At first thought, card testing may seem like a relatively low-stakes fraud activity. After all, most card testers only make small purchases. So how big of an impact could that have?
Unfortunately, the impact can be significant. It’s best to stay aware and vigilant so you can stop card testing before it gets out of hand.
What is Card Testing Fraud?
Card testing fraud or carding is a scheme where fraudsters test debit and credit card numbers they have either obtained from a data breach or purchased on the dark web. The goal is to find valid cards that they can use to make large purchases or sell to other cybercriminals.
Types of Card Testing Attacks
There are a couple ways that fraudsters can use your business to test card numbers.
If you have a mobile app or allow customers to open an online account, fraudsters might be able to verify cards simply by adding them to an account or app.
Another way fraudsters validate cards is by completing payments. If a transaction is approved, the card hasn’t been reported stolen and the account hasn’t been closed. Fraudulent transactions are usually for small amounts that might seem less suspicious.
Some fraudsters opt to crack cards manually. Others test cards automatically by programming computers — or bots — to perform repetitive tasks, like submitting multiple orders on several websites.
Bots can test a large number of cards much faster than a fraudster, so they can potentially do more damage. However, they can be easier to spot if you have the right fraud detection software in place.
What Makes Businesses Susceptible to Card Testing?
Any business can experience card testing. But some are more susceptible to card testing than others for a variety of reasons.
Any business in an industry where low-dollar transactions are common is a major target for card testing. For example, it’s not unusual for customers to make multiple purchases a day from a quick service restaurant (QSRs). And fraudsters know their card testing activity might not seem suspicious.
2. Use of mobile app
If you let customers order through an app, your business could be a conduit for card testing fraud since fraudsters don’t even have to make a purchase with you — they just input the card number to verify it works.
3. New to online or mobile sales
If you’ve recently opened your business up to online sales or have just implemented mobile ordering, chances are you don’t have the right protections in place yet. And fraudsters can easily take advantage of the situation to crack cards.
4. Accept donations
It may not seem like the obvious choice, but if you run an organization that accepts donations — thrift store, church, crowdfunding site — you could be a target. Unlike traditional purchases, there’s not usually a set amount for donations. So card testers can choose any amount they want.
5. Small business
Larger businesses often have fraud prevention in place that can prevent card testing fraud. But if you operate a smaller business without controls to detect fraud, you can be vulnerable to card testing attacks and other harmful fraud schemes.
What are the Impacts of Card Testing?
Your business can lose a lot from card testing. Before you decide how to handle card testing, understand what’s at stake if you do nothing.
1. Revenue loss
Sure, the transaction amounts from card testing might be low. But those small losses can add up quickly, especially if the fraudster is using a bot to test cards. And if the cardholder notices the unauthorized transaction, you could get a chargeback.
Even if the transaction is declined, you still pay processing fees. So no matter the outcome, you lose money that you can easily keep if you prevent card testing.
2. Classification as high risk
If you experience lots of declined transactions or high chargeback activity, your business could be re-classified as high risk. That means you’ll have higher fees and more declined transactions. Plus, that could put your business at higher risk for enrollment in a fraud or chargeback monitoring program.
3. Susceptible to other types of fraud
Successful card testing attempts reveal weaknesses in your security systems which tells fraudsters you might be an easy target for other schemes. Detecting your vulnerability, you could be hit with other attacks — like account takeover fraud — which can harm you and your loyal customers.
4. Gateway for bigger crimes
Once fraudsters know that cards work, they typically go on to commit more fraud — make huge, illegal purchases at other businesses or fund organized crime. You don’t want your business to get a bad reputation for enabling criminals to get away with fraudulent activities.
Warning Signs for Card Testing Fraud
The key to mitigating card testing is knowing the warning signs. And it’s easier to spot the signs if you have implemented fraud prevention software.
Look for warning signs at two different points in the customer journey:
- Watch for trends over time to identify card testing patterns.
- Monitor transactions in real time to identify and block instances of carding.
Trends over time
How can you spot card testing at work? Look for any patterns with the following performance indicators.
High decline rates
Are you noticing a disproportionate amount of declined transactions? It’s highly possible fraudsters are testing stolen debit and credit cards.
High chargeback rates
A key sign of carding is a spike in chargebacks. Each successful attempt to validate a card is an unauthorized transaction that will likely be disputed.
Note: Chargeback rates aren’t the only metric you should monitor. A spike in disputes definitely means trouble. But there’s a chance you might not see an increase in chargeback activity.
