Article provided by Authorize.net
What you need to know about card testing fraud
Small and mid-size businesses should be proactive with fraud management to protect against fraudsters who may regard them as easy targets. You may think that the size of your business makes you less vulnerable to fraud attacks, but the opposite can often be the case. Sophisticated fraudsters have a good idea about which businesses have less protection or don’t have a dedicated fraud manager. They may target what they regard as relatively undefended businesses with card testing attacks.
Imagine waking up to find your site bombarded by thousands of transactions. “Yippee!” you think. “My hard work is paying off.” But you look closer and see that all the purchases are small, and the vast majority are declined for some reason. You realize they’re fraudulent. At first, you aren’t sure it’s a big deal; the charges are small, after all. But then you start getting calls from customers about purchases they never made. When the calls have subsided, you start adding up all the chargebacks and authorization fees and realize that this month’s profits—and maybe even this year’s profits—are down the drain. Unfortunately, you are not alone. Card testing is one of the largest threats to modern e-commerce merchants. In fact, it was the most common form of fraud experienced by merchants in North America in 2021.1
What is card testing?
Fraudsters use card testing to validate credit card numbers for later use. Testing typically falls into two types: testing card numbers that have been illegally obtained, or intelligently guessing card numbers. A fraudster with a stolen credit card number makes a small purchase to check if the card is active and if the purchase avoids the merchant's fraud detection measures. If the small purchase is successful, the fraudster starts making larger purchases to get as much as they can out of the card before the fraud is detected.2
This process reveals which cards have been canceled or deactivated—and which ones are still valid. Once the canceled or declined card numbers are weeded out, fraudsters move on to make larger purchases or resell the validated information.
Who’s at risk?
Card testing attacks often target small and medium businesses as well as organizations that accept donations or even tuition. Businesses and organizations that don’t sell a physical good tend to be particularly vulnerable because they assume fraud isn’t a worry—the fraudsters know this and deliberately target them as a result.
What are the likely effects of a card testing attack?
Our risk analysts have found that a card testing attack can negatively affect an unprepared business for several months, causing financial and other losses. Here's a typical timeline of what you could experience:
Day 1 (attack day)
The fraudster submits potentially thousands of orders, many of which could be approved. Approved orders for physical goods could start to ship, resulting in lost product. Once card issuers become aware of what's happening, they may ask your acquirer to shut down your ability to process transactions. You'll need to provide proof of a mitigation strategy before you can restart transaction processing.
Day 2-30
Because the fraudster submitted so many transactions, you may have to pay significant authorization processing fees to your acquirer and payment gateway. For example, your authorization fees could jump from an average of $40 a month to $15,000 a month. To add insult to injury, you won’t earn any revenue on these transactions, either.
Day 31-120
Chargebacks and their associated fees start to roll in because transactions weren't reversed during the initial attack.
Ongoing
Your business could experience brand and reputational damage and loss of customer trust.
What can I do to protect my business from card testing?
Unfortunately, once a card testing attack is in progress, there's little you can do. Your future self will thank you if you take a proactive approach to preventing card testing (and other types of fraud) instead of reacting to an attack after it occurs.
- Be proactive. Look at your website and see where you might be vulnerable. What customer verification tools do you have in place now? Don’t ignore suspicious activity.
- Use a fraud mitigation tool. Authorize.net has a built-in fraud tool: Advanced Fraud Detection Suite comes with 13 easily configurable fraud filters to help set proper minimum transaction thresholds, payment velocity settings, country limitations, and more to help prevent processing fraudulent transactions.
- Set up a simple firewall. Many firewalls come with basic tools for botnet detection, prevention, and removal.
- Consider implementing some type of CAPTCHA into your checkout flow. This technology has improved in recent years and can produce much less friction to your customers than previous versions.
- If you accept donations or other custom payment amounts, set a minimum. Fraudsters aim to validate if a card is good without the cardholder noticing and reporting it. The smaller the charge, the less likely it is to attract attention. Set a minimum value that is as high as possible while still being appropriate for most donors.
No single solution can completely stop fraud, which is why we recommend a multi-layered strategy. Consider combining best practices like risk reviews, minimum payment thresholds, and early identification of anomalies with a range of capable tools.
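As an added illustration (not Authorize.net code and not how the Advanced Fraud Detection Suite is implemented), the sketch below layers three of the checks named above over a transaction stream: a minimum amount, payment velocity, and a decline-ratio anomaly check. The thresholds, the record layout, and the choice of source IP as the grouping key are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical thresholds; tune them against your own normal traffic.
MIN_AMOUNT = 5.00                 # minimum payment threshold
WINDOW = timedelta(minutes=10)    # look-back window for velocity
MAX_ATTEMPTS = 5                  # prior attempts allowed per key in WINDOW
MAX_DECLINE_RATIO = 0.6           # share of recent declines treated as anomalous

def sample_transactions():
    """Constructed data: (timestamp, source_ip, amount, approved)."""
    t0 = datetime(2024, 1, 1, 3, 0, 0)
    # Burst of small, mostly declined charges from one source.
    txns = [(t0 + timedelta(seconds=20 * i), "203.0.113.7", 1.00, i % 5 == 0)
            for i in range(12)]
    # Ordinary customer activity, plus one small custom-amount payment.
    txns += [(t0 + timedelta(minutes=1), "198.51.100.4", 42.50, True),
             (t0 + timedelta(minutes=30), "198.51.100.4", 18.00, True),
             (t0 + timedelta(minutes=2), "192.0.2.9", 0.50, True)]
    return sorted(txns)

def evaluate(txns):
    """Return [(txn, reasons)] for every transaction that trips a check."""
    # Keyed by source IP here (an assumption); a device ID or card prefix
    # could be used as the key in the same way.
    history = defaultdict(deque)
    flagged = []
    for ts, ip, amount, approved in txns:
        recent = history[ip]
        while recent and ts - recent[0][0] > WINDOW:
            recent.popleft()      # drop attempts older than the window
        reasons = []
        if amount < MIN_AMOUNT:
            reasons.append("below_minimum")
        if len(recent) >= MAX_ATTEMPTS:
            reasons.append("velocity")
        declines = sum(1 for _, ok in recent if not ok)
        if len(recent) >= 3 and declines / len(recent) > MAX_DECLINE_RATIO:
            reasons.append("decline_ratio")
        recent.append((ts, approved))
        if reasons:
            flagged.append(((ts, ip, amount, approved), reasons))
    return flagged

def reasons_by_source(flagged):
    """Collapse flagged transactions into {source_ip: set of reasons}."""
    summary = defaultdict(set)
    for (_, ip, _, _), reasons in flagged:
        summary[ip].update(reasons)
    return dict(summary)
```

On the constructed data, the burst source trips all three checks, the single small payment trips only the minimum-amount check, and the ordinary customer is not flagged.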
Stop fraud before it happens. Small businesses should be proactive with fraud management – take the time to understand what you can proactively do to protect your business and the tools available that help prevent fraud and ensure you are protected.
1 Preventing Card Testing Fraud by Chargeback Gurus, January 1, 2022, https://www.chargebackgurus.com/blog/card-testing-fraud
2 Preventing Card Testing Fraud by Chargeback Gurus, January 1, 2022, https://www.chargebackgurus.com/blog/card-testing-fraud