Protecting your business from fraud in an ever-changing ecommerce industry is a difficult task, especially when you have to fight on two fronts: shielding your organization from risk as well as your customers from scams. Fraud losses worldwide reached over $27 billion in 2018 and are projected to rise to over $35 billion in five years and $40 billion in 10 years, according to The Nilson Report. For small businesses, staying ahead of ever-changing fraud tactics and reducing risk is becoming more essential.
Card testing is one of the most common fraud threats in today’s business world, but fortunately, you can take preventive measures by learning what card testing fraud is and following a few best practices.
How does card testing fraud work?
One card testing attack is a trial-and-error method used by fraudsters to get, within seconds, payment card information such as an account number, card expiration date or Card Verification Value 2 (CVV2), as well as a user password for online account access. Card data doesn’t have to be stolen; it can also be created. Automated software can generate a large volume of guesses of account data. A fraudster can continue to run credit card numbers through business websites until the authorization response comes back approved.
With carding, fraudsters can identify the beginning of a card number and, using technology, determine the possible whole number and likely access complete account details. Fraudsters pick a target website with the least amount of steps to get to the payments page and process transactions on this payment page for a small amount on the card. If the transaction authorizes, then the fraudster will know this card number is valid and can be used elsewhere.
How can you protect your business from card testing fraud?
As you monitor and update your fraud-prevention techniques, consider these best practices to protect your business:
Use CAPTCHA Controls and Three-Domain Secure (3DS) Authentication
This may help to prevent automated transaction initiation by robots or scripts (for example, five authorizations from one IP address or card).
Use a Layered Validation Approach
CVV2 and Address Verification Service (AVS)
Monitor IP Addresses
Include IP address with multiple failed card payment data in a fraud detection’s black-list database for manual review.
Look for logins for a single card account coming from many IP addresses.
Use for small and large transactions as well as authorization-only transactions.
Throttling injects random pauses when checking an account to slow brute force attacks that are dependent on time.
Monitor Processing Patterns
Excessive usage and bandwidth consumption from a single user.
Multiple tracking elements in a purchase linked to the same device. (Example, multiple transactions with different cards using the same email address and same device ID)
Monitor Login Attempts
Lock out an account if a user guesses the user name / password.
Lock out any account authentication data incorrectly on “x” number of login attempts.
Know the differences between the interactions of a legitimate user on a website and those of a fraudster. A user quickly moving between fields and going quickly to another section are likely signs of a bad actor. Using technology to track users can help reduce fraud.
Online payment fraud is an ongoing threat that could affect your business if you are vulnerable to attack. We encourage you to examine your fraud protection strategies today, and talk to your Heartland representative if you have concerns about staying protected.