E-commerce fraud is quite common. According to credit card processor Shift Processing, credit card fraud was up 18.4 percent in 2018, and that number has continued to climb.
There are different types of e-commerce fraud, and to capitalize on their efforts, most of the savvier fraudsters test credit card numbers and employ different techniques to evade detection.
But what is a test credit card number? And how can fraudsters continue to employ this technique?
We’ll answer those questions in this blog.
What Is a Test Credit Card Number (vs. Testing Credit Card Numbers)?
It’s important to highlight that there’s a difference between a legitimate test credit card number and the practice of fraudsters testing stolen credit card credentials.
Test credit card numbers are ways for businesses to legitimately check their payment systems and verify that they’re working as intended.
These are card numbers that aren’t tied to real accounts, and they may be used by companies to trigger a specific response when used in testing.
The act of testing credit card numbers is when a scammer tries out a stolen credit card number on a small purchase to verify that it works before committing larger-scale fraud.
What Is Credit Card Fraud & How Is It Different for E-Commerce?
When people think of credit card fraud, they often think of the simplest method: A thief using a stolen credit card to make a purchase.
The transaction usually goes through, and the victim has to file a complaint with their card issuer to rectify the situation. The items purchased may be gift cards that the criminal uses as cash, goods that are resold, or goods that are kept by the criminal.
Such fraud can be divided into two broad categories:
- Card not present fraud (where the fraudster completes a transaction online or over the phone using stolen card information).
- Card present fraud (where the fraudster visits a store location with a copy of a card or even the actual stolen credit card).
This type of crime has been around since credit cards were first issued, and it continues to be a problem as online sales platforms make it harder to check identification before a purchase is made.
According to NCR, the rate of “card present” fraud has dropped in recent years—declining from $3.68 billion in 2015 to $2.91 billion in 2016.
However, “card not present” fraud increased during that time period, going from $3.4 billion to $4.57 billion.
This can be explained by the increased ease and safety of card not present fraud for scammers. With “card present” fraud, the person using the stolen card could be caught by security or police if the card was reported stolen, have their likeness captured by CCTV cameras, and have their general location tracked to the site of the fraud attempt.
“Card not present” fraud lets them use the card without the risk of getting physically caught at the time of transaction—increasing the likelihood of getting away.
A second method of payment card fraud occurs with affiliate marketing. This method doesn’t rely so much on the actual goods purchased.
Instead, the payday comes in the form of an affiliate payment. This lets the fraudster double-dip on their money-making schemes.
Since affiliate marketing often pays a percentage of a sale, fraudsters have learned that they can use this as a way to cash in. By making fraudulent purchases with stolen payment card information, they can get paid by the affiliate—typically before the chargeback comes through.
The charge is often still disputed, but that isn’t the scammer’s concern in this case. The money they collect from the marketing firm is what they are interested in.
This form of fraud could be another driving factor behind the increase in “card not present” fraud reported by NCR.
How One Instance of Fraud Creates Multiple Victims
How does a fraudster testing credit cards create multiple victims?
Here’s a quick breakdown of the harm a single fraudulent transaction can do.
First, the fraud can do short-term harm to the credit card’s owner. The victim can be left on the hook for a large transaction—leading to account overdrafts and other difficulties until they’re able to dispute the charge and get it cleared from their record.
Second, merchants lose the revenue from the transaction and have to deal with the lost value of their goods, the cost of shipping, and potential chargeback fees from the bank. This is because, unlike “card present” fraud where sufficient physical protections (like chip readers) can absolve the merchant of responsibility for the fraud, the merchant is held liable for the charges made with stolen payment card information. Merchants may even be assessed fees from their credit companies if they experience excessive amounts of fraud.
Last, banks and card issuers may be held liable for fraudulent charges. This forces them to cover the cost of the transaction if the merchant cannot be held liable. Additionally, banks are forced to process extra transactions and paperwork to reimburse the consumer and report the fraud to the authorities.
How Crooks Collect and Test Credit Card Numbers
How do criminals collect and then test credit card numbers? The sad fact is that there is no shortage of methods by which fraudsters can scam people out of sensitive financial information.
This isn’t limited to payment card information like the 16-digit number, CVV, and expiration date either. Some scammers might collect a victim’s bank account information to make direct money transfers using that account number.
Here are a few ways that fraudsters might illicitly collect financial information:
1. Buying Stolen Payment Card Info off the Dark Web
Some criminals don’t use stolen credit card information themselves. Instead, they auction that information off to the highest bidder or batch large collections of stolen card data together to sell en masse to another fraudster.
The value of stolen payment card data varies wildly. Some estimates range from $5 per card to $150 per card depending on the quality and amount of supplemental data that goes with it.
2. Credit Card Skimmers
One of the oldest tricks in the book for collecting credit card information is to use a card skimmer on a point-of-sale (POS) terminal in a retail location.
Here, a thief will take advantage of an understaffed store to take apart a credit card reader and insert a skimmer device.
The device resides in the card reader and will scan the information off of any card inserted into the scanner afterwards. Some card skimmers may also include a fake keypad placed over the real one to capture debit card information as well. The information is stored on the skimmer until the thief can retrieve it.
Card skimmers are especially common in gas station pumps, as they are located outside where store staff are less able to directly monitor them and intervene. A particularly busy gas station could allow criminals to collect hundreds (or even thousands) of card numbers in a relatively short period of time.
3. Online Phishing Schemes
Cybercriminals (crooks who operate online) may use a technique called phishing to trick people into voluntarily giving up their credit card or banking information in droves.
There are a lot of different phishing techniques, but they often involve using spoofed email and website domains to trick their victims into thinking that they’re dealing with a legitimate company.
For example, a fraudster might send out a mass email to random people online warning them that their Netflix account payment information is invalid and needs to be updated.
In the email, there’s a link to a “mynetflix.payment.com” page (or something similar) that looks like the streaming service’s accounts page.
Unsuspecting users then re-enter their credit card info to avoid losing their streaming service, only to get hit with a bunch of fraudulent charges a week or two later.
4. Massive Data Breaches
Data breaches are a way for fraudsters to acquire a massive quantity of credit card numbers in a short amount of time.
Once a company’s security has been breached, cybercriminals can start collecting data—whether it’s data stored in the company’s database or “data-in-flight” that is captured as transactions are made.
Some of the worst data breaches have involved the theft of account details for millions of people taking place over several years. For example, the Marriott data breach of 2018 affected 500 million customers and included information like passport details, email addresses, and credit card information.
Why Criminals Test Credit Card Numbers
Since the advent of the internet, criminals have been able to buy stolen payment card information rather easily. However, not all stolen credit card numbers work. Cardholders eventually catch on to the fraud and their card number is changed.
Despite this, some older cards still work. In order to make this scam profitable, the bad guys have to test the credit card numbers. This is often done by using botnets to test multiple card numbers at a time, instead of entering this information by hand.
The bots then make low-cost purchases on small e-commerce sites. The credit card numbers that work are recorded, and the ones that don’t are (presumably) discarded.
After fraudsters are done testing the credit card numbers, they start to use the active ones for larger purchases.
Virtual gift cards make it easy for criminals to collect stolen goods when they are nowhere in the vicinity of their victim. If actual goods are purchased, the packages are often stolen from the recipients by porch pirates or shipped to an address that is hard to track.
How to Stop Test Credit Card Fraud
While big purchases are where the criminals make most of their money, the testing of credit card numbers tends to hurt businesses the most.
These small purchases often end up costing hundreds after you are hit with chargeback fees and other problems. These purchases are also easier to spot, if you know what operational trends to look for:
- Monitor small order activity. If you notice that you are receiving a large volume of small order attempts, there may be something underhanded going on.
- Watch for purchases of small items that often accompany larger ones or items that are purchased out of season.
- Monitor purchases that come from foreign IP addresses, especially if you sell primarily inside your own country and you see a wave of traffic from customers abroad.
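As an added illustration (not code from the original post), the first and third signals above can be checked over an order log with a sliding time window. The record fields, thresholds, home country and the "XX" placeholder country code are all assumptions, and the sample orders are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against your own baseline.
SMALL_ORDER_MAX = 5.00           # amounts at or below this count as "small"
WINDOW = timedelta(minutes=10)   # sliding window length
MAX_SMALL_ATTEMPTS = 5           # small attempts tolerated per window
HOME_COUNTRY = "US"              # where the shop primarily sells

def summarize(burst):
    """Describe one burst of small order attempts."""
    foreign = sum(o["country"] != HOME_COUNTRY for o in burst)
    return {
        "start": burst[0]["ts"], "end": burst[-1]["ts"],
        "attempts": len(burst), "declined": sum(not o["approved"] for o in burst),
        "foreign_share": foreign / len(burst),
    }

def detect_bursts(orders):
    """Return one summary per burst of small attempts exceeding the threshold."""
    window, bursts, current = deque(), [], None
    for o in sorted(orders, key=lambda o: o["ts"]):
        if o["amount"] > SMALL_ORDER_MAX:
            continue                      # only small orders are of interest
        window.append(o)
        while o["ts"] - window[0]["ts"] > WINDOW:
            window.popleft()              # drop attempts older than the window
        if len(window) > MAX_SMALL_ATTEMPTS:
            # A burst begins with the whole window, then grows one order at a time.
            current = list(window) if current is None else current + [o]
        elif current is not None:         # volume fell back: close the burst
            bursts.append(summarize(current))
            current, window = None, deque([o])
    if current is not None:
        bursts.append(summarize(current))
    return bursts

def sample_orders():
    """Constructed sample data: three normal orders plus twelve $1 attempts."""
    t0 = datetime(2024, 1, 1, 12, 0)
    normal = [{"ts": t0 + timedelta(minutes=m), "amount": a, "country": "US", "approved": True}
              for m, a in [(0, 48.00), (7, 3.50), (95, 120.00)]]
    # "XX" is a placeholder for any country outside the home market.
    burst = [{"ts": t0 + timedelta(minutes=30, seconds=20 * i), "amount": 1.00,
              "country": "US" if i % 4 == 0 else "XX", "approved": i % 5 == 0}
             for i in range(12)]
    return normal + burst

if __name__ == "__main__":
    print(detect_bursts(sample_orders()))
```

A burst with a high declined count and a foreign share far above your normal customer mix is the pattern to review first.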
The most effective method of preventing credit card fraud on your site is to use a fraud prevention solution. If you place this type of solution in your security stack, it will monitor for possible fraud.
By collecting hundreds of data points, the best-in-class fraud prevention solutions spot and stop fraudulent activity without blocking legitimate customers from making a purchase.
Whether it is full credit card fraud or simply testing credit card numbers, many e-commerce sites are going to face this issue at one time or another.
Before your business is hit by fraudsters, look into how a trusted fraud prevention solution can help you. The costs associated with credit card fraud will continue to rise as the criminals become more and more sophisticated.
Make sure that you are doing what you can to protect your business and your customers by employing the right solutions to fight back against fraud.