What is a valid credit card number worth to the bad guys? A lot, it seems.
Imagine having a ‘customer’ come into your physical store, stand at the cash wrap station and ask you to run one card after another: one thousand, five thousand or ten thousand times.
Obviously you wouldn’t allow that in a face-to-face environment but, depending on how your website is set up, the bad guys could be doing that right now ‘in your store.’
Card tumbling (also called card testing, card enumeration or account testing) is when someone uses a legitimate merchant account (not their own) to run thousands of authorization attempts, one right after another. The attacker is checking which of the card numbers they hold are ‘good’ (still open and not yet flagged) so those can be sold on the dark web to other people who will commit fraud with those accounts.
Beyond the damage to the card processing ecosystem as a whole, the biggest direct cost to a merchant that suffers this type of attack is the transaction fee charged for each attempt. Individually, these fees may be only a few pennies, but multiplied by 10,000 or 20,000 attempts they add up to a big monthly bill on the merchant processing statement.
There are a number of ways to prevent this type of thing from happening to your website. The easiest is to add a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) to the checkout. This is the step where you, as a website visitor, have to read something on the page and retype it, or click on matching images. That extra step makes it much harder (though not impossible) for a bot to complete a transaction without a human in the loop.
Another way to restrict card tumbling is to measure velocity. Just as you wouldn’t allow one of your store clerks to try five or 10 different cards to complete a single sale, you can configure your shopping cart to limit the number of card attempts from the same computer (in practice, the same IP address or session) within a set timeframe (minutes, hours, days, etc.). If someone does get past your CAPTCHA, this stops them from tumbling a large number of cards against your merchant account.
There are a number of other measurements you can use through the back office tools of your website or shopping cart:
- Transaction alerts for a large number of failed attempts, regardless of which card number or IP address is generating them.
- Analyze the locations and time zones that transactions originate from. Most of these fraud attempts come from an IP address whose location is not consistent with your location or your usual customers’ location.
- Watch for matching data elements across transactions. For example, is the same email address being supplied for multiple transactions with different cards?
- Watch for authorization attempts for small dollar amounts ($1, $2 or $5). The bad guys just want to see if the card is ‘good’; they don’t want to trigger any fraud flags with the issuer.
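To make the velocity check and the warning signs in the list above concrete, here is an added example (not the processor’s own tooling) that runs those rules over a small authorization log. The log lines, the key=value format, the token names such as `tok_1111` and every threshold are constructed for illustration; the per-IP velocity limit catches the obvious burst from one address, while the global failure count (counted regardless of IP or card) also catches a second, quieter source that stays under the per-IP limit. The geolocation check is left out because it needs an external IP lookup.

```python
"""Card-testing (card tumbling) detector run over a constructed authorization log.

Added example, not the payment processor's own code. The thresholds below are
assumptions; tune them to your own traffic before relying on them.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (fake IPs, emails and card tokens): one authorization
# attempt per line. 203.0.113.5 is a noisy tester, 203.0.113.9 a quieter one,
# and the other two addresses are ordinary shoppers.
SAMPLE_LOG = """\
2024-05-01T10:00:01 ip=198.51.100.7 email=shopper@example.com card=tok_4242 amount=89.99 result=approved
2024-05-01T10:00:05 ip=203.0.113.5 email=x@mailinator.test card=tok_1111 amount=1.00 result=declined
2024-05-01T10:00:09 ip=203.0.113.5 email=x@mailinator.test card=tok_2222 amount=1.00 result=declined
2024-05-01T10:00:13 ip=203.0.113.5 email=x@mailinator.test card=tok_3333 amount=1.00 result=approved
2024-05-01T10:00:17 ip=203.0.113.5 email=x@mailinator.test card=tok_4444 amount=1.00 result=declined
2024-05-01T10:00:21 ip=203.0.113.5 email=x@mailinator.test card=tok_5555 amount=1.00 result=declined
2024-05-01T10:00:25 ip=203.0.113.5 email=x@mailinator.test card=tok_6666 amount=1.00 result=declined
2024-05-01T10:01:02 ip=203.0.113.9 email=y@mailinator.test card=tok_7001 amount=2.00 result=declined
2024-05-01T10:01:06 ip=203.0.113.9 email=y@mailinator.test card=tok_7002 amount=2.00 result=declined
2024-05-01T10:01:10 ip=203.0.113.9 email=y@mailinator.test card=tok_7003 amount=2.00 result=declined
2024-05-01T10:15:40 ip=192.0.2.33 email=other@example.com card=tok_8888 amount=45.00 result=declined
2024-05-01T10:16:02 ip=192.0.2.33 email=other@example.com card=tok_8888 amount=45.00 result=approved
"""

# Assumed thresholds (illustrative only).
WINDOW = timedelta(minutes=10)
MAX_ATTEMPTS_PER_IP = 5     # velocity: attempts from one IP inside WINDOW
MAX_CARDS_PER_EMAIL = 3     # one email address presented with many different cards
MAX_FAILURES_GLOBAL = 5     # declines across ALL IPs and cards inside WINDOW
SMALL_AMOUNT = 5.00         # $1-$5 "is this card good?" probes
MIN_SMALL_PROBES = 3        # how many small-amount attempts from one IP before alerting


def parse_log(text):
    """Parse the key=value log format into dicts sorted by timestamp."""
    attempts = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        rec["amount"] = float(rec["amount"])
        attempts.append(rec)
    return sorted(attempts, key=lambda r: r["ts"])


def sliding_count_exceeds(timestamps, limit, window):
    """True if more than `limit` events fall inside any span of length `window`."""
    recent = deque()
    for t in sorted(timestamps):
        recent.append(t)
        while recent and t - recent[0] > window:
            recent.popleft()
        if len(recent) > limit:
            return True
    return False


def detect_card_testing(attempts):
    """Return {rule name: [offending IPs / emails]} for the rules in the article."""
    findings = defaultdict(list)
    times_by_ip = defaultdict(list)
    cards_by_email = defaultdict(set)
    small_probes_by_ip = defaultdict(int)
    failure_times = []

    for a in attempts:
        times_by_ip[a["ip"]].append(a["ts"])
        cards_by_email[a["email"]].add(a["card"])
        if a["amount"] <= SMALL_AMOUNT:
            small_probes_by_ip[a["ip"]] += 1
        if a["result"] != "approved":
            failure_times.append(a["ts"])

    # Velocity: too many attempts from one source inside the window.
    for ip, times in times_by_ip.items():
        if sliding_count_exceeds(times, MAX_ATTEMPTS_PER_IP, WINDOW):
            findings["velocity_per_ip"].append(ip)
    # Matching data elements: the same email reused across many different cards.
    for email, cards in cards_by_email.items():
        if len(cards) > MAX_CARDS_PER_EMAIL:
            findings["many_cards_one_email"].append(email)
    # Small-dollar authorizations used to probe whether a card is live.
    for ip, n in small_probes_by_ip.items():
        if n >= MIN_SMALL_PROBES:
            findings["small_amount_probes"].append(ip)
    # Failure burst counted regardless of IP or card, which still fires when the
    # testing is spread across addresses that each stay under the per-IP limit.
    if sliding_count_exceeds(failure_times, MAX_FAILURES_GLOBAL, WINDOW):
        findings["failure_burst"].append("all-sources")
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"{rule}: {', '.join(hits)}")
```

Run against the sample log, only 203.0.113.5 trips the per-IP velocity limit; 203.0.113.9 stays under it with three attempts but is still caught by the small-amount rule and contributes to the global failure burst, which is the reason the alert in the first bullet is counted regardless of card or IP.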
These fraud protections only work if you have turned them on in your website back office tools. Because of this, protect your login credentials and use multi-factor authentication (MFA) for logging into the administrative portion of your website. Just like your physical store, your virtual store needs to be secured, and you need to control access to the ‘office.’
You should also make sure that any staff who have login credentials are aware of phishing and trained to recognize it. They need to protect those credentials to keep the bad guys out.
You also need to make sure that your web developer is applying all of the appropriate security patches in a timely fashion.
During a conversation with a merchant, we discovered that they had a missing website ‘patch’ that allowed someone to get into their back office and change the price of an item, which they then purchased online at a severe discount. This is the digital equivalent of changing the price tag before the clerk rings up the order. Thankfully, they had just set their website up and were watching the transaction process very closely, and they were able to stop the order before shipping.
While it is great to have a second sales channel (your website), you need to always think of it as an additional store front. That additional location has the same risks and security concerns as your primary store.
As always, if we can help you with this type of issue, or any other payment processing issue, please feel free to contact our team.