By Rafael Lourenco
Stolen credit card data is big business, and it’s no secret that criminals use this information to target online retailers by making fraudulent purchases and then re-selling the merchandise. What’s less widely known is how small mom-and-pop businesses and charities fall victim to the same criminals who go after big retailers. These small entities can least afford the damage fraudsters can cause, but they’re also the most vulnerable to a particular kind of fraud known as card testing. Here’s what every non-profit organization and small business should know about this common and disruptive type of fraud.
What is card-testing fraud?
When criminals buy stolen card data on the dark web, there’s no guarantee that the card numbers are still valid, and the card data is often incomplete. It may be missing card verification values (the 3-digit security numbers on the back of each card), name and address information, and other key information that large retailers use to screen orders for fraud.
Without this information, criminals have to guess until they get it right for each card number. So they “test” by placing small orders with small online retailers or making donations to charities to see if the CVVs and billing zip codes they guess at are the right ones. When they find a match that results in a purchase or donation, they use that card and tested data to go after bigger retail targets.
Why do card testers target small businesses and charities?
In short, they do it because they’re most likely to get away with it. Major retailers, and even many small to midsize online sellers, have in-house and/or third-party fraud detection services to screen their transactions. Many also follow best practices that limit the number of times a customer or donor can enter card information incorrectly before the order is closed.
Many new and small businesses mistakenly think they’re too small for criminals to notice, or they’re unaware that this type of fraud exists, so they go without fraud prevention programs. Charities, meanwhile, must balance the need to make giving easy for donors with the need to prevent fraudulent gifts that can skew budget planning and incur costly bank fees.
If the amounts are small, why does it matter?
Fake $5 donations and fraudulent $3 purchases are just the tip of the fraud-loss iceberg. When the owner of the stolen card number reports the fraud, the small business or charity loses the transaction amount plus a chargeback fee of up to $100 for each fraudulent transaction. Worse, these purchases aren’t usually isolated incidents perpetrated by people sitting at keyboards. Modern fraudsters use bots and scripted attacks to run what security firm ThreatMetrix describes as mass testing sessions. In the second quarter of 2016 alone, the company detected more than 400 million such bot attacks worldwide.
Think of the damage that a rapid-fire series of small fake purchases or donations can inflict on a business or nonprofit with a tiny budget and no reserves to cover multiple chargeback fees. In the worst-case scenario, a small merchant’s or nonprofit’s chargeback ratio can rise to the point where card companies and processors label them high risk, leading to account termination and the end of the business.
How can charities and small businesses guard against card-testing fraud?
There are specific steps small businesses and nonprofits can take to protect their transactions. One step is setting up the checkout process to limit the number of data entry attempts a customer can make, especially with respect to the CVV and billing zip code. Another is limiting the number of purchases or donations a customer can make within a short time, especially if they use different card numbers. Multiple orders by different customers placed on the same computer or device are a red flag, as well. Another security best practice is contacting customers or donors by phone when an order raises red flags. These steps will help in the short run.
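The checks described above can be expressed as a few sliding-window rules over checkout attempts. The following is an added example, not code from the article or from ClearSale; the field names, the choice to key every rule on a device identifier, and the thresholds are assumptions to tune against your own traffic.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for illustration, not values from the article.
WINDOW_SECONDS = 600      # sliding window shared by all three rules
MAX_FAILED_ENTRIES = 3    # wrong CVV / billing zip entries allowed per device
MAX_CARDS = 2             # distinct cards allowed per device
MAX_CUSTOMERS = 1         # distinct customer names allowed per device


def review_attempts(attempts):
    """Return {device_id: sorted list of rule names that device tripped}.

    Each attempt is a dict with ts (epoch seconds), device, customer,
    card (a token or hash, never the raw card number) and ok (True when
    the CVV and billing zip were accepted).
    """
    recent = defaultdict(deque)   # device -> attempts still inside the window
    flags = defaultdict(set)
    for a in sorted(attempts, key=lambda a: a["ts"]):
        window = recent[a["device"]]
        window.append(a)
        # Drop attempts that have aged out of the sliding window.
        while window[0]["ts"] <= a["ts"] - WINDOW_SECONDS:
            window.popleft()
        if sum(1 for w in window if not w["ok"]) > MAX_FAILED_ENTRIES:
            flags[a["device"]].add("too_many_failed_entries")
        if len({w["card"] for w in window}) > MAX_CARDS:
            flags[a["device"]].add("many_cards_one_device")
        if len({w["customer"] for w in window}) > MAX_CUSTOMERS:
            flags[a["device"]].add("many_customers_one_device")
    return {device: sorted(rules) for device, rules in flags.items()}


# Constructed sample data: device "d1" makes five attempts in two minutes
# with different cards and names; device "d2" is one donor who mistypes a
# CVV once and then succeeds.
SAMPLE = [
    {"ts": 0,   "device": "d1", "customer": "a", "card": "tok1", "ok": False},
    {"ts": 20,  "device": "d1", "customer": "a", "card": "tok1", "ok": False},
    {"ts": 45,  "device": "d1", "customer": "b", "card": "tok2", "ok": False},
    {"ts": 70,  "device": "d1", "customer": "c", "card": "tok3", "ok": False},
    {"ts": 110, "device": "d1", "customer": "c", "card": "tok3", "ok": True},
    {"ts": 30,  "device": "d2", "customer": "z", "card": "tok9", "ok": False},
    {"ts": 90,  "device": "d2", "customer": "z", "card": "tok9", "ok": True},
]

if __name__ == "__main__":
    print(review_attempts(SAMPLE))
```

A flagged device is a candidate for the phone follow-up mentioned above or for blocking further attempts; the single mistyped CVV on "d2" trips no rule.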
Over the long term, because online fraud is evolving rapidly, it’s a good idea to follow e-commerce fraud news and know about the latest emerging threats. The ultimate security step is finding cost-effective fraud-prevention experts to screen orders and donations based on the most up-to-date fraud insights.
Rafael Lourenco is the VP of US Operations at ClearSale, a Card-Not-Present fraud prevention operation that protects e-commerce merchants against chargebacks. The company’s flagship product, Total Guaranteed Protection, is an end-to-end outsourced fraud detection solution for online retailers. Follow on Twitter at @ClearSaleUS or visit http://clear.sale/