As someone whose used the internet for many years, the term 'Carding' was moderately familiar to me, a term used on unsavory forums and websites to describe the increasingly regimented process of stealing and laundering credit card information.
Drafting a brief history on Wikipedia, I reached out to Reddit's /r/DarkNetMarkets forums for some pointers which has led to be writing the first ever almost-complete history of Carding.
In my research, I found that the fundamentals of Carding are barely unchanged since the 80's (thanks to some wonderful archives from textfiles.com), simply moving between payment services and improving the security of their forums and markets over time. Close links with hackers, as well as ongoing cyberwarfare between services themselves appear to be the norm on these underground markets, as do complex law enforcement investigations and informants.
My research has led me to a somewhat unsettling conclusion that Carding isn't going away any time soon. Commercial websites and networks are simply too insecure, credit card and personal information too valuable and money laundering methodologies too reliable for law enforcement to perform enough investigations and arrests to stem the financial impact this industry has.
This confirms my suspicion that more secure and anonymous payment systems are required for day-to-day consumer use. Financial regulations should encourage the use of 'Virtual Visa' services
- This would allow one-time credit card number per website. We know not to reuse passwords across websites, so why do we use credit card numbers in this way? This would allow any breach to be instantly traced to the merchant in question
- You could transfer the exact purchase amount and no more to your virtual Visa number, protecting you not only against use beyond that transaction, but also from hidden merchant fees
- Ultimately you want to make a Smart Contract, that specifies exactly how much money you'll transfer to whom, in what time period. (such as a recurring payment)
Having extensively studied Bitcoin and Darknet markets (to be covered in future posts!), this is similar to the highly secure escrow based methodology that is already revolutionising the sale of the online trade in restricted items around the world. It's about time legitimate eCommerce caught up - because whilst I can revoke my credit card details, I can't revoke the personal information I'm asked to submit with our current card infrastructure.