Card Testing – Small Purchases can Lead to Big Losses
May 19, 2020
Online coffee ordering is easy – just use your mobile app. It’s fast and convenient – no need to wait in long lines in the store or scramble to find enough cash and change. Simply order ahead, tap in your credit card details, show up, and grab a gourmet coffee of choice.
However, have you ever stopped by the pick-up counter at the coffeeshop and found that you need to sort through tons of cups in order to find your order? Why are so many cups of gourmet coffee left unclaimed?
This is actually a common practice for card testers. Fraudsters test the validity of stolen credit card details by making small online orders. They aren’t interested in an Extra Foamy Latte – they are interested in whether or not they can actually use that card for much larger purchases.
What is card testing?
A coffee order is just the gateway to card testing. When fraudsters obtain – or purchase – lists of stolen card data, they need to check to see which are valid. Card testing occurs when fraudsters validate stolen credit card details, and once they confirm which credit card numbers are still live, they proceed with making larger fraudulent purchases. They often try placing multiple small orders all at once or within a very short timeframe. These purchases may be on the same card or dozens of different ones. They are essentially “weeding out” the numbers that may have been canceled or are no longer valid.
Quick Service Restaurants (QSRs) are a target for this kind of attack. Since many QSRs offer low-dollar value items on the menu, it is not atypical to fulfill a series of inexpensive purchases. In addition, many QSRs are not “digital natives” and lack the depth of technology and fraud prevention experience to anticipate card testing attacks. They are often new to the digital space, compared to traditional eCommerce merchants, and as a result, are easy victims for sophisticated card testers.
As a result, it’s easy to run a large number of fraudulent cards through these sites quickly. Important as well, QSRs often have below-dollar menu offerings (such as a 25-cent side of ranch dressing.) The small purchase testing tactic allows fraud to go mostly unnoticed by fraud detection solutions and by the innocent cardholder.
Merchants who are vulnerable to card testing typically don’t complete manual reviews because the rapid number of orders and low dollar amount make verification of customer orders nearly impossible. And, time is of the essence: customers don’t want to wait for the cup of coffee.
Due to the increased velocity of charges, businesses can get in trouble with the payment processor because authorization rates are negatively impacted and the processor can use that information to justify charging more fees to the merchant who appears as high risk.
What are the impacts of card testing?
Card testing has many negative aspects, some of which get worse over time. It’s particularly dangerous when it is done in a mass spree, resulting in thousands of small purchases all at once — purchases that, taken as a whole, equate to serious financial impact.
Businesses are left with lost product – as in the coffee example described above – and they are also left with costly chargebacks. When the original cardholder, who may be located in Boise, Idaho, notices that their card was used to purchase coffee at a small shop in Freeport, Maine, they initiate a dispute with their bank. A chargeback ensues.
When a business is hit with an excessive number of chargebacks and exceeds payment processor thresholds, they risk placement in expensive dispute monitoring programs. These programs may include the Visa Dispute Monitoring Program (VDMP), or Visa Fraud Monitoring Program (VFMP), Mastercard’s Excessive Fraud Merchant (EFM) or High Excessive Chargeback Merchant (HECM) programs.
If excessive disputes continue, a merchant risks losing access to the payment processor. This can have devastating consequences on their ability to conduct business.
Fraudulent purchases can also damage the relationship between a brand and customer. Businesses risk losing not only the defrauded customer, but also future customers to negative reviews and brand reputation damage.
Botnets and card testing attacks
Card testing can be automated which makes it particularly attractive to fraud. Krista Tedder of Javelin Strategy says that criminals are working smarter, not harder, to commit a fewer number of fraudulent acts that yield higher funds. For example, fraudsters can efficiently program bots to do their work for them.
If a fraud attack is launched from a U.S. metropolitan area, for example, in order to obfuscate the location of the IP address, and circumvent IP address controls, fraudsters will rent botnets. A botnet is a network of a large collection of compromised Internet of Things devices. Basically, anything connected to the internet – from doorbells, to cameras, to refrigerators – can be compromised and used. Thousands of these internet-connected access points, with unique IP addresses, are employed to circumvent the originating IP address.
Card testers try to avoid fraud prevention filters with sophisticated techniques such as botnets, in order to obfuscate their location. A bot can then automatically submit orders on multiple websites to check credit card validity faster than a fraudster inputting card numbers one by one.
