Here is what we're working on and thinking about at Hedgehog Security.

How Criminals Test Stolen Cards

Over the past couple of weeks, we have seen a marked increase in the number of "odd" transactions at clients who use us to monitor the security of their systems. I use the word "odd" because the typical transaction for many of these merchants is around the £20 mark, yet for two weeks the volume of £0.99 transactions has spiked dramatically.
The same can be said for the charities we monitor. While the average charitable donation is about £2, these too have seen a marked increase in £0.99 transactions.
Stolen credit card information is big business. Criminals buy card details, use them to make fraudulent purchases, and then re-sell the goods on mass-market online marketplaces.

Testing Stolen Card Information

When criminals buy stolen card information from the digital underground, they want to know that the information is valid and that the card will work. Stolen card details are often missing the card verification value (the 3-digit security number on the back of most cards), the cardholder name and the billing address, as well as other key information that large retailers use to screen orders for fraud.
With this information missing, using the card is significantly harder. Criminals will often resort to trawling popular social media channels for the missing details. If that fails, they have to guess the details for each card number until they get them right. So how do they test a card to find out whether a guess is correct? This is where the criminals hit small businesses and charities. They place small orders or make "charitable" donations to confirm that the CVV and cardholder address are correct. When a guess results in a successful purchase or donation, they take that card, now with tested data, after bigger retail targets.

Why do card testers target small business and charities?

Because they will get away with it. Small businesses and charities are unlikely to spot the trends in micropayments until the card schemes start to claw back the money. Large retailers and some smaller retailers have fraud detection services in place to screen their transactions, so using those merchants to validate the card information is likely to tip off the card providers and render the card useless to the criminal.
Many businesses mistakenly think they're too small for criminals to notice, or they're unaware that this type of fraud exists, so they go without fraud prevention programmes. Charities, meanwhile, must balance the need to make giving easy for donors with the need to prevent fraudulent gifts that skew budget planning and incur costly bank fees.

Does 99p matter?

Fake donations and fraudulent purchases are just the tip of the fraud-loss iceberg. When the owner of the stolen card reports the fraud, the small business or charity loses the transaction amount, and a chargeback fee is incurred for each fraudulent transaction; that fee can be ridiculously, and unethically, high.
What makes it worse is that these purchases aren't usually isolated incidents perpetrated by people sitting at keyboards. Modern fraudsters use bots and scripted attacks to run what security firm ThreatMetrix describes as mass testing sessions. In the second quarter of 2016 alone, the company detected more than 400 million such bot attacks worldwide.
Think of the damage that a rapid-fire series of small fake purchases or donations can inflict on a business or nonprofit with a tiny budget and no reserves to cover multiple chargeback fees. In the worst case, a small merchant's or nonprofit's chargeback ratio can rise to the point where card schemes and processors label them high risk, leading to account termination and the end of the business.

How can you guard against card-testing fraud?

There are specific steps small businesses and nonprofits can take to protect their transactions. One is to set up the checkout process to limit the number of data-entry attempts a customer can make, especially on the CVV and address fields, and to return the same generic decline message whichever field is wrong, so a tester cannot learn the correct value one field at a time. Another is to limit the number of purchases or donations a customer can make within a short time, especially when they use different card numbers. Multiple orders by different "customers" placed from the same computer or device are a red flag as well. Another security best practice is to contact customers or donors by phone when an order raises red flags. These steps will help in the short run.
Over the long term, because online fraud is evolving rapidly, it's a good idea to follow e-commerce fraud news and keep up with emerging threats. The ultimate security step is finding cost-effective fraud-prevention experts to screen orders and donations based on the most up-to-date fraud insights.
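The velocity checks described above (repeated CVV/address failures, many different cards from one device, and the burst of sub-£1 transactions noted at the top of the article) can be expressed as a small rule set run over a transaction log. The following is an added example written for this page; it is not Hedgehog Security's monitoring code or any payment provider's API. It assumes the merchant's log carries a per-device identifier (a session or browser fingerprint) and a tokenised card reference rather than the PAN; the field names, thresholds and sample transactions are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    """One checkout attempt. Field names are hypothetical; real logs will differ."""
    ts: int         # epoch seconds
    device: str     # session / browser fingerprint, never just the IP
    card: str       # tokenised card reference (hashed PAN), never the PAN itself
    amount: float   # GBP
    cvv_ok: bool    # CVV matched according to the processor response
    avs_ok: bool    # address (AVS) matched according to the processor response


# Thresholds are illustrative; a merchant would tune them to its own traffic.
WINDOW = 600          # sliding window in seconds
FAIL_THRESHOLD = 3    # CVV/AVS mismatches per device within WINDOW
CARD_THRESHOLD = 3    # distinct cards per device within WINDOW
MICRO_THRESHOLD = 4   # transactions below MICRO_AMOUNT per device within WINDOW
MICRO_AMOUNT = 1.00   # GBP; the article's 99p probes fall under this


def card_testing_alerts(txns, window=WINDOW, fail_threshold=FAIL_THRESHOLD,
                        card_threshold=CARD_THRESHOLD, micro_threshold=MICRO_THRESHOLD,
                        micro_amount=MICRO_AMOUNT):
    """Return {device: {reason, ...}} for devices whose recent activity looks like card testing.

    Events are replayed in time order; each device keeps a deque of the attempts
    that fall inside the trailing window, and the three rules are evaluated on it.
    """
    recent = defaultdict(deque)
    alerts = defaultdict(set)
    for t in sorted(txns, key=lambda x: x.ts):
        q = recent[t.device]
        q.append(t)
        # Drop attempts that have aged out of the window.
        while q and q[0].ts < t.ts - window:
            q.popleft()
        failures = sum(1 for x in q if not (x.cvv_ok and x.avs_ok))
        distinct_cards = len({x.card for x in q})
        micro = sum(1 for x in q if x.amount < micro_amount)
        if failures >= fail_threshold:
            alerts[t.device].add("cvv_avs_failures")
        if distinct_cards >= card_threshold:
            alerts[t.device].add("distinct_cards")
        if micro >= micro_threshold:
            alerts[t.device].add("micro_amounts")
    return dict(alerts)


# Constructed sample log: one ordinary customer, one donor who mistyped the CVV
# once, one scripted card tester, and one slow tester spacing probes 1000 s apart.
SAMPLE = [
    Txn(3000, "dev-A", "card-7", 20.00, True, True),
    Txn(2000, "dev-C", "card-9", 2.00, False, True),
    Txn(2030, "dev-C", "card-9", 2.00, True, True),
    Txn(1000, "dev-B", "card-1", 0.99, False, True),
    Txn(1060, "dev-B", "card-2", 0.99, False, False),
    Txn(1120, "dev-B", "card-3", 0.99, False, True),
    Txn(1180, "dev-B", "card-3", 0.99, True, True),
    Txn(1240, "dev-B", "card-4", 0.99, True, True),
    Txn(5000, "dev-D", "card-11", 0.99, False, True),
    Txn(6000, "dev-D", "card-12", 0.99, False, True),
    Txn(7000, "dev-D", "card-13", 0.99, False, True),
]


if __name__ == "__main__":
    for device, reasons in sorted(card_testing_alerts(SAMPLE).items()):
        print(device, sorted(reasons))
```

Only dev-B trips the rules with the default 10-minute window; the donor on dev-C who got the CVV wrong once is left alone. The slow tester on dev-D shows the caveat: with probes spaced further apart than the window, a fixed-window rule sees only one attempt at a time and stays silent, which is why a longer window (or a per-card-count rule with no window at all) is worth running alongside the burst detector, and why a decline on any of these rules should be the same generic message regardless of which check fired.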