
Card Testing and Widespread Fraud

Card testing is used by criminals to determine the validity of stolen credit or debit card information by making small purchases or authorisation requests.

Although rarely mentioned in the news, at least in comparison to other scams like phishing, card testing is an enormous threat to ecommerce businesses today.

In fact, according to UK Finance, in the first half of 2022 alone, £609.8 million was stolen through fraud and scams. Banks, meanwhile, in the same time period, stopped an additional £584 million from being stolen.

How To Protect Yourself From Card Testing

Given the prevalence of card testing, the real question is, how do you protect yourself from it? Keep reading to find out.

PS For supplementary reading on this topic, check out our article Ecommerce fraud: credit card testing & bin attacks explained.

1. Regularly Monitor Your Account Activity 

The most basic and essential step merchants can take to combat card testing fraud is to monitor their account activity.

There are certain red flags that should be closely monitored, such as dramatically increased declines and multiple back-to-back authorisation requests for low dollar amounts.

Other red flags include but are not limited to:

  • A sudden increase in the number of cards on a merchant’s account
  • Receiving multiple AVS alerts
  • Seeing inconsistencies in a customer’s information across several purchases
  • A customer wanting to use unusual payment methods
  • Receiving payments from high-risk countries
  • Receiving unusual orders (the order is too big, there are multiples of the same item being purchased, rush orders, etc.)
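The first two red flags above (a jump in declines and back-to-back authorisation requests for very small amounts) are easy to check for automatically once you have authorisation records from your gateway. The following is an added example, not Pixxles code: it runs a sliding-window detector over a constructed sample of authorisation log lines. The record format, the thresholds (amounts under 5.00, five or more attempts within two minutes, a decline rate of at least 60%) and the sample data are all assumptions chosen for illustration.

```python
"""Card-testing burst detector over constructed authorisation records.

Added example, not the payment provider's code. Log format, thresholds and
sample data are assumptions chosen to illustrate the red flags in the text:
a burst of back-to-back low-value authorisations, mostly declined, across
many distinct cards on one merchant account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, merchant id, card token, amount, result.
SAMPLE_LOG = """\
2023-11-24T09:00:01Z merch-42 card-1111 45.00 approved
2023-11-24T09:03:15Z merch-42 card-2222 120.50 approved
2023-11-24T09:10:00Z merch-42 card-3333 0.50 declined
2023-11-24T09:10:02Z merch-42 card-4444 0.50 declined
2023-11-24T09:10:03Z merch-42 card-5555 1.00 approved
2023-11-24T09:10:05Z merch-42 card-6666 0.50 declined
2023-11-24T09:10:06Z merch-42 card-7777 0.50 declined
2023-11-24T09:10:08Z merch-42 card-8888 1.00 declined
2023-11-24T09:10:09Z merch-42 card-9999 0.50 declined
2023-11-24T09:45:00Z merch-42 card-1234 89.99 approved
"""

LOW_AMOUNT = 5.00                 # assumption: only "small" auths are considered
WINDOW = timedelta(minutes=2)     # assumption: burst window
MIN_ATTEMPTS = 5                  # assumption: burst size worth alerting on
MIN_DECLINE_RATE = 0.6            # assumption: share of declines in the burst


def parse_log(text):
    """Parse the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, merchant, card, amount, result = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "merchant": merchant,
            "card": card,
            "amount": float(amount),
            "result": result,
        })
    return records


def find_card_testing_bursts(records, window=WINDOW, min_attempts=MIN_ATTEMPTS,
                             low_amount=LOW_AMOUNT, min_decline_rate=MIN_DECLINE_RATE):
    """Sliding window per merchant over low-value authorisations.

    Returns one alert per merchant describing the largest window that meets
    both the attempt-count and decline-rate thresholds.
    """
    by_merchant = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["amount"] < low_amount:
            by_merchant[r["merchant"]].append(r)

    alerts = []
    for merchant, rows in by_merchant.items():
        best = None
        start = 0
        for end in range(len(rows)):
            # Advance the window start until it fits inside `window`.
            while rows[end]["ts"] - rows[start]["ts"] > window:
                start += 1
            burst = rows[start:end + 1]
            if len(burst) < min_attempts:
                continue
            declines = sum(1 for b in burst if b["result"] == "declined")
            if declines / len(burst) < min_decline_rate:
                continue
            if best is None or len(burst) > best["attempts"]:
                best = {
                    "merchant": merchant,
                    "window_start": burst[0]["ts"].isoformat(),
                    "window_end": burst[-1]["ts"].isoformat(),
                    "attempts": len(burst),
                    "declines": declines,
                    "distinct_cards": len({b["card"] for b in burst}),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_card_testing_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the detector reports one burst on merch-42: seven low-value attempts in nine seconds, six of them declined, across seven different cards. The large approved orders before and after the burst are ignored because they are above the low-amount cutoff, which is what keeps normal trading from tripping the rule.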

To keep track of card testing attacks, merchants can and should work closely with their payment processors.

Merchants who work with Pixxles receive added protection from us since we actively monitor your data security. We offer substantial benefits on the security front and attentive, high-quality customer service.

You can read more about how we protect you on our Security & Compliance page.

2. Set Minimum Thresholds To Custom Payment Amounts

Card testers operate by running very small charges that are unlikely to be noticed, so if you set a minimum threshold of $5 or more, you’re more likely to see if someone is engaging in foul play.

Note: Before setting a minimum payment threshold, check with your card network to ensure it doesn’t have a rule against setting a minimum spend amount.

If you are able to set a minimum payment amount, then it’s worth considering. Fraudsters really try to avoid making large charges when they first use a card, in part because they don’t want the card owner filing a chargeback.

Taking Donations and Customer Payments

If you are taking donations, try setting a minimum donation amount that will discourage fraudsters from attacking your website while also honoring what your donors are able to give.

This rule can be applied to any kind of payment a customer makes to your ecommerce store.

3. Require More Matching Security Elements 

Some websites require customers to enter a CVV as part of the payment process, which helps prove that the buyer has the card in their possession and is not using stolen card information.

Simple requirements like these work well because fraudsters often do not have a customer’s complete information. CVVs, for example, are difficult to obtain, so a transaction submitted without one will fail to go through.

Additional matching security elements that ecommerce stores should require include the cardholder’s name, billing address, and the expiration date of the card.

To gather this information, make sure you use a PCI DSS-compliant payment gateway. Then enable AVS matching, expiration date checks, and CVV verification.

4. Monitor IP Addresses 

A lot of card testing attacks don’t come from inside the UK but from outside the country, where it is much more costly and time-consuming for authorities to track down suspects and make arrests.

By keeping an eye on the IP addresses that visit your website, you can see who is buying from another country and who is using a masked address. Masked IP addresses, although certainly not an automatic indicator of guilt, are a clue that fraudulent activity might be occurring.

To protect your ecommerce store, one option is to have your payment gateway limit all IP addresses outside the UK to only one or two orders per day.

5. Track Foreign Devices That Display Fraudulent Patterns

Today, thanks to device fingerprinting, merchants have access to incredible solutions that allow them to keep track of customer devices associated with fraudulent activity.

By analyzing various parameters such as the device type, operating system, browser type, screen resolution, IP address, and installed fonts, device fingerprinting can create a unique identifier for each device that is difficult to fake or duplicate.

Once user profiles have been created for your customers, comparing device fingerprints with known user profiles becomes a matter of course and can help detect fraudulent attempts to impersonate legitimate users.
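The fingerprint-and-compare step described above can be illustrated with a small profile store. This is an added example, not Pixxles code or any vendor’s product: it derives a stable identifier from the device attributes listed in the text (the IP address is deliberately left out of the hash because it changes far more often than the rest), keeps a record of which customer accounts each device has been used with, and classifies a new checkout against that history. The attribute set, the cutoff of three accounts per device and the sample devices are assumptions.

```python
"""Device fingerprint profiles: added example, not the provider's code.

Fingerprint fields, thresholds and sample devices are assumptions. The
fingerprint is a SHA-256 over a canonical JSON form of the attributes so
that key order and font-list order do not produce different identifiers.
"""
import hashlib
import json

# Assumption: attributes that go into the fingerprint. IP is tracked
# separately because it changes often and would make the fingerprint unstable.
FINGERPRINT_FIELDS = ("device_type", "os", "browser", "screen", "fonts")
MAX_ACCOUNTS_PER_DEVICE = 3   # assumption: more accounts than this is suspicious


def fingerprint(attrs):
    """Return a short, stable identifier for a device attribute dict."""
    canon = {}
    for field in FINGERPRINT_FIELDS:
        value = attrs[field]
        canon[field] = sorted(value) if isinstance(value, list) else value
    blob = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()[:16]


class DeviceProfiles:
    def __init__(self):
        self.accounts_by_device = {}   # fingerprint -> set of customer ids
        self.fraud_devices = set()     # fingerprints tied to confirmed fraud

    def record(self, customer_id, attrs):
        """Remember that this customer completed a checkout on this device."""
        self.accounts_by_device.setdefault(fingerprint(attrs), set()).add(customer_id)

    def flag_fraud(self, attrs):
        """Mark a device as tied to a confirmed fraudulent transaction."""
        self.fraud_devices.add(fingerprint(attrs))

    def assess(self, customer_id, attrs):
        """Classify an attempted checkout without recording it."""
        fp = fingerprint(attrs)
        if fp in self.fraud_devices:
            return "block: device previously tied to confirmed fraud"
        accounts = self.accounts_by_device.get(fp, set())
        if len(accounts) >= MAX_ACCOUNTS_PER_DEVICE and customer_id not in accounts:
            return "block: device already used with %d customer accounts" % len(accounts)
        if accounts and customer_id not in accounts:
            return "review: device already linked to another customer account"
        if not accounts:
            return "new device: no history for this device"
        return "ok"


# Constructed sample devices (not real data).
LAPTOP = {"device_type": "desktop", "os": "Windows 11", "browser": "Chrome 119",
          "screen": "1920x1080", "fonts": ["Arial", "Calibri", "Segoe UI"]}
LAPTOP_REORDERED = dict(LAPTOP, fonts=["Segoe UI", "Calibri", "Arial"])
PHONE = {"device_type": "mobile", "os": "Android 14", "browser": "Chrome 119",
         "screen": "1080x2400", "fonts": ["Roboto"]}


def demo():
    """Walk through the classifications and return them in order."""
    profiles = DeviceProfiles()
    out = []
    profiles.record("cust-1", LAPTOP)
    out.append(profiles.assess("cust-1", LAPTOP_REORDERED))   # same device, same owner
    out.append(profiles.assess("cust-2", LAPTOP))             # same device, other owner
    profiles.record("cust-2", LAPTOP)
    profiles.record("cust-3", LAPTOP)
    out.append(profiles.assess("cust-4", LAPTOP))             # many accounts on one device
    out.append(profiles.assess("cust-9", PHONE))              # never seen
    profiles.flag_fraud(PHONE)
    out.append(profiles.assess("cust-1", PHONE))              # known-bad device
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The reordered font list hashes to the same identifier as the original, which is the point of canonicalising before hashing; without that step, trivial differences in how a browser reports attributes would split one device into many profiles.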

6. Enable CAPTCHA But Be Careful

Captchas are a solution to counteract certain fraud patterns, including the use of a VPN, although some users find captchas to be time-consuming and annoying.

If your captcha is too difficult, you can lose sales from customers who don’t want to deal with the trouble of solving them. At the same time, enabling captcha on your website helps block automated attacks.

Additionally, Google’s reCaptcha can be utilized on all major VPN providers to reduce the chance of an attack from a masked IP address.

The Downside of CAPTCHAs

Unfortunately, captchas aren’t getting any easier for the average user to solve. If anything, they are getting more difficult due to advancements in image processing and AI technologies.

There are many different types of captchas, and they are constantly evolving as automated bots become more sophisticated.

Some captchas, such as those based on image recognition, have been shown to be vulnerable to machine learning techniques.

At present, captchas that use puzzle-solving instead of distorted images act as a decent deterrent to automated attacks while still allowing human users to solve them quickly.

7. Block Fraudulent Accounts

A common tactic fraudsters use is to retarget merchants they’ve stolen from in the past.

If any of your customers show fraudulent activity patterns, blocking them from making additional purchases may be the best thing you can do.

8. Use 3D Secure

3D Secure is a globally recognized security protocol used by Visa, American Express, and Mastercard to make card transactions more secure.

The protocol is designed to help prevent fraudulent transactions by adding an extra layer of security to the authentication process.

By requiring the cardholder to provide additional authentication, such as an OTP or biometric scan, it helps to verify that the person making the transaction is a legitimate cardholder and not a fraudster using stolen card details.

9. Modify How Checkouts Work In Two Different Ways

Merchants have the option of modifying how their ecommerce checkouts work to make them more secure. There are two ways of doing this that we want to highlight.

First Way

The first way is to limit how many checkout attempts customers are allowed to make, which deters fraudsters who would otherwise try making several small purchases in rapid succession.

By working with the right payment gateway, merchants can limit the number of attempts a user makes with a single credit card number before the system automatically blocks them.

Merchants can also add a time delay between checkout attempts to prevent rapid card testing, as well as implement an anti-fraud solution that detects suspicious activities.
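The three controls just described (a cap on attempts per card number, a time delay between attempts, and, from the IP address section above, a daily cap on orders from IP addresses outside the UK) can all be expressed as one velocity check in front of the checkout. The following is an added example, not Pixxles or any gateway’s code. The concrete limits (three attempts per card per hour, a 30-second cooldown, two checkouts per day for non-UK addresses) are assumptions, as is the tiny country lookup table; a real deployment would use the gateway’s own geolocation.

```python
"""Checkout velocity limiter: added example, not the provider's code.

Limits, window sizes and the IP-to-country table are assumptions. Times are
plain seconds so the limiter is easy to test with a fake clock.
"""
from collections import defaultdict, deque

MAX_ATTEMPTS_PER_CARD = 3      # assumption: attempts allowed per card in the window
CARD_WINDOW_S = 3600           # assumption: rolling one-hour window
COOLDOWN_S = 30                # assumption: minimum gap between attempts per card
NON_UK_DAILY_CHECKOUTS = 2     # assumption: "one or two orders per day" from the text
DAY_S = 86400

# Constructed stub for illustration only; documentation address ranges.
STUB_GEOIP = {"198.51.100.": "GB", "203.0.113.": "US"}


def country_for_ip(ip):
    """Return an ISO country code for the IP, or '??' when unknown."""
    for prefix, cc in STUB_GEOIP.items():
        if ip.startswith(prefix):
            return cc
    return "??"   # unknown origin is treated the same as non-UK


class CheckoutLimiter:
    def __init__(self):
        self.card_attempts = defaultdict(deque)   # card token -> attempt times
        self.ip_checkouts = defaultdict(deque)    # ip -> checkout times
        self.blocked_cards = set()

    def check(self, card_token, ip, now):
        """Return (allowed, reason) for a checkout attempt at time `now`.

        Every attempt is counted against the card, allowed or not, so that
        rapid retries cannot be used to reset the cooldown.
        """
        if card_token in self.blocked_cards:
            return False, "card blocked after too many attempts"

        attempts = self.card_attempts[card_token]
        while attempts and now - attempts[0] > CARD_WINDOW_S:
            attempts.popleft()
        too_soon = bool(attempts) and (now - attempts[-1] < COOLDOWN_S)
        attempts.append(now)
        if too_soon:
            return False, "retry too soon after previous attempt"
        if len(attempts) > MAX_ATTEMPTS_PER_CARD:
            self.blocked_cards.add(card_token)
            return False, "card blocked after too many attempts"

        if country_for_ip(ip) != "GB":
            checkouts = self.ip_checkouts[ip]
            while checkouts and now - checkouts[0] > DAY_S:
                checkouts.popleft()
            if len(checkouts) >= NON_UK_DAILY_CHECKOUTS:
                return False, "daily checkout limit for non-UK IP reached"
            checkouts.append(now)

        return True, "ok"


def demo():
    """Constructed scenario; returns the (allowed, reason) decisions in order."""
    lim = CheckoutLimiter()
    t0 = 1_700_000_000
    uk_ip, us_ip = "198.51.100.7", "203.0.113.9"
    return [
        lim.check("card-A", uk_ip, t0),          # first attempt
        lim.check("card-A", uk_ip, t0 + 5),      # inside the cooldown
        lim.check("card-A", uk_ip, t0 + 60),     # third attempt, still allowed
        lim.check("card-A", uk_ip, t0 + 120),    # fourth attempt: card blocked
        lim.check("card-A", uk_ip, t0 + 180),    # stays blocked
        lim.check("card-B", us_ip, t0),          # non-UK IP, checkout 1
        lim.check("card-C", us_ip, t0 + 60),     # non-UK IP, checkout 2
        lim.check("card-D", us_ip, t0 + 120),    # non-UK IP, over the daily cap
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Note that the cooldown rejection still records the attempt: a tester who retries every few seconds exhausts the per-card budget and gets the card blocked, instead of waiting out the cooldown for free.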

Second Way

The second way to reduce card testing fraud is to get rid of guest checkouts.

Requiring customers to create an account before they can make a purchase helps you collect more customer data, reducing the risk of fraudulent activities.

How Card Testing Thieves Operate

To minimize their risk of detection, card thieves tend to target small and medium-sized businesses that don’t have the same robust security measures in place that large businesses do.

Once fraudsters have selected a target, many of them use digital tools to submit multiple card-not-present (CNP) transaction requests on a target website in a short period of time.

What makes this approach harmful is that merchants can end up paying hefty fees for the declined transactions.

How Credit Card Numbers Get Stolen

Card testers primarily rely on card data harvesting and purchasing stolen card information from the dark web.

Some card thieves also resort to physical theft, especially in areas where pickpocketing is common.

Unfortunately, in the UK pickpocketing is widespread, with nearly 100,000 crime reports in 2022 alone, according to CrimeRate.

Various Methods of Theft

Beyond the methods mentioned, how fraudsters obtain credit card information varies.

The methods used include:

  1. Distributed Denial-of-Service (DDoS) attacks, which are a type of cyber attack in which multiple compromised systems, often infected with malware, are used to flood a targeted website or network with traffic or requests. Card testers use these attacks to distract institutions while they try to steal credit card information and other important data.
  2. Skimmers and shimmers, which are clever devices used by fraudsters. Skimmers are physical devices that are placed over a legitimate card reader, while shimmers are similar devices that are inserted into the card reader itself.
  3. Installing malware on your device.
  4. Taking advantage of weaknesses in public wi-fi.
  5. Phishing schemes. These are a common tactic used by fraudsters who target victims through email, text messages, and phone calls.

When Do Fraudsters Most Often Attack?

Fraudsters are most likely to attack during the holidays or major shopping events like Black Friday and Cyber Monday when people are distracted.

As a business owner, if you’re having dinner with your family during Christmas, you’re less likely to notice a card testing attack than if you’re sitting in the office.

Similarly, the increase in transaction volume during major shopping events creates a distraction that allows card testing attacks to go unnoticed.

To protect against card testing attacks during the holidays, merchants should use fraud detection tools and services to identify and prevent fraudulent transactions, as well as implement strong data security measures to protect customer information.

The steps you need to take depend on your business. Contact us for more details.

Why Is Card Testing So Harmful To Businesses?

Card testing attacks cause a host of problems for merchants, the most damaging of which are costly fines and being classified as high-risk.

Other problems include:

  • Increase in payment authorisation fees and gateway transaction fees
  • Increased processing fees
  • Losing the ability to support real customer transactions
  • Increased chargeback rates

The damage merchants suffer from card testing fraud is substantial, which is why it’s important for merchants to protect themselves.

About Pixxles

Pixxles is a payment provider that is licensed by the Financial Conduct Authority. We remove third parties from the equation so that we remain directly accountable to you and the Regulator.

Pixxles is an Authorised E-Money Institution, meaning that we adhere to stringent regulatory standards, ensuring that both you and your customers receive the utmost protection from us.

It’s important to note that not all firms providing payment services are directly regulated by the FCA.

Visit our Contact page to learn more.