Card testing: How to stop small purchases from becoming big losses
Ordering coffee online is easy – just use your smartphone. It’s fast and convenient. And there’s no need to wait in a long line or scramble to count cash and change. Simply order ahead from a mobile app, enter your credit card details, and pick up gourmet coffee of choice.
But if you’ve ever picked up an order and seen drinks and food items unclaimed, you might be seeing card testing at work. Card testing with stolen credit cards is a common practice among bad actors. Coffee shops and quick-service restaurants (QSRs) with mobile order-ahead apps are prime targets. But any business or merchant that sells digital goods or accepts card-not-present (CNP) transactions may be at risk.
What is card testing?
Card testing occurs when bad actors need to validate stolen or purchased credit card numbers. Once they confirm which credit card numbers are live, they can make larger fraudulent purchases. They may try to place several small orders at once or within a short time frame. They may make these purchases on one card or many. Essentially, they’re weeding out numbers that may have been canceled or are invalid.
Any business or merchant that sells digital goods or accepts card-not-present (CNP) transactions may be a target for card testing. But QSRs, in particular, are common targets for this kind of fraud. Since many QSRs offer low-dollar value items, it’s not atypical to fill a series of inexpensive orders. In addition, many QSRs lack the depth of technology and fraud prevention experience to anticipate card testing attacks. They may be new to the digital space, compared to traditional eCommerce businesses, which makes them easy victims for sophisticated card testers.
It’s easy for bad actors to run a large number of fraudulent cards quickly. These small purchases allow fraud to go mostly unnoticed by cardholders. And they put businesses in difficult situations. Small businesses might use manual reviews and rules-based fraud detection as a first line of defense against card testing. But rules and manual reviews alone don’t scale. And they certainly don’t adapt to emerging fraud on their own. So they’re unreliable for detecting card testing, especially for businesses that receive hundreds or thousands of low-dollar-value orders per day.
Any merchant that relies on rules alone or tries to conduct more manual reviews will slow down order acceptance rates, which isn’t ideal. For customers, time is of the essence. Manual reviews may push customers to the competition. Meanwhile, an increased velocity of charges can get businesses in trouble with payment processors. When authorization rates are affected negatively, processors can justify charging more fees to seemingly high-risk businesses.
What are the effects of card testing?
The effects of card testing can worsen for businesses and cardholders over time. Mass card testing can result in thousands of small purchases at once. Taken as a whole, those purchases can have a serious financial impact. Businesses lose products and inventory and get hit with chargebacks when cardholders dispute fraudulent purchases with their banks.
Businesses that have an excessive number of chargebacks and exceed payment processor thresholds, they risk placement in expensive dispute monitoring programs. Visa programs include the Visa Dispute Monitoring Program (VDMP) and the Visa Fraud Monitoring Program (VFMP). Mastercard programs include the Excessive Fraud Merchant (EFM) program or the High Excessive Chargeback Merchant (HECM) program. Businesses with excessive disputes risk losing access to payment processors, which can have devastating consequences on their businesses.
Fraudulent purchases can also damage relationships between brands and customers. Businesses risk losing the defrauded customer but also future customers to negative reviews and a bad brand reputation.
Are you interested in stopping card testing?
Schedule a call to learn more.
How bad actors use botnets in card testing attacks
Bad actors can automate card testing, which makes an attractive type of fraud attack. Javelin’s 2020 Identity Fraud Study suggests bad actors are working smarter to commit fewer fraudulent acts that yield higher funds. For example, bad actors may program botnets to do their work for them. They may launch fraud attacks and rent botnets to hide their IP address and circumvent IP address controls.
A botnet is a large network of compromised Internet of Things devices. An Internet of Things device is anything that’s connected to the internet that a bad actor can compromise and use. These devices — doorbells, cameras, and thermostats, for example — have unique IP addresses that a bad actor can use to hide their originating IP address. Essentially, botnets can place online orders to test credit cards faster than a bad actor could, inputting cards one by one.
Botnets are a common tool in credential stuffing and account takeover attacks. But bad actors also use botnets for card testing. They can program botnets to generate fake email addresses or use email addresses obtained in data breaches. Once deployed, bots can go to a website and fill out a checkout page with an email, card details, and shipping address to complete orders. With a couple of hours of coding, a botnet can make thousands of purchases, login attempts, or account changes.
“Card testing or carding is an age-old problem that tallies billions of dollars in fraud per year,” said Rich Stuppy, Kount’s Chief Customer Experience Officer. “Fraudsters are finding more opportunities to steal as companies all over the world increase their digital channels and offer amazing digital customer experiences. But we can all work together to stop the pain and brand damage by implementing a handful of best practices.”
How AI-driven fraud prevention can identify and stop card testing
Bad actors often target businesses that process a lot of low-dollar-value orders and don’t challenge orders with friction or step-up authentication. For example, if a bad actor experiences friction in the order process, they may move on to another target. To prevent fraud attacks like card testing, a global data network and an AI fraud prevention solution can establish the level of trust of every site visitor. And it can flag suspicious behavior, logins, and orders.
With a powerful data network of billions of interactions, businesses can establish identity trust at every stage of the customer journey. Businesses can see an account creation, log-in, or payment event’s level of trust on a scale of low to high. Low levels of trust block fraud or challenge the event with step-up authentication. And high levels of trust deliver frictionless customer experiences.
Meanwhile, AI-driven fraud prevention that uses unsupervised and supervised machine learning can protect businesses from new and existing fraud attacks. Unsupervised machine learning detects transaction anomalies and catches emerging fraud attacks. It stops fraud even when no historical evidence of fraud exists. Supervised machine learning identifies more sophisticated attempts by learning the risk associated with a purchase based on previous behavior and outcomes.
Overall, an identity trust platform that uses robust data, AI, and supervised and unsupervised machine learning prevents fraud in four keys ways:
- It checks signals that may indicate automated attacks.
- It protects all points in the customer journey that give access to the payment system.
- It establishes identity trust by linking patterns across devices, email addresses, IP addresses, payment methods, shipping and billing addresses, and phone numbers.
- It provides limited feedback to the bad actor, which makes it harder for them to carry out attacks.
Kount Command uses AI and machine learning to prevent card testing
An AI-driven fraud prevention solution like Kount Command applies multiple layers of protection to prevent card testing attacks. Using Kount’s Identity Trust Global NetworkTM and adaptive AI that combines unsupervised and supervised machine learning, businesses can tell in milliseconds if a sign-in, order, or payment indicates fraud.
With each interaction on a website or mobile app, Kount’s Identity Trust Global Network and adaptive AI evaluate it and generate a safety rating: Omniscore. Custom business policy thresholds inform Omniscore’s letter grade, and an interaction is approved, declined, or held for manual review.
Kount Command is easy to implement and delivers accurate eCommerce fraud protection to help businesses improve bottom-line profitability. It delivers anomaly detection that flags evolving fraud attempts and activities such as unusual spikes in traffic or shopping behavior.
The effects from card testing can be painful. Wasted product, excessive chargebacks, loss of brand loyalty, and strict fines and regulations from payment processors all add up. But businesses can prevent losses from fraud and card testing.