Back to Blog
Attack Prevention

How to Defend Your Organization Against a Card Testing Attack

May 13, 2022

eCommerce grew significantly in the aftermath of 2020 and the global pandemic. Unfortunately, so did financial fraud and payment-card-testing attacks.

In a recent report covered by PYMNTS, eCommerce growth accounted for nearly half of all retail growth in the United States over the first half of 2020. eCommerce sales were up 68% as of May 1, surpassing 40% of total retail sales.  

Regrettably, this unprecedented growth of eCommerce has fueled a similar expansion of financial fraud. Malicious actors are increasingly targeting eCommerce apps and websites to steal gift or stored value cards, pilfer account details, process fake returns, and commit a host of other fraudulent activities. One of the lesser-known but growing attacks is card testing.

Card testing happens when a fraudster uses a merchant’s website to “test” stolen credit card information to determine if the card is still valid. This is typically done via automated bots running stolen credit numbers through a merchant’s checkout page. If the merchant approves a transaction, the fraudster knows that the card is valid and that it can be used to make fraudulent high-value purchases elsewhere.

When this happens, the merchant is left with a high number of disputes, chargeback fees, and  interchange or authorization fees.

Card testing has become such a problem that all companies with eCommerce capabilities need to guard against it – even, and maybe in particular, SMBs.

Inside a Card Testing Attack

Card testing attacks are similar to a Primary Account Number (PAN) enumeration attacks although there are significant differences which make Card Testing dramatically more damaging than PAN attacks.

According to Privacy Today, a PAN attack begins when a malicious actor identifies an eCommerce website with unsophisticated rate limiting measures in place. Having found such a site, the attacker attempts to make low-dollar purchases to avoid triggering alerts. The attacker systematically inserts enumerated payment card values such as Primary Account Number (PAN), card verification value (CVV2), and expiration dates, hoping to derive valid numbers. Unless the attacker is detected and blocked, this process repeats until a working set of numbers are generated and the purchase succeeds. Using this procedure, an attacker can potentially obtain valid credit card credentials.  

In card testing attacks, malicious actors steal, or more often, purchase stolen credit card credentials from other cybercriminals or via the dark web. Armed with allegedly working credentials, attackers don’t need to systematically guess valid payment card numbers. They just need to see if the card is still operational, and card testing does exactly that.  

Once an attacker confirms that the credentials are valid, he can use the card to purchase high-end merchandise, or sell the credentials to other cybercriminals at a high price.

Sadly, a merchant that experiences a payment card testing attack is often left with an infuriating amount of payment disputes to resolve and chargeback fees to pay.  

SMBs and Large Enterprises at Risk of Attack

Malicious actors frequently target small and medium-sized businesses (SMBs) as their primary card testing victims. As noted by International Payments, such smaller organizations often lack rate limiting measures and other technologies to protect against automated attacks (bots), or other attacks. An organization’s failure to implement appropriate protection may be the result of limited resources. Or, it might be due to a lack of awareness or believing that they’re not large enough to be targeted.

However, SMBs aren’t the only card testing targets. Any organization that fails to implement adequate protection is at risk, including the largest of enterprises.  

Principles in Defending Against a Card Testing Attack

There are a number of telltale signs and key indicators that show fraudulent card testing is occurring. As stated by JPMorgan, some of these key indicators include:

  • An unusually high card authorization volume for low dollar amounts in rapid succession
  • A high volume of identical authorization requests
  • A sharp increase in declines and specific decline codes
  • A big increase in issuing bank/payment brand authorization mismatches

To spot these warning signs, organizations must apply protection technology and gateway solutions that can detect anomalies in these and other areas, and raise appropriate alerts.

Because a high percentage of fraudsters use automated attacks or bots to carry out their attacks, deploying advanced bot detection is also extremely important.

How hCaptcha Protects You From Card Testing Attacks

hCaptcha offers unparalleled, machine learning powered fraud detection solutions to protect online properties from sophisticated, automated attacks including card testing. Unlike other solutions, hCaptcha maintains broad privacy and security compliance for its customers and their end-users while leveraging a rapidly deployable, modern and scalable architecture to deliver security with minimal friction.

Click here to learn more about hCaptcha’s Enterprise Solution.

Subscribe to our newsletter

Stay up to date on the latest trends in cyber security. No spam, promise.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Back to blog