As the United States advances in technology, internet bot activity – good and bad – is growing. Bot traffic affects many verticals, including gambling, social media, concert and sporting event ticketing, and e-commerce websites.
The fraud landscape continues to change with advanced bots that make committing crimes easier for fraudsters. According to the 2021 Imperva Bad Bot Report, 25.6% of all internet traffic on e-commerce websites in the prior year consisted of bad bots.
It’s essential for small and midsize business (SMB) owners with e-commerce storefronts to understand the threats and damage bot activity can yield. Here’s a look at bot-driven credit card testing fraud, how these attacks work, and how you can protect your business and customers from this e-commerce pitfall.
Credit card testing fraud – also known as carding and card cracking – is when cybercriminals make a small online purchase to test whether a stolen credit card number is valid.
Credit card testing often goes unnoticed by fraud-detection solutions and is usually discovered only when it’s too late. Without proper measures in place, credit card testing fraud can be costly and damaging to both SMBs and cardholders.
More than 155.8 million records were exposed in 2020, and an enormous number of credit cards may be subject to fraudulent charges.
In the age of data, security breaches and hacks into companies, data centers and credit card agencies give hackers abundant access to credit card numbers. Typically, hackers will sell a bulk list of stolen card numbers on the darknet where a buyer – the fraudster – is lurking.
A fraudster can purchase lists of credit cards recently stolen, or up to a year old. As time passes, the list’s resale value depreciates. Many cardholders and banks take preemptive measures to shut down credit cards if a breach impacts them, but a small, unauthorized purchase may go unnoticed.
Malicious fraudsters can potentially abuse any user-related function on your company’s website, such as enabling payments.
Once the scammer purchases a list of stolen credit card numbers, they test the stolen cards to see which ones are valid by making small transactions on unsuspecting e-commerce sites.
Fraudsters can enable bots to do this work efficiently. A bot can automatically submit orders on multiple websites to check credit card validity much faster than a fraudster inputting card numbers one by one.
The fraudster’s end goal is to find valid credit cards they can use to make large online purchases or sell the list of validated credit cards to other cybercriminals.
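The testing pattern described above (many different cards, small amounts, machine speed) is something a storefront can look for in its own payment-attempt log. The following is an added example, not code from the article or from any platform it mentions; the thresholds, field layout, card tokens and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against your own order history.
SMALL_AMOUNT = 5.00             # ceiling for a "small" test purchase, in dollars
WINDOW = timedelta(minutes=10)  # sliding window per client
MAX_DISTINCT_CARDS = 3          # distinct cards one client may try per window

# Constructed sample data: (timestamp, client IP, card token, amount, approved)
ATTEMPTS = [
    ("2024-01-05T02:14:03", "203.0.113.7", "tok_a1", 1.00, False),
    ("2024-01-05T02:14:21", "203.0.113.7", "tok_a2", 1.00, False),
    ("2024-01-05T02:14:40", "203.0.113.7", "tok_a3", 1.00, False),
    ("2024-01-05T02:15:02", "203.0.113.7", "tok_a4", 1.00, True),
    ("2024-01-05T02:15:30", "203.0.113.7", "tok_a5", 1.00, False),
    ("2024-01-05T12:01:10", "198.51.100.20", "tok_b1", 4.50, False),  # typo, then retry
    ("2024-01-05T12:02:05", "198.51.100.20", "tok_b1", 4.50, True),
    ("2024-01-05T12:30:00", "198.51.100.20", "tok_b1", 89.99, True),
    ("2024-01-05T09:00:00", "192.0.2.44", "tok_c1", 2.00, True),      # spread over a day
    ("2024-01-05T11:00:00", "192.0.2.44", "tok_c2", 2.00, True),
    ("2024-01-05T14:00:00", "192.0.2.44", "tok_c3", 2.00, True),
    ("2024-01-05T18:00:00", "192.0.2.44", "tok_c4", 2.00, True),
]

def find_card_testing(attempts, small=SMALL_AMOUNT, window=WINDOW,
                      max_cards=MAX_DISTINCT_CARDS):
    """Flag clients that try more than max_cards distinct cards on small
    orders inside any sliding window. Returns {client: {"cards", "approved"}}."""
    by_client = defaultdict(list)
    for ts, client, card, amount, approved in attempts:
        if amount <= small:
            by_client[client].append((datetime.fromisoformat(ts), card, approved))
    report = {}
    for client, events in by_client.items():
        events.sort()
        start, hits = 0, set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            if len({card for _, card, _ in in_window}) > max_cards:
                hits.update((card, ok) for _, card, ok in in_window)
        if hits:
            report[client] = {
                "cards": len({card for card, _ in hits}),
                # Approved charges in a flagged burst are the ones to void or refund.
                "approved": sorted({card for card, ok in hits if ok}),
            }
    return report

if __name__ == "__main__":
    print(find_card_testing(ATTEMPTS))
```

The same function can be keyed on an account, session or device identifier instead of the IP address by changing the second field of each record.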
In 2019, a carding bot called the Canary Bot targeted a top e-commerce platform. Mimicking a real shopper, the bot added products to an online shopping cart, set shipping information and completed the sale on multiple businesses within the platform.
The bot was discovered because its pattern was different from that of human shoppers. For example, activity increased before the holiday shopping season, which isn’t typical since people usually save and wait for sales. The bot’s transactions also didn’t follow the usual human shopping time patterns; instead, the transactions happened randomly throughout the day.
Carding attacks are on the rise, but they’re far from the only fast-growing business scam. Beware of scams involving employment agencies, credit bureaus and charitable solicitations.
Bot-driven credit card testing hurts your SMB with chargebacks, shipped goods that are never recovered, lost revenue from a fraudulent sale and damage to your e-commerce brand reputation. Additionally, operational costs rise while customer service support calls take up precious time. If your business unintentionally allowed fraudsters to enter the networks, it’s likely other cybercriminals will follow.
Aside from stopping bot-driven carding attacks, other ways to avoid chargebacks include hiring a chargeback management service, being transparent with your product descriptions, and posting customer service contact information prominently.
Luckily, you can spot red flags when carding attacks occur. Here are some things to look for:
Using two-factor authentication when users log in to your site is one of the best ways to thwart bots and protect your company when taking payments online.
If you’re a small business owner, follow these tips:
Jennifer Dublino contributed to the writing and research in this article.