The IT Law Wiki

Definition

Carding refers to the unauthorized use of credit and debit card account information to fraudulently purchase goods and services. The term has evolved in recent years, however, to include an assortment of activities surrounding the theft and fraudulent use of credit and debit card account numbers including computer hacking, phishing, cashing-out stolen account numbers, re-shipping schemes, and Internet auction fraud.

Overview

In contrast to other types of identity theft, carding involves the large-scale theft of credit card account numbers and other financial information. Other common methods that criminals use to steal personal information include dumpster diving, skimming, phishing, change of address, and "old-fashioned stealing." In each of these methods, the number of victims rarely exceeds several hundred or, in rare cases, a few thousand. Carding, on the other hand, often involves thousands of victims, and in some cases, millions.

Dumps

One of the products frequently for sale by carders is the "dump," which generally refers to information electronically copied from the magnetic stripe on the back of credit and debit cards. In the credit card industry, this information is referred to as "full-track data," referencing the two tracks of data (Track 1 and Track 2) on the magnetic stripe.[1] Track 1 is alphanumeric and contains the customer's name and account number.[2] Track 2 is numeric and contains the account number, expiration date, the secure code (known as the CVV),[3] and discretionary institution data.[4] Dumps, which appeared for sale on carding forums in 2002, typically contain at least Track 2 data, but often contain both Track 1 and 2. Carders also refer to BINs[5] and PINs[6] in the course of selling dumps.
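Because full-track data is what ends up in a dump, merchants and processors commonly scan their own logs for it and redact it. The following is an added example, not part of the original article: a log scanner that finds Track 2 records, confirms them with a Luhn check, and masks them. The field layout (ISO/IEC 7813 sentinels and separator), the function names, and the sample log lines are assumptions introduced for the example.

```python
import re

# Assumption (ISO/IEC 7813, not spelled out in the article): Track 2 is
# ';' PAN '=' YYMM expiry, 3-digit service code, discretionary digits, '?'
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan):
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_and_redact(text):
    """Return (redacted_text, masked PANs of every Track 2 record found)."""
    findings = []

    def _redact(m):
        pan, expiry = m.group(1), m.group(2)
        if not (1 <= int(expiry[2:]) <= 12 and luhn_ok(pan)):
            return m.group(0)   # not plausible card data, leave untouched
        findings.append(mask_pan(pan))
        return ";" + mask_pan(pan) + "=[REDACTED]?"

    return TRACK2_RE.sub(_redact, text), findings

# Constructed sample log; 4111111111111111 is a well-known test number.
SAMPLE_LOG = (
    "12:00:01 pos-07 swipe raw=;4111111111111111=30121010000000000000?\n"
    "12:00:02 pos-07 ref=;1234567890123456=30121010000? (fails Luhn)\n"
)

if __name__ == "__main__":
    redacted, found = scan_and_redact(SAMPLE_LOG)
    print(redacted, found)
```

The Luhn and month checks keep the scanner from flagging arbitrary digit strings that happen to share the sentinel pattern, which matters when it runs over high-volume logs.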

References

  1. Visa, Inc., Visa Fraud Investigations and Incident Management Procedures: What To Do If Compromised 16 (Dec. 2007) (full-text).
  2. Id. at 17.
  3. The term "CVV" is an acronym used in the credit card industry to refer to "card verification value." Id. at 15. (To add to the confusion, Mastercard's term is CVC, or "card validation code"). There are two different types of CVV, each of which provides an additional fraud protection layer for different types of transactions: CVV (or CVV1), which is a unique three-digit value encoded on the magnetic stripe of the card, and CVV2, which is the three-digit value that is printed on the back of all payment cards. Id. at 15. CVV (or CVV1) assists in fraud detection for face-to-face retail transactions (known in the credit card industry as "card present" transactions) in that it must be verified online by the credit card issuer at the same time a transaction is authorized. Id. From the carder's perspective, therefore, in order to engage in card present transactions, he/she must possess not only the card number on the face of the card, but also the CVV encoded on the stripe. CVV2 assists in fraud detection for "card not present" transactions (i.e., sales transactions that take place over the Internet or by telephone) by ensuring that the customer actually has the physical card (because the CVV2 is printed on the back) when making a purchase. Card not present merchants are required to ask the customer for the CVV2 value and submit it as part of their authorization request. Id.
  4. Id. at 17.
  5. Carders are interested in BINs because they allow them to identify and target more vulnerable financial institutions, and spread thefts across a wide range of institutions. Often, carders will advertise "BIN lists" for sale.
  6. "PIN" is also a carding term of art indicating a credit card or debit card for which the personal identification number has also been obtained, allowing for direct cash withdrawals. Often, carders will advertise "dumps with PINs" for sale.
