Card Testing Attack: Mechanisms, Patterns, and Insights

Explore the mechanisms and impacts of card testing attack while identifying effective prevention strategies for businesses.

Sept. 7, 2024

Did you know that lurking beneath the surface of each of your online transactions is a danger? One of the biggest threats in ecommerce today is card testing attacks, when cybercriminals try out stolen credit card information through small transactions. These fraudulent transactions can lead to major financial losses, more chargebacks, and a bad name for your business. In this post, we'll walk you through what card testing attacks are, how they work, why they're so harmful to merchants, and what you can do to protect yourself effectively. By the time you're finished reading, you'll know what you need to know and what you need to do to fight back against this growing issue.

Key Takeaways

  • Scammers use small transactions to test if stolen credit card numbers are valid.
  • Merchants could face more chargebacks and more damage to their reputation.
  • Taking strong security measures and implementing advanced fraud detection is essential to reduce the risk of card testing.

Definition of Card Testing Attack

Credit card fraud has gotten really sophisticated in the last few years, and one of the latest, sneakiest tricks is what's called a card testing attack. A thief who wants to know whether a stolen credit card still works makes a small transaction -- usually just a few cents to a few dollars -- to see whether the card is live and has any money on it. These small, seemingly innocuous transactions are known as card testing, or 'carding.' It's just a small part of the larger credit card fraud event, but because it's so unassuming, it's that much harder to detect. So it's really important for merchants and customers alike to know what it is and how it works, so they can be more aware of what's happening.

Purpose of Card Testing Attacks

Card testing is a specific type of fraud designed to test which cards are still effective, without any notification to the cardholder. When fraudsters test stolen card information by making a small transaction, they gain the valuable information they need to commit fraud. If the transaction goes through, they know they can use that card for something big, because the card is still effective. This camouflage allows them to appear innocent while building a profile of which cards they can use, and which they can't.

It's the merchant that feels the sting of these attacks. Chargebacks -- instances when a customer disputes a charge -- become a huge headache for businesses. When merchants have high chargebacks from card testing, it eats into their margins and makes it more expensive just to stay in business. And if a fraudster successfully tests multiple stolen cards, it tips them off that your security is weak and they will keep on testing.

Methodologies Used by Fraudsters

Scammers have built a tech stack for card testing that is surprisingly effective. Using an automated script or bot, they can test a high volume of cards at once and quickly determine whether each stolen card is live. Automating the process means they never have to go through the motions manually for each transaction.

These attacks concentrate on low-security, low-friction environments. Fraudsters generally prefer digital goods and services because that's where they get immediate feedback on whether a card is live. By exploiting vulnerabilities in e-commerce platforms they get the most value for their effort, all at the expense of good businesses.

Impact on Merchants and Financial Losses

Card testing attacks have big consequences for merchants. Every successful attack can mean major monetary losses. Some estimates suggest fraud incidents could cost a merchant up to 3.60 times the transaction amount. For CNP fraud—fraud that occurs during online and remote transactions—an eye-popping USD 34.66 billion is projected to be lost annually.

Merchants also have to deal with chargeback ratios and the associated costs of reversing fraudulent transactions. Chargebacks are expensive, time-consuming, and can sour relationships with payment processors. It's important for merchants to have a strong anti-fraud strategy to detect and mitigate the risks associated with testing.

Importance of Enhanced Security Practices

As commerce moves online, businesses need to protect themselves against card testing attacks. That means being PCI compliant. You've probably heard of PCI compliance, but what is it, really? PCI stands for Payment Card Industry, and if you're compliant, that means you're adhering to the Payment Card Industry Data Security Standard, or PCI DSS—a framework for protecting cardholder data. Things like device fingerprinting, risk scoring, and dynamic friction are all ways to help detect fraud and yet make it easy for real customers to buy things from you.

But merchants can't just be PCI compliant; they need to be hyper-vigilant and continuously improving their fraud prevention program. When you strengthen your fraud prevention program, you make it much harder for card testers to gain entry to your application. Things like data enrichment, monitoring transaction patterns, and setting velocity rules for suspicious activities are all ways to detect and stop these activities.

Types of Card Testing Attacks

Card testing attacks are becoming increasingly common and are now a major issue for digital and non-digital organizations of all kinds -- although predominantly for ecommerce and online services. Understanding the different types of these attacks is important to help protect against them. In this article we'll look at these attacks, which include automated testing, manual testing, geographic targeting, zero-value transactions, and card cracking.

Automated Testing Techniques

Bots are a key way attackers run card testing fast and quietly. Scammers can push thousands of small transactions in a short amount of time without doing anything by hand, so they can test a lot of stolen card numbers, find the ones that still work, and then use those to do more damage. Testing many card numbers at once also maximizes their chances of finding working card details before the financial institutions can shut the cards down.

On top of that, the bots can hide the attacker, so organizations won't see anything until it's too late, which is why organizations need security measures that can catch these kinds of threats. Traffic analysis, behavioral analytics, and bot management tools like those Aite Group describes are all effective at catching this kind of rapid-fire attack.

Manual Testing Insights

While automated testing relies on machines to mimic user transactions, manual testing is carried out by humans who actually make the transactions. Attackers may use it to evade detection rules that are tuned to automated testing. By making transactions and behaving just like a real user, they can slip past security rules designed to discern between bot and human activity. Manual testers will often use simple software tools to speed up the process but ultimately have to make the transactions in a way that looks like real traffic.

This is especially dangerous because it allows the bad guys to very slowly and subtly test cards to see if they're good, and to try different routes to the payment gateways depending on how the gateways respond to their tests. The slow and steady approach of manual testing is very different from the automated attacks above, and it allows for very prolonged periods of unauthorized access. Organizations need to be on the lookout and have various tools (like transaction monitoring, fraud alerts, etc.) in place to stop these manual routes.

Geographic Targeting Strategies

Carding attacks tend to vary depending on where they're happening. Fraudsters might target a specific region because they know its security practices are exposed or vulnerable, or simply different from those in place elsewhere.

For example, maybe a particular region just has looser regulations or has lagged behind in upgrading their payment systems. A fraudster would know they can target that region and expect higher success rates.

And if they know who and where to target, it's also harder for businesses to detect. Businesses need to ensure that their fraud prevention strategy is truly holistic, including geographic considerations. They have to be able to use tools like IP geolocation and regional transaction monitoring to accurately detect and prevent these kinds of attacks.

Zero-Value Transactions Defined

Zero-value transactions provide another opportunity for card testing attacks, during which fraudsters try to transact for $0. The transactions are designed to not show up on the credit card statements, so neither the cardholder nor the bank detects them. This enables them to test card numbers without sticking out the way high-value transactions would.

Although zero-value tests are low dollar by definition, they can be highly impactful because fraudsters use them to profile cards for fraud they'll commit in the future. This covert approach requires businesses to have robust capabilities in place to monitor these transactions and detect patterns that might indicate fraud.

Card Cracking Explained

Card cracking is a more complex credit card testing attack in which fraudsters go beyond testing card numbers and validate card details against real compromised data from other sources -- payment databases, phishing scams, and other ill-gotten data. With card cracking, attackers can track and validate card data and achieve a high level of validation before taking part in online fraud.

When fraudsters use credit card cracking, they're demonstrating a heightened understanding of the payment system and how to bypass validation steps. Retailers should be aware and enhance their security strategy with advanced threat detection and proactive measures like multi-factor authentication to help guard against these advanced breaches. Understanding the threat landscape can also help businesses strengthen their defenses and build a more complete strategy against the most recent ways cybercriminals are attempting to get the best of companies.

Examples of Card Testing Attacks

E-commerce has a fraud problem, and card testing attacks are one of the worst things to come out of it. Fraudsters use stolen credit cards to make low-value transactions to check whether the cards are valid before making high-value transactions. It's a waste, it's costly for companies, and it's bad for your customers' security.

Surge in Attacks Noted by Stripe

In 2022, Stripe was blocking more than 20 million card testing attacks a day (and could have been blocking as many as 40 million). It's a huge number and a sign that online fraud kept growing even as the pandemic wound down and businesses continued to digitize and re-digitize. At the peak, during "carding season" (February through August of that year), the rate of testing attacks was more than 100x (one hundred times) the rate of 2019, and attacks were also significantly higher outside the typical carding season than they used to be. Stripe had never seen so many card testing attacks before. Fraudsters usually attack lots of businesses at once, and the individual transactions they use to test whether stolen credit cards are still active are typically very small. Fraudsters only run test transactions; when they find what they want, they "tune" their operations, and once they know their systems will work, they can do a lot of damage.

Stripe was only able to block so many card tests because it was also getting much better at identifying the fraud it was trying to measure, with its fraud prevention product, Radar, which combines machine learning with human judgment, so it didn't need to review as many transactions to do it. Stripe claimed it could block another 100 million of those "bad" transactions a day with a practically identical false positive rate. Amazing! Blocking was at an all-time high and continued to rise each year, and because of that new fraud prevention feature, businesses had been protected from a lot of fraud.

Indicators of Widespread Card Testing

I've had a lot of merchants reaching out to me about this lately. They're seeing tons of low-value auth attempts come in from all over the place, from different IPs. It's clear card testing. And most of the time, it is. They take a stolen card and make a bunch of small purchases--5 cents, 10 cents, etc. Because it's below the threshold that most fraud systems trigger on, they can test a ton of stolen cards and then use the good ones for fraud later. Not good.

But the thing is, they're seeing it more and more, and it's a problem, because the bad guys are getting more sophisticated and more capable of bypassing traditional fraud detection.

If you're a merchant, you need to be able to spot this. Because it's a sign your fraud management isn't very good, and you need to be examining all transactions more closely, even very small ones, or you'll have a very high chargeback rate, which will cost you.

Impact on Gaming Platforms

Believe it or not, a gaming company fell victim to a credit card testing attack. The company was inundated with chargebacks due to credit card testing, and it was costing them a fortune. What's a chargeback? It's when the customer disputes the charge, setting off a chain reaction that ultimately results in the merchant getting hit with fees and damaging their reputation. Reputation is everything for gaming companies, and incidents like that could be devastating.

Which is why it's so important to keep your chargeback ratio in check and ensure that you're verifying transactions properly. With effective fraud prevention, situations like that can be completely avoided, and you can focus on growing your business instead of trying to recoup what was lost.

Vulnerability of Nonprofits to Fraud

Nonprofits are especially susceptible to card testing attacks because they tend not to look as closely at transactions as for-profit organizations. They're targeted because most nonprofits can't afford the latest and greatest fraud prevention tools. As a result, they lose a lot of money that could be spent on mission and programs.

They should have stronger security practices, and they should have their staff trained so that they can scrutinize transactions more closely, monitor them more closely, and reduce their risk, and not have their hard-earned donations taken away from them.

Reputational Damage from Ongoing Testing

E-commerce businesses suffer from reputation damage as a result of card testing attacks time and again. If there are enough fraudulent transactions, real users start to get leery and eventually lose trust and stop spending money. If word gets out that your site is not safe from fraud, you could miss out not only on future sales, but die-hard advocates could take to social and begin to actively destroy your brand.

You need to be honest about the ways you're keeping your customers and their data safe. Invest in fraud prevention that is visible, and if there are problems, fess up in the open. Then you can win back the trust of the customers you lost once they see that you are really looking out for them. The trust you've already built is crucial for a healthy customer relationship and crucial in preserving your brand in a competitive market.

Pros and Cons of Card Testing Attacks

Card testing is a common cybersecurity problem. Cyber criminals use it to test stolen credit/debit card numbers to find valid ones that they can monetize. It's got pros and cons for merchants and retailers that can make a big difference in your bottom line.

Low-Risk Method for Fraudsters

The reason card testing is popular is because fraudsters love it. It's low risk for them, so they can quickly determine which card numbers are good, without giving away too much. Usually they employ a combination of automation and other methods to vet large amounts of stolen credit card data. Because the transaction amounts tend to be so low, it often goes undetected by most merchants and banks.

The fact that they can test stolen card numbers, and not actually pay for it yet, is the cherry on top. It's like free money for them in a way. It's a very low cost of doing business, and so it has been highly effective at exploiting the vulnerabilities of the online transactional financial system.

Acquisition of Valid Card Numbers

If the card testing attack succeeds, the fraudster now has a confirmed working credit card, and they can use it for other things. They can buy stuff with it. They can sell the number on the dark web. They can commit even more sophisticated financial crimes with it. Having a list of valid credit card numbers opens up more opportunities for them to make more money.

Once they have the numbers validated and they have a list of valid credit card numbers, then the real fun starts and they can come up with all sorts of tactics to extract the most value. Whether it's making a big purchase with them or using them for subscription services, which will build in value over time, fraudsters know how to create value for themselves using stolen goods.

Increased Chargebacks for Merchants

And you can bet the downsides of card testing are just as apparent, and just as costly. One of the first things that'll happen is you'll start to experience more and more chargebacks. A chargeback occurs when a cardholder disputes a charge. It may be a genuine fraud concern. In any case, you're stuck covering the cost of the dispute—that's money you'll never get back—and you'll also be charged a fee for the dispute as well, icing on the cake.

And as you might expect, all those fees can really begin to sting, and as chargebacks pile up higher and higher, it can spell operational headaches for your business. You may feel obliged to begin implementing stricter payment verification processes, which could introduce friction for valid transactions and turn away good customers. The chaos that card testing attacks sow has consequences that spread and could harm your reputation with customers and the integrity of your business overall.

Damage to Brand Reputation and Customer Trust

Card testing can really hurt brand reputation and customers hate it. When customers begin to see the side effects of declined transactions due to fraud checks, or hear about breaches, their trust in the business's ability to secure their financial data is shaken. That means fewer return customers, and that can really hurt.

Once a business gets a reputation for being fraud-heavy, customers may go to the competition instead, and that business will see declines in sales and market share. Brand reputation is more important in the online space than it has ever been before. Businesses that don't prioritize fraud prevention, even if by accident, will pay for it in the long run.

Financial Burden from Fraud

The costs of card testing really add up. Over time, businesses will pay a lot in fees and other costs, which can be really tough to handle. I mean tough in terms of more than just the lost sales. It's the chargeback fees. It's fees from payment processors. It's the added cost of more security. And other costs.

Businesses also spend money to detect fraud and prevent fraud so they don't see similar transactions in the future. But smaller businesses might not be able to afford those costs and might not be able to stay in business. In the worst case, a business could close after many net losses from fraudulent transactions. That's how businesses are impacted by, and go out of business because of card testing.

By understanding the impact and cost of card testing attacks, businesses can be prepared and resilient to these types of attacks in an increasingly digital world.

Tips for Preventing Card Testing Attacks

In the ever-changing world of e-commerce, online businesses have a lot of enemies to fight off. And just when you thought you'd seen it all—here comes another one. Card testing attacks. In a card testing attack, fraudsters use stolen credit card information to make small $1 purchases to test whether or not the card works. The financial damage can be significant—chargebacks, transaction fees, and a negative customer experience. To effectively protect yourself, you need to have a strong fraud prevention strategy in place. We've put together a few tips to help protect your business from card testing attacks.

Implement Google reCAPTCHA to Block Automated Attacks

One of the most effective ways businesses can defend themselves against bot attacks is by using Google reCAPTCHA. It's a tool that checks whether a user behaves like a human, which makes it really hard for a script to pretend it's a person. As a result, you can dramatically decrease the number of card testing scripts that attempt to automatically push stolen card numbers into your checkout. That matters because fraudsters are using increasingly sophisticated automation to exploit online sales channels. Businesses can enable Google reCAPTCHA in the security settings of their payment platform, select the pages they want to protect, and paste in the API keys. It's a security wall that strengthens your defenses while keeping checkout usable for genuine customers.

Require Additional Verification Steps

To make sure a transaction is legitimate, most merchants will want to check more than just the CVV. They'll also want to check AVS--the Address Verification System. Checking the CVV is helpful for making sure the customer has the card in their hand (since it's usually printed on the card). Checking AVS lets the merchant check the billing address the customer entered against what the issuing bank (the bank that actually issued the card to the customer) has on file. Both checks can help prevent a fraudster from running a transaction that would have misrepresented the user's identity or financials.

So, for instance, suppose someone tried to enter stolen credit card information but didn't know the CVV or the correct billing address. In that case, the transaction would raise a red flag, and the user wouldn't receive the product they were trying to steal.

Set Minimum Transaction Amounts

You may have been tempted to guess that a minimum transaction amount would be a good deterrent for card testing attacks. After all, logic suggests that fraudsters would be less likely to test a card if they had to make a larger purchase. This is true, and it's a strategy that comes with additional upside. Surprisingly, you may also see marginally higher revenue as a result of deflecting transactions you likely weren't earning much money on in the first place. Also, fewer low dollar transactions hitting your payment system can help keep things running more smoothly.

Limit Checkout Attempts

Limiting the number of checkout attempts a shopper can make is an effective way to reduce card testing: a user can't re-enter card information over and over, and can't cycle through multiple card numbers. For example, if you give a user 5 tries, you can greatly reduce the amount of fraud.

It also forces the user to be more careful and actually confirm their details before they finish checking out.

Utilize Advanced Fraud Detection Systems

With advanced fraud detection tools, such as machine-learning powered ones, you'll be better able to catch really unusual transaction patterns that might indicate card testing. They analyze a lot of data, look at transaction histories, and pinpoint anomalous behavior that could indicate fraud.

For instance, if the same IP address is trying to use a bunch of different card numbers in a short amount of time, machine-learning algorithms can flag or block the transactions, so you can stay ahead of would-be fraudsters with fewer false positives that might hurt good customers.
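To make the velocity rules concrete, here is an added example (not code from the original post or from any payment platform) that replays constructed gateway authorization logs and flags the pattern described above: many distinct cards from one IP within minutes, mostly sub-dollar amounts with a high decline rate, plus the 5-attempt checkout cap from the earlier tip. The log format, field names and thresholds are assumptions.

```python
"""
Velocity-rule detector for card-testing signals in authorization logs.
Added example; not code from the original post or any payment platform.
Log format, field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one authorization attempt per line:
# timestamp, client IP, checkout session, card fingerprint (a hash of the
# card number, never the number itself), amount in USD, gateway result.
SAMPLE_LOG = """\
2024-09-07T10:00:01Z 203.0.113.5 sess-a1 fp-0001 0.05 declined
2024-09-07T10:00:02Z 203.0.113.5 sess-a1 fp-0002 0.05 declined
2024-09-07T10:00:03Z 203.0.113.5 sess-a1 fp-0003 0.05 approved
2024-09-07T10:00:04Z 203.0.113.5 sess-a1 fp-0004 0.10 declined
2024-09-07T10:00:05Z 203.0.113.5 sess-a1 fp-0005 0.10 declined
2024-09-07T10:00:06Z 203.0.113.5 sess-a1 fp-0006 0.05 declined
2024-09-07T10:00:07Z 203.0.113.5 sess-a1 fp-0007 0.05 approved
2024-09-07T10:01:00Z 198.51.100.7 sess-b2 fp-1000 49.99 declined
2024-09-07T10:02:30Z 198.51.100.7 sess-b2 fp-1000 49.99 declined
2024-09-07T10:03:00Z 198.51.100.7 sess-b2 fp-1000 49.99 approved
2024-09-07T10:05:00Z 192.0.2.9 sess-c3 fp-2000 12.00 approved
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    session: str
    card_fp: str
    amount: float
    result: str


@dataclass
class Rule:
    """Thresholds (assumed values; tune them to your own traffic)."""
    window: timedelta = timedelta(minutes=5)
    max_cards_per_ip: int = 5          # distinct cards one IP may try per window
    max_attempts_per_session: int = 5  # the "5 tries" checkout limit
    low_value: float = 1.00            # cent-level amounts are the classic test size
    min_attempts: int = 5              # volume needed before ratios mean anything
    min_low_value_share: float = 0.8
    min_decline_rate: float = 0.5


def parse_log(text):
    """Parse whitespace-separated log lines into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, session, fp, amount, result = line.split()
        attempts.append(Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                ip, session, fp, float(amount), result))
    return attempts


def velocity_reasons(window, rule):
    """Reasons an IP's attempts in the window look like card testing (empty if none)."""
    reasons = []
    n = len(window)
    cards = {a.card_fp for a in window}
    if len(cards) > rule.max_cards_per_ip:
        reasons.append(f"{len(cards)} distinct cards from one IP within {rule.window}")
    # Ratio signals only count once there is enough volume; a single shopper
    # retrying one declined card must not trip them.
    if n >= rule.min_attempts:
        low_share = sum(a.amount < rule.low_value for a in window) / n
        decline_rate = sum(a.result == "declined" for a in window) / n
        if low_share >= rule.min_low_value_share and decline_rate >= rule.min_decline_rate:
            reasons.append(f"{low_share:.0%} of {n} attempts under ${rule.low_value:.2f}, "
                           f"{decline_rate:.0%} declined")
    return reasons


def detect_card_testing(attempts, rule=Rule()):
    """Replay attempts in time order with a sliding window per IP.

    Returns (flagged_ips, blocked_sessions): IPs mapped to the reasons that
    fired, and sessions that exceeded the checkout-attempt cap.
    """
    per_ip = defaultdict(deque)
    session_count = defaultdict(int)
    flagged, blocked = {}, set()
    for a in sorted(attempts, key=lambda x: x.ts):
        session_count[a.session] += 1
        if session_count[a.session] > rule.max_attempts_per_session:
            blocked.add(a.session)
        win = per_ip[a.ip]
        win.append(a)
        while a.ts - win[0].ts > rule.window:  # drop attempts that aged out
            win.popleft()
        reasons = velocity_reasons(win, rule)
        if reasons:
            flagged[a.ip] = reasons
    return flagged, blocked


if __name__ == "__main__":
    flagged, blocked = detect_card_testing(parse_log(SAMPLE_LOG))
    for ip, reasons in flagged.items():
        print(f"flag {ip}: " + "; ".join(reasons))
    print("sessions over attempt cap:", sorted(blocked))
```

A slow manual tester who spreads attempts beyond the window evades the velocity rule but still hits the per-session attempt cap, which is why the two controls are used together.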

Combined with those other pieces we talked about—things like adding Google reCAPTCHA, adding in additional verification steps, and using advanced fraud detection tools—you'll be protected from card testing, and more, so you can protect your business and your customers.

Table summarizing card testing attacks

| Key Takeaways | Details |
| --- | --- |
| What is it? | Carding attack where fraudsters use stolen credit card information to make a lot of small transactions to see if the cards actually work. |
| Why does it matter? | Find working cards; collect data with low risk; get everything they need to commit larger fraud. |
| How do they do it? | Scripts and bots to automate things so they can test a lot of cards quickly; in less-secure areas so they don't get caught. |
| What does it mean for merchants? | Big financial loss from chargebacks; potential losses as high as 3.60x the fraud; big loss of merchant trust. |
| What can merchants do? | Be PCI-DSS compliant; use strategies like risk scoring and dynamic friction; always be one step ahead with fraud prevention. |
| What does it look like? | Automated testing, manual testing, geographic testing, zero-value testing, card cracking methods. |
| Where have we seen it? | Stripe blocking 20M attempts every day; more low amount transaction approvals; charities affected; brand damage. |
| Pros | Less-risky fraud testing; they get working card info; profitable for fraudster. |
| Cons | More chargebacks; brand damage; monetary loss and cost-of-mitigation. |
| How can I prevent this? | Use Google reCAPTCHA; challenge more; set transaction minimums; limit checkout attempts; use machine learning to help catch. |

Navigating the Shadows of Card Testing Attacks

Card testing is a growing and evolving problem in the e-commerce world, where fraudsters use stolen credit card data to complete small transactions to test if a card is live. This kind of illicit activity is often the first step in much larger fraud scams and can cause big problems for merchants like you, such as loss of funds due to chargeback, higher operational expenses, and damaged brand reputation. Fraudsters use tactics like machine-driven scripts, geographic patterns, and other methods, as well as different types of attacks like zero-value transactions, manual testing, and more to leverage the vulnerabilities in your defenses. You and your team need strong security like Google reCAPTCHA, escalated verification, or other advanced anti-fraud tools to help you battle back and keep your business safe from card testing.

Frequently Asked Questions

Q1: What is a card testing attack and how does it work?

A card testing attack is a method fraudsters use to validate stolen credit card details by making small transactions. By making low-value transactions (typically cents to a few dollars), they can check if a stolen card is active and has funds in it. If the transaction goes through, the fraudster has the green light to make bigger purchases with the stolen card.

Q2: What are the potential consequences for merchants affected by card testing attacks?

Card testing is a difficult problem for merchants. You lose money. You get more chargebacks. Your operations get disrupted. Chargebacks happen when customers dispute an unauthorized transaction, and you're hit with fees and administrative overhead. Your payment processors are unhappy with you. And, on the other side, fraudsters see you as an easy target, and will keep coming back to attack you with attack after attack.

Q3: How do fraudsters typically carry out card testing attacks?

Thieves use a mix of automated and manual tactics to test cards. Automated scripts or bots let them make many transactions very quickly and quietly so as to avoid detection. On the other hand, manual testing means that a real person—appearing as an average user—makes the transactions and is often able to evade detection systems designed to catch automated processes.

Q4: Why are low-value transactions typically targeted in card testing attacks?

Card testing often goes after small transactions because they're typically not worth it to merchants to flag as a fraudulent test. This allows the fraudster to test a lot of stolen card numbers for free, and any successful small test means the card is valid and it's time to make a large purchase with the card.

Q5: What are some effective strategies merchants can implement to prevent card testing attacks?

Incorporating a few key strategies can help merchants protect themselves more effectively against card testing. They can block automated submissions using Google reCAPTCHA, implement additional verification tools such as CVV and Address Verification Systems, set minimum transaction amounts, limit the number of checkouts per session, and finally use an advanced fraud detection system that uses machine learning to identify unusual transaction patterns.

Q6: What is card cracking and how does it relate to card testing?

Card cracking is a more sophisticated scheme in which fraudsters validate stolen credit card info using breached data from other sources such as payment database breaches or phishing scams. It's an augmentation of the card testing stage of the fraud process, which lets criminals confirm valid card numbers and use them for larger-scale fraud. It shows they have more knowledge of payment systems and represents an increase in the sophistication of fraudulent tactics.

Q7: What can be the long-term effects of card testing on a business’s reputation?

Recurring issues can damage a business's reputation and customer trust. Once customers begin experiencing fraud or unsuccessful transactions, they lose trust in the merchant. And that means less loyalty, fewer sales, and potentially a load of negative social media coverage damaging the brand even further. The brand will always be playing defense with its reputation management. It's important to take a proactive approach to communicating your security efforts to regain that customer trust.

Q8: How has the volume of card testing attacks changed in recent years?

The number of card testing attacks surged, particularly during times when more businesses were shifting online. For example, Stripe (a major payment processor) observed a huge increase in the number of card testing attempts, with 2022 in particular seeing an enormous uptick compared to previous years. It's a reminder that online fraud is only growing in frequency and becoming more inescapable.

