Understanding How to Stop Card Testing in Your Online Business

Learn how to stop card testing effectively and protect your online business from fraud.

Sept. 12, 2024

Did you know about the silent killer of online business that is card testing? Fraudsters are always finding new and more advanced techniques to test stolen credit cards in the form of small transactions that many businesses won't even notice. When they do notice, it's not only that you're out of pocket, but it can also bring your merchant operations to a grinding halt, and push even small startups into bankruptcy. In this blog, we're going to go in-depth on card testing so that you can understand how fraudsters operate, and take measures to stop card testing effectively. By the end of this piece, you'll know how to reinforce your transactions, and protect yourself against this destructive force.

Key Takeaways

  • Card testing is a scam where criminals make small transactions to verify stolen credit cards, typically ranging from $0.01 to $0.10.
  • Automated tools have made it easy for fraudsters to test multiple card numbers rapidly, and that's not good for merchants.
  • Security, security, security. The more secure your practices, the fewer opportunities fraudsters have to card test. That means things like 2FA, transaction monitoring, etc.

What is Card Testing

Card testing is a fraud where criminals conduct small transactions to see if the stolen credit card details are valid. It's like a "test run" for the payment card in advance of the "real scam" of consumer fraud where they use the payment card to conduct larger purchases or sell the established credit card details to another criminal group for a higher price. The micro transactions help the criminal attempt multiple tries with different cards and keep the payment card activity below the radar of the merchant.

Also known as card cracking, this fraud is popular among criminals because it's effective. The fraudster isn't looking to use their card once; they're looking to fraud as many cards as possible. What's more troubling is that they're not just looking for any credit card numbers, but numbers they can commit consumer fraud with. And this is particularly worrying because they are able to distinguish which card numbers they can still fraud and which card numbers they cannot fraud. Once they have the active number -- the key -- it can be used to commit consumer fraud in other ways as they're sold on the dark web or used in other unauthorized purchases.

The other thing to remember about carding is that generally speaking, it is usually used to fraud online merchants. Typically, merchants that are not proactively protecting their business. Merchants that have low dollar, high transaction volume -- like fast food or e-commerce -- are especially susceptible since the thresholds to flag the fraud may not be worth the couple dollars they're frauding. The math is not in the merchant's favor; they lose the money from the fraud and they pay transaction fees for both the fraud and the reversal, creating a cost that eats into the merchants' margins, over and over again.

Impact on Merchant Operations

Card testing is one of the most sophisticated and pervasive frauds today. Every transaction, whether it's declined or not, comes with fees. That can cut into a business's margins and, if you start getting lots of declines on your account, you get hit with high risk fees and a higher level of scrutiny from your payment processor. For small businesses with small margins, that can mean the difference between staying open and going out of business.

And because it's so large scale and automated, businesses have no idea it's happening. They're testing card numbers 24/7. As a business owner, how would you know what to look for or to do when one of your customers gets hit with a fraudulent charge? They're testing thousands of card numbers per minute, and with the bot's wide and erratic net, how would a business owner even know what to look for as far as fraudulent activity goes? They need to know what to look for as far as their transaction trends go--that's going to be the most important thing to look out for when it comes to card testing fraud. By implementing fraud detection in their payment systems, they can greatly minimize it, keeping profits where they belong.

Don't wait until it happens to you. They could have software checking their transactions and flagging transactions that don't feel right, so they can be alerted and take action immediately. They should also be analyzing their declines, chargebacks, and other transactional patterns to further protect themselves from card testing fraud.


Types of Card Testing Methods

The age of technology has given rise to a whole new breed of card fraud -- card testing. There are now more ways than ever to test stolen credit and debit cards to see if they are working. While this illegal activity causes significant losses to banks and merchants, it can also have a broader impact on the economy. Understanding how card testing activities work is the key to stopping fraud, keeping cardholders safe and secure.

Small Payment Transactions for Verification

So how do they do it? One common way is through a small transaction. Sometimes it's for a few cents. Sometimes it's for a few dollars. They want to test the waters and find out if the credit card number they've stolen is valid without you noticing. They want to keep things small so that you don't get an alert right away. This way, they can see if the card is active, and if it has funds. These small transactions can often go undetected for a long time because who really goes through their statement with a fine-tooth comb. By the time you catch on, the fraudster may have used your card multiple times. So not only did they get to test things out, they are now going to create multiple chargebacks once you realize that they have been stealing from you. And all of those chargebacks are going to cost the merchant money. That's why it's so important to look for patterns of fraud.

Subtle Authorization Checks

In addition to small dollar transactions, there is another type of card testing we often see: authorization checks. These are much rarer, thus less likely to jump out at the cardholder on their statement. But in essence, an authorization check is being used to test card data without actually running a transaction. Since they're not seen for a few days, other than the amount, cardholders usually don't remember them a few days later. Fraudsters use authorization checks to test if a card is "live" in moments. Merchants will often incur chargebacks days after these initial checks, putting their own funds at risk. But merchants who have real-time monitoring can see the odd authorization activity and block it before there's a fraudulent charge.

Combining Multiple Card Numbers

Fraudsters will pull out all of the stops when executing their tests. One common method? They use card testing as an easy way to identify valid and funded accounts. By attempting many different compromised card details, they are more likely to find a valid and funded account. This can be so damaging because it allows them to exploit a merchant's system weakness by testing many more cards at once. The more card numbers they have, the more likely they are to find an active card, and this can result in significant financial loss if a business is unable to quickly identify such tests. CNP fraud is projected to cause losses of USD 34.66 billion annually, and merchants rely on risk models to detect this type of testing: many transactions that look the same and often come with high numbers of card details.

Automated Scripts for Testing

The post-pandemic world is not the same as the pre-pandemic world, and it never will be again. We're seeing changes happen faster than ever: more people working from home, more people shopping online, and more businesses realizing they don't need to spend a lot of money on overhead and rent. You can stand there and holler at the tide about how things were better "in the old days" and how it "should" be, or you can get on board and make money and prosper.

Real-World Examples of Card Testing Fraud


Rise of Card Testing as a Leading Fraud Attack

This year, card testing topped the charts as the most popular scam type -- surpassing even other "old standbys" like phishing and identity theft. As fraud detection and prevention improved, fraudsters simply changed their tactics. At this particular moment in time, card testing was the flavor of the month, and merchants were definitely seeing a lot of it and probably getting a little weary of the high frequency of attacks. It's a reflection of fraudsters' agility, as well as an indication that e-commerce businesses need to adapt to protect themselves against this newest scam type.

Financial Impact of Chargebacks on Businesses

Card testing can have devastating results. Some merchants see an increase in their chargeback rates, which can be very bad for your business. A chargeback happens when a customer disputes a charge, and the bank reverses the charge. This can mean a lot of fees, and multiple chargebacks can mean high-risk merchant status. That means for a small business, lots of fees and lots of security reserves, which means you can go out of business. So the financial consequence of card testing is very high, and you would like to protect your business from it.

Illustrating the Scale of Card Testing Attacks

A good example of card testing fraud is Stripe. At the peak of the fraud, they were stopping over 20 million card testing attempts a day. That's a lot of fraud. That's how rampant credit card fraud is. In fact, they claim that card testing attempts have increased more than 100x since 2019 because there's more online transactions happening. And as fraudsters get better, the fight between fraud prevention technology and clever scammers will only get more severe... so it's always good to remain on the lookout!

Projected Losses in E-Commerce Due to Credit Card Fraud

Looking forward, e-commerce has a big money problem on its hands. Industry analysts expect the costs of all the different types of fraud, including card testing, to balloon to a staggering $206 billion by 2025. That's why good fraud prevention is so important—it's how you stop card testing. As e-commerce gets bigger and bigger, you need to implement the newest technology and adopt the latest strategies for fighting fraud to help protect your business and earn and keep your customers' confidence.

Now that you've got these concepts and examples, you can see that card testing is only one piece of the fraud puzzle. Businesses need to remain vigilant and adapt to new tactics to prevent potential losses while making sure their legitimate clients always have a safe, enjoyable experience.

Indicators of Card Testing Attempts

With the digital landscape always evolving, card testing has become a huge threat for online merchants, so stopping card testing is key to stopping fraud. Here are some signals to keep an eye out for if you're in the crosshairs.

Unusual Spike in Low-Value Transactions

A common indicator of card testing is a sudden, unexplained increase in small transactions with the same card number or IP address. That's because scammers often test stolen card details by making very small purchases. Small transactions fly under the radar. For example, if you suddenly notice a spike in $1 or $5 transactions from the same person, that could be a criminal trying to identify which cards are still active and valid, and is typically done via automated scripts so that they can try many card combos in a very short space of time.

These low-value transactions are often just one piece of a larger scheme. When merchants aren't protected suitably, they're at a real disadvantage when it comes to this type of activity. By looking out for this suspicious traffic, and by putting thresholds in place for the number and size of transactions, they can catch these so-called tests before completion.

Multiple Failed Authorization Attempts

Another surefire sign of potential card testing is when you see multiple failed auths all in a row. What's happening here is that fraudsters are taking stolen credit card numbers and running them to see if they're valid. So if you see a string of failures from the same account or IP address, chances are high someone is in the middle of a card testing binge.

For instance, if an IP address tries to run transactions on different card numbers and fails each time, they're likely blasting through data at breakneck speed. Nipping this activity in the bud as it occurs means merchants can prevent any additional attempts before they happen, whether by adding more security or outright blocking the IP address.

Increased Transaction Declines

A rise in transaction declines is another telltale sign that fraudsters are card testing. When decline rates increase, especially when combined with other suspicious signs, merchants may wish to dig deeper. This is a classic pattern in card number theft. Fraudsters need to figure out which cards are still active.

Merchants may wish to dig deeper on the decline rates and tie that in with elements like the IPs used, geography of transactions, and when the actual card numbers begin being tested. All the better for stopping fraud right then and there, and for helping to bolster security in a way that stops more future incidents.
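The three indicators in this section (a spike in low-value transactions, repeated failed authorizations, and many cards tried from one IP address) can be checked together with a sliding window over the transaction log. This is an added example, not code from the original article; the thresholds, field names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# All thresholds are assumptions for illustration; tune them to your own baseline.
WINDOW = timedelta(minutes=10)
LOW_VALUE_MAX_CENTS = 500   # "low value" here means $5.00 or less
MAX_LOW_VALUE = 5           # low-value attempts allowed per IP per window
MAX_DISTINCT_CARDS = 4      # different cards allowed per IP per window
MAX_DECLINES = 4            # failed authorizations allowed per IP per window


@dataclass(frozen=True)
class Txn:
    ts: datetime
    ip: str
    card_token: str    # processor token or fingerprint, never the raw card number
    amount_cents: int
    approved: bool


def detect_card_testing(txns):
    """Return {ip: [reasons]} for every IP that exceeds a threshold inside WINDOW."""
    recent = defaultdict(deque)   # ip -> transactions still inside the window
    alerts = defaultdict(set)
    for t in sorted(txns, key=lambda x: x.ts):
        q = recent[t.ip]
        q.append(t)
        while t.ts - q[0].ts > WINDOW:   # drop attempts older than the window
            q.popleft()
        if sum(x.amount_cents <= LOW_VALUE_MAX_CENTS for x in q) > MAX_LOW_VALUE:
            alerts[t.ip].add("low_value_spike")
        if len({x.card_token for x in q}) > MAX_DISTINCT_CARDS:
            alerts[t.ip].add("many_distinct_cards")
        if sum(not x.approved for x in q) > MAX_DECLINES:
            alerts[t.ip].add("failed_authorizations")
    return {ip: sorted(reasons) for ip, reasons in alerts.items()}


def sample_transactions():
    """Constructed sample log; IPs come from documentation ranges."""
    start = datetime(2024, 9, 12, 14, 0, 0)
    txns = []
    # Scripted pattern: 8 different cards, $1.00 each, 20 s apart, 7 declined.
    for i in range(8):
        txns.append(Txn(start + timedelta(seconds=20 * i), "203.0.113.7",
                        f"tok_{i:03d}", 100, approved=(i == 5)))
    # Ordinary customer: one card, two approved purchases.
    txns.append(Txn(start + timedelta(minutes=1), "198.51.100.20", "tok_a", 4250, True))
    txns.append(Txn(start + timedelta(minutes=6), "198.51.100.20", "tok_a", 500, True))
    # Customer retrying one declined card three times: stays under every limit.
    for i in range(3):
        txns.append(Txn(start + timedelta(minutes=2 + i), "192.0.2.44",
                        "tok_b", 3000, False))
    return txns


if __name__ == "__main__":
    for ip, reasons in detect_card_testing(sample_transactions()).items():
        print(ip, reasons)
```

Attempts spaced further apart than the window never accumulate in this check, so it is worth running the same logic with a longer window and higher limits as well.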

Importance of Monitoring Transaction Patterns

To catch potential card testing as it happens, you need to watch transaction patterns and customer behavior, analyzing that data with tools like Looker to pinpoint irregularities.

For instance, you might have a system in place that keeps an eye on your customers, and that flags anything that looks unusual—such as a long-time customer making a sudden surge of ultra-low-value purchases. You'll also want an array of pings that notify you when something's amiss, and prompt your customers for additional verification, if necessary. When you understand how your customers should be behaving, it's easy to detect card testing while it's still underway, and act to reduce your exposure as soon as possible.

Once you have a solid security setup, you'll be able to not only catch fraud in the act but also inspire trust in your customers by creating a secure shopping environment.

Best Practices to Stop Card Testing

Card testing is a big problem for online merchants. As online transaction volumes have soared during COVID, fraudsters use stolen card details and tools like bots to run many transactions at a low dollar amount to find valid card details. Merchants need to stop card testing to have confidence in their transactions and feel great about their business. Good fraud prevention can mitigate these risks by a great deal.

Strengthening Transaction Security

A great way to keep your business safe is to require 2 factor authentication (2FA) and CVV. 2FA means you need two pieces of information to log in, instead of just a password (for example, a code sent to your phone via text, or from an authenticator app). This way, even if someone gets your password, they can't log in without the second thing. Then your account is basically unhackable. Need to lock an employee or contractor out of your account? Easy. Just change your password. They'll have the password, but they won't have your phone. Can't log in!

CVV means you need the card to complete the transaction. For example, when a customer comes in to make a purchase, we'll ask for the CVV on the back of their card. If the transaction doesn't meet 2FA + CVV requirements, we'll flag it, and you can review it, or we might decline it, protecting you and our real customers.

Utilizing Address Verification Services

You can also help prevent fraud by using Address Verification Services (AVS) which compares the billing address the customer gives you with the billing address on file with their credit card issuer. If they don't match, that discrepancy can be a good indicator that something is going on and you can use that info to help you catch more bad stuff before it happens—or to decide to reject the transaction altogether.

For example, if someone has a credit card issued in the United States but their shipping address is in some high-fraud area overseas, the AVS discrepancy might serve as a trigger for further investigation. By using AVS, you can ensure transactions look like what you'd expect from your customers, and that helps your security all around.

Limiting Transaction Frequency


Restricting Risky IP Addresses

Stopping card testing fraud can also be achieved by blocking transactions from IP addresses that are associated with high-risk geolocations or have been linked with fraudulent activity in the past. This way, merchants can stop fraudulent card testing before it begins, using geolocation and known fraud databases to filter out potentially unsafe transactions before they occur.

For instance, if requests from a certain IP range (which is often associated with fraud) are frequent, merchants can use filters to block these requests, saving time, resources, and headaches over time, all while ensuring that good customers continue to have a seamless experience.

Reviewing Transaction Data Regularly


Table summarizing Card Testing and its Impacts

| Category | Details |
|---|---|
| Definition | Carding is when fraudsters perform small transactions to test stolen credit card information. |
| Also Known As | Most people simply refer to this as carding. |
| Target | Mostly online businesses with weak security. |
| Impact on Merchants | Increased chargebacks, financial strain, potential bankruptcy. |
| Detection Challenges | Automated tools make fraud prevention more difficult. |
| Common Methods | Small transactions, authorization tests, one card, automated scripts. |
| Indicators of Fraud | Spike in low-value transactions, many failed authorizations, increased declines. |
| Best Practices | Tighten up security (e.g., 2FA, CVV), use AVS, limit transaction frequency, block sketchy IPs, periodically review transaction data. |
| Projected Losses | By 2025, carding is projected to result in more than $206 billion in fraud-related losses. |
| Notable Example | At peak times Stripe was blocking more than 20 million carding attempts each day. |

Navigating the Complex Landscape of Card Testing Fraud

Card testing is a growing problem for ecommerce merchants. Cybercriminals use card testing to determine if a stolen credit card number is valid through a small 'test' purchase. With the results of that test purchase, they can then use the card for larger illegal purchases. The repercussions for merchants can be devastating—lots of chargebacks and fees that could bankrupt a vulnerable business. In this article, you'll learn what card testing is and how card testers make small purchases, automate scripts and employ authorization checks. You'll also learn what you can do about card testing, like using address verification services, two-factor authentication and frequently reviewing your transaction data. Card testing is on the rise. Online merchants should be informed and act to protect themselves and their customers.


Frequently Asked Questions

Q1: What is the purpose of card testing in the context of cybercrime?

Card testing is a way for bad guys to check if stolen credit card information works. They'll run small transactions to see if the card is actually active and can be used for larger, illicit purchases. It's a low-key way for them to check the card without getting caught and to see if the stolen card has potential value.

Q2: What are the economic implications of card testing for merchants?

Card testing is expensive for merchants. They pay for the transaction whether it goes through or gets declined. High chargeback rates can affect their reputation and turn them into a high-risk business, which means even more fees. For small businesses, that can push them over the edge and into bankruptcy.

Q3: What types of transaction patterns signal possible card testing activities?

Carding indicators include an abrupt surge in low-value transactions originating from a single IP address, multiple authorizations that fail, and an increase in transaction declines. All of these activities tend to suggest that fraudsters are using automation to rapidly test multiple card numbers to find the working card that they can exploit.

Q4: How do automated tools and technologies enhance the efficiency of card testing by fraudsters?

Scammers use automated scripts to run hundreds of transaction attempts in a short period of time, greatly increasing their ability to validate stolen card information. This creates the ability to run thousands of tests quickly, so it can be difficult for merchants to spot and stop these activities in time.

Q5: What best practices can merchants implement to defend against card testing fraud?

Merchants can defend themselves here using a multi-pronged approach. That includes things like instituting 2FA and CVV for transactions, performing an Address Verification Service (AVS) check to verify that the customer provided the right address, capping the number of transactions someone can do, blocking risky IP addresses, and proactively reviewing their transaction data. By doing so they'll reduce their chances of being the victim of card testing.

Q6: Why is monitoring transaction patterns crucial for online merchants?

You might even use a different transaction monitoring software yourself. That's okay. That's not the point. I'm not saying that Sift is the best transaction monitoring software. I'm saying that you should use some transaction monitoring system.

Q7: What has been the recent trend regarding card testing incidents, and what does it imply for e-commerce businesses?

There has been an increase in card testing recently, particularly in 2021, once again challenging ecomm businesses to up their fraud protection game. The increase reflects a shift in criminal tactics, and really, as more transactions shift online, the more advanced attacking that environment becomes—further reinforcing that strong security is critical to protecting your business and your customers.

