Card Testing Fraud

Introduction to Card Testing Fraud

Credit card fraud is a prominent problem in the United States. The Federal Trade Commission (FTC) received almost 390,000 reports of credit card fraud in 2021, making it one of the most common types of fraud. However, this number doesn’t give a complete picture of the issue.

According to the Nilson Report, which monitors the payments industry, the U.S. is expected to lose $165.1 billion due to card fraud over the next decade, affecting people of all ages and residing in all states. Card-not-present fraud (CNP fraud), which involves online, over-the-phone, and mail-order transactions, is one of the most common types of credit card fraud, and it caused approximately $5.72 billion in losses in 2022, as per Insider Intelligence.

What is Card Testing Fraud?

Card testing fraud, also known as carding, is a type of credit card fraud where fraudsters attempt to validate stolen credit card information by making small, low-risk transactions or “test” purchases before conducting larger fraudulent transactions. The primary goal of card testing is to determine if a stolen credit card is still active and whether the cardholder or financial institution is likely to detect and block unauthorized transactions.

How Card Testing Fraud Works

Fraudsters want to acquire as many stolen credit cards as possible to validate and assess their viability for fraudulent transactions. Here’s how a credit card testing scheme typically works.

1. Acquisition of stolen credit card data. Cybercriminals obtain credit card information through various means, including:
   • Data breaches: Hackers breach the security of organizations and steal databases of credit card data.
   • Phishing: Fraudsters trick individuals into revealing their credit card details through deceptive emails or websites.
   • Card skimming: Criminals use skimming devices to capture card information from physical card readers, such as ATMs or point-of-sale terminals.
   • Dark web purchases: Criminals can purchase stolen credit card data from underground markets on the dark web.
2. Compilation of card data. Once the criminals have collected significant credit card data, they compile it into a list or database. This data may include credit card numbers, expiration dates, cardholder names, and CVV (Card Verification Value) codes.
3. Test transactions. To determine whether the stolen credit card data is valid and whether the cardholders or financial institutions are likely to detect unauthorized transactions, cybercriminals initiate small, low-risk transactions or “test” purchases. These test transactions typically involve:
   • Online purchases: Criminals use the stolen card details to make small online purchases, such as digital goods, gift cards, or low-value items.
   • Subscription services: They may sign up for subscription services, where the initial transaction is minimal.
   • Donations: Criminals may make small donations to charities or crowdfunding campaigns.
4. Monitoring for flags or detection. After conducting test transactions, the fraudsters closely monitor the credit card accounts to see if any of the following events occur:
   • Immediate account block: The test fails if the financial institution or cardholder detects the unauthorized transaction and blocks the card.
   • Flags for suspicious activity: Multiple small transactions or unusual purchase patterns may trigger fraud detection systems or alerts, leading to further investigation.
   • No detection: If the test transactions go unnoticed, the cybercriminals gain confidence that the stolen card data is valid ,usable, and valuable.
5. Monetization of validated data. Once they have successfully validated the stolen card data through testing, cybercriminals can:
   • Sell the validated credit card information on the dark web, where other criminals can purchase it.
   • Use the stolen data for more significant fraudulent transactions, such as purchasing high-value items, using the card to commit subscription fraud, making cash withdrawals, and other illegal activities.

How to Prevent Card Testing Fraud

To combat card testing fraud, merchants must employ sophisticated fraud detection systems and monitoring mechanisms to identify unusual patterns, monitor transaction velocity, and promptly block or investigate suspicious transactions. Cardholders are encouraged to monitor their account statements for unauthorized activity and promptly report any suspicious charges to their card issuer. Additionally, strong authentication measures, such as multi-factor authentication (MFA) and CVV requirements, are used to enhance security during online transactions. However, each single method cannot stand on its own, and a robust fraud detection and prevention solution is required to combat unauthorized credit card use effectively.

Take the following measures to prevent card testing fraud and protect your eCommerce store against unauthorized transactions.

Implement a Fraud Prevention System That Learns Patterns and Detects Anomalies

Utilize advanced fraud detection systems that can identify unusual patterns and behaviors associated with card testing and other fraudulent activities. A great fraud prevention solution will use advanced algorithms, machine learning and data analytics to identify suspicious and fraudulent transactions in real-time. 

Be sure to customize your fraud detection rules and machine learning models within your fraud prevention solution to adapt to evolving fraud patterns and specific risk factors in your industry or business. And finally, set alert thresholds that trigger investigations or further actions when suspicious transactions or patterns are detected.

Find a fraud prevention solution with robust transaction monitoring that uses advanced algorithms to detect anomalies and deviations from established transaction norms. For card testing fraud prevention, they look for:

• Rapid and repetitive small transactions from the same card
• Transactions originating from unusual or unexpected locations
• Large transaction volumes in a short period
• Multiple failed transaction attempts within a short time frame
• Transactions with suspicious merchants or merchant categories

Multi-Factor Authentication (MFA)

Require MFA for online transactions to provide an additional layer of security, making it more difficult for fraudsters to use stolen card information. Choose the MFA methods that best fit your organization’s needs and user preferences. Common MFA methods include:

• One-time passwords (OTP) sent via SMS, email, or mobile apps
• Biometric authentication, such as fingerprint or facial recognition
• Hardware tokens or smart cards
• Knowledge-based authentication (KBA), involving security questions or personal information
• Push notifications to mobile devices for approval

Consider implementing adaptive authentication, which assesses the risk associated with a transaction or login attempt and selects an appropriate level of MFA based on the perceived risk. Higher-risk transactions can trigger stronger authentication.

Set Up Velocity Rules 

Velocity checks, also known as velocity limits or velocity rules, are an essential component of fraud prevention systems. They are designed to monitor the frequency and volume of certain activities, such as transactions or login attempts, within a specified time frame. Velocity checks are particularly effective in detecting and preventing card testing fraud, account takeover attempts, and other types of fraudulent activities characterized by rapid, repetitive actions.

Consider a Pre-Gateway Fraud Prevention Solution

Pre-gateway fraud prevention works to maximize approvals and reduce false declines by working in sync with a dynamic checkout before the customer gets to the payment gateway. It prompts shoppers to fix typos or incorrect information in real-time, rather than screening orders post-gateway when the opportunity to redeem a rejected order is lost. See NoFraud Checkout to learn more.

Card testing fraud is a significant concern for financial institutions, merchants, and cardholders alike. By implementing robust security measures and monitoring systems, it’s possible to detect and prevent card testing fraud, reducing the risk of financial losses and protecting consumers’ sensitive information.