Criminals purchasing stolen credit card data know they have a short window of opportunity to cash in before the accounts are shut down. Manually sifting through the hundreds, even thousands, of accounts bought in bulk can take more time than criminals have, which is why they are increasingly relying on credit card testing. By loading card accounts into automated programs instructed to attempt small-dollar purchases, criminals can quickly test which accounts are still active and use them to make larger purchases before the accounts are closed and become worthless.
These days, card testing is proving to be such an effective tactic that its use is exploding. During the first quarter of 2017, credit card testing increased two-fold compared to the same period in 2016, according to a study by Radial, a King of Prussia, Pa.-based omnichannel technology provider.
“Fraud rings are investing in racks of servers and developing software bots and scripts that they can use to quickly test large batches of stolen card accounts,” says Michael Graff, risk analytics manager for Radial. “For fraudsters, turning a profit depends on finding card accounts they can use to purchase items that can be turned into cash.”
Internet bots and scripts are software programs that perform simple and structurally repetitive tasks at lightning speed, such as attempting hundreds of credit card purchases online in minutes.
Merchandise favored by criminals includes consumer electronics, gift cards, sporting goods, and jewelry. “But criminals will target any merchant segment carrying merchandise they think they can resell,” Graff says.
While criminals favor e-commerce merchants for card testing because the card-not-present environment has fewer barriers to fraud, card testing is also a growing problem among charities.
“Charitable organizations tend to put up fewer barriers to fraud because they don’t want to decline the donation,” says Julie Conroy, research director for Boston-based Aite Group. “It’s leading to a lot of pain for them because of an increase in chargebacks.”
Chargebacks resulting from card testing can not only drive up merchants’ interchange fees, they can also damage the merchant’s brand. Consumers who are victims of card tests are inclined to develop a negative opinion of the merchant’s ability to detect and prevent fraud, which can prompt them to take their business elsewhere, Graff says.
Even if a consumer does not shop with the merchant, he may still be inclined to spread negative opinions of the merchant to others through word of mouth or social-media channels, Graff adds.
Combatting test transactions is a tricky business. One stumbling block merchants want to avoid is implementing rules so draconian that they wind up rejecting a significant percentage of legitimate transactions that appear suspect at first glance. To avoid these false positives, Graff recommends merchants supplement fraud-detection technologies with human risk analysts who review transactions that fall into the gray area between fraudulent and non-fraudulent.
Some mobile carriers, for example, will use the same IP address to connect mobile users to a merchant’s Web site, which can make that traffic appear like an automated fraud attack. “Without an analyst to review the traffic, the merchant’s fraud prevention rules may reject those transactions even though they are legitimate,” Graff says. “Merchants can’t afford to turn down good business, because it can hurt customer loyalty too.”
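The gray-area handling described above, sketched as an added example (not code from Radial or from this article): a per-IP rule that rejects only when several signals agree and routes ambiguous shared-IP traffic to an analyst instead. The thresholds, the field layout, and the use of decline ratio as a signal are assumptions, and the sample attempts are constructed.

```python
from collections import defaultdict

# All thresholds below are assumptions for illustration, not values from the article.
SMALL_AMOUNT = 5.00    # ceiling for a "small-dollar" purchase
MIN_CARDS = 5          # distinct cards from one IP before the rule engages
SMALL_SHARE = 0.8      # share of small-dollar attempts that looks like testing
DECLINE_SHARE = 0.5    # share of declined attempts that looks like testing

def build_sample():
    """Constructed attempts: (source_ip, card_token, amount_usd, approved)."""
    # Six different cards, $1.00 each, mostly declined: the card-testing shape.
    bot = [("203.0.113.10", f"t{i}", 1.00, i == 3) for i in range(1, 7)]
    # Six different cards behind one carrier gateway IP, ordinary basket sizes.
    amounts = [42.50, 18.99, 120.00, 64.00, 3.50, 75.25]
    carrier = [("198.51.100.7", f"m{i}", amt, i != 2)
               for i, amt in enumerate(amounts, 1)]
    # One household, one card, two purchases.
    home = [("192.0.2.55", "h1", 30.00, True), ("192.0.2.55", "h1", 12.00, True)]
    return bot + carrier + home

def triage(attempts):
    """Return {ip: 'approve' | 'review' | 'reject'} for a batch of attempts."""
    by_ip = defaultdict(list)
    for ip, card, amount, approved in attempts:
        by_ip[ip].append((card, amount, approved))

    verdicts = {}
    for ip, rows in by_ip.items():
        cards = {card for card, _, _ in rows}
        if len(cards) < MIN_CARDS:
            verdicts[ip] = "approve"
            continue
        small = sum(1 for _, amt, _ in rows if amt <= SMALL_AMOUNT) / len(rows)
        declined = sum(1 for _, _, ok in rows if not ok) / len(rows)
        # Many cards on one IP is only a hint (carrier gateways do it too);
        # reject only when amount and decline patterns agree, else escalate.
        if small >= SMALL_SHARE and declined >= DECLINE_SHARE:
            verdicts[ip] = "reject"
        else:
            verdicts[ip] = "review"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in triage(build_sample()).items():
        print(ip, verdict)
```

A rule that rejected on card count per IP alone would have blocked the carrier gateway's six legitimate buyers; here that traffic lands in the analyst queue.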
False positives across all merchant categories in the United States totaled $264 billion in 2016, Conroy says. In addition, the approval rate for card-not-present transactions is 80% to 85%, compared to 97% in the card-present world.
“There’s a lot of room to improve sales in the card-not-present world by reducing false positives,” Conroy says.