Card Testing: Stay Ahead of Fraudsters’ Malicious Botnet Attacks
April 02, 2020
This is the second part of our card testing series. For more background about what card testing is and who’s at risk, check out part one.
More and more, fraudsters are using botnets to superpower their card testing schemes.[1] In these automated attacks, fraudsters run thousands of low-value transactions on a merchant’s site to “test” the validity of card details. By the time merchants notice, they often face a staggering number of authorization fees, and the chargebacks may jeopardize their standing with major processors.
Fortunately, best practices, coupled with a strong fraud management platform, can help detect and prevent these attacks. Since no single component can stop card testing fraud, the key is implementing multiple layers of protection.
How to protect yourself from card-testing attacks
1. Perform risk reviews.
Fraudsters often target the point when cardholders add payment methods to their online accounts on merchant sites. Therefore, it’s important to perform risk reviews for this step, including Account Verifications of the payment being added, and basic velocity checks over specified timeframes.
2. If you accept donations or other custom payment amounts, be sure to set minimum thresholds.
In a card testing attack, fraudsters aim to validate if a credit card is good while avoiding the likelihood of the cardholder noticing and reporting it. The smaller the charge, the less likely it is to attract attention or result in a chargeback. It is common to see transactions for very low amounts, often less than $5. If possible, it’s best to set a minimum value that is as high as possible while still being appropriate for most donors.
3. Be vigilant and identify anomalies early on.
- If you see an unexpected or sudden spike in your average daily transactions—research it.
- A sudden increase in the number of credit card declines can be a serious signal that your business is being targeted.
- Have a variety of velocity tools to track not only transaction totals, but also other specific data elements (including email, IP address, device fingerprint, etc.).
How tools can help
Adding the right technologies to your checkout and card addition pages (as well as any other pages where cards are validated) is key to protecting yourself from botnet attacks. Some tools include:
- Firewalls – typically include basic tools for botnet detection, prevention, and removal. Tools like Network Intrusion Detection Systems (NIDS), rootkit detection packages, network sniffers, and specialized anti-bot programs may be used to provide more sophisticated botnet protection.
- CAPTCHA – visual challenges designed to distinguish humans from automated scripts
- Device fingerprinting with proxy piercing capabilities – code designed to identify multiple contacts with the same device, along with technology to detect the originating device in the case of a botnet
- Velocity thresholds – limits on the number of transactions permitted within a specified timeframe, including HTTP session velocities, which limit the number of operations per user session
- Anomaly detection – detects sudden or unusual spikes in traffic to your webpage or unusual patterns in shopping or form entry behaviors
- Time out of user session – sets HTTP sessions to expire after periods of inactivity
- Cross Site Request Forgery (CSRF) detection – allows users to progress to sensitive pages only when they arrive from your expected user flow, and invalidates used tokens
- Guest checkouts – if you allow guest checkouts, make sure to add data validation
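As an added example (not code from the original post or from any Cybersource product), the velocity checks from step 3 and the velocity-threshold and anomaly-detection items above, run over a constructed batch of authorization attempts: it flags any IP, email or device fingerprint that exceeds a per-window attempt limit, and a high decline rate among low-value charges. The field names, thresholds and sample values are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authorization attempts (not real traffic):
# (timestamp, client_ip, email, device_fingerprint, amount_usd, approved)
BASE = datetime(2020, 4, 1, 12, 0, 0)
SAMPLE_ATTEMPTS = [
    # one device/IP rotating emails through $1 charges, mostly declined
    (BASE + timedelta(seconds=40 * i), "203.0.113.7", f"u{i}@example.com",
     "dev-A", 1.00, i % 4 == 0)
    for i in range(12)
] + [
    # an ordinary customer order that should not be flagged
    (BASE + timedelta(minutes=3), "198.51.100.2", "real@example.com",
     "dev-B", 49.99, True),
]


def velocity_alerts(attempts, window=timedelta(minutes=10), max_per_key=5,
                    small_amount=5.00, decline_ratio=0.5, min_small=8):
    """Return card-testing indicators found in `attempts`:
    - velocity: more than `max_per_key` attempts sharing one IP, email or
      device fingerprint inside `window` (each key alerts once);
    - decline-rate: among the last `window` of charges <= `small_amount`,
      at least `min_small` attempts with a decline share >= `decline_ratio`.
    """
    alerts, fired = [], set()
    recent = defaultdict(deque)      # (field, value) -> timestamps in window
    small = deque()                  # (timestamp, approved) for low-value charges
    for ts, ip, email, device, amount, approved in sorted(attempts, key=lambda a: a[0]):
        for field, value in (("ip", ip), ("email", email), ("device", device)):
            q = recent[(field, value)]
            q.append(ts)
            while ts - q[0] > window:          # drop attempts outside the window
                q.popleft()
            if len(q) > max_per_key and (field, value) not in fired:
                fired.add((field, value))
                alerts.append(f"velocity:{field}={value} {len(q)} attempts in {window}")
        if amount <= small_amount:
            small.append((ts, approved))
            while ts - small[0][0] > window:
                small.popleft()
            declines = sum(1 for _, ok in small if not ok)
            if (len(small) >= min_small and declines / len(small) >= decline_ratio
                    and "decline-rate" not in fired):
                fired.add("decline-rate")
                alerts.append(f"decline-rate:{declines}/{len(small)} low-value "
                              f"charges (<=${small_amount:.2f}) declined in {window}")
    return alerts
```

The rotating-email pattern in the sample is why the check keys on IP and device fingerprint as well as email: a single data element is easy for a botnet to vary, so an alert on any one of them should be reviewed.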
And, of course, we’re here to help
In addition to ensuring your website includes technologies to fend off botnet attacks, Cybersource fraud tools can also help protect you from card testing.
Options to assist with defense
- For merchants offering an option for customers to create online accounts, Cybersource’s Account Takeover Protection (ATP) helps authenticate account creations and logins by detecting mismatches in locations, behaviors, devices and accounts. It also includes device fingerprinting with proxy-piercing technology and a bot-detection identifier. Implementing fraud checks during account creation and login can help to identify and block bots or fraudsters prior to logging in and prior to attempting to load and test cards.
- For merchants selling through an eCommerce platform, velocity rules implemented through Decision Manager (DM) or Fraud Management Essentials (FME) can track, count, and reject repeated transaction attempts that share common data elements or that exceed total transaction volume limits. Amount thresholds set in DM or FME can help limit transactions to those appropriate for your business.
Not sure which tools are right for your business? If you’re new to Cybersource, please reach out to our sales team, and we’ll get you started. If you’re an existing customer, contact your Cybersource representative, who can help put together a management plan that works for you.
Remember, a multi-layered approach is best
No single component can prevent card testing fraud. Businesses should use a combination of best practices and risk tools at every stage of the transaction flow, from account events to card loading to transaction requests. With a multi-faceted approach, you can gain peace of mind and help protect yourself from card testing fraud.
[1] The Ever-Changing Landscape of Bots and Credit Card Testing, by John Canfield, April 26, 2018, business.com, https://www.business.com/articles/bots-credit-card-testing/