What is Card Testing?


Card testing, also known as card checking, is a form of fraud where criminals try to determine if stolen credit card information is valid by making small purchases or attempting to authorize a transaction. Card testers prefer authorizations, which are less likely to be noticed by cardholders. They also use payments but typically choose small transactions to avoid detection. As a result, businesses that facilitate small-value purchases and donation pages are vulnerable targets for card testers.

Impacts

Card testing has become more prevalent in recent years with businesses shifting their operations online. The consequences of card testing can be severe and include disputes, higher decline rates, additional fees, infrastructure strain and damage to the overall health of the payment ecosystem. Disputes occur when customers notice successful payments and report them as fraud. This results in costly and time-consuming resolution processes for merchants. Higher decline rates can also harm the reputation of a business with card issuers and networks, making all of its transactions appear riskier, which can lead to more legitimate payments being declined.

Additionally, network fees for each transaction can add up quickly when a site is used for thousands or millions of card tests. In just a few hours, small merchants can be financially devastated by card testing.

How Do Criminals Obtain Stolen Credit Cards?

There are several ways cybercriminals can obtain stolen credit card numbers, including, but not limited to, the following:

  • Phishing scams: Cybercriminals send out phishing emails or create fake websites that look like legitimate businesses to trick people into entering their credit card information.
  • Data breaches: Hackers break into a company’s databases and steal sensitive information, including credit card numbers.
  • Skimming: Criminals install skimming devices on payment terminals, such as ATMs or point-of-sale machines, to steal credit card information as it’s being entered.
  • Malware: Criminals use malware, such as information stealers, to infect a person’s computer and steal stored credit card information.
  • Dark web marketplaces: Stolen credit card information is bought and sold on the dark web, which is not indexed by search engines and is only accessible by using specialized software.
  • Social engineering: Criminals trick an employee of a business or financial institution into giving them access to credit card information.

Keep in mind that credit card information can also be compromised by insiders, such as employees, contractors or third-party companies that have access to credit card information. Businesses must implement strong security measures to protect customer credit card information and detect suspicious activity.

Recent Examples of Card Testing

In recent years, there have been several high-profile instances of card testing fraud attacks. The example below demonstrates the seriousness and prevalence of this fraud and the need for online businesses to take proactive measures to protect themselves and their customers before disaster strikes.

Powell Lacrosse

In December 2022, a Central New York-based lacrosse supply store called Powell Lacrosse was targeted by a card testing attack. The store received 22,000 orders over the New Year’s holiday, mainly for the same item that was priced at $12.71. The suspicious orders flooded the store on Friday, December 30th and only about 2,000 of the 22,000 orders were legitimate. This resulted in the store and its employees losing a significant amount of time answering phone calls from people seeking refunds. According to store owner Ryan Powell, most of the affected people used the same bank and were not existing customers.

How to Mitigate Card Testing Attacks

To safeguard your business from card testing fraud, it is essential to implement various protective measures. These include using fraud detection tools, regularly monitoring your account for unusual activities, implementing security measures like web application firewalls (WAF) and bot management and utilizing a payment gateway to provide an added layer of security for your transactions.

WAF combined with a good bot management solution effectively prevents card testing fraud by monitoring and screening transactions to a website or web application. It detects and blocks suspicious activity by analyzing network traffic for patterns associated with card testing fraud and distinguishing between humans and bots, both good and bad.

An adequate protection solution should provide:

  • Traffic Analysis: analyze traffic to detect patterns indicative of card testing fraud. Examples include a large number of requests coming from the same IP address, or a large number of requests for the same item with small amounts.
  • Signature-based detection: detect and block requests that match a specific signature or pattern. This can be used to block requests known to be associated with card testing fraud.
  • Behavioral Analysis: use machine learning algorithms to analyze incoming traffic and detect behavior patterns indicative of card testing fraud. This can include analyzing the timing and frequency of requests, as well as the types of requests being made, to identify and block suspicious activity and users.
  • IP blocking: block traffic from specific IP addresses or ranges. This can be used to block traffic from known card-testing bots, anonymous proxies or from IP addresses that have been associated with previous instances of card-testing fraud.
  • Bot detection: ensure that the user is human and not a bot. CAPTCHA is a typical first barrier that is easy to implement. Just remember that more sophisticated bots are able to solve CAPTCHAs faster and more accurately than humans.
  • Geo-blocking: block traffic from specific countries or regions. If you are a local store (a pizza delivery shop, for example), you would not expect an order coming from outside the country.

By implementing and combining these methods, a WAF and bot management solution can be an effective tool for blocking card testing fraud. Together they detect and block suspicious activity before it causes harm to merchants, card networks and payment infrastructure.
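An added example (not from the original article or from any Radware product) of the traffic-analysis checks listed above: a sliding-window pass over payment attempts that flags an IP cycling through many cards and an item receiving a burst of small-value orders. The thresholds, field names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 600          # assumed sliding window, in seconds
MAX_PER_IP = 5          # assumed limit: attempts per IP per window
MAX_CARDS_PER_IP = 3    # assumed limit: distinct cards per IP per window
MAX_SMALL_PER_ITEM = 8  # assumed limit: small orders of one item per window
SMALL_AMOUNT = 20.00    # assumed ceiling for a "small" order


def detect(attempts):
    """Return (flagged_ips, flagged_items) for attempts sorted by timestamp.

    Each attempt is (ts, ip, card, item, amount). `card` is assumed to be a
    processor-issued token or fingerprint, never the card number itself.
    """
    by_ip = defaultdict(deque)    # ip -> recent (ts, card) pairs
    by_item = defaultdict(deque)  # item -> timestamps of recent small orders
    bad_ips, bad_items = set(), set()
    for ts, ip, card, item, amount in attempts:
        q = by_ip[ip]
        q.append((ts, card))
        while q[0][0] <= ts - WINDOW_S:   # drop entries older than the window
            q.popleft()
        if len(q) > MAX_PER_IP or len({c for _, c in q}) > MAX_CARDS_PER_IP:
            bad_ips.add(ip)
        if amount <= SMALL_AMOUNT:
            s = by_item[item]
            s.append(ts)
            while s[0] <= ts - WINDOW_S:
                s.popleft()
            if len(s) > MAX_SMALL_PER_ITEM:
                bad_items.add(item)
    return bad_ips, bad_items


def sample_attempts():
    """Constructed sample records, not real traffic."""
    rows = [
        (0, "192.0.2.10", "card-A", "SKU-2000", 89.00),
        (30, "192.0.2.10", "card-A", "SKU-2000", 89.00),   # shopper retrying
        (400, "192.0.2.44", "card-B", "SKU-1001", 12.71),  # genuine small order
    ]
    # One IP cycling through six different cards within a minute.
    rows += [(100 + 10 * i, "203.0.113.7", f"card-X{i}", "SKU-3000", 45.00)
             for i in range(6)]
    # Rotating IPs, one card each, all ordering the same cheap item.
    rows += [(200 + 15 * i, f"198.51.100.{i + 1}", f"card-Y{i}", "SKU-1001", 12.71)
             for i in range(10)]
    return sorted(rows)


if __name__ == "__main__":
    print(detect(sample_attempts()))
```

In the sample, the rotating-IP run never trips a per-IP limit and is caught only by the per-item counter, which is why the per-IP and per-item checks are combined rather than used alone.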

Closing Thoughts

Card testing fraud is a serious issue that affects the entire payments ecosystem. Merchants must understand how it works and proactively protect themselves and their businesses. You can reduce the risk of card testing fraud by using fraud detection tools, regularly monitoring your account for unusual activities, implementing security measures like WAF and Bot Management and utilizing a payment gateway. It’s also essential to stay up-to-date with the latest trends regarding fraudulent techniques and tactics leveraged by malicious actors.

Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.
