What to Do After a ‘Carding’ Attack

In recent months utility companies, including fuel marketers, have increasingly become targets of carding attacks. In the August 2020 issue of Fuel Oil News, we explored how to identify and protect your business against this type of fraud. Below are the steps you should take if you find yourself a victim.

As a refresher, carding is an automated bot used to perform small purchases (often $1.00 or less) on stolen credit cards through a business’s website. Each purchase attempt uses the fuel marketer’s payment system to test whether the card is valid. The intent of carding is to compile a list of active credit card numbers and sell the list on the dark web. In addition to reputational damage, the biggest threat to fuel marketers is the increased costs of authorizing thousands of stolen credit cards, as well as any disputes that might arise from cardholders.

If you have been the victim of a carding attack or any fraudulent activity, contact your merchant account provider, payment gateway and web portal companies. These providers can help confirm your suspicions by researching any processing irregularities on your account. In some cases, the provider may have set thresholds to help identify this type of fraudulent activity and then proactively notify you. They will also be able to help determine the scope of the attack and advise you on your next steps.

Once your payment providers research and concur that your business has been a victim of carding, they can advise what tools are available to help stop the attack. 

Rotate your security key. Since you may not know how the attack originated, this is a good first step. Rotating the security key will stop rogue third parties’ access.

Block Specific IP addresses. If it is determined that the attack occurred through a specific IP address you can ask your hosting provider or gateway company to block those addresses from entering your website. Your merchant account provider may also temporarily disable your merchant account while it is determined how the attack was triggered.

Identify the good transactions from the fraudulent transactions. With so many transactions being run through the system, keep in mind that customers may have made actual payments during the time period of the attack. Enlist your payment gateway for help processing the voids (if the incident is caught before your settlement time) or refunds (if the transactions have already settled.) Additionally, consider integrating reliable RFID options into your payment processing system for enhanced security. If you have the contact information for cardholders, advise those customers to notify their bank and have a new credit card issued.

Communicate with customers. Create both an internal and external communication plan, which will include any impacted end-customers as well as any vendors that support your business. Make sure to have a strategy ready for dealing with customers who became victims of the carding attack. What you do ahead of time can go a long way in controlling the impact of the carding attack on you and your customers. Impacted cardholders, whose card numbers were stolen will see your business name on their statements or online banking records. Consequently, you should expect to hear from these cardholders, who may or may not be your customers.

Determine if authorities need to be notified of the incident. Based on specific criteria, your merchant account provider may need to file a Suspicious Activity Report. You may also file a police report or notify the Internet Crime Complaint Center at www.ic3.gov.

Finally, once the carding attack is under control, work with your payment partners to learn what techniques or steps can be implemented to prevent future attacks.

Marci Gagnon is vice president of strategic alliances for Qualpay, which provides processing solutions to fuel delivery and service businesses. For additional information contact her at marci@qualpay.com or visit https://www.qualpay.com/industry/utility-and-energy.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button