Card testing: An old crime gets a boost in the downturn

A long-standing trick crooks use to optimize credit card theft is becoming more popular, adding another worry for payment processors and merchants already girding for a potential recession. 

While card testing has existed for years, it has grown by more than 100 times in the past three years, according to Stripe. "For merchants it's becoming more problematic," said Will Megson, product lead for Radar at Stripe. "In many cases their revenue growth is shrinking but fraud is going up." 

A new Stripe poll of more than 2,500 businesses found 64% of merchants say it has become harder to prevent fraud over the past three years, a time frame that has also seen a dramatic increase in digital commerce, payments and banking. The survey also found 59% of businesses are worried about fraud losses accelerating in the next year. Card testing, which is used to enhance the effectiveness of other fraud, is also emerging as a concern. 

The large migration of firms to online commerce over the past three years is one reason card fraud is on the rise, with the recent rise in inflation and concerns over an economic slowdown also paying a role, Megson said, adding Stripe has noticed an increase in behaviors consistent with fraud testing and related payment fraud in 2022 as general economic stress has grown. 

Megson-Will-Stripe
Stripe's Will Megson says card testing is on the rise as digital payments increase.

Economic hardship also increases financial fraud attacks against vulnerable consumer and businesses, according to analysis from Experian

Crooks use card testing to measure how "valuable" a stolen card may be. They make small payments for fraudulent purchases, and if enough of these payments are not flagged, they gradually up the ante by making larger purchases. Card testing is the most common form of card fraud, according to Chargebacks911.

Philanthropic ventures, which have accelerated their migration online in recent years, are particularly prone to card testing, according to Stripe, because they often allow small payments of $1 to $5, which are less likely to be noticed by the consumer in a monthly financial statement. 

The use of bots has made card testing easier and less manual. Fraudsters will create bots to automate the process of testing these cards in which they attempt to perform a low dollar transaction and see if the transaction is approved, according to David Mattei, a strategic advisor at Aite-Novarica. If the payment is approved, the crook knows the card issuing  financial institution has not detected a breach and the cards can be leveraged to make larger purchases or greater numbers of purchases. Human farms can also be used to do card testing using a combination of people and automation to circumvent detection," Mattei said. 

Fraudsters also use card testing to find out if card numbers that have been stolen are usable, to ferret out the active cards from inactive cards that have been flagged and shut off. Acting like a data scrubber, the crooks team to create a basket of usable card numbers that are more valuable on the Dark Web, according to Megson. 

"These fraudsters are almost like an enterprise, providing a service to the larger fraud community," Megson said. 

Stripe contends card processing fees accrued in such an attack can bankrupt a small merchant in just a few hours, and those that aren't bankrupted may face higher processing fees from the card merchants to compensate for the high rate of chargebacks they receive. 

Additionally, 75% of global businesses are diverting resources away from developing their products to fight fraud, according to Stripe, and 54% of global businesses think growth in their fraud losses is outstripping growth in their revenue.

Stripe, which powers online payment processing and provides online storefronts for merchants, has added dozens of features to its Radar fraud prevention service as card fraud has increased in recent months. The payment company is using machine learning to gain a better idea of where the attacks may be originating by spotting signs of card testing. 

"It's an ongoing battle that has been ramping up," Megson said. 

Other payment technology companies also offer protections against card testing. Verifi offers tools that help merchants adjust credit card authorization response messages, which can combat card testing. It also offers card verification value checks as well as geolocation  and biometric analysis. Another service includes implementation of 3D Secure protocols, which are designed for digital commerce. JPMorgan Chase, Kount and Chargebacks 911 also offer services to mitigate card testing fraud. 

Bot detection can be used to stop the automated testing of large volumes of stolen card numbers, Mattei said. Other measures include velocity checks to see if there is a spike in the number of incoming authorization requests that is inconsistent with typical authorization volumes and patterns, he said. Velocity checks can also be used around the source IP address or the originating merchant ID to see if a fraudster is using a fake merchant account to submit the test authorizations.

There are other existing measures, such as security teams inserting test images into e-commerce sites to root out bot-induced fraud. Consumers have to identify the images correctly in order for a transaction to be processed, Megson said. "It's something like asking a consumer to pick a stoplight out of a bunch of images that have only one stoplight. It's easy for a person to do that but hard for machines," Megson said. 

For reprint and licensing requests for this article, click here.
Payments
MORE FROM AMERICAN BANKER