The Ever-Changing Landscape of Bots and Credit Card Testing

What is credit card testing?

Credit card testing fraud, also known as carding and card cracking, is when cybercriminals make a small online purchase to test whether a stolen credit card number is valid.

Credit card testing often goes unnoticed by fraud-detection solutions and is usually discovered only when it’s too late. Without proper measurements in place, credit card testing fraud can be costly and damaging to both SMBs and cardholders.

How does a credit card testing attack work?

Fraudsters can potentially abuse any user-related function on your company’s website, such as the ability to enable payments. Once the scammer purchases a list of stolen credit card numbers, they test them to see which ones are valid by making small transactions on unsuspecting e-commerce sites.

Fraudsters can enable bots to do this work efficiently. A bot can automatically submit orders on multiple websites to check credit card validity much faster than a fraudster inputting card numbers one by one could.

The fraudster’s end goal is to find valid credit cards they can use to make large online purchases or sell the list of validated credit cards to other cybercriminals.

Example of a carding attack

In 2019, a carding bot called the Canary Bot was was discovered by PerimeterX, a provider of solutions designed to curb online fraud. The Canary Bot was designed to to target e-commerce platforms. Mimicking a real shopper, the bot added products to an online shopping cart, set shipping information and completed the sale on multiple businesses within the platform.

The bot was discovered because its pattern differed from that of human shoppers. For example, activity increased before the holiday shopping season, which isn’t typical, since people usually wait for sales. The bot’s transactions also didn’t follow the usual human shopping time patterns; instead, the transactions happened randomly throughout the day.

What are the ramifications of credit card testing for small businesses?

Bot-driven credit card testing hurts your SMB with charge-backs, shipped goods that are never recovered, lost revenue from fraudulent sales and damage to your brand reputation. Additionally, operational costs rise, while customer service calls take up precious time. If your business unintentionally allowed fraudsters to enter the networks, it’s likely other cybercriminals will follow.

How do fraudsters get a person’s credit card number?

In the age of security breaches and hacks, data centers and credit card agencies unintentionally give hackers abundant access to credit card numbers. Typically, hackers sell a bulk list of stolen card numbers on the dark web, where a buyer — the fraudster — is lurking.

A fraudster can purchase lists of credit card numbers; the list’s resale value depreciates over time. Many cardholders and banks take preemptive measures to shut down credit cards if there is a breach, but a small, unauthorized purchase may go unnoticed.

How do you identify credit card fraud?

Luckily, you can spot red flags when carding attacks occur. Here are some things to look for:

• Unusually high shopping cart abandonment rates and charge-backs
• Small shopping-cart sales
• High proportion of declined payments
• Disproportionate use of the payment step in the shopping cart
• Multiple payments from the same customer within seconds or minutes
• Too many transactions with the same bank identification number (BIN), which is the first six digits of every credit and debit card
• Multiple declined transactions from the same user, IP address or session

How can you protect your business from credit card fraud?

If you’re a small business owner, follow these tips:

• Scrutinize historical operational trends. Increased customer support calls and charge-backs could mean card testers are targeting you. Also, look for spikes in the number of declined transactions. When fraudsters test older stolen credit card lists, many declines will occur.
• Install automated blocking software. Most engineering teams can use simple blocking software for high-velocity attacks, but more sophisticated attacks need specialized software. Some vendors specialize in this type of real-time fraud detection. Make sure your solution can quickly adjust to changing attack patterns and deliver obfuscation strategies to make it harder for fraudsters to complete a sale.
• Partner with a secure payment processor. The best credit card processing services have strong fraud and risk management engines with bot protection. Integrating with the right partner allows you to collect payments and focus on your business with peace of mind.
• Utilize device fingerprinting. This technology combines data from the user’s browser and device to identify a source. Because carding involves multiple attempts and the fraudsters have limited devices at their disposal, fingerprinting can identify the source of carding attacks and shut them down.
• Enable browser validation. Bots hide their tracks by pretending to run a certain browser and then using multiple user accounts. Browser validation analyzes the browser’s JavaScript and activity to ensure that an account acts like an actual human.
• Familiarize yourself with purchasing patterns. Human behavior and purchasing habits conform to specific patterns, including URLs, mouse movements and site engagement. When behavior deviates from the norm, it’s a red flag that a bot may be involved.
• Analyze your traffic. There are certain technical and behavioral patterns common to bots and specific IPs where they tend to originate. By keeping a keen eye on your traffic patterns, you may be able to nip a carding attack in the bud.
• Use AVS responses. An address verification service (AVS) matches the billing address input at checkout with the address on file with the credit card company. If it doesn’t match, the credit card company will still let the transaction go through, but you can set safeguards or use other fraud prevention tools to research the matter.
• Require card security codes. When companies store credit card information, they can’t store the CSV or CVV codes, and cybercriminals will typically not have this information. By requiring the code at checkout, you can ward off criminals.
• Challenge your purchasers. You are probably aware of the many “prove you’re not a robot” challenges online, like checking a box, typing in a captcha or identifying images with a specific item. These measures prevent bots from proceeding.

Jennifer Dublino contributed to this article.