What is a Card Testing Scam? What are Some Key Best Practices to Stop These Attacks?
As the digital landscape expands and online shopping becomes the new norm, the opportunities for fraudsters grow as well.
Credit card testing is just one of many clever ways to defraud cardholders and merchants. It’s a very subtle attack with a small impact per incident. However, when conducted at scale, card testing becomes a big problem.
How does card testing work, though? How is it impacting eCommerce in general, and merchants in particular? Crucially, what are the signs that can tip you off and help stop these attacks? Let’s find out.
What is Credit Card Testing?
Card Testing
[noun] /kärd • test • iNG/
Card testing, also known as “card cracking,” is a type of credit card fraud that involves testing the validity of a credit card to determine if it's a valid, active card. This is done by charging a small amount to the card. If the charge goes through, the fraudster knows that the card is active and can then use it for larger purchases.
Card testing is often an incremental process. Because the transaction is so small, it can be easy to write off as a minor concern. However, these little experiments in fraud can add up pretty quickly.
Card testing has gained a lot of popularity with fraudsters in recent years. This is because it’s extremely subtle, to the point of being undetectable. It can also provide an opportunity for fraudsters to identify the best candidates for long-term theft.
All things considered, it’s no wonder that card testing surpassed phishing and identity theft to become the most common fraud attack globally in 2021.
Why Do Fraudsters Engage in Card Testing?
The popularity of card testing has a lot to do with the increased availability of credit card numbers. It’s also due to advancements in technology, improved security measures, and increased use of online transactions.
Credit card testing is a method that fraudsters use to minimize their risk of detection and maximize their potential profits. This is because, when a fraudster uses a stolen credit card number for a large purchase, there is a higher risk of detection. Merchants may notice suspicious activity and block the user, which would prevent the fraudster from making further purchases.
By testing the validity of a credit card through small purchases, the fraudster can determine if the card is active and not yet canceled. This helps to minimize the risk of detection and increase the chances of successfully using the card for larger purchases.
Some fraudsters may test multiple cards at once. When one has access to a large volume of credit card numbers (such as after a data breach), they can use credit card testing to validate the cards and identify which ones are active and valid. This allows them to focus on using the active cards for larger purchases, maximizing their potential profits.
How Does Card Testing Work?
Card testers typically use automated scripts or bots to test hundreds of credit card numbers at once.
The process starts with the fraudster obtaining a large volume of credit card numbers. This can be done first-hand through a data breach or a phishing scam, or they can be purchased on the dark web from other hackers.
The fraudster will then make several small purchases or charges on the card, often for amounts less than $1. The purpose of these small transactions is to determine if the card is active and has not yet been canceled or flagged as stolen.
If the small charges go through, the fraudster knows that the credit card number is active and valid. They can then use this information to make larger purchases.
Some card testers may opt to resell individual credit card numbers on the dark web. Numbers that have been verified and are active can sell for a much higher price point. In some cases, the fraudsters may even use the information to create counterfeit credit cards and use them for in-person purchases.
Negative Impacts of Card Testing
Between February and August 2022, payment processor Stripe tracked a wave of card fraud incidents in which bad actors inundated merchants with millions of small-dollar, or even zero-dollar transactions. At the peak of this activity, the company blocked more than 20 million card testing attempts per day.
As the situation continues to get worse, the negative effects of card testing fraud will reverberate more and more through eCommerce. Merchants, in particular, suffer the majority of the repercussions.
Although this list is far from exhaustive, here are a few major concerns merchants have about card testing:
You can never fully, 100% reliably stop fraudsters from inserting themselves into your payment processes. That said, how you respond to these attacks — how hard you work to stop them — can have a positive impact on your reputation.
Stripe rolled out a new tool last year aimed at tackling card testing. However, it's only for Stripe merchants.
On a broader scale, there’s not a lot being done currently. A key part of the problem is that, because the immediate financial impact of card testing is so small, there’s not as much institutional pressure to act.
How Will I Know if I’ve Been Targeted?
There’s a good chance that your business has already been the victim of card testing scams in the past. Either way, you want to make sure you’re doing everything you can to keep it from happening. The key is knowing what to look for.
There are several signs which may indicate that card testers have targeted your business, including:
If you suspect that card testers have targeted your business, it's important to take steps to protect your business's financial security. This may include reporting the incident to the card issuer and law enforcement, as well as reviewing and updating your business's security and fraud prevention procedures.
10 Tips to Stop Credit Card Testing Fraud Attacks
Our best advice is to monitor absolutely everything.
Most businesses use some type of CRM (Customer Relationship Manager). If your business isn’t currently using a CRM, now may be the time to make the investment.
A CRM can help you reveal payment discrepancies, better communicate with customers, and manage and monitor social media accounts. And, for our purposes, it can help you keep track of metrics and analytics that can identify card testers posing as customers. CRM data should pair seamlessly with your payment gateway and also integrate with anti-fraud measures.
Of course, investing in or upgrading your CRM is just one idea. Here are 10 additional steps you can take to fight card testing fraud today:
Step #1 | Implement the Right Fraud Tools
Setup may be a time-consuming process, but ultimately worth it. Card testers will struggle to overcome safety measures like AVS, CVV matching, velocity checking, and IP monitoring if they’re all in place as part of a coordinated, multilayer strategy.
Integrate all or as many of these systems with your CRM as possible, and never authorize transactions that do not meet pre-required criteria.
Step #2 | Use a VPN
Ensure that your payment gateway and CRM data are accessed only through a VPN, or Virtual Private Network. As we’ve alluded to, basic firewall protections cannot stop every hacker. The security of your — and your clients’ — accounts could be compromised.
If you offer WiFi for your customers, DO NOT take payments or access sensitive CRM data on the same network!
Step #3 | Enable SSO
SSO (Single Sign-On) can centralize password data under a secured framework, which will make it that much more difficult to compromise. This applies to you and your customers; SSO can help you safeguard your computers and terminals as well.
Google’s CAPTCHA (Completely Automated Public Turing Test) is a great addition to your SSO arsenal. Card testers often run automated scripts that CAPTCHA can block.
Step #4 | Designate Officers
Choose managers to “gatekeep” certain access points that could lead to data breaches. Also, make sure all employees log in to the system securely to operate within it and are compliant with PCI standards.
Not everyone in your organization needs access to every portal. Make sure your crucial details are only accessible by accredited individuals.
Step #5 | Set Rate Limits
Flagging specific transactions based on the dollar value can be quite effective at stopping card testing. If you’re experiencing a specific, recurring amount associated with card testing, set your limits to exclude them.
Limit the number of IP addresses that can be used to create new accounts in a single day.
Step #6 | Limit Checkout Attempts
Remember, card testing often utilizes brute force tactics, such as trying many cards at once in the hope that one will prove fruitful. Limiting the number of transaction attempts can dramatically decrease these attacks.
You should also limit the number of times a cardholder can attempt to run a single card during checkout.
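The velocity checking from Step #1 and the limits from Steps #5 and #6 can be sketched as one sliding-window check over checkout attempts. This is an added example, not code from the original article or from any payment gateway; the window length, thresholds, reason names and sample events are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600       # assumed sliding window (10 minutes)
MAX_CARDS_PER_IP = 3       # assumed: distinct cards one IP may try per window
MAX_ATTEMPTS_PER_CARD = 3  # assumed: attempts on a single card per window
SMALL_AMOUNT = 1.00        # the article notes test charges are often under $1

class VelocityChecker:
    """Sliding-window velocity checks over checkout attempts."""
    def __init__(self):
        self.by_ip = defaultdict(deque)    # ip -> (timestamp, card token)
        self.by_card = defaultdict(deque)  # card token -> (timestamp, ip)

    @staticmethod
    def _expire(queue, now):
        # Drop attempts that have aged out of the window.
        while queue and now - queue[0][0] > WINDOW_SECONDS:
            queue.popleft()

    def check(self, ts, ip, card_token, amount):
        """Record one attempt; return reasons to decline or review (empty = allow)."""
        ip_q, card_q = self.by_ip[ip], self.by_card[card_token]
        self._expire(ip_q, ts)
        self._expire(card_q, ts)
        ip_q.append((ts, card_token))
        card_q.append((ts, ip))
        cards_from_ip = {token for _, token in ip_q}
        reasons = []
        if len(cards_from_ip) > MAX_CARDS_PER_IP:
            reasons.append("too_many_cards_from_ip")
        if len(card_q) > MAX_ATTEMPTS_PER_CARD:
            reasons.append("too_many_attempts_on_card")
        if amount < SMALL_AMOUNT and len(cards_from_ip) > 1:
            reasons.append("small_amount_across_cards")
        return reasons

# Constructed sample: (seconds, client IP, gateway card token, amount in USD).
# Tokens stand in for card numbers; raw PANs should never reach this layer.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "tok_a", 0.50), (10, "203.0.113.7", "tok_b", 0.50),
    (15, "198.51.100.20", "tok_z", 42.00), (20, "203.0.113.7", "tok_c", 0.50),
    (30, "203.0.113.7", "tok_d", 0.50), (50, "198.51.100.20", "tok_z", 42.00),
    (700, "203.0.113.7", "tok_e", 0.50),
]

def replay(events):
    """Run events through a fresh checker; return one reasons list per event."""
    checker = VelocityChecker()
    return [checker.check(*event) for event in events]
```

Calling replay(SAMPLE_EVENTS) flags the second and later sub-dollar cards from 203.0.113.7 while the customer retrying one card at 198.51.100.20 passes, and the last event passes again because the earlier attempts have aged out of the window.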
Step #7 | Block Cross-Border Transactions
Unfortunately, a majority of card testers and botnet companies are located and operated outside of the US. While becoming a global retailer is a fantastic goal for merchants, you should be extremely cautious of international IP addresses.
Try segmenting orders based on IP address. Orders from countries or regions known to have elevated fraud levels can be subjected to additional screening.
Step #8 | Encourage Customer Sign Up at Checkout
While guest checkout can speed up the payment process, it can also leave you vulnerable to fraud. Encouraging users to register before checkout will deter many fraudsters from targeting you.
Encourage — even incentivize — your buyers to create an account, but don’t mandate it. Mandatory account creation is one of the leading drivers of shopping cart abandonment.
Step #9 | Set a Botnet Firewall
If you don’t already use a firewall on your website, stop reading this and go install one right now. Firewalls and various anti-fraud services generally include botnet prevention tools, which can deter card testing attacks.
Most card testing attacks are performed by bots on a large scale. Having a firewall in place can alleviate a lot of risk.
Step #10 | Deploy Third-Party Fraud Monitoring
If you lack the bandwidth or staff to effectively monitor and manage fraud prevention, many reputable third-party companies exist to help. Professional services utilize expert industry knowledge to detect, isolate, and help you recover from fraud attacks.
Many services combine fraud detection with chargeback prevention methods, which can protect your business from threats while you focus on increasing your revenue.
Get More Help With Card Testing Fraud
We certainly understand that this is a lot for anyone to take in. Of course, that’s no excuse to be complacent.
Fraud of any stripe can be a costly challenge for your business, and card testing is perhaps one of the most insidious. It can wreak tons of havoc within your organization and cause many problems that can leave lasting, painful scars. Chargebacks, for instance, are just one factor in the equation.
Now that you are familiar with the problem and the various ways in which you might combat card testing fraud… are you ready to fight back? Continue below and learn how today.