

The Ever-Changing Landscape of Bots and Credit Card Testing

John Canfield

Here's how to protect your business from the latest credit card threat – bot attacks.

As modern society continues to advance in technology, bot activity on the internet, good and bad, is growing alongside it. Many verticals are affected by bot traffic, such as gambling, social media, concert and sporting event ticketing, and e-commerce websites.

The fraud landscape continues to change as well, with advanced bots that make committing crimes easier for fraudsters. According to the 2018 Bad Bot Report by Distil Networks, 22.9 percent of all traffic on e-commerce sites consists of bad bots. Small and medium-sized businesses (SMBs) that have e-commerce storefronts and may not have the budget to technologically protect themselves from bot activity should be educated on top fraud threats.

Credit card testing fraud, also known as carding and card cracking, is a fraud method that can be easily overlooked. Due to the nature of credit card testing, it often goes undetected by fraud detection solutions and is usually detected when it's too late. Without proper measures in place, credit card testing fraud can be costly and damaging to SMBs and innocent credit card holders.

How do fraudsters get a person's credit card number?

In the age of the internet and data, security breaches and hacks into companies, data centers, and credit card agencies give a hacker access to large numbers of credit card numbers. Typically, the hacker will sell a bulk list of stolen card numbers on the darknet where a buyer (the fraudster) is lurking.

A fraudster can purchase a variety of lists, ranging from fresh (if the breach was recent), to three to six months, or even one year old. As time passes, the resale value of the list depreciates and the quality declines due to some cardholders and banks taking preemptive measures to shut down their card after hearing of a breach, but not all will have the initiative to do so.

How does credit card testing work?

Any function made available on your website for users to use, such as enabling payments, could potentially be abused by malicious fraudsters. Fraudsters test stolen credit card numbers by making small transactions on unsuspecting e-commerce sites. With the rise of bots, fraudsters can efficiently enable bots to do their work for them. A bot can automatically submit orders on multiple websites to check credit card validity faster than a fraudster inputting card numbers one by one.

The end goal for the fraudster is to find a valid credit card to make large purchases from another website or the one they already tested.

What are the ramifications for SMBs?

Credit card testing hurts SMBs with chargebacks, shipped goods that are never recovered, lost revenue from a fraudulent sale, and brand reputation damage. Operational costs rise as well, with customer service support calls taking up precious time.

The consequences of SMBs allowing fraud into the network only invite more fraudsters.

How does an SMB prevent and protect itself from credit card testing?

If you are an SMB, follow these three tips:

  1. Scrutinize historical operational trends. An increase in customer support calls and chargebacks processed could mean you are being targeted by card testers. Also, look for spikes in the number of declined credit cards from the networks. Card testing of old breach lists produces lots of declines, so seeing a big increase in the number of declines is a sure sign.

  2. Install automated blocking software for obvious bot attacks. Most engineering teams can put in simple blocking software for high-velocity attacks, but more sophisticated attacks need more specialized software. There are vendors who specialize in this type of real-time fraud detection. Make sure that your solution can quickly adjust to changing attack patterns and think about obfuscation strategies to make it harder for fraudsters to reverse engineer.

  3. Partner with a payments provider that has a strong fraud and risk management engine with bot protection. Detecting and preventing fraud must be a critical component of any merchant's business strategy. Building your own blocking code or incorporating third-party blocking code helps protect against malicious bots. Integrating with the right partner allows you to collect payments and solely focus on your business with peace of mind.
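
The decline spike from tip 1 and the simple high-velocity blocking from tip 2 can be combined into one check over payment attempt logs. The following is an added example, not code from the author or WePay; the record layout, thresholds and sample data are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample attempts: (ISO time, source IP, card fingerprint, amount, outcome).
# IPs are from documentation ranges; fingerprints stand in for tokenized card numbers.
ATTEMPTS = [
    ("2024-01-01T10:00:05", "198.51.100.7", "fp-01", 42.50, "approved"),
    ("2024-01-01T10:01:10", "203.0.113.20", "fp-90", 1.00, "declined"),
    ("2024-01-01T10:01:25", "203.0.113.20", "fp-91", 1.00, "declined"),
    ("2024-01-01T10:01:40", "203.0.113.20", "fp-92", 1.00, "approved"),
    ("2024-01-01T10:01:55", "203.0.113.20", "fp-93", 1.00, "declined"),
    ("2024-01-01T10:02:10", "203.0.113.20", "fp-94", 1.00, "declined"),
    ("2024-01-01T10:03:00", "198.51.100.7", "fp-01", 18.00, "declined"),
    ("2024-01-01T10:03:30", "198.51.100.7", "fp-01", 18.00, "approved"),
]

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_CARDS = 4                   # assumed: distinct cards allowed per source per window
MAX_DECLINE_RATIO = 0.6         # assumed: share of declines that signals testing


def find_card_testing(attempts, window=WINDOW, max_cards=MAX_CARDS,
                      max_decline_ratio=MAX_DECLINE_RATIO):
    """Return {source: time it first exceeded both thresholds}."""
    recent = defaultdict(deque)   # source -> attempts still inside the window
    flagged = {}
    for ts, src, card, _amount, outcome in sorted(attempts):
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((now, card, outcome))
        while q and now - q[0][0] > window:
            q.popleft()           # drop attempts older than the window
        cards = {c for _, c, _ in q}
        declines = sum(1 for _, _, o in q if o == "declined")
        if (src not in flagged and len(cards) > max_cards
                and declines / len(q) >= max_decline_ratio):
            flagged[src] = ts     # candidate for blocking or step-up verification
    return flagged


if __name__ == "__main__":
    print(find_card_testing(ATTEMPTS))
```

A customer retrying one card after a decline stays below the distinct-card threshold and is not flagged. The check covers only the high-velocity case; the article's point that more sophisticated attacks need specialized software still applies.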
John Canfield is the VP of Risk for WePay. WePay provides payments as a service tailored for online marketplaces and platform companies that want to enable many end users to accept credit cards, without taking on the fraud risk and operational burdens associated with payments. WePay powers some of the top platforms including GoFundMe, FreshBooks, StayClassy, CustomMade, and hundreds more. Prior to WePay, John was Sr. Director of Risk at eBay.