Before monetizing stolen credit card credentials, bad actors try to ascertain their validity. They use scripts, bots, fraud farms, and a host of other tools to automate numerous small CNP transaction requests and achieve scale. Successful requests confirm the validity of the compromised card credentials and open up the path for big-ticket purchases. Bad actors may also monetize the valid cards by reselling them or buying gift cards, cryptocurrencies, or criminal services from the dark web. Declined purchases are confirmation that the card is no longer in use.
What to know about card testing
Sometimes known as carding, card checking, or card cracking, card testing can be performed on physical debit, credit, and prepaid or gift cards. Their clones can be generated with scraped data, as well as with stolen credit card details. However, card testing shouldn’t be confused with a test credit card, which is provided by credit card companies to businesses and is used to check if the card readers are working fine and compatible with particular credit cards.
Card testing fraud is a real and growing problem, affecting businesses regardless of their size or scale. Given the surge in the volumes of digital transactions in recent years, card testing has grown into a huge challenge for businesses. Failure to mitigate card testing attacks can prove expensive for businesses and expose them to repeat fraud. It is, therefore, in the interest of businesses to implement robust fraud detection solutions that can detect card testing early and protect businesses and consumers from losses later.
The two ways of card testing
Bad actors use scripts and bots to achieve scale and speed. They usually adopt two methods for card testing as described below:
- Small payments: Bad actors use harvested credentials to make small payments. If the transaction is approved, they know the card is valid. Even if the transaction gets rejected, bad actors learn the reason for rejection and take countermeasures to fool the system in their next attempts. However, bad actors take precautions to avoid too many rejections on the card, as the issuer might deactivate the card, which can jeopardize their monetization efforts.
- Authorization: This is a more subtle method, which involves checking whether the customer has enough funds to complete the transaction. Since this process takes longer to appear on the card statement, it provides bad actors with enough time to max out the card.
In both cases, however, when the affected customer notices the transactions and disputes them, it results in chargebacks and additional fees for the business. If left undetected, it can adversely impact authorization processes and result in higher transaction costs.
Card testing can have far-reaching consequences
Card testing affects all businesses that facilitate online purchases through CNP transactions. It equally affects consumers with compromised accounts or stolen card details.
Whether the transaction is approved or rejected, businesses must bear the transaction fees. Further, disputed transactions result in chargebacks and associated fees. Thousands of fraudulent CNP transactions can, therefore, add significantly to a business's losses. Higher decline rates may cause the business to be flagged as high-risk and result in paying higher fees to payment processors as well as exposure to dispute monitoring programs. In the worst cases, a huge number of disputes can result in the business losing its payment processing capabilities.
Affected businesses face operational disruption due to additional strain on the infrastructure. They must also allocate resources to deal with chargeback fraud as well as irate customers to settle the disputes. Negative publicity can result in damage to brand equity and affect customer retention and new customer acquisition.
Effective ways to mitigate card testing fraud
The first step to mitigating card testing fraud is to identify it. There are certain telltale signs that can help businesses identify card testing fraud. These include an unexplained increase in successive card authorization requests for small amounts, high volumes of identical authorization requests, a sudden spike in declines, and a sharp rise in mismatches between issuing bank or payment brand authorization.
Data-driven solutions can be useful in mitigating card testing fraud by defining or tweaking the rules. This helps businesses review the incoming requests and decide whether to review a request further or block the user. In addition, businesses may bolster their security by requiring customers to register and provide CVV (card verification value) numbers, enabling Address Verification Service (AVS) to check addresses and ZIP codes, blocking multiple transactions from the same IP address or specific geographical locations, limiting the number of checkout attempts, using robust fraud analytics software, and monitoring on an ongoing basis.
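The telltale signs and per-source limits described above can be expressed as a sliding-window rule over authorization events. The following is an added example, not code from Arkose Labs or any payment processor; the event fields, threshold values, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune against your own traffic baseline.
WINDOW_SECONDS = 300      # sliding window per source IP
MAX_ATTEMPTS = 5          # velocity limit: authorizations per window
MAX_DISTINCT_CARDS = 3    # many different cards from one source
SMALL_AMOUNT = 2.00       # ceiling for a "small payment" probe
MAX_DECLINE_RATE = 0.5    # share of declines that counts as a spike

def detect_card_testing(events):
    """Return {ip: sorted reasons} for sources showing card-testing signals.

    events: (epoch_seconds, ip, card_token, amount, approved), ordered by
    time. card_token is a token or hash, never a raw card number.
    """
    windows = defaultdict(deque)
    flagged = defaultdict(set)
    for ts, ip, card, amount, approved in events:
        win = windows[ip]
        win.append((ts, card, amount, approved))
        while ts - win[0][0] > WINDOW_SECONDS:   # expire old events
            win.popleft()
        n = len(win)
        if n > MAX_ATTEMPTS:
            flagged[ip].add("velocity")
        if len({c for _, c, _, _ in win}) > MAX_DISTINCT_CARDS:
            flagged[ip].add("many_cards")
        if n >= MAX_ATTEMPTS:   # ratio signals need a minimum sample
            small = sum(1 for _, _, a, _ in win if a <= SMALL_AMOUNT)
            declined = sum(1 for _, _, _, ok in win if not ok)
            if small == n:
                flagged[ip].add("small_amount_burst")
            if declined / n > MAX_DECLINE_RATE:
                flagged[ip].add("decline_spike")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}

# Constructed sample data (documentation IP ranges, fake tokens).
SAMPLE_EVENTS = sorted(
    # One source cycling through cards with 1.00 probes, mostly declined.
    [(1000 + 10 * i, "203.0.113.7", f"tok_{i}", 1.00, i % 4 == 0)
     for i in range(8)]
    # A normal shopper: two purchases on the same card, hours apart.
    + [(1005, "198.51.100.20", "tok_a", 54.90, True),
       (9000, "198.51.100.20", "tok_a", 12.50, True)]
)

if __name__ == "__main__":
    for ip, reasons in detect_card_testing(SAMPLE_EVENTS).items():
        print(ip, reasons)
```

Keying the window on source IP alone misses distributed attempts; the same function can be run with a device fingerprint or account ID in place of the IP field.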
Some of the methods that businesses can consider implementing to prevent card testing fraud include: data enrichment, PCI-DSS standards for enhanced security of card payments, device fingerprinting, fraud risk assessment, velocity checks, additional card authentication data elements, SCA protocols, 3D Secure protocols, and targeted friction, among others.
It is worth noting that bad actors are increasingly relying on automated bot attacks to run thousands of authorizations and achieve scale. Businesses must deploy effective bot mitigation solutions to counter a card testing attempt.
Partner with Arkose Labs to thwart card testing attempts
Several Fortune 100 companies and global brands trust Arkose Labs with long-term protection from known and evolving threats. With its consumer-centric approach, Arkose Labs thwarts automated card testing attempts early, which enables businesses to continue enjoying consumer trust.
Arkose Labs does not block any incoming user, as it may filter out potentially revenue generating customers. Instead, the uniquely designed Arkose Bot Manager delivers targeted friction depending on the real-time risk assessment of every incoming user.
The proprietary challenge-response authentication mechanism, Arkose Matchkey, is a repository of unassailable 3D challenges that are easy for genuine consumers but sap the time and resources of bad actors. Automated scripts and even the most advanced human-like bots cannot clear these challenges at scale. Persistent malicious actors must face more challenges that keep becoming more complex. Creating automated solvers for Arkose Matchkey challenges is next to impossible given the large number of variations of every given challenge. Dwindling return on investment means defeat for bad actors, who must abandon the attack and move on to unprotected targets.
With 24x7 SOC support, Arkose Labs ensures that its partners can mitigate risks as and when they are detected. Further, businesses benefit from data-backed actionable risk intelligence, raw signals and attributes, and network-wide threat intel, which allows them to keep pace with the evolving risks in a dynamic threat landscape, while maintaining consumers’ account security.
To benefit from Arkose Labs' trusted protection from automated card testing fraud attempts, book a demo now.