Card testing, also known as card checking, is a form of fraud where criminals try to determine if stolen credit card information is valid by making small purchases or attempting to authorize a transaction. The preferred method for card testers is using authorizations, which is less likely to be noticed by cardholders. Card testers also use payments but typically choose small transactions to avoid detection. As a result, businesses that facilitate small-value purchases and donation pages are vulnerable targets for card testers.
Card testing has become more prevalent in recent years as businesses have shifted their operations online. The consequences of card testing can be severe and include disputes, higher decline rates, additional fees, infrastructure strain and damage to the overall health of the payment ecosystem. Disputes occur when cardholders notice successful payments they did not make and report them as fraud, which leads to costly and time-consuming resolution processes for merchants. Higher decline rates can also harm the reputation of a business with card issuers and networks, making all of its transactions appear riskier, which can lead to more legitimate payments being declined.
Additionally, network fees for each transaction can add up quickly when a site is used for thousands or millions of card tests. In just a few hours, small merchants can be financially devastated by card testing.
How Do Criminals Obtain Stolen Credit Cards?
There are several ways cybercriminals can obtain stolen credit card numbers, including, but not limited to, the following:
- Phishing scams: Cybercriminals send out phishing emails or create fake websites that look like legitimate businesses to trick people into entering their credit card information.
- Data breaches: Hackers break into a company’s databases and steal sensitive information, including credit card numbers.
- Skimming: Criminals install skimming devices on payment terminals, such as ATMs or point-of-sale machines, to steal credit card information as it’s being entered.
- Malware: Criminals use malware, such as information stealers, to infect a person’s computer and steal stored credit card information.
- Dark web marketplaces: Stolen credit card information is bought and sold on the dark web, which is not indexed by search engines and is only accessible by using specialized software.
- Social engineering: Criminals trick an employee of a business or financial institution into giving them access to credit card information.
Keep in mind that credit card information can also be compromised by insiders, such as employees, contractors or third-party companies that have access to credit card information. Businesses must implement strong security measures to protect customer credit card information and detect suspicious activity.
Recent Examples of Card Testing
In recent years, there have been several high-profile instances of card testing fraud attacks. The example below demonstrates the seriousness and prevalence of this fraud and the need for online businesses to take proactive measures to protect themselves and their customers before disaster strikes.
In December 2022, a Central New York-based lacrosse supply store called Powell Lacrosse was targeted by a card testing attack. The store received 22,000 orders over the New Year’s holiday, mainly for the same item that was priced at $12.71. The suspicious orders flooded the store on Friday, December 30th and only about 2,000 of the 22,000 orders were legitimate. This resulted in the store and its employees losing a significant amount of time answering phone calls from people seeking refunds. According to store owner Ryan Powell, most of the affected people used the same bank and were not existing customers.
How to Mitigate Card Testing Attacks
To safeguard your business from card testing fraud, it is essential to implement various protective measures. These include using fraud detection tools, regularly monitoring your account for unusual activities, implementing security measures like web application firewalls (WAF) and bot management and utilizing a payment gateway to provide an added layer of security for your transactions.
A WAF combined with a good bot management solution effectively prevents card testing fraud by monitoring and screening requests to a website or web application. It detects and blocks suspicious activity by analyzing network traffic for patterns associated with card testing fraud and by distinguishing humans from bots, both good and bad.
An adequate protection solution should provide:
- Traffic Analysis: analyze traffic to detect patterns indicative of card testing fraud, for example a large number of requests coming from the same IP address, or a large number of requests for the same item with small amounts.
- Signature-based detection: detect and block requests that match a specific signature or pattern. This can be used to block requests known to be associated with card testing fraud.
- Behavioral Analysis: use machine learning algorithms to analyze incoming traffic and detect behavior patterns indicative of card testing fraud. This can include analyzing the timing and frequency of requests, as well as the types of requests being made, to identify and block suspicious activity and users.
- IP blocking: block traffic from specific IP addresses or ranges. This can be used to block traffic from known card-testing bots, anonymous proxies or from IP addresses that have been associated with previous instances of card-testing fraud.
- Bot detection: ensure that the user is human and not a bot. CAPTCHA is a typical first barrier that is easy to implement. Just remember that more sophisticated bots are able to solve CAPTCHAs faster and more accurately than humans.
- Geo-blocking: block traffic from specific countries or regions. If you are a local store (a pizza delivery shop, for example), you would not expect an order coming from outside the country.
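The traffic-analysis and behavioral checks above can be expressed as simple rules over payment-attempt logs. The following is an added example written for this article, not code from the original page or from any WAF or bot-management vendor. It parses a constructed log format (one line per authorization attempt, with an IP, a card fingerprint rather than the card number, an item, an amount and an outcome) and flags a source IP when, inside a five-minute sliding window, it produces at least ten attempts with a low approval rate, many distinct cards, or the same small-value item over and over. The thresholds, field names and sample lines are all assumptions chosen for illustration.

```python
"""Card-testing detector over constructed payment-attempt logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    card_fp: str   # fingerprint of the card (e.g. hash of BIN + last4), never the full PAN
    item: str
    amount: float
    outcome: str   # "approved" or "declined"


def parse_line(line: str) -> Attempt:
    """Parse one constructed log line, e.g.
    '2022-12-30T10:00:01 ip=203.0.113.5 card=fp01 item=SKU-12 amount=12.71 outcome=declined'."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Attempt(
        ts=datetime.fromisoformat(ts_str),
        ip=fields["ip"],
        card_fp=fields["card"],
        item=fields["item"],
        amount=float(fields["amount"]),
        outcome=fields["outcome"],
    )


def flag_card_testing(attempts, window=timedelta(minutes=5), min_attempts=10,
                      max_approval_rate=0.5, min_distinct_cards=5, small_amount=20.0):
    """Return {ip: [reasons]} for source IPs whose attempts inside any sliding
    window look like card testing. All thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a)

    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward so rows[start..end] spans at most `window`.
            while rows[end].ts - rows[start].ts > window:
                start += 1
            win = rows[start:end + 1]
            if len(win) < min_attempts:
                continue
            reasons = []
            approved = sum(1 for a in win if a.outcome == "approved")
            if approved / len(win) <= max_approval_rate:
                reasons.append("high decline rate")
            if len({a.card_fp for a in win}) >= min_distinct_cards:
                reasons.append("many distinct cards")
            item_amounts = {(a.item, a.amount) for a in win}
            if len(item_amounts) == 1 and win[0].amount < small_amount:
                reasons.append("repeated small-value item")
            if reasons:
                flagged[ip] = reasons
                break   # one hit per IP is enough to block or challenge it
    return flagged


# Constructed sample: 12 attempts in 11 seconds from one IP, each with a different
# card, all for the same $12.71 item, only 2 approved; plus two normal orders.
SAMPLE_LOG = [
    f"2022-12-30T10:00:{i:02d} ip=203.0.113.5 card=fp{i:02d} item=SKU-12 "
    f"amount=12.71 outcome={'approved' if i in (3, 9) else 'declined'}"
    for i in range(12)
] + [
    "2022-12-30T10:01:15 ip=198.51.100.7 card=fpA1 item=SKU-40 amount=89.00 outcome=approved",
    "2022-12-30T10:02:40 ip=198.51.100.7 card=fpA1 item=SKU-12 amount=12.71 outcome=approved",
]


def run_sample():
    """Run the detector over the constructed sample log."""
    return flag_card_testing(parse_line(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for ip, reasons in run_sample().items():
        print(f"{ip}: {', '.join(reasons)}")
```

In production the same rules would run on the payment gateway's or WAF's request stream, keyed not only by IP (card testers rotate through proxies) but also by session, device fingerprint and target endpoint, and the output would feed a block or a CAPTCHA challenge rather than a print statement. The point of the example is the shape of the signal: many attempts, many cards, one cheap item, few approvals, in a short time.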
By implementing and combining these methods, a WAF and bot management solution can be an effective tool for blocking card testing fraud. They detect and block suspicious activity before it causes harm to merchants, card networks and payment infrastructure.
Card testing fraud is a serious issue that affects the entire payments ecosystem. Merchants must understand how it works and proactively protect themselves and their businesses. You can reduce the risk of card testing fraud by using fraud detection tools, regularly monitoring your account for unusual activity, implementing security measures like a WAF and bot management and utilizing a payment gateway. It is also essential to stay up to date with the latest fraudulent techniques and tactics leveraged by malicious actors.