Imagine waking up to find your site bombarded by thousands of transactions. “Yippee!” you think. “My hard work is paying off.” But when you look closer, you see that all the purchases are small and, for some reason, they don’t make sense. You realize they’re fraudulent.
At first, you aren’t sure it’s a big deal. But your phone starts to ring with complaints from angry customers. When the calls subside, you add up all the chargebacks and authorization fees and see that this month’s profits, and maybe even this year’s, are down the drain.
Then you discover that, because of the excessive number of fraudulent charges, your acquiring bank has suspended your ability to process any transactions at all. For more and more businesses and organizations, this nightmare scenario has become all too real. The culprit? Card testing, often executed through botnets.
What is card testing?
Fraudsters use card testing to determine whether stolen card numbers are still valid. First, they buy card details on the dark web or steal them through phishing or malware. Then, with the numbers in hand, they attempt small purchases on an unsuspecting merchant’s site to see which cards are approved.
Since the cards are often stolen weeks or months earlier, this process reveals which cards have been canceled by cardholders or banks and which are still usable. Once the canceled or declined numbers are weeded out, fraudsters can move on to larger purchases or resell the validated card data on the dark web.
What role do botnets play?
Add botnets to the equation and card testing enters a new realm of destruction. Manual testing is slow and labor-intensive; with a network of compromised computers (a botnet), fraudsters can run thousands of low-value transactions at a time.
Fraudsters come away from these attacks with validated card numbers, while businesses are left with a large revenue hit from authorization processing fees (the acquirer charges for every authorization attempt, approved or declined), not to mention serious brand damage and a major drain on time and resources.
How do you know if you have been hit by card testing?
A large number of authorization attempts combined with a high authorization decline rate is a strong indicator of card testing: fraudsters are submitting orders through your online checkout, and your acquirer is declining the cards that are no longer good. Every one of those attempts still reached the acquirer, which means the attack is not being mitigated upstream.
Businesses and organizations that don’t sell a physical good tend to be particularly vulnerable because they assume fraud isn’t a worry; fraudsters know this and deliberately target them. Take nonprofits, for example. Many nonprofit donation pages collect little information from donors and set no minimum gift amount, which makes them an ideal environment for card testing.
How can businesses and nonprofits protect themselves?
Fortunately, best practices, coupled with a strong fraud management platform, can help detect and prevent these attacks. Since no single component can stop card testing fraud, the key is implementing multiple layers of protection.
1. Perform risk reviews.
Fraudsters often target the point at which cardholders add a payment method to their online account on a merchant site. Perform risk reviews at that step: run an account verification (a zero-value authorization that checks the card without charging it) on the payment method being added, and apply basic velocity checks over defined time frames (for example, how many cards a single account, IP address or device has added in the last hour).
2. If you accept donations or other custom payment amounts, be sure to set minimum thresholds.
In a card-testing attack, fraudsters want to confirm that a card is good without the cardholder noticing and reporting it. The smaller the charge, the less likely it is to attract attention or result in a chargeback, so test transactions for very low amounts, often under $5, are common. Set the minimum amount as high as you can while keeping it appropriate for most donors.
3. Be vigilant, identify anomalies early on.
- If you see an unexpected or sudden spike in your average daily transactions, research it.
- A sudden increase in the number of credit card declines is a serious signal that your business is being targeted.
- Use a variety of velocity tools to track not only transaction totals but also specific data elements (email address, IP address, device fingerprint, etc.), so that repeated attempts sharing one of those values stand out even when each attempt uses a different card.
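The following is an added illustration, not Cybersource code, of how the three practices above fit together in a pre-authorization screen: an amount floor (step 2), sliding-window velocity limits keyed on IP address, device fingerprint and email (steps 1 and 3), and a decline-rate indicator over the attempts that do reach the acquirer (step 3). The traffic, the limit values and the `acquirer_result` field (which stands in for the live acquirer response) are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values for this example, not Cybersource defaults.
MIN_AMOUNT = 5.00                                   # rule 2: reject custom amounts below this
VELOCITY_WINDOW = timedelta(minutes=10)             # rules 1/3: sliding window for attempt counts
VELOCITY_LIMITS = {"ip": 5, "device": 5, "email": 3}  # max attempts per key value per window
DECLINE_RATE_ALERT = 0.30                           # rule 3: alert when forwarded auths decline this often


def make_txn(ts, amount, ip, email, device, card, acquirer_result):
    """Build one authorization attempt. acquirer_result is what the acquirer
    would answer if the request is forwarded; it replaces the live call here."""
    return {"ts": datetime.fromisoformat(ts), "amount": amount, "ip": ip,
            "email": email, "device": device, "card": card,
            "acquirer_result": acquirer_result}


# Constructed sample traffic: three legitimate orders, then a bot on one IP and
# one device fingerprint cycling 20 stolen card numbers through $5 donations.
SAMPLE_TRAFFIC = [
    make_txn("2024-03-01T09:00:00", 50.00, "203.0.113.10", "alice@example.org", "dev-A", "4111...0001", "approved"),
    make_txn("2024-03-01T09:05:00", 120.00, "198.51.100.7", "bob@example.org", "dev-B", "4111...0002", "approved"),
    make_txn("2024-03-01T09:07:00", 2.50, "198.51.100.8", "carol@example.org", "dev-C", "4111...0003", "approved"),
] + [
    make_txn(f"2024-03-01T09:10:{i:02d}", 5.00, "192.0.2.99", f"t{i}@example.net", "dev-X",
             f"5555...{i:04d}", "approved" if i % 4 == 0 else "declined")
    for i in range(20)
]


class CardTestingGuard:
    """Layered pre-authorization screen: amount floor plus per-key velocity limits."""

    def __init__(self, enabled=True):
        self.enabled = enabled
        self.recent = {key: defaultdict(deque) for key in VELOCITY_LIMITS}
        self.forwarded, self.blocked = [], []

    def _velocity_hits(self, txn):
        """Record this attempt and return the keys whose window count exceeds its limit."""
        hits = []
        for key, limit in VELOCITY_LIMITS.items():
            window = self.recent[key][txn[key]]
            while window and txn["ts"] - window[0] > VELOCITY_WINDOW:
                window.popleft()                    # drop attempts older than the window
            window.append(txn["ts"])
            if len(window) > limit:
                hits.append(f"{key}={txn[key]} ({len(window)} attempts in window)")
        return hits

    def screen(self, txn):
        """Decide whether to forward the attempt to the acquirer; returns a decision string."""
        if self.enabled:
            reasons = []
            if txn["amount"] < MIN_AMOUNT:
                reasons.append(f"amount {txn['amount']:.2f} below minimum {MIN_AMOUNT:.2f}")
            reasons += self._velocity_hits(txn)     # every attempt counts, even if amount already failed
            if reasons:
                self.blocked.append((txn, reasons))
                return "blocked: " + "; ".join(reasons)
        self.forwarded.append(txn)
        return "forwarded: " + txn["acquirer_result"]


def run(traffic, enabled=True):
    """Screen traffic in time order and return the indicator summary for the period."""
    guard = CardTestingGuard(enabled)
    for txn in sorted(traffic, key=lambda t: t["ts"]):
        guard.screen(txn)
    declined = sum(1 for t in guard.forwarded if t["acquirer_result"] == "declined")
    rate = declined / len(guard.forwarded) if guard.forwarded else 0.0
    return {"forwarded": len(guard.forwarded), "declined": declined,
            "blocked": len(guard.blocked), "decline_rate": round(rate, 2),
            "alert": rate > DECLINE_RATE_ALERT}


if __name__ == "__main__":
    print("without screening:", run(SAMPLE_TRAFFIC, enabled=False))
    print("with screening:   ", run(SAMPLE_TRAFFIC, enabled=True))
```

Two things to notice when running it. Blocked attempts never reach the acquirer, so they incur no authorization fee; but the velocity rule only trips after the fifth attempt from the bot’s IP and device, so the first five cards are still tested and two of them validated. That is why the decline-rate indicator remains necessary as a separate layer: it still raises an alert on the forwarded subset. Note also that the amount floor rejects the legitimate $2.50 donation, which is the trade-off the text describes when it says to set the minimum as high as is still appropriate for most donors.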
And, of course, we’re here to help
In addition to making sure your website includes technologies to fend off botnet attacks, Cybersource fraud tools can help protect you from card testing. Options to assist with defense:
- If you sell on Cybersource’s payment platform, velocity rules implemented through Cybersource’s Fraud Management Essentials can track, count and reject repeated transaction attempts that share common data elements or that exceed total transaction volume limits. Amount thresholds set in Fraud Management Essentials limit transactions to amounts appropriate for your business. The solution is designed to support businesses as they grow and can help protect you from the unwelcome surprise of a card-testing attack.
- If you offer customers the option to create online accounts, Cybersource’s Account Takeover Protection helps authenticate account creation and login by detecting mismatches across locations, behaviors, devices and accounts. It also includes device fingerprinting with proxy-piercing technology and a bot-detection identifier. Fraud checks at account creation and login can identify and block bots or fraudsters before they log in and before they can load and test cards.
Not sure which tools are right for your business? If you’re new to Cybersource, please reach out to our sales team, and we’ll get you started. If you’re an existing customer, contact your Cybersource representative, who will put together a management plan that can work for you.
Remember, protection must be multilayered
No single component can prevent card testing fraud. Businesses should use a combination of best practices and risk tools at every stage of the transaction flow, from account events to card loading to transaction requests. With a multifaceted approach, you can gain peace of mind and help protect yourself from card testing fraud.