Stolen credit card data is regularly sold in bulk to people looking to score expensive purchases at your expense. After purchasing this data, fraudsters will look for ways to test their cards to see which ones actually work. Very few of the stolen cards will work, but that’s okay because fraudsters only need one or two working cards to start their shopping spree.
Two Types of Ecommerce Credit Card Fraud
the big, big purchase
Any e-commerce store can be a target of stolen card use. If you sell expensive consumer electronics like computers and HDTVs, you’re likely to be targeted for use of one of these few stolen credit cards that actually work. This is the type of fraud that, as store owners, we’re all on the lookout for. This is the $2,000 purchase shipped with overnight delivery to a shipping address that is different from the billing address.
With an understanding of AVS responses and credit card declines, the fraudster will likely use the correct billing address while shipping to an address where they can access the shipment. Fortunately, store owners have been programmed – either through education or through being victimized – to look out for these suspicious orders.
credit card testing
If your store sells small and inexpensive items like keychains, stickers, and trinkets, then you are not likely to be the victim of one of these large orders paid for by a stolen card. Who needs 800 disco ball keychains shipped across the country on the next business day anyway? That said, your store can be the testing ground for vetting these stolen cards.
This fraud is much harder to spot because the goal isn’t to have you ship a huge order. The goal is to identify a working credit card by having an order created. You aren’t going to spot these with a simple glance at your orders, or a more thorough look at the billing and shipping addresses. In fact, many orders generated as a result of card-testing use the addresses associated with the card because, why unnecessarily raise a red flag by using a different shipping address?
So how do we spot credit card testing if the result is a small unambiguous order that passes AVS and ships to the billing address? To find these, we go to the payment gateway and look at raw order attempts. Take a look at the screenshot below.
[Screenshot: raw authorization attempts in the payment gateway, captioned “Raw Onion Diner” and “no aid or winner :(”]
Aside from Irwan Noordien being an anagram for “Raw Onion Diner” and “No Aid or Winner” what looks suspicious here?
First, we have 10 authorization attempts within 30 minutes, some of which are just two minutes apart. Next we see the card type switch from VISA, to MasterCard, and then back to VISA. Finally we see all of the orders having a “Failed” status. Not “Review,” or “Partial Match,” but “Failed.” A total failure on a credit card authorization attempt almost always means that the account has been suspended or disabled, usually for fraud or because it was reported lost or stolen. Taking a closer look at one of these orders reveals more information…
There we go: “Do Not Honor.” So here we have someone testing a stolen card, finding that it’s already been disabled, and moving on to another card.
Not easily discouraged, our fraudster comes back a week and a half later and gets what he’s looking for after only 4 attempts in 4 minutes – an “Authorized” transaction. He doesn’t care where this little $65 order goes to or if it ever makes it out of the store owner’s warehouse. All he cares about is finding a working credit card number and billing address. Now he can get that $2500 3D TV shipped overnight.
Protecting Your Store from Credit Card Testing
Bad news: there is no way to prevent people from testing their collection of recently purchased stolen credit card data on your ecommerce store. :( Your best defense in this case is to be educated on the matter, which hopefully you now are. Consider these tips:
1) Scan through your authorizations and look for attempts that stand out in frequency, quantity, and changing card type.
2) Make this part of your daily routine.
3) Reject identified fraudsters by canceling orders, disabling accounts, and banning IP addresses.
4) Send cancellation emails to let fraudsters know that you know what’s going on, and that your store is not a safe place for testing stolen credit cards.
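The scan in tip 1 can be run automatically over an export of raw authorization attempts. The Python sketch below is an added example, not code from this article or from any payment gateway: the row layout (timestamp, source IP, card type, status), the sample rows, and the 30-minute / 4-attempt thresholds are assumptions modeled on the two incidents described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (timestamp, source IP, card type, gateway status).
# This layout is an assumption, not a real gateway export format.
_types = ["VISA"] * 4 + ["MasterCard"] * 3 + ["VISA"] * 3
SAMPLE = [(f"2024-01-05 10:{m:02d}", "203.0.113.7", t, "Failed")
          for m, t in zip(range(0, 30, 3), _types)]          # 10 failures in 27 min
SAMPLE += [(f"2024-01-16 21:{m:02d}", "198.51.100.23", "VISA", s)
           for m, s in enumerate(["Failed", "Failed", "Failed", "Authorized"])]
SAMPLE += [("2024-01-16 09:15", "192.0.2.44", "VISA", "Failed"),   # honest typo,
           ("2024-01-16 09:17", "192.0.2.44", "VISA", "Authorized")]  # then success

def flag_card_testing(rows, window=timedelta(minutes=30), min_attempts=4):
    """Return {source: finding} for sources with a burst of authorization attempts."""
    by_source = defaultdict(list)
    for ts, source, card_type, status in rows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_source[source].append((when, card_type, status))

    findings = {}
    for source, attempts in by_source.items():
        attempts.sort(key=lambda a: a[0])
        start = 0
        for end, (when, _, status) in enumerate(attempts):
            # Slide the window so it only covers attempts within `window` of this one.
            while when - attempts[start][0] > window:
                start += 1
            burst = attempts[start:end + 1]
            if len(burst) < min_attempts:
                continue
            types = [card for _, card, _ in burst]
            failed = sum(1 for _, _, s in burst if s == "Failed")
            f = findings.setdefault(source, {"attempts": 0, "failed": 0,
                "card_type_switches": 0, "authorized_after_failures": False})
            if len(burst) > f["attempts"]:  # keep the largest burst seen
                f["attempts"], f["failed"] = len(burst), failed
                f["card_type_switches"] = sum(a != b for a, b in zip(types, types[1:]))
            # A success right after failures means a working card was found.
            if status == "Authorized" and failed:
                f["authorized_after_failures"] = True
    return findings

if __name__ == "__main__":
    for source, finding in flag_card_testing(SAMPLE).items():
        print(source, finding)
```

A source flagged with `authorized_after_failures` is the case to act on first, since that order is the one a tester was waiting for.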