What is card testing fraud, what makes it so dangerous for merchants, and what are the most effective steps they can take to protect themselves? Continue reading to learn more!
Online payment fraud has boomed over the last decade, especially following the global COVID-19 pandemic that struck the world in 2020 and forced everyone to go online, increasing the total transaction value of online payments to $6.68 trillion.
However, the rise in digital payments also incentivized the creativity of fraudsters, giving them more reasons to come up with new ideas for scamming innocent online users. In this article, we will focus on one of the most popular types of payment fraud – card testing fraud, covering everything that you will need to know about it.
So, without further ado, let’s dive right into it:
1. What is payment fraud?
Before we get into more detail with card testing fraud, it’s important to zoom out a little bit and focus on the big picture. What exactly is payment fraud, and what makes it so damaging for online businesses?
Payment fraud is any type of fraudulent activity in which a cybercriminal gets hold of legitimate payment data and uses the stolen card or credit card details to make unauthorized transactions and purchases. In most cases, the actual cardholder notices that their data is being used for illegitimate purposes, and files a payment dispute also known as a chargeback.
As we mentioned previously, there are many types of payment fraud online, and unfortunately they can be quite damaging for many businesses and customers. Let’s take a look at some of the most concerning statistics:
- Ecommerce losses to online payment fraud were estimated to grow by 20 billion U.S. dollars globally in 2021, 14% more than the previous year. (Statista)
- Global payments fraud has tripled, rising from $9.84 billion in 2011 to $32.39 billion in 2020. It is projected to cost $40.62 billion in 2027—25% higher than in 2020. (Finances Online).
- Successful monthly fraud attempts increased by 48% for larger retailers, and 27% for small online businesses. (Lexis Nexis)
- The most frequent payment method identified out of all fraud reports was credit cards. (Intuit Mint Life)
- In the cases of identity theft, people aged between 30 and 39 reported the most instances of credit card fraud while those age 80 and older reported the least. (Intuit Mint Life)
Where do consumers encounter fraudulent activities? Source: FinancesOnline.com
With these statistics in mind, it is not surprising that payment fraud is among the biggest concerns that merchants have online, especially considering that at least 5% of their revenue will be lost to fraud (according to the The Association of Certified Fraud Examiners report).
And now that we have cleared the importance of fighting payment fraud effectively, let’s talk about card testing fraud and what exactly it means for businesses:
2. What is card testing fraud?
Card testing fraud is a type of payment fraud in which a fraudster comes into possession of stolen credit card numbers, and then attempts to make small purchases online to see if the cards are valid and can be used for their fraudulent activity. In other words, they are testing the cards to find out which ones are still good (for example, not expired, not reported or blocked by the legitimate cardholder, etc.).
The main reason why card testing fraud is often performed with small purchases or transactions is because they are less likely to alert the merchant of fraudulent activity. It also makes it easier for fraudsters to check whether the testing was able to bypass the merchant’s fraud detection measures.
In addition, transactions for smaller amounts are more likely to go unnoticed by the legitimate cardholder.
If, on the contrary, the fraudster decides to make a big purchase – let’s say, for a couple hundred dollars, the owner of the credit card will immediately notice that there was a purchase that he didn’t make, and will file a chargeback as a consequence.
In most cases, he will also contact the issuing bank and block the card, which will render it unusable by the fraudster – which is obviously not their goal.
3. What are the signs of card testing fraud?
While card testing fraud can be challenging to prevent and deal with it when it happens, it doesn’t mean that merchants can’t do anything to reduce or negativize impact. Here are some of the most common signs that they should be looking for when it comes to card testing:
- Low-value transactions – if you notice a series of repeated low-value transactions from the same card number or IP address, it is highly likely that someone is testing a card or even multiple cards to check if they can go further with their fraudulent activity.
- Many purchases in a row – if you notice a lot of small purchases within a short range of time from the same account or IP address, this can also be a sign of card testing fraud. Fraudsters use programmed bots and scripts to make as many purchases as fast as possible.
- Authorization failures – because fraudsters are typically testing a lot of credit cards to see which ones are valid and which ones aren’t, the chances are that a lot of the cards they bought on the dark web or somewhere else are no longer valid. So, if you notice a high rate of authorization failures, this can indicate fraudulent testing.
- AVS alerts – another sign of possible card testing fraud is getting a lot of AVS (Address Verification Service system) alerts. AVS allows merchants to authenticate ownership of a credit or debit card, so getting an abnormal alerts volume is definitely something to look out for.
- CVV errors – the CVV number, also known as card security code, is typically printed on the credit card. It’s a 3 or 4 digit number typically used for the security of card not present transactions. However, many fraudsters who get hold of credit card data don’t always manage to get the CVV number. Transactions that miss this information can be fraudulent.
Card testing fraud: invalid card or CVV information
Even though fraudsters tend to use more technically advanced or sophisticated software and strategies, it’s still possible for businesses to detect card testing and prevent it before it’s too late. Having a secure, PCI-DSS Level 1 Payment Gateway and advanced fraud detection solutions are extremely important when it comes to fighting against fraud.
