Carding is a type of fraud in which criminals use stolen credit or debit card information to conduct unauthorized transactions. For merchants (online stores, e-commerce platforms), protecting against carding is critical, as fraudulent transactions lead to financial losses, chargebacks, reputational risks, and potential fines from payment systems. In this answer, I will detail how merchants can protect their websites from carding, focusing on setting up filters, IP verification, and integrating with anti-fraud systems. I will also provide educational context to explain the mechanisms and rationale behind the protection.
What is carding and how does it work?
Carding is the process of using stolen card data (card number, cardholder name, CVV code, expiration date) to purchase goods or services. Fraudsters obtain this data through phishing, database leaks, skimming (hardware skimmers on ATMs and POS terminals, or malicious scripts injected into checkout pages), dark-web marketplaces, or malware. The main stages of carding are:
- Obtaining card data: Attackers buy databases on the black market or collect them themselves.
- Card testing: Fraudsters check which cards are still live by making small transactions (e.g. $1 purchases or donations) or by running them through automated card-checker services; a merchant's own checkout is frequently used as the checker.
- Fraudulent transaction: Using the live cards to purchase goods (usually digital goods or items that are easy to resell) or to cash out.
- Hiding their tracks: Using VPNs, proxies, fake identities, or "drops" (intermediaries who receive the goods and forward them).
Merchants need to understand that carders often operate automatically, using bots, and act quickly to maximize damage before a card is blocked. Therefore, protection must be multi-layered, taking into account both technical and behavioral aspects.
1. Setting up filters
Filters are rules that automatically analyze transactions and block or flag suspicious ones. They are configured in payment gateways, e-commerce platforms (e.g., Shopify, WooCommerce), or anti-fraud systems. Filters help minimize manual verification and quickly respond to threats.
Filter types
- Geographic filters:
- Principle: Carders often use cards issued in one country while ordering from another. If your business operates, for example, only in Russia, you can block or flag transactions from countries you do not serve, or from countries that appear disproportionately in your own chargeback data or in your processor's fraud reports.
- Settings: Payment gateways (Stripe, PayPal) allow you to restrict transactions by country or region. For example, in Stripe Radar you can write a rule such as "Block if :card_country: != :ip_country:", which rejects a charge when the issuing country of the card does not match the country of the customer's IP address.
- Educational context: Carders often use VPNs or proxies to mask their location, so geographic filters are only effective when combined with IP checking (see below).
- Transaction limits:
- Principle: Carders either make many small transactions to test which cards are still live, or a few large purchases to extract as much value as possible before the card is blocked.
- Setting: Set limits, for example:
- Maximum amount of one transaction (e.g. $500).
- Maximum number of transactions from one card/IP/account per day (e.g. 3 transactions).
- Limit on purchase frequency (for example, no more than 1 order per hour from one account).
- Example: In PayPal, you can set up a rule: "Flag orders over $1000 for manual review."
- Educational context: Carders test cards with small amounts to avoid attracting attention. Limits help identify such tests.
- Checking card details:
- Principle: A discrepancy between the billing address (specified at the bank), the delivery address and the data entered on the website is a common sign of carding.
- Setting: Enable Address Verification System (AVS) and CVV/CVC verification. For example:
- AVS compares the numeric part of the street address and the postal code entered at checkout with the issuer's billing record. It is supported mainly for cards issued in the US, UK and Canada; for other cards the result is usually "unavailable", which should not be treated as a failure.
- Require the CVV code for every transaction and never store it (PCI DSS forbids retaining it after authorization).
- Example: Stripe exposes the outcome of these checks on the card (cvc_check and the address/postal-code checks, each reporting pass, fail, unavailable or unchecked), and a Radar rule can block a payment when either check returns "fail".
- Educational context: Carders often don't know the exact billing address because the data came from a leak or a skimmer that captured only the card fields. AVS helps identify this discrepancy.
- Behavioral filters:
- Principle: Analysis of user behavior (e.g. speed of filling out a payment form, multiple attempts to enter different cards) can indicate fraud.
- Setup: Set up rules that flag transactions if:
- The user enters several cards in a row (for example, more than 3 attempts in 5 minutes).
- The payment form is filled out too quickly (bots often fill out fields in a split second).
- The purchase is made at an unusual time for the customer (for example, 3:00 AM in the time zone of the billing address). This is a weak signal on its own (shift workers and travelers exist), so use it to raise a risk score rather than to block.
- Example: In Shopify, you can set up a filter: "Mark orders if the user made more than 5 payment attempts within 10 minutes."
- Educational context: Carders often use automated scripts that behave in a manner inconsistent with real users. Behavioral filters help identify such anomalies.
- Blacklist/Whitelist:
- Principle: Maintaining lists of suspicious or trusted clients allows for automated decisions.
- Setting:
- Blacklist: Blacklist cards, emails, IPs, or devices associated with fraud.
- Whitelist: Create a list of trusted customers (e.g., repeat customers) to exclude them from strict checks.
- Example: Riskified allows you to automatically blacklist cards that have been subject to chargebacks.
- Educational context: A blacklist stops repeat use of data that has already been caught (a card that charged back, an email or device seen on an earlier fraudulent order), but carders rotate cards, emails and IPs constantly, so it must be updated continuously and treated as one layer rather than the main defense. Key the list on the gateway's card fingerprint or token, not on the raw card number, so that the list itself does not become stored cardholder data.
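As an added example (not part of the original answer), here is a small Python rule engine that applies the filter types listed above to a single transaction: blacklist and whitelist lookups, geographic mismatch checks, an AVS/CVV check that distinguishes "fail" from "unavailable", and a per-transaction amount cap. The field names, thresholds and sample transactions are assumptions for illustration, not any gateway's schema; the blacklist is keyed on an HMAC fingerprint of the card number so that the list never contains a PAN.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed placeholder: in production this key lives in a secrets manager and is rotated.
FINGERPRINT_KEY = b"example-fingerprint-key-rotate-me"


def card_fingerprint(pan: str) -> str:
    """Keyed hash of the card number. Lets us recognise a card seen before without
    storing the PAN itself, which would pull the blacklist into PCI DSS scope."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()


@dataclass
class Transaction:
    pan: str
    amount_usd: float
    card_country: str     # issuing country derived from the card's BIN
    ip_country: str       # from IP geolocation
    billing_country: str  # entered at checkout
    email: str
    ip: str
    avs_result: str       # "pass" | "fail" | "unavailable"
    cvc_result: str       # "pass" | "fail" | "unavailable"


@dataclass
class Lists:
    blocked_fingerprints: set = field(default_factory=set)
    blocked_emails: set = field(default_factory=set)
    blocked_ips: set = field(default_factory=set)
    trusted_emails: set = field(default_factory=set)  # repeat customers (whitelist)


MAX_SINGLE_TXN_USD = 500.0
BLOCKED_IP_COUNTRIES = {"XX"}  # assumption: ISO codes of markets you do not serve


def evaluate(tx: Transaction, lists: Lists) -> tuple[str, list[str]]:
    """Return ("block" | "review" | "allow", reasons). Any block reason wins over review."""
    block: list[str] = []
    review: list[str] = []
    fp = card_fingerprint(tx.pan)
    email = tx.email.lower()

    # Blacklist: data tied to a previous chargeback is rejected even for trusted accounts.
    if fp in lists.blocked_fingerprints:
        block.append("card fingerprint blacklisted")
    if email in lists.blocked_emails:
        block.append("email blacklisted")
    if tx.ip in lists.blocked_ips:
        block.append("ip blacklisted")

    # Hard failures that apply to everyone: a wrong CVV means the carder lacks the full
    # card record; a market you never ship to needs no further analysis.
    if tx.cvc_result == "fail":
        block.append("CVC mismatch")
    if tx.ip_country in BLOCKED_IP_COUNTRIES:
        block.append(f"ip country {tx.ip_country} not served")

    # Whitelisted repeat customers skip the heuristic (review) rules only.
    if email not in lists.trusted_emails:
        if tx.card_country != tx.ip_country:
            review.append(f"card country {tx.card_country} != ip country {tx.ip_country}")
        if tx.billing_country != tx.card_country:
            review.append("billing country != card country")
        # AVS 'unavailable' is normal for non-US/UK/CA cards, so only 'fail' is a signal.
        if tx.avs_result == "fail":
            review.append("AVS mismatch")
        if tx.amount_usd > MAX_SINGLE_TXN_USD:
            review.append(f"amount {tx.amount_usd:.2f} exceeds {MAX_SINGLE_TXN_USD:.2f}")

    if block:
        return "block", block
    if review:
        return "review", review
    return "allow", []


def demo() -> dict[str, str]:
    """Run three constructed transactions through the rules; returns order -> decision."""
    lists = Lists(blocked_emails={"drop42@example.net"},
                  trusted_emails={"repeat.customer@example.com"})
    orders = {
        "legit": Transaction("4242424242424242", 49.0, "US", "US", "US",
                             "alice@example.com", "203.0.113.5", "pass", "pass"),
        "mismatch": Transaction("4000000000000002", 890.0, "US", "BR", "US",
                                "new.buyer@example.org", "198.51.100.7", "fail", "pass"),
        "blacklisted": Transaction("4000000000000127", 20.0, "GB", "GB", "GB",
                                   "Drop42@example.net", "192.0.2.9", "unavailable", "pass"),
    }
    return {name: evaluate(tx, lists)[0] for name, tx in orders.items()}
```

The ordering matters: blacklist and CVC failures are evaluated before the whitelist exemption, so a trusted account that has been taken over still cannot push a blacklisted card through.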
Practical recommendations
- Use built-in payment gateway tools (Stripe Radar, PayPal Fraud Protection) for basic filters.
- Start with simple rules (e.g. geographic limits) and then add more complex ones (behavioral ones).
- Regularly analyze false positives to avoid alienating legitimate customers.
2. Checking IP addresses
IP addresses are a valuable source of information about a user. IP verification helps identify inconsistencies, the use of anonymizers, and suspicious geographic patterns.
IP Verification Methods
- Geolocation IP:
- Principle: Compare the IP address with the stated billing address or card country. A discrepancy (for example, an IP from India, but the card is from the US) is a red flag.
- Tools: Use databases such as MaxMind GeoIP2, IP2Location or FraudLabs Pro to determine the country, region and network operator (ASN/ISP) behind an IP.
- Setting: In payment gateways, you can set up a rule: "Mark transactions if the IP country does not match the billing country."
- Educational context: Carders often use VPNs or proxies to hide their location. IP geolocation is only effective when combined with other methods.
- VPN/Proxy Detection:
- Principle: Carders often use anonymizing services to mask their IP address. Services like MaxMind or IPQualityScore can detect whether a VPN, Tor, or proxy is being used.
- Setting: Set up a filter: "Block or mark transactions with IPs associated with anonymous services."
- Example: MaxMind's GeoIP2 Anonymous IP database (and its minFraud services) return flags such as is_anonymous_vpn, is_public_proxy, is_tor_exit_node and is_hosting_provider; a hit on any of them marks the IP as an anonymizer or a data-center address rather than a residential connection.
- Educational context: Not all VPN users are scammers, so blocking all VPNs could discourage legitimate customers. It's best to flag such transactions for additional verification.
- IP Reputation:
- Principle: Some IP addresses are associated with known fraudulent activities (e.g. mass attacks).
- Tools: Services like IPQualityScore or LexisNexis ThreatMetrix return a risk score for an IP based on its observed history (abuse reports, botnet membership, prior fraud).
- Setting: Set up the rule: "Flag or reject transactions from IPs whose fraud score exceeds your threshold" (in IPQualityScore the fraud_score field runs from 0 to 100, higher meaning riskier).
- Educational context: IP reputation databases are updated from global fraud data, which makes them a strong signal, but a reputation is shared by everyone behind the same carrier-grade NAT or corporate egress address, so use it as one input rather than an automatic block.
- IP activity monitoring:
- Principle: Multiple transactions from one IP with different cards is a sign of an attack.
- Setting: Set up a filter: "Mark transactions if more than 5 orders were received from one IP in an hour."
- Educational context: Carders often use a single server or botnet for mass attacks, making IP monitoring effective.
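The two velocity rules in this answer ("more than 3 card attempts in 5 minutes" from the behavioral filters, and "more than 5 orders from one IP in an hour" here) are easiest to implement as sliding windows. The following Python class is an added example, not code from the original answer or from any vendor: it keeps a per-IP window of attempt timestamps and of (timestamp, card fingerprint) pairs, expires entries older than the window, and raises a flag when either count crosses its threshold. The thresholds, IP addresses and event stream are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: int        # Unix timestamp in seconds
    ip: str
    card_fp: str   # card fingerprint or gateway token, never the raw PAN


class VelocityMonitor:
    """Sliding-window counters for card-testing detection.

    Two signals per source IP:
      * total payment attempts within `attempt_window` seconds
      * distinct cards tried within `card_window` seconds
    """

    def __init__(self, max_attempts=5, attempt_window=600, max_cards=3, card_window=3600):
        self.max_attempts = max_attempts
        self.attempt_window = attempt_window
        self.max_cards = max_cards
        self.card_window = card_window
        self._attempts = defaultdict(deque)  # ip -> deque[ts]
        self._cards = defaultdict(deque)     # ip -> deque[(ts, card_fp)]

    @staticmethod
    def _expire(window: deque, cutoff: int, ts_of=lambda item: item) -> None:
        # Entries are appended in time order, so dropping from the left until the
        # head is inside the window is enough.
        while window and ts_of(window[0]) < cutoff:
            window.popleft()

    def observe(self, a: Attempt) -> list[str]:
        """Record one payment attempt and return the velocity flags it triggers."""
        flags = []

        attempts = self._attempts[a.ip]
        self._expire(attempts, a.ts - self.attempt_window)
        attempts.append(a.ts)
        if len(attempts) > self.max_attempts:
            flags.append(f"{a.ip}: {len(attempts)} attempts in {self.attempt_window // 60} min")

        cards = self._cards[a.ip]
        self._expire(cards, a.ts - self.card_window, ts_of=lambda item: item[0])
        cards.append((a.ts, a.card_fp))
        distinct = {fp for _, fp in cards}
        if len(distinct) > self.max_cards:
            flags.append(f"{a.ip}: {len(distinct)} distinct cards in {self.card_window // 60} min")
        return flags


def run_sample() -> dict[str, int]:
    """Constructed stream: a shopper who retries once, and a tester rotating cards.

    Returns, per IP, the index of the attempt that first raised a flag (-1 if none).
    """
    events = [Attempt(1000, "203.0.113.5", "fp-alice"), Attempt(1030, "203.0.113.5", "fp-alice")]
    events += [Attempt(2000 + 20 * i, "198.51.100.7", f"fp-stolen-{i}") for i in range(7)]

    monitor = VelocityMonitor()
    first_flag = {"203.0.113.5": -1, "198.51.100.7": -1}
    per_ip_index = defaultdict(int)
    for a in events:
        idx = per_ip_index[a.ip]
        per_ip_index[a.ip] += 1
        if monitor.observe(a) and first_flag[a.ip] == -1:
            first_flag[a.ip] = idx
    return first_flag
```

The distinct-card window fires first in the sample (on the fourth card, before the fifth attempt), which matches how card testing looks in practice: a carder rotates card numbers far faster than a shopper retries the same one. In a real deployment the deques would live in a shared store such as Redis so that all checkout servers see the same counts.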
Practical recommendations
- Integrate IP verification services (MaxMind, IP2Location) with your website via API.
- Use a combination of geolocation and VPN verification for increased accuracy.
- Update your IP databases regularly, as carders often change addresses.
3. Integration with anti-fraud systems
Anti-fraud systems are specialized platforms that use machine learning, big data analysis, and rules to identify fraudulent transactions in real time. They are effective against complex attacks that are undetectable by simple filters.
How anti-fraud systems work
- Data Collection: Analyze hundreds of parameters, including:
- Transaction details (amount, currency, time).
- Device data (browser, operating system, device fingerprint).
- User behavior (typing speed, site navigation).
- Transaction history (repeat purchases, chargebacks).
- External data (IP reputation, email reputation and age, card BIN/issuer data).
- Risk assessment: The system assigns a risk score (e.g., from 0 to 100) to transactions. A low score indicates a legitimate transaction, while a high score indicates a suspicious transaction.
- Actions: Transactions can be automatically accepted, rejected, or sent for manual review.
Popular anti-fraud systems
- Signifyd: Uses machine learning and guarantees refunds on chargebacks.
- Sift: Analyzes user and device behavior, suitable for large stores.
- Riskified: Provides manual verification services and guarantees chargeback protection.
- Kount: Flexible system with customizable rules and device analysis.
- Forter: Focuses on automation and minimizing false positives.
- ClearSale: Suitable for markets with high fraud rates (e.g. Latin America).
Integration process
- Choosing a system: Consider your business scale, budget, and regions of operation. For example, Signifyd is suitable for the US/Europe, ClearSale for Latin America.
- Integration: Most systems integrate via API with popular platforms (Shopify, Magento, WooCommerce) and payment gateways (Stripe, Adyen).
- Rule Setup: Define risk criteria (e.g. "Mark transactions with high risk score for manual review").
- Testing: Run tests to minimize false positives.
- Monitoring: Regularly analyze system reports to update rules.
Educational context
- Machine learning: Anti-fraud systems are trained on millions of transactions, allowing them to identify new carding patterns, such as the use of new proxies or bypass methods.
- Dynamic adaptation: Systems automatically update models to account for changes in carder behavior (such as switching to new VPNs or devices).
- Manual review: Some systems (such as ClearSale) offer human analysts to review suspicious transactions, reducing the burden on the merchant.
Practical recommendations
- Start with basic systems (like Stripe Radar) for small businesses.
- For medium/large businesses, choose Signifyd or Riskified, especially if you experience chargebacks.
- Regularly analyze anti-fraud system metrics (e.g., percentage of rejected transactions) to optimize your rules.
4. Additional protective measures
In addition to filters, IP checks, and anti-fraud systems, there are additional methods that enhance protection:
- 3-D Secure (3DS):
- Principle: An additional authentication step in which the issuing bank verifies the cardholder, typically with a one-time code from an SMS or banking app, or a biometric prompt. With 3DS2 the issuer can also approve low-risk payments without a visible challenge (the "frictionless" flow), so the customer does not always see the step.
- Advantages: For a payment authenticated with 3DS, liability for fraud-related chargebacks shifts from the merchant to the issuer. The shift covers "fraudulent transaction" disputes only; "item not received" or "not as described" disputes are unaffected.
- Setup: Enable 3DS in your payment gateway (e.g. Stripe supports 3D Secure 2 and can request it dynamically for risky payments through Radar rules). In the EU/EEA and UK, PSD2's Strong Customer Authentication requirement makes 3DS (or a valid exemption) mandatory for most online card payments.
- Educational context: Carders avoid 3DS-protected checkouts because they do not control the cardholder's phone or banking app, so challenged card-testing traffic tends to fail at authentication rather than at authorization.
- Tokenization and encryption:
- Principle: Replace card data with tokens that are useless to attackers if leaked.
- Setup: Use tokenization in payment gateways (e.g. Stripe, PayPal).
- Educational context: Tokenization protects data from leaks, which is especially important during attacks on the website's database.
- Captcha and bot protection:
- Principle: Carders often use bots to test cards en masse.
- Setup: Implement Google reCAPTCHA or Cloudflare Turnstile on the payment page.
- Educational context: Bots can bypass simple CAPTCHAs, so use adaptive solutions that analyze behavior.
- Transaction Monitoring:
- Regularly analyze transaction logs for anomalies (for example, a surge in orders from one country).
- Use payment gateway or anti-fraud system dashboards for visualization.
- Staff training:
- Train your team to recognize signs of carding (e.g., orders with mismatched addresses, suspicious emails).
- Set up an escalation process for suspicious transactions.
5. Example of a security workflow
- The user places an order → The payment gateway checks the CVV and 3D-Secure.
- The anti-fraud system analyzes:
- IP geolocation (MaxMind).
- User behavior (form filling speed, device).
- Card details (AVS, transaction history).
- The system assigns a risk score:
- Low Risk (0-30): The transaction is approved.
- Medium risk (30-70): Sent for manual review.
- High risk (70-100): The transaction is rejected and the data is added to the blacklist.
- During manual review, an employee verifies the order with the customer: confirming it by phone on the number already on file, asking the customer to pay again so a 3DS challenge is triggered, or requesting proof of address. Do not ask for a photo of the card: an image of the full card number and CVV is cardholder data that pulls your support mailbox into PCI DSS scope, and the CVV may never be retained at all. If an ID document is requested, handle it under your privacy policy and delete it once the check is complete.
- After analysis, the data is updated in the anti-fraud system to improve the model.
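The risk-assessment step from section 3 and the scoring stage of this workflow, as an added Python example (not code from the original answer or from any anti-fraud vendor): each signal carries a weight, the clipped sum is mapped to the three bands above (approve below 30, review from 30 to 69, reject from 70), a blacklist hit forces the reject band, and the manual-review verdict both feeds the blacklist and produces a labelled record for retraining. The signal names, weights and orders are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed weights: how much each signal adds to the 0-100 risk score.
WEIGHTS = {
    "ip_country_mismatch": 25,
    "anonymizer_ip": 20,
    "avs_fail": 25,
    "first_order": 10,
    "high_amount": 15,
    "card_testing_velocity": 40,
    "blacklist_hit": 100,  # forces the reject band on its own
}
REVIEW_FROM = 30
REJECT_FROM = 70


@dataclass
class Order:
    order_id: str
    card_fp: str        # card fingerprint/token, never the raw PAN
    email: str
    ip: str
    signals: set = field(default_factory=set)


@dataclass
class Blacklist:
    card_fps: set = field(default_factory=set)
    emails: set = field(default_factory=set)
    ips: set = field(default_factory=set)

    def matches(self, o: Order) -> bool:
        return o.card_fp in self.card_fps or o.email in self.emails or o.ip in self.ips

    def add(self, o: Order) -> None:
        self.card_fps.add(o.card_fp)
        self.emails.add(o.email)
        self.ips.add(o.ip)


def risk_score(signals: set) -> int:
    """Additive score clipped to 100; unknown signal names are a configuration bug."""
    unknown = set(signals) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    return min(100, sum(WEIGHTS[s] for s in signals))


def band(score: int) -> str:
    if score < REVIEW_FROM:
        return "approve"
    if score < REJECT_FROM:
        return "review"
    return "reject"


def process(o: Order, blacklist: Blacklist) -> tuple[int, str]:
    """Score an order; rejected orders are added to the blacklist as the workflow describes."""
    signals = set(o.signals)
    if blacklist.matches(o):
        signals.add("blacklist_hit")
    score = risk_score(signals)
    action = band(score)
    if action == "reject":
        blacklist.add(o)
    return score, action


def record_review(o: Order, verdict: str, blacklist: Blacklist) -> dict:
    """Apply a reviewer's verdict ('fraud' or 'legit') and return a labelled row for retraining."""
    if verdict not in ("fraud", "legit"):
        raise ValueError("verdict must be 'fraud' or 'legit'")
    if verdict == "fraud":
        blacklist.add(o)
    return {"order_id": o.order_id, "signals": sorted(o.signals), "label": verdict}
```

Keeping the "legit" verdicts as labelled rows is what lets you measure the false-positive rate of each weight later; a rule set that is only ever told about fraud drifts toward blocking more and more real customers.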
6. Practical examples of tools
- Small business:
- Stripe Radar: A built-in anti-fraud tool with customizable rules and machine learning. Suitable for beginner merchants.
- PayPal Fraud Protection: Easy filter setup and IP verification.
- Medium/large business:
- Signifyd: Chargeback money back guarantee, Shopify/Magento integration.
- Riskified: Suitable for stores with high transaction volume.
- Specific needs:
- MaxMind: A cheap solution for checking IP and geolocation.
- ClearSale: Manual verification for high-fraud markets.
7. Educational aspects
- Why is carding so difficult to detect? Carders are constantly refining their methods, using stolen identities, counterfeit documents, and new technologies (such as device emulators). This requires merchants to develop dynamic protection.
- Balancing security and user experience: Overly strict filters can discourage legitimate customers (for example, blocking all VPNs). Machine-learning anti-fraud systems help find the balance.
- Chargebacks as the main threat: If a carder successfully makes a purchase, the cardholder can request a chargeback, and the merchant loses both money and goods, plus a dispute fee. Anti-fraud systems with a chargeback guarantee (Signifyd, Riskified) mitigate this risk.
- Legal and compliance aspects: PCI DSS is not a national law but a card-brand standard that acquirers impose contractually on every merchant accepting cards; non-compliance can mean fines passed down by the acquirer, higher fees, or loss of the ability to process cards, and a breach of cardholder data adds forensic and reissuance costs. Separately, in the EU/EEA and UK, PSD2's Strong Customer Authentication requirement makes 3DS (or an exemption) mandatory for most online card payments, and the customer data processed for fraud screening must be handled in line with GDPR.
Conclusion
Carding protection requires a multi-layered approach:
- Filters help filter out suspicious transactions based on geography, limits, card details, and behavior.
- IP verification reveals geolocation inconsistencies and the use of anonymizers.
- Anti-fraud systems automate analysis and adapt to new threats.
- Additional measures (3DS, tokenization, captcha) enhance security.
For educational purposes, it's important to understand that carding is a dynamic threat, and protection must be flexible. Start with simple tools (Stripe Radar, PayPal), then move on to more advanced systems (Signifyd, Sift). Regularly analyze data and update rules to minimize risks and false positives.
If you'd like to dive deeper into configuring a specific system (for example, Stripe Radar) or receive example rules, please contact me, and I'll provide more detailed information!