As technology advances, internet bot activity — both good and bad — is growing. Unfortunately, advanced bots have made it easier for fraudsters to commit crimes. According to the 2023 Imperva Bad Bot Report, 22.7 percent of all internet traffic on e-commerce and retail websites in the prior year was attributable to bad bots. Because bot traffic affects many verticals, small and midsize businesses (SMBs) need to understand the potential threats posed by bots. Here’s a look at bot-driven credit card testing fraud, how these attacks work, and how you can protect your business and customers from this e-commerce threat.
Credit card testing fraud, also known as carding and card cracking, is when cybercriminals make a small online purchase to test whether a stolen credit card number is valid.
Credit card testing often goes unnoticed by fraud-detection solutions and is usually discovered only when it’s too late. Without proper measures in place, credit card testing fraud can be costly and damaging to both SMBs and cardholders.
Fraudsters can potentially abuse any user-related function on your company’s website, such as the ability to enable payments. Once the scammer purchases a list of stolen credit card numbers, they test them to see which ones are valid by making small transactions on unsuspecting e-commerce sites.
Fraudsters can enable bots to do this work efficiently. A bot can automatically submit orders on multiple websites to check credit card validity much faster than a fraudster inputting card numbers one by one could.
The fraudster’s end goal is to find valid credit cards they can use to make large online purchases or sell the list of validated credit cards to other cybercriminals.
In 2019, a carding bot called the Canary Bot was discovered by PerimeterX, a provider of solutions designed to curb online fraud. The Canary Bot was designed to target e-commerce platforms. Mimicking a real shopper, the bot added products to an online shopping cart, set shipping information and completed the sale on multiple businesses within the platform.
The bot was discovered because its pattern differed from that of human shoppers. For example, activity increased before the holiday shopping season, which isn’t typical, since people usually wait for sales. The bot’s transactions also didn’t follow the usual human shopping time patterns; instead, the transactions happened randomly throughout the day.
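The same idea, spotting activity that does not look like a human shopper, can be applied to your own order log. The following is an added example, not code from PerimeterX or any payment provider: it flags any client that tries more than a set number of different cards on small orders within a short window. The thresholds, the `client_id` field (for example an IP address or device ID) and the `card_fingerprint` field (a processor-issued token, never the raw card number) are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against your own order history.
WINDOW = timedelta(minutes=10)   # how far back to look for each client
MAX_DISTINCT_CARDS = 3           # a shopper rarely tries more cards than this
SMALL_AMOUNT = 5.00              # test purchases are typically small

# Constructed sample: (timestamp, client_id, card_fingerprint, amount)
SAMPLE_ATTEMPTS = [
    ("2024-01-05 03:00:05", "client-A", "fp-01", 1.00),
    ("2024-01-05 03:00:40", "client-A", "fp-02", 1.00),
    ("2024-01-05 03:01:10", "client-A", "fp-03", 1.00),
    ("2024-01-05 03:01:45", "client-A", "fp-04", 1.00),
    ("2024-01-05 03:02:20", "client-A", "fp-05", 1.00),
    # A shopper who mistypes once, then switches cards: two distinct cards.
    ("2024-01-05 12:10:00", "client-B", "fp-20", 4.50),
    ("2024-01-05 12:11:30", "client-B", "fp-20", 4.50),
    ("2024-01-05 12:13:00", "client-B", "fp-21", 4.50),
    # Four different cards, but spread across a whole day.
    ("2024-01-05 09:00:00", "client-C", "fp-30", 2.00),
    ("2024-01-05 11:00:00", "client-C", "fp-31", 2.00),
    ("2024-01-05 13:00:00", "client-C", "fp-32", 2.00),
    ("2024-01-05 15:00:00", "client-C", "fp-33", 2.00),
]

def flag_card_testing(attempts, window=WINDOW,
                      max_cards=MAX_DISTINCT_CARDS, small=SMALL_AMOUNT):
    """Return {client_id: timestamp when it first exceeded max_cards
    distinct cards on small orders inside the sliding window}."""
    recent = defaultdict(deque)   # client_id -> (time, card) pairs in window
    flagged = {}
    for ts, client, card, amount in sorted(attempts):
        if amount > small:
            continue              # only small orders fit the testing pattern
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        seen = recent[client]
        seen.append((now, card))
        while now - seen[0][0] > window:
            seen.popleft()        # drop attempts older than the window
        distinct_cards = {c for _, c in seen}
        if len(distinct_cards) > max_cards and client not in flagged:
            flagged[client] = ts
    return flagged

if __name__ == "__main__":
    for client, when in flag_card_testing(SAMPLE_ATTEMPTS).items():
        print(f"{client}: possible card testing, threshold crossed at {when}")
```

A flagged client is a candidate for review, a CAPTCHA challenge or a temporary block rather than proof of fraud.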
Bot-driven credit card testing hurts your SMB with charge-backs, shipped goods that are never recovered, lost revenue from fraudulent sales and damage to your brand reputation. Additionally, operational costs rise, while customer service calls take up precious time. If your business unintentionally allowed fraudsters to enter your network, it’s likely other cybercriminals will follow.
Aside from stopping bot-driven carding attacks, other ways to avoid charge-backs include hiring a charge-back management service, being transparent with your product descriptions, and posting customer service contact information prominently.
In the age of security breaches and hacks, data centers and credit card agencies unintentionally give hackers abundant access to credit card numbers. Typically, hackers sell a bulk list of stolen card numbers on the dark web, where a buyer — the fraudster — is lurking.
A fraudster can purchase lists of credit card numbers; the list’s resale value depreciates over time. Many cardholders and banks take preemptive measures to shut down credit cards if there is a breach, but a small, unauthorized purchase may go unnoticed.
Luckily, you can spot red flags when carding attacks occur. Here are some things to look for:
If you’re a small business owner, follow these tips:
Jennifer Dublino contributed to this article.