Stolen card number testing on ecommerce websites has become rampant and is causing major headaches for merchants. As a result, merchants are looking for ways to better protect themselves against card testing fraud. Card testing, or carding, is a practice that uses unsuspecting ecommerce websites to:
- Test stolen credit card numbers to see if they are active
- ‘Guess’ the expiration date or other card parameters to see what works
- Systematically try different combinations of card numbers to find one that works
Card testing can be quite costly for merchants whose ecommerce site is targeted for this activity. They will be on the hook for associated authorization fees and possibly other transaction-related fees. Often, cybercriminals use bot automation to attempt hundreds or even thousands of authorizations per hour. Typically, the transaction amount is low – around $1. These transactions usually don’t settle, but the related authorization fees can quickly add up. Transactions that make it through the authorization process confirm that those card numbers are active. The confirmed numbers can then be used to make fraudulent purchases or be sold on the dark web.
In addition to racking up authorization and transaction fees, ecommerce sites that fall victim to card testing activity tend to be recurring targets for other financial fraud attempts. It is far better to proactively protect against card testing fraud than to engage in fraud clean-up after the fact.
Below is a list of actions you can take to thwart such fraudulent activity.
- Add reCAPTCHA to your ecommerce site. reCAPTCHA is a cost-free, anti-automation solution from Google. While more sophisticated attackers have tools to get around reCAPTCHA, it is usually successful at stopping these types of attacks. We recommend using the most up-to-date version, v3. Your web developer should be able to deploy this tool to your website.
- Use any available web host tools. Check with your web developer or third-party web host to see if they have any tools available to protect against card testing fraud. Note that blocking a single IP address is not sophisticated enough, as attackers often simply change their IP.
- Incorporate gateway anti-fraud tools. Many payment gateways have their own anti-fraud tools which may help. Typically, these tools come with a cost, but they’re a good way to protect against card testing fraud. A word of caution: configuration of these tools can be a little tricky. We recommend working with your web developer to ensure they are implemented correctly. It is important to make sure the settings you use to stop card testing do not impede legitimate sales. Wind River also has experience with these types of tools and can help you.
- Consider requiring users to register or login to make purchases. This puts a significant speedbump in the way of automated card testing. You’ll want to carefully consider this option as you do not want to deter legitimate customers from purchasing on your ecommerce site.
- Use a modern cloud-based fraud solution. This is the highest-level solution, one that can make a real-time determination of whether a machine or a person is inputting authorizations. There are costs associated with these types of solutions, but they are effective at stopping card testing as well as other types of fraud. Examples of solution providers include Signifyd and Kount.
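The traffic pattern described above (bursts of roughly $1 authorizations, mostly declined, from changing IP addresses) can also be watched for directly in authorization logs. The following is an added example, not code from this article or from any gateway: the log tuple layout, function names, and thresholds are assumptions to tune against your own traffic, and the sample data is constructed.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
LOW_AMOUNT = 2.00               # the article cites test amounts of around $1
MIN_ATTEMPTS = 20               # assumed threshold
MIN_DISTINCT_CARDS = 15         # assumed threshold
MIN_DECLINE_RATIO = 0.7         # assumed threshold


def detect_card_testing(attempts):
    """Return timestamps at which the site-wide window looks like card testing.

    attempts: (timestamp, ip, card_fingerprint, amount, approved) tuples sorted
    by timestamp. The IP is deliberately not used as a key, because attackers
    rotate addresses; the whole checkout is treated as one stream.
    """
    window, alerts = deque(), []
    for ts, _ip, card, amount, approved in attempts:
        if amount > LOW_AMOUNT:
            continue  # only low-value authorizations count toward the pattern
        window.append((ts, card, approved))
        while ts - window[0][0] > WINDOW:
            window.popleft()  # drop attempts older than the look-back window
        total = len(window)
        declines = sum(1 for _, _, ok in window if not ok)
        cards = len({c for _, c, _ in window})
        if (total >= MIN_ATTEMPTS and cards >= MIN_DISTINCT_CARDS
                and declines / total >= MIN_DECLINE_RATIO):
            alerts.append(ts)
    return alerts


def build_sample():
    """Constructed data: a few normal sales, then a burst from rotating IPs."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    rows = [(start + timedelta(minutes=10 * i), "198.51.100.7", f"cust{i}", 45.00, True)
            for i in range(5)]
    burst = start + timedelta(hours=1)
    # 40 attempts of $1, 10 seconds apart, new IP and card each time, 1 in 10 approved.
    rows += [(burst + timedelta(seconds=10 * i), f"203.0.113.{i}", f"card{i}", 1.00,
              i % 10 == 0) for i in range(40)]
    return rows


if __name__ == "__main__":
    alerts = detect_card_testing(build_sample())
    print(f"{len(alerts)} alerting attempts, first at {alerts[0]}")
```

An alert from a check like this is a signal to tighten gateway or bot-protection settings, not a replacement for them.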
Often, cybercriminals gain access to a merchant’s gateway or virtual terminal credentials to test stolen card numbers using the merchant’s account. The actions below will help prevent those credentials from being compromised.
- Enable multi-factor authentication. This allows the gateway to send you an out-of-channel verification during login attempts (e.g. receiving a code on your mobile device). Enabling multi-factor authentication is highly effective at preventing criminals from accessing your account.
- Require strong passwords for your login credentials. A strong password has 10 or more characters with upper and lower case letters, numbers, and special characters.
If ever there was a scenario to which Ben Franklin’s quote “An ounce of prevention is worth a pound of cure” applied, it is this one. The tools to protect against card testing fraud are readily available, easily accessible, and quite affordable. Take the time to add those layers of protection now. It’ll save you a lot of cost and aggravation down the road.