Preventing Card Testing Fraud

Thursday, October 22, 2020

Staying Ahead of Ecommerce Fraud

Protecting your business from fraud in an ever-changing ecommerce industry is a difficult task, especially when you have to fight on two fronts: shielding your organization from risk as well as your customers from scams. Fraud losses worldwide reached over $27 billion in 2018 and are projected to rise to over $35 billion in five years and $40 billion in 10 years, according to The Nilson Report. For small businesses, staying ahead of ever-changing fraud tactics and reducing risk is becoming more essential.

Card testing, also known as card cracking, is one of the most common fraud threats in today’s business world, but fortunately, you can take preventive measures by learning what card testing fraud is and following a few best practices.

How does card testing fraud work?

A card testing attack is a trial-and-error method that fraudsters use to obtain, within seconds, payment card information such as an account number, card expiration date or Card Verification Value 2 (CVV2), as well as a user password for online account access. Card data doesn’t have to be stolen; it can also be created. Automated software can generate a large volume of guesses of account data. A fraudster can continue to run credit card numbers through business websites until the authorization response comes back approved.

With carding, fraudsters can identify the beginning of a card number and, using technology, determine the possible whole number and likely access complete account details. Fraudsters pick a target website with the fewest steps to reach the payments page and process transactions on that page for a small amount on the card. If the transaction authorizes, the fraudster knows the card number is valid and can be used elsewhere.

How can you protect your business from card testing fraud?

As you monitor and update your fraud-prevention techniques, consider these best practices to protect your business:

  • Use CAPTCHA Controls and Three-Domain Secure (3DS) Authentication
    • This may help to prevent automated transaction initiation by robots or scripts (for example, five authorizations from one IP address or card).
  • Use a Layered Validation Approach
    • CVV2 and Address Verification Service (AVS)
  • Monitor IP Addresses
    • Add IP addresses associated with multiple failed card payments to your fraud detection system’s blacklist database for manual review.
    • One key thing to look for is logins for a single card account coming from many IP addresses.
  • Perform Velocity Checks
    • Use for small and large transactions as well as authorization-only transactions.
  • Throttling
    • Throttling injects random pauses when checking an account to slow brute-force attacks that are dependent on time.
  • Monitor Processing Patterns
    • Start monitoring excessive usage and bandwidth consumption from a single user. You can also monitor multiple tracking elements in a purchase linked to the same device (for example, multiple transactions with different cards using the same email address and same device ID).
  • Monitor Login Attempts
    • Lock out an account if a user is guessing the user name / password. You can also consider locking out any account when authentication data is entered incorrectly on “x” number of login attempts.
  • Use Behavioral Biometrics
    • With behavioral biometric monitoring in place, you can prevent account takeover by monitoring the user throughout a session, not just at the entry point. With visibility into all actions during that time period, financial institutions are able to stop fraudulent transfers before they occur.
  • Track Your Users
    • Understand the differences between the interactions of a legitimate user on a website and those of a fraudster. A user moving quickly between fields and going quickly to another section is a likely sign of a bad actor. Using technology to track users can help reduce fraud.
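
The velocity and monitoring checks in the list above, written as sliding-window rules over authorization attempts. This is an added example, not Heartland's code; the 60-second window, every threshold except the five authorizations mentioned above, the rule names and the sample events are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 60     # sliding window in seconds (assumed)
MAX_AUTHS = 5   # authorizations per IP or card: the article's example figure
MAX_CARDS = 3   # distinct cards per email + device ID (assumed)
MAX_IPS = 3     # distinct IPs per card (assumed)

class VelocityChecker:
    def __init__(self):
        self.seen = defaultdict(deque)  # (rule, key) -> deque of (ts, value)

    def _window(self, rule, key, ts, value):
        q = self.seen[(rule, key)]
        q.append((ts, value))
        while q[0][0] <= ts - WINDOW:   # expire events older than the window
            q.popleft()
        return [v for _, v in q]

    def check(self, ts, ip, card, email, device):
        # Returns the names of the rules this authorization attempt trips.
        hits = []
        if len(self._window("ip", ip, ts, card)) >= MAX_AUTHS:
            hits.append("ip_velocity")
        card_ips = self._window("card", card, ts, ip)
        if len(card_ips) >= MAX_AUTHS:
            hits.append("card_velocity")
        if len(set(card_ips)) >= MAX_IPS:
            hits.append("one_card_many_ips")
        cards = self._window("device", (email, device), ts, card)
        if len(set(cards)) >= MAX_CARDS:
            hits.append("many_cards_one_device")
        return hits

# Constructed sample: (ts, ip, card_token, email, device_id). Tokens, not card numbers.
EVENTS = [
    (0, "203.0.113.7", "tok_a1", "x@example.com", "dev-1"),
    (2, "203.0.113.7", "tok_a2", "x@example.com", "dev-1"),
    (4, "203.0.113.7", "tok_a3", "x@example.com", "dev-1"),
    (5, "198.51.100.20", "tok_b1", "shopper@example.com", "dev-2"),
    (6, "203.0.113.7", "tok_a4", "x@example.com", "dev-1"),
    (8, "203.0.113.7", "tok_a5", "x@example.com", "dev-1"),
    (90, "203.0.113.7", "tok_a6", "x@example.com", "dev-1"),
    (100, "192.0.2.1", "tok_c1", "a@example.com", "dev-3"),
    (101, "192.0.2.2", "tok_c1", "b@example.com", "dev-4"),
    (102, "192.0.2.3", "tok_c1", "c@example.com", "dev-5"),
]

def run(events):
    checker = VelocityChecker()
    return [checker.check(*e) for e in events]
```

`run(EVENTS)` returns one list of tripped rules per attempt, in order. Events must arrive in timestamp order, and a flagged attempt is a candidate for manual review or a CAPTCHA/3DS challenge rather than an automatic decline.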

Online payment fraud is an ongoing threat that could affect your business if you are vulnerable to attack. We encourage you to examine your fraud protection strategies today, and talk to your Heartland representative if you have concerns about staying protected.

Interested in learning more about how to protect your business from card fraud? Learn how Heartland protects your business and customers from security risks with Merchant Security.