How To Slow Carding Attacks In WooCommerce


E-commerce businesses are expected to continue on their uptrend over the next few years. The global pandemic triggered a massive shift in consumer behavior that resulted in a 27% increase in e-commerce sales from 2019 to 2020. According to a study by Statista, global e-commerce sales will hit US$6.4 trillion in 2024.

Of course, lucrative industries will attract opportunists who have malicious intent. Cybersecurity Ventures has run a study on cyber-criminal activity and estimates that losses due to cyber attacks will hit US$10.5 trillion in 2025. 

One type of attack that will become prevalent over the next few years is carding. 

What Is Carding?

Carding is a type of cyber-attack in which a criminal makes repeated attempts to get stolen credit card numbers approved. The criminal does this by picking a number of e-commerce sites and making small purchases on them to test whether the stolen credit card numbers are valid.

How Can Carding Damage My E-Commerce Business?

A credit card holder who sees questionable purchases on his credit card statement will not waste time. He will immediately address the matter by contacting the credit card company and challenging the authenticity of the purchase.

The questionable purchase is called a chargeback and can be damaging to the merchant. If the dispute is successful, the merchant will be forced to reverse the charges and issue refunds to the customer.

Chargebacks are not only financially damaging to your e-commerce business. They can also tarnish the reputation of your website with customers and credit card processing companies.

How Do You Know You’ve Been A Victim Of A Carding Attack?

A cyber-criminal launches a carding attack by unleashing a bot that has been programmed to make several small purchases on various e-commerce websites.

The stolen credit card numbers that yield positive results will be summarized in a list that will be used either to make more purchases or to be sold to a larger cyber-criminal organization.

How do you know that your e-commerce site has been targeted for carding attacks?

Here are signs to watch out for:

  • A larger than usual number of cart abandonment incidents.
  • An abnormally high number of failed credit card transactions.
  • A significantly high number of attempts at the checkout counter.
  • A high volume of failed attempts originating from the same IP address.
  • An alarmingly high number of chargebacks.
  • Shopping cart sizes are unusually small.

When you see any one of these signs on your website, don’t ignore them. Act right away.
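The signs listed above can be checked automatically against your checkout records. The following is an added example, not code from the original article or from WooCommerce: the record layout `(timestamp, ip, order_total, approved)`, the thresholds, and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Thresholds are illustrative assumptions; tune them against your own baseline.
WINDOW = timedelta(minutes=10)
MAX_FAILS_IN_WINDOW = 5
MIN_ATTEMPTS = 4          # skip ratio and basket checks below this many attempts
MAX_FAIL_RATIO = 0.5
SMALL_ORDER = 5.00

BASE = datetime(2024, 1, 1, 10, 0)  # constructed sample data, not real logs
ATTEMPTS = (
    # one address making 8 tiny orders 40 seconds apart, only one approved
    [(BASE + timedelta(seconds=40 * i), "203.0.113.7", 1.00, i == 5) for i in range(8)]
    # ordinary shoppers: one declined card retried once, normal basket sizes
    + [(BASE + timedelta(minutes=3), "198.51.100.20", 64.90, False),
       (BASE + timedelta(minutes=4), "198.51.100.20", 64.90, True),
       (BASE + timedelta(minutes=9), "192.0.2.55", 120.00, True)]
)

def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    best = start = 0
    for end, ts in enumerate(times):
        while ts - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def carding_signals(attempts):
    """Map each suspicious IP to the warning signs it matched."""
    by_ip = defaultdict(list)
    for ts, ip, total, approved in sorted(attempts):
        by_ip[ip].append((ts, total, approved))
    flagged = {}
    for ip, rows in by_ip.items():
        fails = [ts for ts, _, ok in rows if not ok]
        signs = []
        if max_in_window(fails, WINDOW) >= MAX_FAILS_IN_WINDOW:
            signs.append("failed-attempt burst from one IP")
        if len(rows) >= MIN_ATTEMPTS:
            if len(fails) / len(rows) > MAX_FAIL_RATIO:
                signs.append("high failure ratio")
            if median(t for _, t, _ in rows) <= SMALL_ORDER:
                signs.append("unusually small orders")
        if signs:
            flagged[ip] = signs
    return flagged

if __name__ == "__main__":
    for ip, signs in carding_signals(ATTEMPTS).items():
        print(ip, "->", "; ".join(signs))
```

A shopper who retries one declined card stays below every threshold, so only the address with the burst of small failed orders is reported.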


How To Protect Your WooCommerce Platform Against Carding Attacks

WooCommerce is one of the most popular open-source e-commerce plugins for websites. In 2020, it was estimated that more than 3.9 million websites use WooCommerce.

If you’re using WooCommerce, you could be one of the many e-commerce websites that’s being targeted for carding attacks. 

We created a shortlist of techniques and processes that you can implement to protect your WooCommerce platform against carding attacks by cyber-criminals.

1. Multi-factor Authentication

Since cyber-criminals need multiple attempts to validate the stolen credit card numbers, multi-factor authentication will make the bots or the user exert more effort and potentially reduce the number of verified credit cards on the list.

With multi-factor authentication (MFA), the user goes through multiple tests to prove his credentials in order to access the website. The credentials used by MFA are usually a combination of something the user knows, such as a password, a security test, and/or a biometric verification test.

2. Fingerprinting

Fingerprinting is a process that seeks to identify who or what is trying to log in to the website by tracking down the browser of the user and linking it to the device that’s being used to make the connection.

When launching a carding attack, a bot will go through several attempts, and it will not be able to switch devices for every one of them. To look like a new visitor each time, the cyber-criminal will have to go through the process of clearing the cache of the device, switching to incognito mode, and changing browsers.
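The sketch below shows why fingerprinting helps: payment attempts are counted per device fingerprint rather than per IP address or cookie, so changing those does not reset the counter. It is an added example, not code from the original article or from any fingerprinting product; the attribute names, the limit of 3 attempts per 600 seconds, and the sample traffic are assumptions.

```python
import hashlib
from collections import defaultdict, deque

# Attribute names are hypothetical; a real site would collect them from request
# headers and a client-side script. IP address and cookies are left out on purpose.
FP_FIELDS = ("user_agent", "accept_language", "timezone", "screen")

def device_fingerprint(attrs):
    """Hash the browser/device attributes into a short, stable identifier."""
    material = "\x1f".join(f"{k}={attrs.get(k, '')}" for k in FP_FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]

class CheckoutThrottle:
    """Allow at most `limit` payment attempts per fingerprint per `window_s` seconds."""
    def __init__(self, limit=3, window_s=600):
        self.limit, self.window_s = limit, window_s
        self.attempts = defaultdict(deque)   # fingerprint -> attempt timestamps

    def allow(self, attrs, now):
        q = self.attempts[device_fingerprint(attrs)]
        while q and now - q[0] >= self.window_s:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                           # challenge or block this attempt
        q.append(now)
        return True

# Constructed sample traffic: one automated client that changes IP and cookie on
# every attempt, plus one ordinary shopper on a different device.
BOT = {"user_agent": "ExampleBrowser/1.0", "accept_language": "en-US",
       "timezone": "UTC", "screen": "1024x768"}
SHOPPER = {"user_agent": "ExampleBrowser/2.3 (Mobile)", "accept_language": "en-GB",
           "timezone": "Europe/London", "screen": "390x844"}
REQUESTS = [
    {**BOT, "t": 0, "ip": "203.0.113.7", "cookie": "a1"},
    {**BOT, "t": 30, "ip": "203.0.113.8", "cookie": "b2"},
    {**BOT, "t": 60, "ip": "203.0.113.9", "cookie": "c3"},
    {**BOT, "t": 90, "ip": "203.0.113.10", "cookie": "d4"},
    {**SHOPPER, "t": 100, "ip": "198.51.100.20", "cookie": "z9"},
    {**BOT, "t": 120, "ip": "203.0.113.11", "cookie": "e5"},
]

def replay(requests):
    """Return the allow/deny decision for each request, in order."""
    throttle = CheckoutThrottle()
    return [throttle.allow(r, r["t"]) for r in requests]

if __name__ == "__main__":
    print(replay(REQUESTS))
```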

3. User Challenges

If you use PayPal, you’ve probably had to deal with a user challenge designed to check if you’re human or a bot.

This user challenge is a type of Captcha program that seeks to verify you’re human by asking you to tick a box.

Simple enough, but then the program shifts to another type of Captcha. One that asks you to identify a specific object – such as a bike or stairs – from a series of images. 

In some cases, the images are misleading. You will be forced to stop, analyze, and rely on intuition to choose the right answers. 

Certainly, this process can throw off a carding attack bot. 

4. API Security Technology

Popular e-commerce sites and payment platforms include credit card facilities in their API to improve user experience by making payments faster and more convenient. 

But these credit card facilities are frequent targets of carding attack bots. For this reason, these websites have integrated API security technology that’s specially designed to protect against carding attacks. 

Stripe is a good example of an API security program that can protect your e-commerce website from being infiltrated by carding bots. 

Stripe is a payment gateway that’s used to process credit card payments. To thwart carding attacks, Stripe uses a combination of automatic and manual processes that blunt the effectiveness of these bots.

Examples of these anti-carding processes are:

  • Machine Learning
  • Rate Limiters
  • Alerts 
  • System Reviews

Likewise, Stripe wants to make it easy for their customers to access customer service by providing 24/7 support via email, inbound phone calling systems, and chat.

The best thing about Stripe is that you can integrate it with WooCommerce without incurring expenses. 

5. Bot Pattern Analysis

We mentioned Machine Learning in the previous section as one of the safeguards used by Stripe to detect carding activity.

Machine Learning analyzes carding bot behavior and attack patterns so it can determine the type of bot program and arrive at the most effective course of action to extinguish all verification attempts on the website.

Machine Learning programs review a large amount of data to pinpoint the originating URL and the patterns of mouse, keypad, and swiping behavior of the carding attack bot, as well as to analyze site metrics in real-time.


Setting up an e-commerce site for your business is a great way to capitalize on the shift in the purchasing behavior of consumers. More people are going online to find products and services that meet their needs.

Unfortunately, you’re not the only one who has recognized this. Cyber-criminals are going to find ways to exploit opportunities, and launching carding attacks is just one of the many schemes they will bank on to tear down what you’re building up.

Installing SSL Certificates is a step in the right direction but it might not discourage criminals from undertaking carding attacks. 

We recommend adding other layers of security such as those discussed in this article to protect your e-commerce website from the threat of carding attack bots and stop them in their tracks.
