containing order data from November 2018 to October 2020. This was not a direct carding attack (i.e. testing cards on their website), but a server breach that resulted in the leakage of data suitable for subsequent carding and phishing.

Attack method: The exact vector has not been fully disclosed for security reasons, but experts suggest a combination of methods:
  • Phishing or credential stuffing: Fraudsters may have used stolen employee credentials to gain access.
  • Vulnerability exploitation: Possibly misconfigurations in servers or outdated software. This is typical for retail attacks, where data is stored on legacy systems.
  • No ransomware: Unlike the attacks on MGM Resorts the same year, there was no ransom; the focus was on stealing data for resale on the dark web.

The attack did not affect current operations, but highlighted the problem of storing historical data without adequate segmentation.

The volume and type of data leaked:
  • Affected customers: Approximately 10 million unique users.
  • Data:
    • Personal: Names, shipping and billing addresses, email addresses, phone numbers.
    • Financial: Order details and last 4 digits of payment cards (not full CVV numbers or expiry dates).
    • Not leaked: Full card details, account passwords.
  • Brands: JD Sports, Size?, Millets, Blacks, Scotts and MilletSport.

This data is ideal for "carding preparation": Fraudsters can use partial details for targeted phishing to trick users into revealing full card details and then conduct carding tests.

Consequences of the leak

For clients:
  • Risks: Leaked data appeared on the dark web, increasing the risk of identity theft, phishing attacks, and carding. For example, scammers could call or email users pretending to be from JD Sports to obtain their CVV. The company warned about vigilance against scam emails, calls, and texts.
  • Real Cases: Reports have mentioned instances where customers received phishing messages shortly after a breach.
  • Educational lesson: Clients should monitor bank statements, use credit monitoring services, and change passwords. In the EU/UK, such breaches are covered by the GDPR, giving rise to compensation.

For the company:
  • Financial losses: Estimates range from millions of pounds for investigations, notifications, and security upgrades. There are no exact figures, but similar breaches (such as the Target breach in 2013) cost hundreds of millions.
  • Reputational: JD Sports shares fell 2-3% following the announcement. The company faces an investigation from the Information Commissioner's Office (ICO).
  • Operational: Temporary suspension of some online features; strengthening MFA (multi-factor authentication) and system auditing.

Broad context: In 2023, retail saw a 30% increase in breaches compared to 2022, often through supply chain attacks. JD Sports is one of the largest, but there were others, such as NCB Management (complete cards of 1 million customers were leaked) and a restaurant database in Pakistan (2.2 million cards).

Lessons and best practices for prevention

This case study teaches how to prevent breaches that lead to carding. Here are the structured recommendations:

Aspect | Description | Examples of measures
  • Data storage | Minimize storage of sensitive data; use tokenization (replacing data with tokens). | JD Sports retained historical data for too long; apply data retention policies of no more than 2 years.
  • System security | Regular audits and vulnerability patching. | Use a Zero Trust model: every access is verified. Implement SIEM (Security Information and Event Management) for monitoring.
  • Carding protection | Detect bots on checkout pages. | CAPTCHA, rate limiting, AI-based fraud detection (e.g. from Akamai or HUMAN Security).
  • Incident response | Fast notification and cooperation with experts. | JD Sports hired cybersecurity firms and notified regulators; follow incident response plans.
  • Education | Train employees and clients. | Conduct phishing simulations; inform customers of the risks.

Ultimately, the JD Sports case demonstrates how even a partial leak can trigger a chain of fraud. For retailers, the key is proactive security, and for users, awareness. If you need details on other 2023 cases (like NCB), let me know!
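The post describes card testing as bots running many low-value authorizations against a checkout, and lists bot detection, CAPTCHA and rate limiting as the countermeasures. The following is an added example, not code from the original post or from any retailer or vendor named in it: a small detector that replays constructed checkout-authorization log lines and flags sources whose behaviour matches a card-testing run (a burst of attempts, many distinct cards, mostly small amounts, mostly declines). The log format, the field names, the IP addresses and card fragments in the sample, and every threshold are assumptions chosen for illustration.

```python
"""Card-testing detector over constructed checkout-authorization logs.

Added example; the log layout, thresholds and sample data are assumptions.
Each log line: <ISO timestamp> <client_ip> <card_last4> <bin6> <amount> <approved|declined>
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip last4 bin6 amount approved")

# Constructed sample: one bot-like source testing six different cards at 1.00
# each, a normal shopper making two purchases, and a shopper who retries the
# same card after two declines (e.g. a typo). Only the first should be flagged.
SAMPLE_LOG = """\
2023-01-30T10:00:01 203.0.113.7 4242 411111 1.00 declined
2023-01-30T10:00:04 203.0.113.7 1881 411111 1.00 declined
2023-01-30T10:00:07 203.0.113.7 0005 378282 1.00 declined
2023-01-30T10:00:09 203.0.113.7 9424 510510 1.00 approved
2023-01-30T10:00:12 203.0.113.7 3222 411111 1.00 declined
2023-01-30T10:00:15 203.0.113.7 0002 400000 1.00 declined
2023-01-30T10:01:10 198.51.100.9 5100 510510 59.99 approved
2023-01-30T10:07:42 198.51.100.9 5100 510510 120.00 approved
2023-01-30T10:02:00 192.0.2.5 0077 400000 45.50 declined
2023-01-30T10:02:30 192.0.2.5 0077 400000 45.50 declined
2023-01-30T10:03:05 192.0.2.5 0077 400000 45.50 approved
"""


def parse_log(text):
    """Parse the assumed log format into Event tuples (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, last4, bin6, amount, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, last4, bin6,
                            float(amount), result == "approved"))
    return events


def window_features(events, small_amount):
    """Per-window features for one source: volume, card diversity,
    approval rate and the share of low-value (test-sized) attempts."""
    attempts = len(events)
    distinct = len({(e.bin6, e.last4) for e in events})
    approved = sum(1 for e in events if e.approved)
    small = sum(1 for e in events if e.amount <= small_amount)
    return {
        "attempts": attempts,
        "distinct_cards": distinct,
        "approval_rate": approved / attempts,
        "small_share": small / attempts,
    }


def flag_card_testing(events, window=timedelta(minutes=5), min_attempts=5,
                      min_distinct_cards=4, max_approval_rate=0.5,
                      min_small_share=0.8, small_amount=5.0):
    """Return {ip: features} for sources that, within any sliding window,
    look like a card-testing run. Thresholds are illustrative assumptions;
    tune them on real traffic and key on session/device as well as IP,
    since card testers rotate addresses."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            f = window_features(evs[i:j], small_amount)
            if (f["attempts"] >= min_attempts
                    and f["distinct_cards"] >= min_distinct_cards
                    and f["approval_rate"] <= max_approval_rate
                    and f["small_share"] >= min_small_share):
                flagged[ip] = f
                break  # one hit per source is enough to act on
    return flagged


if __name__ == "__main__":
    for ip, feats in flag_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"card testing suspected from {ip}: {feats}")
```

A flag from this logic is a signal for the rate limiter or a step-up challenge (CAPTCHA, 3-D Secure) on that source, not a hard block on its own: the same shape can come from a shared corporate NAT, which is why distinct-card count and approval rate are combined rather than volume alone. Note that the sample keeps only the BIN and last four digits, which is also all a detector needs; full PANs should never be written to application logs.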