Card testing, also known as carding and card cracking, is a rapidly growing type of fraud where a fraudster tests whether a stolen payment card is still active or has funds left before they attempt to use it. Typically, cards are stolen weeks or months ahead of attempted use, so card testing reveals which cards have been canceled or are still active.
Fraudsters use stolen bank cards, physical reproductions of cards gleaned from scraping, generated card information, and stolen credit card credentials. Often their targets are small and medium-sized businesses and non-profits who increasingly rely on online or e-commerce sites to drive business.
According to the 2021 Imperva Bad Bot Report, 25.6% of all internet traffic on e-commerce websites in the prior year consisted of bad bots. Once the bots have eliminated canceled or declined card numbers, fraudsters will attempt larger purchases or sell their validated information on the dark web.
Therefore small and midsize business (SMB) owners with e-commerce storefronts need to understand the threats and financial and reputational damage bot activity can be to your business. Here’s a look at bot-driven card testing fraud, how card testing works, and what business owners can do to protect their business and customers from this e-commerce fraud.
How Card testing works
Criminals primarily use two card testing methods: small payments and authorizations.
The fraudsters will try to use a card to make a small payment of, say, $1 or less. If the payment is accepted, the card is live, but it is also likely to draw the attention of the legitimate cardholder, appearing in their statement.
Fraudsters use rejected payments to understand what caused the rejection, helping the fraudster learn how to fool the system in future attempts.
Fraudsters testing stolen debit and credit cards try to avoid causing too many declines on a particular card. Some card issuers automatically freeze a card with too many declines, which makes it useless to the criminal.
Sophisticated criminals use bots to automate the card testing process. Fraudsters use compromised computer networks (bots) to run thousands of small payment transactions simultaneously.
Unlike small payments, authorizations are a query sent through the payment processor to the card issuer. Authorization is the first step in a payment, verifying whether the customer has funds for the transaction. While authorizations can appear on statements, they take much longer to appear, allowing a fraudster a longer time to use the card before the fraud is noticed.
Authorizations take longer for the cardholder to discover, making it an attractive method to test cards. However, advancements in anti-fraud technologies will flag these attempts as well.
Are you a victim of card testing?
Any business that experiences large numbers of authorizations and a high authorization decline rate can be an indicator of successfully submitted fraudster orders. Fraudsters can use e-commerce storefronts to submit many orders subsequently declined by your acquirer. This means that you have not mitigated the attack.
If your organization or business doesn’t sell physical products are highly vulnerable since they assume fraud won’t be a problem. Unfortunately, nothing could be further from the truth; the fraudsters understand this mindset and deliberately target these organizations. Take nonprofits, for example. Many donation pages collect little donor information and often lack minimum donation limits creating an ideal environment for card testing.
The damage can be substantial
Bot-driven card testing impacts profitability and operations. Chargebacks, shipped goods that are never recovered, lost revenue from a fraudulent sale and damage to your brand reputation are the most visible effects. However, operational costs rise while customer service support calls and chargeback defense take up precious time.
How can businesses protect themselves?
A robust fraud management program and best practices can help detect and prevent card testing attacks. While there isn’t a single magic bullet to stop card testing fraud, implementing multiple layers of protection is essential. Here are three essential best practices:
1. Perform risk reviews.
A frequent fraudster target is when cardholders add payment methods to their online accounts. It is essential to perform risk reviews for this step, including Account Verifications of the payment being added and basic velocity checks over specified timeframes.
2. Require CVC, CVV numbers
Fraudsters may not have access to CVC or CVV data. Therefore, blocking transactions with missing or invalid CVV numbers will likely cause the fraudsters to move to other vulnerable sites.
3. Check addresses and zip codes
The actual cardholder’s address and zip code are unlikely to be associated with stolen card data. Fraudsters will enter random addresses and zip codes to complete the transaction. Activating Address Verification Service (AVS) matches the address entered for the transaction to the address of the card being used.
IP geolocation checking matches the address provided by the fraudster to the IP address of the cardholder’s billing location. If the addresses or ZIP codes don’t match, it could be a card testing attempt. However, caution is required as the transaction could have been initiated by a legitimate customer on vacation or traveling.
4. Add an hCaptcha
hCaptcha offers unparalleled, machine learning powered fraud detection solutions to protect online properties from sophisticated, automated attacks including card testing. Unlike other solutions, hCaptcha maintains broad privacy and security compliance for its customers and their end-users while leveraging a rapidly deployable, modern and scalable architecture to deliver security with minimal friction.
5. Transactions from the same IP address
Botnets carrying out card testing run their transactions from the same IP address. Limiting the number of transactions from a single IP address can detect card testing attacks.
6. Checkout Limits
Best practices recommend limiting the times a user can attempt to checkout in a single session.
7. Block non-U.S. Transactions
Setting up IP restrictions to block transactions originating outside of the U.S. is another effective defense against card testing attacks.
8. Use a fraud-monitoring tool
Fraud experts recommend having various velocity tools to track transaction totals and other specific data elements (including email, IP address, device fingerprint, etc.
9. Be Constantly on the lookout
Review your daily transaction volume. It would be best to research it immediately to see an unsuspected or sudden spike in your average transactions.
Any sudden increase in declines should be a red flag that your business could be the target of a card testing attack.
Set minimum donation thresholds.
Fraudsters aim to validate if a card is valid while at the same time avoiding the likelihood of cardholder detection. As noted earlier, the smaller the payment, the less likely it is to attract attention or result in a chargeback. Therefore, it is common to see transactions for very low amounts, often less than $1.
The best defense is to set as high as a possible minimum donation that is still acceptable to most donors.
- Affects credit cards, debit cards, prepaid cards, and gift cards
- It is a rapidly growing threat to card-not-present transactions for merchants of all sizes and across all industries and sectors.
- It can quickly inflict economic and reputation damage to a merchant if left undetected.
In this article, we detailed some current best practices and tools merchants can use to protect themselves and avoid being victims of card testing attacks. The best advice is to look for sudden spikes and irregular transaction activity constantly.