Billions At Stake: Understanding The Implications Of Card Testing


Kevin Gosschalk, Founder/CEO of Arkose Labs is an industry expert on bot attacks and the evolving cybercrime landscape.

Card testing is a low-profile cyberattack that often takes a back seat to more notorious ones. However, card testing against online businesses is on the rise and poised to deliver financial headaches. According to Juniper Research, the larger threat of online payment fraud is projected to result in merchant losses surpassing $206 billion by 2025. For perspective, that is almost 10 times the net income Amazon generated in 2020.

Businesses need to be aware of how this form of payment fraud can impact security strategies and consumers. The first step in identifying this threat is to recognize some of the lesser-known aspects. Once digital enterprises better understand card testing, it’s possible to forge a solution.

Card Testing Fraud Is Often Misunderstood

Card testing is a technique in which fraudsters validate stolen credit card details by making small transactions on digital platforms. The goal is to determine which of the stolen card details are genuine and usable before moving on to larger fraud.

A cybercriminal might use a stolen credit card number to make a series of small purchases on a website to see whether the transactions are approved. Cards that pass this check are "verified," and verified cards can be bought online for the right price. Fraudsters then use them for larger unauthorized purchases or sell the verified card information to others. Once the numbers are in the wild, they can be used to mount all sorts of crimes, both online and off.

Losses from card testing go well beyond the test transactions themselves: the authorization fees that accrue on every attempt, approved or declined, the cost of investigating the attack, implementing security enhancements and potentially facing regulatory fines for failing to protect consumer data. Enterprises often underestimate the impact of these seemingly innocuous transactions, which can lead to significant financial losses and regulatory penalties.

What Businesses Don’t Know About Card Testing

Card testing attacks harbor intricacies that can potentially cripple operations, tarnish reputations and harm customer trust. Here, clarity is key:

• Card testing is a preliminary phase of larger attacks. Bad actors use it to validate stolen credit card information before committing to more significant fraud, such as making large purchases or selling verified card details on the dark web. Indirectly, something as simple as card testing can feed into heavy-duty crimes, including money laundering and human trafficking.

• Automation is common. Attackers use bot tools and scripts to validate stolen credit card data quickly across many e-commerce sites. The bots submit the data they already have (typically the card number) and cycle through guesses for the missing fields, such as the expiry date and CVV, until a transaction is approved or the card is blocked. This automation lets them test enormous numbers of cards, which makes the attacks impractical for businesses to detect and mitigate manually.

• Geographic patterns matter. Card testing attacks often exhibit geographic patterns. Attackers may concentrate their efforts on specific regions or countries, and signals such as a burst of low-value attempts from a region that generates little normal traffic, or a mismatch between the billing country and the client's location, can be crucial for identifying and preventing these attacks.

• Regulatory and legal ramifications. Failing to adequately protect consumer data can lead to regulatory fines and legal consequences for businesses. Compliance with data protection laws is crucial, and businesses must understand that negligence in this regard can be costly.
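As an added illustration (not code from the original article or from Arkose Labs), the following Python sketch shows the kind of velocity screen a merchant can run over its own authorization log to surface the signals described above: many small attempts from one client in a short window, a high decline rate, many distinct cards from one client, and billing/GeoIP country mismatch. The transaction records, field names and thresholds are constructed for the example; card identifiers are tokens rather than full card numbers, and the thresholds are the knobs a real deployment tunes against its own traffic to keep false positives down.

```python
"""Velocity and decline-rate screen for card testing.

Added example (not code from the original article or from Arkose Labs).
Transactions, thresholds and field names are constructed for illustration;
card identifiers are tokens, never full PANs.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: int            # seconds since epoch
    ip: str            # client IP (or a device fingerprint, if available)
    card_token: str    # tokenized card reference
    amount: float      # authorization amount
    approved: bool     # issuer response
    bill_country: str  # country of the billing address
    ip_country: str    # GeoIP country of the client


# Assumed thresholds; a real deployment tunes these against its own traffic,
# which is where false-positive control happens.
WINDOW_S = 600            # sliding window length in seconds
MIN_ATTEMPTS = 6          # attempts in one window before we look closer
MAX_AVG_AMOUNT = 5.0      # testers use tiny amounts
MAX_APPROVAL_RATE = 0.5   # most stolen numbers decline
MIN_DISTINCT_CARDS = 4    # one client cycling through many cards
MIN_GEO_MISMATCH = 0.5    # share of attempts whose billing and IP country disagree


def analyse_ip(txns):
    """Return the reasons one client's traffic looks like card testing.

    Slides a WINDOW_S window over the client's transactions in time order and
    keeps the window with the most corroborating signals. Velocity alone is
    not enough (a shared office NAT is also busy); at least two of the
    amount, approval, distinct-card and geography signals must agree.
    """
    txns = sorted(txns, key=lambda t: t.ts)
    best = []
    lo = 0
    for hi in range(len(txns)):
        while txns[hi].ts - txns[lo].ts > WINDOW_S:
            lo += 1
        win = txns[lo:hi + 1]
        if len(win) < MIN_ATTEMPTS:
            continue
        n = len(win)
        avg_amount = sum(t.amount for t in win) / n
        approval_rate = sum(t.approved for t in win) / n
        distinct_cards = len({t.card_token for t in win})
        geo_mismatch = sum(t.bill_country != t.ip_country for t in win) / n

        reasons = []
        if avg_amount <= MAX_AVG_AMOUNT:
            reasons.append(f"{n} attempts averaging {avg_amount:.2f} within {WINDOW_S}s")
        if approval_rate <= MAX_APPROVAL_RATE:
            reasons.append(f"approval rate {approval_rate:.2f}")
        if distinct_cards >= MIN_DISTINCT_CARDS:
            reasons.append(f"{distinct_cards} distinct cards from one client")
        if geo_mismatch >= MIN_GEO_MISMATCH:
            reasons.append(f"billing/IP country mismatch on {geo_mismatch:.0%} of attempts")
        if len(reasons) >= 2 and len(reasons) > len(best):
            best = reasons
    return best


def detect_card_testing(txns):
    """Group transactions by client IP and return {ip: reasons} for suspects."""
    by_ip = defaultdict(list)
    for t in txns:
        by_ip[t.ip].append(t)
    findings = {}
    for ip, group in by_ip.items():
        reasons = analyse_ip(group)
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample: a normal shopper, a card-testing burst and a busy but
# legitimate office NAT that must not be flagged.
SAMPLE = [
    Txn(1000, "203.0.113.10", "tok_a1", 89.99, True, "US", "US"),
    Txn(1600, "203.0.113.10", "tok_a1", 24.50, True, "US", "US"),
]
SAMPLE += [
    # Eight different cards, $1.00-$1.70, two approvals, all within 140 seconds,
    # US billing addresses submitted from a Dutch IP.
    Txn(2000 + 20 * i, "198.51.100.7", f"tok_c{i}", 1.0 + 0.1 * i, i in (2, 5), "US", "NL")
    for i in range(8)
]
SAMPLE += [
    # Seven normal purchases on three company cards over six minutes.
    Txn(3000 + 60 * i, "192.0.2.44", f"tok_o{i % 3}", 40.0 + 5 * i, True, "GB", "GB")
    for i in range(7)
]

if __name__ == "__main__":
    for ip, reasons in detect_card_testing(SAMPLE).items():
        print(ip, "->", "; ".join(reasons))
```

Run as a script, it flags only the 198.51.100.7 burst and reports all four signals for it; the office NAT trips the attempt count but none of the corroborating signals, which is the point of requiring at least two. In production the same logic would key on a device fingerprint or session identifier as well as the IP, since bot kits rotate proxies, and the output would feed a step-up challenge rather than a hard block.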

Why Card Testing Is New Again

Unlike in the past, when fraudsters had to develop their own attack tools, today's cybercriminals can readily access a plethora of prebuilt, advanced kits. This resurgence in card testing is closely intertwined with the broader "cybercrime as a service" model, in which individuals or groups offer criminal tools and services to other malicious actors for a fee. Card testing has integrated seamlessly into this ecosystem, amplifying its impact and reach within the criminal underworld.

Attack technology has now outpaced the capabilities of detection mechanisms. Bots, automated software programs that perform online tasks, have become increasingly sophisticated at mimicking human behavior and evading security measures, which is one of the key challenges. A bot can simulate the way a legitimate user interacts with a website, making it difficult for security systems to differentiate malicious from genuine traffic. As a result, card testing has evolved into a much more refined and formidable threat.

How Businesses Can Respond To Card Testing

While bot mitigation solutions are critical, businesses can (and should) complement these technological measures with internal strategies, training initiatives and policy/procedural changes to strengthen their defenses. Here are some specific steps organizations can implement in these areas:

Training The Workforce

1. Educate employees. Start by educating your workers about the dangers of card testing. Ensure all staff members are aware of the signs and implications of these attacks.

2. Incident response training. Develop and conduct regular training sessions on incident response protocols. Train your team to recognize and report suspicious activities promptly, fostering a proactive and vigilant work culture.

3. Cross-departmental collaboration. Encourage different departments such as IT, security and customer service teams to work together to quickly identify and mitigate card testing threats.

Policy And Procedural Changes

1. Data-handling policies. Enforce data-handling policies to safeguard cardholder information. Clearly define who may access sensitive data, for what purpose, and which controls apply whenever it is handled.

2. Access control. Strengthen access controls to limit access to payment data. Use role-based permissions, and regularly review and update user privileges.

3. Incident response plan. Implement a well-defined incident response plan. Ensure all employees know their roles in case of a card testing incident and regularly rehearse the response procedures.

Challenges In Incorporating Technology

1. Integration complexity. Integrating new technology into existing systems is challenging. Ensure that your solutions can integrate with your current infrastructure and applications.

2. False positives. Automated prevention systems may produce false positives, blocking legitimate transactions. Regularly fine-tune the systems and establish procedures for addressing false alarms.

3. Resource constraints. Implementing new technology can strain resources, both in terms of time and budget. Allocate adequate resources for the transition and ongoing maintenance.

The resurgence of card testing looms as a formidable challenge for businesses. Ignoring this insidious threat is no longer an option, and businesses must act proactively to protect themselves, their customers and their bottom line in an increasingly complex landscape.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
