When you’ve got something hot like stolen credit card numbers, you have only a brief opportunity to cash in before they go cold.
Manually sifting through hundreds, even thousands, of card accounts bought in bulk can take more time than criminals have, which is why they increasingly are relying on credit card testing. By loading card-account data into automated programs instructed to attempt small-dollar purchases, criminals can quickly test for which accounts are still active and use them to make larger purchases before the rightful cardholders close the accounts, rendering the stolen data worthless.
These days, card testing is proving to be such an effective tactic that its use is exploding. During 2017’s first quarter, credit card testing increased 200% compared to the same period in 2016, according to a study by Radial, a King of Prussia, Pa.-based omnichannel technology provider.
“Fraud rings are investing in racks of servers and developing software bots and scripts that they can use to quickly test large batches of stolen card accounts,” says Michael Graff, risk analytics manager for Radial. “For fraudsters, turning a profit depends on finding card accounts they can use to purchase items that can be turned into cash.”
Internet bots and scripts are software programs that perform simple and structurally repetitive tasks at lightning speed, such as attempting hundreds of payment card purchases online in minutes.
Criminals favor items that can be quickly sold for cash, including consumer electronics, gift cards, sporting goods, and jewelry. “But criminals will target any merchant segment carrying merchandise they think they can resell,” Graff says.
While criminals favor e-commerce merchants for card testing because the card-not-present environment has weaker defenses than the card-present channel, card testing also is a growing problem among charities.
“Charitable organizations tend to put up fewer barriers to fraud because they don’t want to decline the donation,” says Julie Conroy, research director for Boston-based Aite Group. “It’s leading to a lot of pain for them because of an increase in chargebacks.”
Combatting test transactions is a tricky business. One stumbling block merchants want to avoid is implementing rules so draconian they wind up rejecting a significant percentage of legitimate transactions that appear suspect at first glance. To avoid these so-called false positives, Graff recommends merchants supplement fraud-detection technologies with human analysts to review transactions that may fall into the gray area between fraudulent and non-fraudulent transactions.
Some mobile carriers, for example, will use the same Internet Protocol (IP) address to connect mobile users to a merchant’s Web site, which can make that traffic appear like an automated fraud attack.
“Without an analyst to review the traffic, the merchant’s fraud-prevention rules may reject those transactions even though they are legitimate,” Graff says. “Merchants can’t afford to turn down good business, because it can hurt customer loyalty too.”
False positives across all merchant categories in the United States totaled $264 billion in 2016, Conroy says. In addition, the approval rate for card-not-present transactions is 80% to 85%, compared to 97% in the card-present world.
“There’s a lot of room to improve sales in the card-not-present world by reducing false positives,” Conroy says.