In the years since I co-founded eMerchantBroker we’ve seen the introduction of EMV standards help reduce the incidence of fraud in card-present environments. Unfortunately, as predicted, this tightening of security has caused fraudsters to migrate to the online world. According to Radial’s eCommerce Fraud Technology Lab, in the last year, fraud in the online space has increased 30%. And, they also report that in Q1 of 2017, a new problem has emerged. The rate of credit card testing has increased by 200%.
This testing explosion is driven by the need of criminals to quickly identify which stolen credit card numbers are active before customers discover the theft and close the account. The fraud is the primary problem most merchants worry about. But there are secondary problems that this testing creates. Card testing and the false-positives it generates can have dramatic negative impacts on merchants operating in that space. The high-risk processing industry is especially susceptible to these issues since many merchants operate in the less-secure card-not-present online environment. According to Radial the greatest increases in online fraud since August 2016 occurred in electronics, entertainment, jewelry and sporting goods—all items that can easily be resold, and because they are bought online, subject to the high-risk classification.
How fraudsters use card testing
Criminals are able to obtain large batches of stolen credit card numbers from sources on the dark web. Any one such transaction may give them hundreds or even thousands of numbers. And that creates an urgent ticking clock problem for them. In order to use those credit card numbers to make online purchases of items they can easily convert into cash they need to figure out which cards are still active. They have only a short window of time before consumers realize their data has been stolen and take action to close the account.
To solve this problem, fraudsters are turning to high-tech solutions. Many are investing in large server farms and hiring skilled developers to create scripts and bots that can automate the payment process. These programs can automatically attempt large numbers of small dollar value purchases, and track which cards are active. Those cards can then be used by the criminal to make big purchases before the account is closed. The testing software allows the criminal to check thousands of accounts in one quick blitz. But, not only does automated card testing reveal which cards can be used to make fraudulent purchases, it also creates secondary problems for merchants.
What is the financial and brand impact on merchants?
The first order problem for merchants is that unless they actively employ fraud prevention tools to combat card testing they leave themselves open to fraudsters making large purchases that customers will contest. But secondarily, if they are overly aggressive in their fraud prevention program high-risk merchants run the risk of rejecting transactions that are legitimate. This leads, not just to lost revenue, but also to decreased customer trust and confidence. When real customers have transactions rejected that shouldn’t have been, it creates negative reactions. Customers start to feel that the merchant doesn’t have a good handle on their anti-fraud procedures. And it’s a message that is likely to spread. Those kind of customer experiences are quickly shared with friends and on social media. Over time the mishandling of these false positives can have a serious negative impact on a merchant’s brand.
Taken together the combination of product loss due to fraudulent card use and false positives due to faulty fraud prevention poses a serious danger to high-risk merchants. In today’s competitive landscape they can’t afford to reject valid purchases or customers, and they certainly can’t afford the chargeback costs attached to failing to recognize fraudulent activity.
What they need is a robust fraud prevention strategy that targets card testing while reducing customer friction associated with false positives.
What can be done to mitigate the problem?
The first step in preventing card testing related fraud is to identify when it is happening. That requires security software tuned to the patterns that indicate card testing is being attempted. Generally, this software will be built around rules that identify common testing activities. The application looks for things like:
- small dollar transactions
- large numbers of transactions in a short period of time
- many transactions from different card brands
- higher than normal authorization failures
- card verification value mismatches
The system must be capable of catching this activity in almost real-time, without rejecting legitimate purchases from regular customers. If the testing pattern is only recognized after the fact, the fraud can’t be prevented. Those active stolen numbers will quickly be used to make larger, more damaging purchases.
The second piece of the solution is to be able to take action once fraud is detected. The anti-fraud software needs to be able to halt so-called ‘velocity attacks’—which occur when a large batch of stolen numbers is tested. Either the testing needs to be automatically shut down, or, at the very least, it needs to be flagged for human intervention.
Other solutions include apps that can identify when transactions are coming from human buyers rather than automated scripts or bots. Something as simple as Google’s reCAPTCHA tool which requires users to check a box when logging in accomplishes this without creating friction in the sales process. As well, two factor authentication—which asks for an additional layer of identification after username and passwords—can ward off fraudsters looking for the easiest possible path to validating their stolen data.
The bottom-line is it takes automation and skilled code development to defeat the criminals’ investment in their own high-tech automation software. High-risk merchants should look for processing solutions that include state-of -the-art fraud prevention software. They need to be protected by applications that can recognize and stop card testing—without generating the false positives that put a drag on revenues and decrease customer confidence.
The false positives created by the surge in card testing fraud are hurting the high-risk payments industry. Merchants and processors need to take significant steps to combat fraudsters who use sophisticated software automation to identify card numbers they can use to make illegal purchases. Because many of the merchants who fall into the high-risk category are online sellers, their challenge is acute. As credit card testing carried out by fraudsters becomes increasingly common high-risk merchants must find the right fraud prevention tools to avoid becoming victims.
Electronic payments expert, Blair Thomas, co-founded eMerchantBroker in 2010. His passions include writing/producing music, and travel. eMerchantBroker is America’s No. 1 credit card processing company, serving both traditional and high-risk merchants.