Nothing is sacred to online criminals. They’ll attack hospitals for data, turn holiday cheer into stress, and are even willing to try to leverage an election season for their own financial gain. One of the often overlooked aspects of an election cycle is the opportunity it represents for fraudsters to double down on card testing.
What is that, why is it a problem, and what should you be doing about it? Let’s dive in.
Why Card Testing is a Growing Problem
Card testing is when fraudsters get access to a large number of stolen cards and then run through them on a site or sites, trying them out to see which cards are still in use and can be used for further fraud.
The card is being used fraudulently, but typically only for a small amount, say maybe a dollar (or even less). It’s not the main theft; it’s a preliminary stage so the fraudster can narrow down which cards they will use once they really get down to it.
When I put it that way, I know it doesn’t sound that serious, but card testing is a problem because when fraudsters find a site they can use for it, they attack at scale:
- In Forter’s experience, card testers attack nearly 100% of subscription services.
- An average card testing attack includes upwards of 500 credit cards attempted.
- Sometimes, tens of thousands of cards might be attempted in a single attack, especially since bots and scripts have become common.
It matters to merchants: If the low dollar amounts lull you into a false sense of security and you don’t take steps to prevent card testing pre-auth, card testing might cause 20-80% of your company’s bank declines for initial purchases. That’s terrible for your reputation, and you can get fined by the payment processor for sending bad traffic.
It matters to consumers: If you miss the initial purchase made by the fraudster as card testing, their attempts to spend much more of your money soon after are less likely to be flagged and blocked. Not to sound paranoid, but constant vigilance is your friend.
Watch Out for Card Testing in Election Season
Card testing is typically carried out for small dollar value orders (because these are less suspicious) and often against sites that fraudsters do not intend to hit with their primary attack once they have filtered out the burnt cards. That way, they can maintain the element of surprise for their real goal.
Popular card-testing targets include subscription services, digital goods marketplaces, food delivery services, and crowdfunding or donation sites. During an election season, more of these sites pop up, and more donations are often made, which means fraudsters have the ideal opportunity to hide among the crowd.
Fraudsters particularly like to test cards against sites with little investment in fraud prevention. As always, it’s about ROI; they want to spend as little effort as possible to successfully complete this stage of sorting through their stolen cards.
Sites set up for donations connected to an election or political cause may not consider fraud before launching. And in a sense, they’re right. It’s very unlikely that there will be significant fraud on these sites, and card testing is, as we said, for small amounts. Banks may also be less likely to be suspicious since it’s not uncommon for consumers to donate to relevant new causes at this time.
There are real downsides for the donation sites themselves:
- It costs money to process payments, even small ones. If you have to handle hundreds of payments of a dollar each because of card testing, that might not make financial sense.
- If issuers decide a site has too much fraudulent traffic, they’ll gradually reduce the bank approval rate.
- There’s the potential for reputational damage, which is especially important in an arena where trust is vital.
- If the legitimate cardholders catch on to what’s happening, there may be chargebacks.
How much the site cares about this probably depends on whether it aims to be a popup just for this election cycle or if it’s part of something much longer-lasting. Regardless, card testing affects the entire online ecosystem, and merchants and consumers must take care.
Card Testing: Advice for Merchants
Merchants should be prepared for the downstream effects of card testing during election season. At the risk of sounding like a broken record, tackling this effectively is really something that comes down to identity intelligence.
In this case, the key is to identify when the same identity makes a series of payment attempts, even when measures are in place to obfuscate the identity and the connections.
It won’t matter how many cards a fraudster has tested if you can tell that they’re a returning fraudster trying their luck again. The fact that the card still works won’t help the criminal if you can identify them as such and stop them in their tracks.
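One way to implement the linking described above, as an added example that is not Forter's method or code from the original article: payment attempts are joined into one identity whenever they share a device ID, IP address, or email, so rotating any single attribute does not break the chain. The field names, thresholds, and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real transactions): one batch of payment
# attempts assumed to fall inside a single short time window.
FIELDS = ("id", "card", "amount", "device", "ip", "email", "approved")
ROWS = [
    (1, "tok_a", 1.00, "dev-1", "192.0.2.10", "a@example.org", False),
    (2, "tok_b", 1.00, "dev-1", "192.0.2.11", "b@example.org", False),
    (3, "tok_c", 0.50, "dev-2", "192.0.2.11", "c@example.org", True),
    (4, "tok_d", 1.00, "dev-3", "192.0.2.12", "c@example.org", False),
    (5, "tok_e", 1.00, "dev-3", "192.0.2.13", "d@example.org", False),
    (6, "tok_f", 25.00, "dev-8", "198.51.100.7", "donor1@example.org", True),
    (7, "tok_g", 1.00, "dev-9", "203.0.113.5", "donor2@example.org", True),
    (8, "tok_g", 1.00, "dev-9", "203.0.113.5", "donor2@example.org", True),
]
ATTEMPTS = [dict(zip(FIELDS, row)) for row in ROWS]

def link_identities(attempts):
    """Group attempts that share any device, IP, or email (union-find)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for a in attempts:
        for key in ("device", "ip", "email"):
            if a[key]:  # skip missing attributes so they never link attempts
                parent[find(("attempt", a["id"]))] = find((key, a[key]))
    clusters = defaultdict(list)
    for a in attempts:
        clusters[find(("attempt", a["id"]))].append(a)
    return list(clusters.values())

def flag_card_testing(attempts, min_cards=4, max_amount=2.00, min_decline_rate=0.5):
    """Return attempt IDs of linked identities that look like card testing.
    Thresholds are illustrative assumptions, not recommended values."""
    flagged = []
    for cluster in link_identities(attempts):
        cards = {a["card"] for a in cluster}
        all_small = all(a["amount"] <= max_amount for a in cluster)
        decline_rate = sum(not a["approved"] for a in cluster) / len(cluster)
        if len(cards) >= min_cards and all_small and decline_rate >= min_decline_rate:
            flagged.append(sorted(a["id"] for a in cluster))
    return flagged
```

Attempts 1 through 5 never share all three attributes at once, yet they collapse into one identity with five distinct cards; the repeat donor in attempts 7 and 8 uses a single card and is left alone.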
Card Testing: Advice for Consumers
Don’t rely on the bank catching something that looks unusual; be proactive about checking. Most banks and cards offer the ability to receive a notification when a purchase is made on a card. Check out whether that’s an option for you, and if it is, set it up.
Be conscious about where you’re spending your money. If you are making small donations now, ensure you’re keeping track of how much, to whom, and where so that you can differentiate this legitimate spending from fraudulent attempts.
If you suspect fraud, call the bank immediately. Don’t wait for them to contact you.
Card Testing Shows How Interconnected Online Commerce Is
One of the fascinating things about card testing is that it highlights how intertwined everything in digital commerce is.
Fraudsters get stolen card data from another criminal and are then likely to attack one type of site with card testing before filtering out the good cards and using those in an attack on a different kind of site. Sometimes, they’ll even use account takeover for the initial card testing because they don’t care about the purchase itself and whether they can access it or information about it afterward.
From the consumer perspective, their card information has been stolen from one place, passed on to another criminal in another place, tested on one site, and then leveraged for full fraud on a second site. After that, it’s a question of whether the fraud attempt was caught or whether they are responsible for initiating a chargeback.
The payments and digital commerce ecosystem is intricate and complex. Fraudsters will look to exploit any vulnerability they can find — including elections.
Doriel Abrahams is the Principal Technologist at Forter, where he monitors emerging trends in the fight against fraudsters, including new fraud rings, attacker MOs, rising technologies, etc. His mission is to provide digital commerce leaders with the latest risk intel so they can adapt and get ahead of what’s to come.