Credit card fraud or ‘carding’ means the trafficking of credit card or bank account information. The credit card information is stolen by using ‘skimming’ techniques. Skimming is the theft of personal information through an otherwise normal transaction.
Credit card fraud
The collected payment card information can be used for fraud payments or sold forward. On dark web marketplaces, there are large collections of credit card information on sale, and criminals buy them to cash out the cards.
A credit card thief can procure a victim’s card number using basic methods, such as photocopying receipts, or more advanced methods, such as using a small electronic device (skimmer) to swipe and store hundreds of victims’ card numbers.
The ‘skimmer’ device can be placed on the card slot of an automated teller machine, where the device reads the magnetic strip as the user unknowingly passes their card through it. Skimmer devices are often attached to a miniature camera to read the user’s PIN.
Web skimming is a form of internet or card fraud whereby a payment page on a website is compromised when malware is injected onto the page to steal payment information. In addition, hackers are sometimes able to hack into companies and steal large credit card information databases. In some cases, millions of accounts are compromised through large data breaches.
On the dark web, there are tutorials and tools for sale on how to hack card payment devices and systems. Point of sale (POS) is the place where payment transactions are made, typically consisting of a device which reads the card information and POS software in a computer which sends the payment data to the payment service provider. For example, malware tools sold on the dark web can be installed on the POS system where payment cards are processed, allowing the attacker to collect card data during payment processing.
In many cases, skimmers and hackers collect the credit card information and sell the information online using dark web forums and marketplaces. They sell the collected credit card information to criminals who use the information for online payments or to produce physical cloned credit cards. Typically, the information or cloned credit card is used to cash out the credit.