Card Testing: One, Two, Three, Fraud
Good news! Your marketing campaign worked, your ecommerce site has so many new visitors at once you’re lucky the site didn’t crash. Sure, their purchases are small, but they’re adding up, and some of those new customers are returning to make larger purchases. You also notice several card authorizations are declined, but that’s not too uncommon for online transactions.
The bad news? In 30 to 90 days, you start seeing a lot of chargebacks. The transactions were initially approved, and the merchandise was shipped and delivered. The customers never notified you of a problem with the order. What went wrong? In a word: fraud. Specifically, credit card fraud.
Credit card fraud can happen to any merchant, but online merchants experience more than brick-and-mortar merchants. As we often see, what’s convenient for shoppers and merchants is also convenient for fraudsters.
Losses due to card fraud affect businesses and consumers alike. One of the most popular forms of ecommerce fraud is card testing fraud. What is card testing fraud? How does it often go unnoticed? And is there anything online merchants can do to prevent it?
Ecommerce Sales and Card Fraud: By the Numbers
Before we get into the specifics of card testing fraud, let’s look at the bigger picture of ecommerce and credit card fraud in general.
Ecommerce is big business. Not surprisingly, there was a sharp increase in ecommerce sales in Q2 2020 when the pandemic hit, and the numbers have continued to grow ever since. In the U.S. alone, ecommerce sales measured more than $280 billion for Q3 2023. That’s 15.6 percent of total retail sales for the same period.
Card fraud is big business as well, and it causes big problems for online merchants in the form of card-not-present (CNP) fraud, including card testing fraud. Unfortunately, as ecommerce grows, so does CNP fraud. It is projected to make up 73 percent of card fraud, or nearly $9.5 billion in losses, and more than half of CNP fraud activity comes from online merchants.
How Can Small Transactions Lead to Bigger Fraud?
To fraudsters, card testing is like dipping your toe in the pool to check the water temperature. Once fraudsters acquire card numbers, they test them by making small purchases to see if the numbers are valid. If they are valid, fraudsters don’t stop with that small purchase; they have bigger, more profitable plans.
But first, in order to test card numbers, fraudsters have to acquire them, and they have several ways to do so, including:
1. Data breaches. After a data breach, millions of card numbers, along with corresponding expiration dates and verification codes, end up on the dark web, where they sell for as little as $5 per record.
2. Card skimmers. Thieves place card skimming devices in card readers, frequently at gas stations and ATMs. When a card is inserted for payment, the device scans and stores credit card information. After hundreds or thousands of cards have been skimmed, the thieves retrieve the device and then use the card information themselves or sell it to other fraudsters.
3. Phishing schemes. Chances are you have received an email that seems to be from Netflix, Amazon, or some other subscription service, or even from your credit card company or a payment app such as Venmo or PayPal. The message says your payment card is invalid or expired and provides you with a link to update your information to avoid an interruption in service. The email and the link seem legit, but card information may be put at risk as soon as the link is clicked. It’s either delivered directly into the hands of fraudsters when the recipient enters the information, or the link installs malware that fraudsters can use to steal card and other personal information.
4. Lucky guesses. Cardholders may not realize that the first six numbers on a credit card number represent the Bank Identification Number (BIN), but fraudsters know. With that information, they can use software to generate card numbers to test.
Fraudsters test the fraudulently acquired card numbers by making small purchases online. They then use networks of compromised computers, or botnets, to quickly test thousands of numbers across multiple ecommerce sites to avoid detection. Active, valid card numbers that receive authorization are then typically used by the fraudsters in one of two ways: they make larger purchases with them or package them up to sell on the dark web. This is why card testing is often considered the first step in a larger fraud scheme.
The Widespread Effect of CNP Fraud
CNP fraud and card testing create multiple victims: cardholders, merchants, banks, and card issuers.
While cardholders are rarely responsible for fraudulent credit card transactions, they suffer the frustration of lost time disputing the charges. They likely also need to have the card replaced, which means they’ll spend more time updating any recurring payment information. If the fraud occurs with a debit card number, the transaction amount is deducted from their checking account, and the cardholder may have to wait as long as 90 days for the money to be refunded.
Online merchants not only lose revenue from fraudulent transactions, they are also out the time and expense of processing and shipping the order. In the short term, they can also rack up fees for declined transactions; if they experience excessive fraud, their processor may label the merchant as “high risk” and increase their transaction fees.
During a massive card testing attack, an ecommerce site can become overwhelmed, making it difficult, if not impossible, for legitimate customers to shop and complete purchases. Finally, the merchant’s brand takes a hit with cardholders.
Those who were customers before any fraudulent transactions hit their account may not come back; those who had not purchased from the ecommerce site in the past now have a negative impression and will likely never consider shopping on the site.
While the affected merchants usually absorb all the fraud costs, banks and card issuers are still out the time and costs related to fraud, including customer service and investigating claims.
Ultimately, we all pay the cost of credit card fraud in all its forms. That’s why it’s imperative that online merchants take proactive steps to identify and stop it as soon as possible.
How Online Merchants Can Detect and Fight Credit Card Fraud
Since card testing is a problem that can lead to even bigger ones, online merchants need to know the signs and how to prevent it. Watch out for lots of small purchases, particularly if they are coming in quickly or from unusual geographic regions, as this often indicates card testing. An unusually high number of declined transactions is another sign.
There are several verification steps ecommerce sites can incorporate to protect against card testing, including matching cardholder and billing address, requiring CVV to authenticate the card number, and email verification. Some sites may require users to create an account and log in to make a purchase. While cardholders may appreciate efforts to protect themselves and online merchants from fraudulent activity, too much friction in shopping and checkout processes may turn legitimate customers away.
One of the most effective and frictionless methods of preventing card testing and other forms of CNP fraud is to use a fraud prevention solution that constantly monitors your ecommerce site activity.
By collecting and reviewing hundreds of data points about each site visitor, Anura’s best-in-class ad fraud prevention solution can determine whether a visitor is a real human customer or a bot, even those types of ad fraud that replicate human behavior. Identifying fraudulent or invalid visitors and stopping them before they can make a fraudulent transaction or install malware on your site can save an online merchant the fraud-related costs of money and time.
Are you doing all you can to prevent ad fraud to protect your business and your customers? Learn more about ecommerce fraud and how Anura can help you fight and prevent it.