However, even with bots, it is still necessary to have an email attached to any orders for confirmations. During an attack, fraudsters try to elude basic fraud filters by using a large number of fake emails without history in quick succession. Sophisticated attacks rely on slowly attempting purchases from many different locations, also called drip attacks.
Email age is a strong signal of card testing. Fraudsters can buy lists of email addresses and incur that expense, or they can simply generate bogus emails to launch the attack. For example, a bogus email may look like: firstname.lastname@example.org.
According to Rich Stuppy, Kount’s Chief Customer Experience Officer, “Card testing or carding is an age-old problem that tallies billions of dollars in fraud per year. Fraudsters are finding more opportunities to steal as companies all over the world increase their digital channels and offer amazing digital customer experiences,” he said. “We can all work together to stop the pain and brand damage by implementing a handful of best practices.”
Best practices for identifying and stopping card testing
Card testers strategically select businesses where they will be successful and where they will “get lost in the wash.” Part of their process is to first test the merchant to see if there is resistance. If they encounter immediate friction, they will move on to easier targets.
Pro tip: Card testers typically operate with limited resources. Some resources are relatively expensive, while some are relatively cheap. If the company can be protected in a way that exhausts the fraudster’s resources and causes fraudsters more expense, they will avoid practicing/testing on the company.
An AI-driven fraud prevention solution can easily flag suspicious orders – whether they are small or large.
Best practice approaches include:
- Checking signals that indicate automation attacks such as customers with new email addresses and signs of bots
- Protecting all points in the customer journey that give access to the payment system: web, app, phone, or other
- Measuring velocities and linkages across multiple components in a purchase, including:
- Identifying anomalies and inconsistencies in linked transactions
- Providing limited feedback to the card tester to make it harder for them to improve their game
How Kount solves card testing
Multiple layers of protection are needed to prevent card testing attacks. Using Kount’s Identity Trust Global Network and unsupervised and supervised machine learning (ML), Kount can immediately tell if there are signals of a fraudulent interaction, including if an email is new. Kount Command is easy to implement and use and delivers accurate eCommerce fraud protection to help businesses improve bottom-line profitability. It delivers anomaly detection to flag abnormal activities such as unusual spikes in traffic or shopping behavior and changing and evolving fraud attempts.
The solution includes advanced capabilities to evaluate transaction trust levels and fraud signals with advanced AI and ML that protects against new and existing fraud attacks:
• Unsupervised ML detects transaction anomalies and catches emerging fraud attacks. It stops fraud even when no historical evidence of fraud exists.
• Supervised ML identifies the more sophisticated attempts by learning the risk associated with a purchase based on historical outcomes.
How Kount Command works
When an interaction takes place on a website or mobile app, the data from this interaction is sent to Kount via simple APIs. Kount’s Identity Trust Global Network and adaptive AI immediately evaluate the data and generate a safety rating, Omniscore.
Omniscore flows through custom business policy thresholds and the interaction is either approved, declined, or held for manual review.
Kount Command features:
- Command Center: Gives businesses the ability to create, edit, and test customizable business policies, fine-tune fraud prevention decisions, conduct investigations, and monitor performance. Businesses can develop unique policies that meet unique needs and customize risk thresholds to address emerging attack methods, new use cases, and issues such as card testing.
- A case management capability to identify the patterns and connections revealed by machine learning. This helps business “harden defenses.”
- Protect accounts from being taken over that have access to credit card information.
- Access to an orchestration hub for third party integrations.
- Datamart: Businesses can track the type of fraud that is impacting them and measure the outcomes of fraud prevention efforts. Datamart is the analytics and reporting functionality within the platform that enables reporting on the rich data points collected from payment transactions, customer interactions, and outcomes. It allows in-depth investigation into suspicious behavior as well as business performance. New discoveries can inform future rules and policies created within the Kount solution and can also provide customer knowledge.
The impacts from card testing can be painful. From wasted product, excessive chargebacks and loss of brand loyalty, to strict fines and regulations from payment processors, it all adds up to a fraud problem. Investigate your options for preventing card testing and don’t let your hard-earned product go to waste. With fraud under control, you can kick-back and enjoy that cup of coffee.