4. How do credit card numbers get stolen?
Of course, when talking about card testing fraud, it’s important to answer one very important question: exactly how do credit card numbers get stolen in the first place? Unfortunately, there are many ways in which they can get in possession of legitimate payment information. Some of them include:
- Buying stolen credit card numbers on the dark web or somewhere else on the Internet;
- Physical theft by stealing your wallet or credit card when you are not looking;
- Phishing attacks – a type of cyberattack that happens through email or SMS communication;
- Family members can also steal credit card data through friendly fraud;
- By using small devices called skimmers that collect payment data with magnetic strips;
- Public wi-fi and open wireless connections are a common way for fraudsters to hack into your data;
- By installing spyware or malware on your device, which can then steal sensitive data;
- By hacking into the online stores’ payment systems;
As you can see, there are many ways in which credit card numbers may get stolen, both online and offline. And the worst part is, this isn’t an exhaustive list but just a few examples so you can get the idea.
5. How is card testing fraud performed?
While there can be different ways in which fraudsters perform credit card testing fraud, including manual testing, they can also do this action better and much faster by automating it with programmed scripts and bots. One of the most common techniques is called botnets.
A botnet, short for robot network, is a number of Internet-connected devices that run at least one or more bots. They are usually used to execute Distributed Denial-of-Service attacks, steal credit card or other sensitive data, send spam, as well as allow hackers to access the device and its connection. The owners of the botnets can control them using command and control software.
If manual card testing fraud wasn’t already damaging enough, automated testing using botnets makes this type of payment fraud even more damaging for businesses online.
Instead of wasting time, money and resources on testing cards manually, fraudsters can simply conduct a massive, automated attack by programming networks of compromised computers to execute multiple low-amount transactions at the same time.
How a botnet for card testing fraud works. Image by wallarm.com.
Botnet attacks can be quite impactful because fraudsters come away with valid card numbers that they can use for their fraudulent purchases. Merchants, on another hand, are hit with a huge revenue loss, damaged brand reputation, as well as wasted time and resources.
6. What is the cost of card testing fraud?
As we mentioned, fraud amounts to more than 5% of revenue loss for businesses, and card testing can be particularly detrimental on their wallet and reputation.
Exactly how much a business can lose from card testing fraud will depend on multiple factors. On one hand, merchants will have to pay the fees for each of these multiple transaction attempts that the cybercriminal tries, no matter if they were approved or declined.
This can easily add up to hundreds of dollars of revenue loss, especially if the fraudster is testing many cards at the same time.
Next, we have the cost associated with chargebacks, in the cases in which the fraudulent transaction was initially approved, but then the rightful cardholder decided to dispute it because they didn’t recognize it on the account. Chargebacks can be costly for merchants, and high chargeback rates can lead to penalties and even termination of the account.
7. How can businesses prevent or protect themselves from this type of fraud?
There are a few steps that merchants can take to protect themselves from card testing fraud. Let’s take a look at them:
7.1. Add a Captcha
It may seem small, but actually one of the easiest ways to reduce the risk of card testing fraud is to add Captcha to your checkout, which the user will have to validate before they finalize the transaction. This type of verification can be surprisingly effective when it comes to stopping bots and scripts from performing their automated work.
7.2. Limit the number of checkout attempts
As we mentioned earlier, one of the most obvious signs of possible card testing fraud is the number of small purchases that the fraudster attempts in a very short period of time. Limiting the number of checkout attempts for a single user, especially the ones that happen within a single shopping cart session, can be a good way to protect yourself from testing fraud.
7.3. Eliminate guest checkout
Eliminating guest checkout, and encouraging (or obligating) users to create an account so they can complete the purchase, can be a great way of preventing multiple types of payment fraud. Requiring new users to complete a registration process will stop a lot of card testers from making card testing attempts on a particular website.
7.4. Set up a firewall
Botnets can be difficult to stop without implementing some prevention methods, such as setting up a firewall. If you don’t have one already, now is the perfect time – most firewalls come with botnet prevention tools so you can have a peace of mind.
7.5. Require a CVV number
Requiring the CVV number of the debit or credit card should be a must for any merchant. As we talked in one of the previous sections, many fraudsters are not able to get hold of CVV numbers (even if they’ve got the rest of the payment data), so requiring a CVV number from legitimate customers to allow them to complete their purchase can definitely be a smart move.
7.6. Check the address and ZIP code
Usually, when fraudsters test a credit card, they are highly unlikely to fill out the checkout page with the actual address and ZIP code. In fact, they will often enter ZIP codes and addresses at random when trying to finish their fraudulent transaction.
So, you can implement an AVS to ensure that the address that the user entered for the transaction actually matches the address of the card.
As one of the most common types of payment fraud, card testing fraud can be detrimental for businesses of all sizes, so it’s important to detect it and prevent it on time before it gets too late. One way you can do that is to ensure that you are using a PCI-DSS Level 1 compliant Payment Gateway that provides an advanced set of security and fraud detection tools.