Research conducted by credit reporting agency Experian and reported on by the State of California found, for instance, that a single credit or debit card number — with card verification values (CVVs) included — can cost just $5 to purchase from an illegal data broker on the dark web.
Meanwhile, stolen data packages that paired card details with login information associated with the victim’s bank account cost $15. So-called “fullz” — a comprehensive or “full” bundle of the victim’s name, birth date, address, social security number (SSN), card details, and banking information — could be had for a mere $30.
With stolen financial information so plentiful and cheap, it’s common for scammers or professional fraud rings to make bulk purchases of hundreds of card numbers at once. Of course, not all of those card numbers will work.
To validate them and avoid triggering suspicion, scammers sometimes avoid making high-value, fraudulent purchases right out of the gate. Instead, bad actors engage in a process known as card testing, where they use a merchant’s checkout system to attempt small-dollar purchases as a way to validate whether the credit card is still active.
In this article, we’ll take a closer look at the practice of card testing. We’ll talk about what it is, how it happens, and how it affects merchants. We’ll also explore how you can identify and prevent card testing fraudsters from harming your business.
Card testing is a form of credit card fraud in which fraudsters with access to stolen payment information attempt to validate or check which cards are still active and usable.
Card testing is a precursor to the actual fraudulent purchase. In a card testing scam, fraudsters attempt small-dollar purchases or payment authorizations. If the card is found to be usable, scammers will then use it to make unauthorized purchases.
Read MoreTo test hundreds or thousands of stolen cards at once, fraudsters often turn to bots, scripts, and other forms of automation.
This approach is supplemented by new account fraud, location spoofing, and other tactics that allow fraudsters to hide their tracks and evade detection. As for the actual tests themselves, fraudsters often run small transactions — usually under $5 — just to see whether a transaction will go through on a stolen card.
Read MoreDue to the small transaction values involved, it can be tempting to dismiss card testing as a relatively benign form of payment card fraud.
But chargebacks and chargeback fees, as well as the indirect costs like operational strain and damage to your business’s reputation, can make card testing fraud just as costly as any other type of scam. It’s for this reason that many merchants still regard card testing as one of the most significant and common forms of eCommerce fraud today.
Read MoreA sudden influx of small, seemingly random charges, a high number of failed transactions from a single IP address, and a surge in new account creations using invalid card information can all signal potential card testing.
And, when it occurs, the impact can be massive. A single attack can incorporate anywhere from thousands to tens of millions of credit cards.
Read MoreOne silver lining is that card testing attacks are fairly easy to detect. That’s because the automation employed by card cracking attackers stands apart from genuine purchases.
Specifically, you can detect attacks early by monitoring your checkout environments for red flags like a sudden spike in card declines, an unusual number of transactions from the same geographic location, or a high volume of attempted orders with mismatched verification information.
Read MoreA proactive, multi-layered approach to checkout security can help you prevent card testing attacks.
Fraud monitoring tools, single-sign on (SSO), velocity checks, and limits on checkout attempts, for instance, can help you deter bad actors who use heavy automation to run card cracking schemes.
Read More
Card testing is a fraud tactic in which attackers use bots or scripts to determine whether stolen card numbers and CVV combinations are active and usable.
Scammers perform card testing using bots or scripts that automatically test thousands of card numbers and CVV combinations at once.
You can detect card testing by being on the lookout for anomalous transaction trends. For example, if you notice a large number of small and often unsuccessful transaction attempts, that’s a telltale sign of card testing.
To tell if someone is using your card, look for red flags like unexpected declines or transactions you don’t recognize on your credit card statement. Unusual activity on your credit report, like a large number of unanticipated new inquiries or new accounts you didn’t open, could also be signs that fraudsters are using credit cards in your name.
Scammers can run card testing schemes by attempting small-dollar transactions or authorization requests on stolen card numbers, or by using automated bots or scripts to test or generate card number, PIN, and CVV combinations in bulk, all at once.