Because card testing usually involves low-amount transactions, some banks might just accept the liability and lose money instead of filing a chargeback.
So even if your chargeback rate hasn’t gone up, you may still have a card testing problem.
High fraud rates
All fraud claims — whether a chargeback is issued or not — are documented by cardholder (issuing) banks. Your monthly ratio of good to bad transactions is monitored by the card brands and your acquiring bank. If your fraud rate spikes, your business may be a target for card testing.
Make sure your fraud technology looks for the following red flags. Individually, they might not be cause for concern. But when present in mass, then it’s a problem.
Low transaction amounts
This characteristic is normal when most of what you sell is a low-dollar amount. It becomes suspicious if someone makes hundreds of low-dollar transactions at random times. Or if you sell mostly high-dollar products, but someone buys a bunch of less popular, low-dollar products.
Multiple declines in a short period of time
Transactions are declined all the time, mostly for valid reasons — not enough funds or an expired card, for example. But when multiple transactions are declined during a short window of time, it can indicate fraudulent activity.
Multiple purchases from the same IP address
It’s common to receive multiple purchases from different cards in the span of twenty minutes. But it’s not normal to receive multiple purchases from the same IP address. That kind of activity indicates a single person — or a bot — is acting instead of multiple different shoppers.
Lots of transactions from the same bank identification number (BIN)
The first few digits of an account number are used to identify the financial institution that issued the card. Throughout the day, you’ll usually see a wide variety of BINs pass through your system. But if a substantial number of transactions are processed with the same BIN, it could indicate the bank was hacked and account information was stolen.
How to Prevent Card Testing Fraud
If you process card-not-present (CNP) transactions, you most likely will be — or have been — exposed to card testing. Fortunately, there are things you can implement today to prevent that from happening.
1. Add a Captcha
Improve your security protocols at the front door. Add captchas to catch most scripts and bots that run card testing attacks.
2. Set up a firewall
Bolster your network security and better monitor traffic to your site by setting up a firewall. Make sure you find one with a botnet prevention feature.
3. Require card security codes
Businesses aren’t allowed to store CVV codes. So if fraudsters obtain card credentials from a data breach, they probably won’t have access to CVVs. Requiring this information could block card testing.
4. Run AVS checks
Address Verification Service (AVS) compares the billing address provided during checkout to the billing address on file with the bank. If the addresses don’t match, the shopper probably isn’t the cardholder.
5. Check IP addresses
Monitoring IP addresses allows you to do a couple things.
First, IP addresses are location specific. If the IP address doesn’t match the same geographical area of either the billing or shipping address, a fraudster could be at work. Second, multiple purchase attempts from a single IP address could mean a fraudster is testing multiple cards.
6. Limit checkout attempts
Limit the number of transaction attempts in a single shopping cart session. Fraudsters trying to guess things they don’t know — like CVV, address, or expiration date — will most likely fail to guess multiple times.
7. Require accounts
Don’t allow guest checkout. The more customer information you have, the better you can verify if the cardholder is the one using the card. Plus, the extra work of opening an account may dissuade fraudsters from using your business.
8. Enable browser validation
9. Don’t give a decline reason
If a transaction is declined, some merchants explain why — the address didn’t match or the expiration date was wrong. But that information just educates the fraudster. Instead, encourage the shopper to call and discuss the issue with the customer care team.
10. Stop account takeover fraud
If fraudsters gain access to customer accounts, they can test cards by simply adding them to the account — which might be harder for your fraud technology to detect. Make sure you have account protection so you can avoid this loophole for fraudsters.
11. Set a minimum transaction amount
If you accept donations, set a limit on the minimum donation amount to avoid tiny donations that could be card testing.
Stop Card Testing: Partner with Trust and Safety Technology
If card testing sounds scary, don’t worry. We’ve got your back. Kount is trust and safety technology with decades of experience helping businesses like yours stop card testing. Plus, we can help solve for other fraud schemes — from account takeover fraud to friendly fraud — all from one platform.
CASE STUDY: Bookseller Stops Card Testers with Kount
Before Book Depot came to Kount, the company was experiencing high chargebacks and a huge drain on resources because of card testing. Employees were working weekends to keep up with the fraud attacks. But Book Depot still struggled to eradicate the problem.
After implementing Kount, Book Depot stopped mass card testing attacks and related chargebacks, automated approve and decline decisions to reduce manual reviews by 50%, and gained back time to dedicate to the business rather than fight fraud.