Cybercrime is happening more and more. In this article we will talk about one of the most common fraud scams, known as carding, and provide recommendations from the OSI (Oficina de Seguridad del Internauta) to help you avoid falling victim to it.
What is carding?
Carding is a type of fraud that uses information from stolen cards to use them fraudulently. The data that is subtracted is related to said cards, hence the term “carding”.
Cybercriminals use different techniques to obtain data from victims’ cards. The OSI have created a list of some of the best known.
- users who are victims of fraud such as: phishing, smishing, vishing* or shoulder surfing**
- distribution of malware, such as keyloggers, capable of capturing what you type on your device
- database of clients/users of websites whose security has been violated, and which are published on the Internet
- fraudulent websites in which users have entered their bank details
- use of readers with RFID (Radio Frequency Identification) or NFC wireless communication capable of obtaining card data. They approach the victim’s card at less than 15 centimetres and in a matter of seconds, the data is saved
Once the card details are obtained, cybercriminals proceed to make purchases to verify that the information they have replicated on a virtual card is valid. Generally, they start making purchases of products or services that have a low amount and will increase them in order to try to determine the available balance of the card.
If the above step was successful, the scammers will have verified both the card details and the quality of the stolen account information to determine its value.
In general, carding increases in the periods of the main commercial campaigns (Christmas, Black Friday, holidays etc). They take advantage of the overload of transactions due to purchases. Therefore, special attention must be paid on these dates.
The OSI give an example of a real case of carding and with considerable repercussion in Spain. This was called the “Proxy” operation. Members of the fraudulent network residing in various countries throughout the world, resold the fraudulently obtained products at prices lower than the stipulated in the market.
How can we protect ourselves from this attack?
As mentioned at the beginning of this article, carding is an attack that is closely related to social engineering. Cybercriminals use this and other techniques to obtain bank and personal data from their victims.
Here are 10 tips from the OSI that will help you protect yourself from this type of fraud:
- do not listen to spam messages or emails with unknown senders
- keep a periodic control of your banking operations and transactions. Put special emphasis on dates when you make more online purchases: sales, holidays, Christmas periods, Black Friday, etc
- turn off the NFC system on your mobile device when you’re not using it or use an anti-theft card protector
- when making purchases online, make sure that the store is trustworthy, and that it uses a payment gateway or accepts secure payment methods
- make use of the wallet or virtual cards offered by the bank for online payments
- disable the NFC and RFID option in your bank’s application if you do not use this method. If you do use it, enable the use of this card payment method to request confirmation with a PIN
- under no circumstances provide bank details over the phone
- do not use public computers to make purchases
- update the programs and applications that you use frequently
- activate the double authentication factor for card payments and be wary of any email that asks you for card details or credentials
What to do if you suspect you have been a victim
If you suspect that you have been a victim of this technique, contact your bank to report the problem and find a solution. In addition, report the facts to the OSI, providing all the evidence you have.
Attacks on the Internet are becoming more frequent and for this reason it is necessary to protect ourselves adequately. It no longer serves us to think that it only happens to other people, since we are all exposed. So, we must be aware of it and act on it. Knowing the main frauds that they will use, such as carding, is the first step to be able to prevent them.
Also read: Internet scam Kingpin arrested in Spain
* Vishing is a type of social engineering that, like phishing and smishing, aims to obtain users’ personal details or bank details; but in this case the fraud is committed over the phone, deceiving the victim by impersonating a trusted third party.
** A shoulder surfing attack describes a situation where the attacker can physically view the device screen and keypad to obtain personal information. It is one of the few attack methods requiring the attacker to be physically close to the victim to succeed.
