Card testing fraud: Prevent big loss from small purchases
Ordering coffee online is easy, fast, and convenient. Customers don’t need to wait in long lines or scramble to count cash and change. They simply order ahead from a mobile app, enter their credit card details, and pick up.
But if your staff has ever had small drink and food orders sit unclaimed at the end of the pickup counter, your business might be experiencing card testing attacks. Unfortunately, credit card testing fraud is a common practice among bad actors.
Coffee shops and quick-service restaurants (QSRs) with mobile order-ahead apps are prime targets. But any business or merchant that sells digital goods or accepts card-not-present (CNP) transactions may be at risk.
What is card testing fraud?
Card testing fraud is a form of mobile app fraud that occurs when bad actors need to validate stolen or purchased credit card numbers. Once they confirm which credit card numbers are live, they can make larger fraudulent purchases.
They may try to place several small orders at once or within a short time frame. They may make these purchases on one card or many. Essentially, they’re weeding out numbers that may have been canceled or are invalid.
Any business or merchant that sells digital goods or accepts online payments may be a target for card testing attacks. But QSRs and restaurants, in particular, are common targets for this kind of fraud, which is why they need online fraud detection for food service.
Since many QSRs offer low-dollar value items, it’s not unusual to fill a series of inexpensive orders. In addition, many QSRs lack the depth of technology and fraud prevention experience to anticipate card testing attacks. They may be new to the digital space, compared to traditional e-commerce businesses, which makes them easy victims for sophisticated card testers.
It’s easy for bad actors to run a large number of fraudulent cards quickly. These small purchases allow fraud to go mostly unnoticed by cardholders. And they put businesses in difficult situations. Small businesses might use manual reviews and rules-based fraud detection as a first line of defense against card testing.
But rules and manual reviews alone don’t scale. And they certainly don’t adapt to emerging fraud on their own. So they’re unreliable for detecting card testing, especially for businesses that receive hundreds or thousands of low-dollar-value orders per day.
Any merchant that relies on rules alone or tries to conduct more manual reviews will slow down order acceptance rates, which isn’t ideal. For customers, time is of the essence. Manual reviews may push customers to the competition.
Meanwhile, an increased velocity of charges can get businesses in trouble with payment processors. When authorization rates are affected negatively, processors can justify charging more fees to seemingly high-risk businesses.
What are the effects of card testing fraud?
The effects of card testing fraud can worsen for businesses and cardholders over time. Mass card testing attacks can result in thousands of small purchases at once.
Taken as a whole, those purchases can have a serious financial impact. Businesses lose products and inventory and get hit with chargebacks when cardholders dispute fraudulent purchases with their banks.
Businesses that have an excessive number of chargebacks and exceed payment processor thresholds risk placement in expensive dispute monitoring programs. Visa programs include the Visa Dispute Monitoring Program (VDMP) and the Visa Fraud Monitoring Program (VFMP).
Mastercard fraud monitoring programs include the Excessive Chargeback Program (ECP) and the Excessive Fraud Merchant (EFM) program. Businesses with excessive disputes risk losing access to payment processors, which can have devastating consequences for their businesses.
Fraudulent purchases can also damage relationships between brands and customers. Businesses risk losing not only the defrauded customer but also future customers to negative reviews and a bad brand reputation.
How bad actors use botnets in card testing attacks
Bad actors can automate card testing, which makes it an attractive type of fraud attack. Javelin’s 2020 Identity Fraud Study suggests bad actors are working smarter to commit fewer fraudulent acts that yield higher funds.
For example, bad actors may program botnet attacks to do their work for them. They may launch fraud attacks and rent botnets to hide their IP address and circumvent IP address controls.
A botnet is a large network of compromised Internet of Things devices. An Internet of Things device is anything that’s connected to the internet that a bad actor can compromise and use.
These devices — doorbells, cameras, and thermostats, for example — have unique IP addresses that a bad actor can use to hide their originating IP address.
Essentially, botnets can place online orders to test credit cards faster than a bad actor could by inputting cards one by one.
Botnets are a common tool in credential stuffing and account takeover attacks. But bad actors also use botnets for card testing. They can program botnets to generate fake email addresses or use email addresses obtained in data breaches.
Once deployed, bots can go to a website and fill out a checkout page with an email, card details, and shipping address to complete orders. With a couple of hours of coding, a botnet can make thousands of purchases, login attempts, or account changes.
“Card testing or carding is an age-old problem that tallies billions of dollars in fraud per year,” said Rich Stuppy, Kount’s Chief Customer Experience Officer. “Fraudsters are finding more opportunities to steal as companies all over the world increase their digital channels and offer amazing digital customer experiences. But we can all work together to stop the pain and brand damage by implementing botnet detection tools and a handful of best practices.”
How to identify and stop card testing attacks with AI-driven fraud prevention
Bad actors often target businesses that process a lot of low-dollar-value orders and don’t challenge orders with digital identity verification protocols. For example, if a bad actor experiences friction in the order process, they may move on to another target.
To prevent card testing attacks, a global data network and an AI fraud prevention solution can establish the level of trust of every site visitor. And it can flag suspicious behavior and payments.
With a powerful data network of billions of interactions, businesses can establish identity trust at every stage of the customer journey.
Meanwhile, AI-driven fraud prevention that uses unsupervised and supervised machine learning can protect businesses from new and existing fraud attacks. Unsupervised machine learning detects transaction anomalies and catches emerging fraud attacks.
It stops fraud even when no historical evidence of fraud exists. Supervised machine learning identifies more sophisticated attempts by learning the risk associated with a purchase based on previous behavior and outcomes.
Overall, a digital identity solution that uses robust data, AI, and supervised and unsupervised machine learning prevents fraud in four key ways:
- It checks signals that may indicate automated attacks.
- It protects all points in the customer journey that give access to the payment system.
- It establishes identity trust by linking patterns across devices, email addresses, IP addresses, payment methods, shipping and billing addresses, and phone numbers.
- It provides limited feedback to the bad actor, which makes it harder for them to carry out attacks.
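The cross-attribute linking in the list above, reduced to a minimal velocity check (an added example, not Kount's code or product logic): it flags any device, IP address, or email that presents too many distinct cards on small orders within a short window. The field names, thresholds, and sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_CARDS = 3                    # assumed limit of distinct cards per linked attribute
LOW_VALUE = 10.00                # assumed ceiling for a "small" order
LINK_KEYS = ("device_id", "ip", "email")  # hypothetical order fields used for linking

def flag_card_testing(orders):
    """Return {(field, value): [cards]} for attributes that link more than
    MAX_CARDS distinct cards on small orders inside one WINDOW."""
    recent = defaultdict(list)   # (field, value) -> [(timestamp, card token)]
    flagged = {}
    for o in sorted(orders, key=lambda o: o["ts"]):
        if o["amount"] > LOW_VALUE:
            continue             # card testers favour low-value purchases
        for key in LINK_KEYS:
            attr = (key, o[key])
            # Keep only events still inside the sliding window, then add this one.
            recent[attr] = [(t, c) for t, c in recent[attr] if o["ts"] - t <= WINDOW]
            recent[attr].append((o["ts"], o["card"]))
            cards = {c for _, c in recent[attr]}
            if len(cards) > MAX_CARDS:
                flagged[attr] = sorted(cards | set(flagged.get(attr, ())))
    return flagged

def _order(minute, card, device, ip, email, amount=4.50):
    # Helper for the constructed sample data; cards are opaque tokens, not PANs.
    return {"ts": datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minute),
            "card": card, "device_id": device, "ip": ip, "email": email, "amount": amount}

SAMPLE_ORDERS = (
    # Constructed: one device rotating IPs and emails, five cards in five minutes.
    [_order(i, f"tok_{i}", "dev-A", f"198.51.100.{i}", f"user{i}@example.com")
     for i in range(5)]
    # Constructed: regular customer, one card, two coffees an hour apart.
    + [_order(0, "tok_reg", "dev-B", "203.0.113.7", "pat@example.com"),
       _order(60, "tok_reg", "dev-B", "203.0.113.7", "pat@example.com")]
    # Constructed: shared office IP, four cards spread over three hours.
    + [_order(60 * i, f"tok_office{i}", f"dev-C{i}", "192.0.2.10", f"staff{i}@example.com")
       for i in range(4)]
)

if __name__ == "__main__":
    for attr, cards in flag_card_testing(SAMPLE_ORDERS).items():
        print(attr, cards)
```

On the constructed sample only the shared device is flagged; a per-IP rule alone would miss it because every order arrives from a different address.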
Kount Command prevents card testing attacks, saves revenue
An AI-driven fraud prevention solution like Kount Command applies multiple layers of protection to prevent card testing attacks.
Kount’s Identity Trust Global Network™ and adaptive AI combine unsupervised and supervised machine learning to tell businesses in milliseconds if an order or payment event indicates fraud.
Kount’s global network and adaptive AI evaluate each interaction and generate a safety rating: Omniscore. Customize business policy thresholds to approve, decline, or hold a transaction for manual review based on Omniscore’s risk assessment.
The effects from card testing attacks can be painful. Wasted product, excessive chargebacks, loss of brand loyalty, and strict fines and regulations from payment processors all add up. But businesses can prevent losses with a solution that delivers accurate e-commerce fraud protection pre-authorization.