receives compensation from some of the companies listed on this page. Advertising Disclosure
BDC Hamburger Icon


BDC Logo
Search Icon
Updated Jan 30, 2024

The Ever-Changing Landscape of Bots and Credit Card Testing

It's essential for small and midsize business owners with e-commerce storefronts to understand the potential threats and damage of bot activity.

John Canfield, Community Member
Verified CheckEditor Verified
Verified Check
Editor Verified
A editor verified this analysis to ensure it meets our standards for accuracy, expertise and integrity.

Table of Contents

Open row

As technology advances, internet bot activity — both good and bad — is growing. Unfortunately, advanced bots have made it easier for fraudsters to commit crimes. According to the 2023 Imperva Bad Bot Report, 22.7 percent of all internet traffic on e-commerce and retail websites in the prior year was attributable to bad bots. Because bot traffic affects many verticals, small and midsize businesses (SMBs) need to understand the potential threats posed by bots. Here’s a look at bot-driven credit card testing fraud, how these attacks work, and how you can protect your business and customers from this e-commerce threat.

What is credit card testing?

Credit card testing fraud, also known as carding and card cracking, is when cybercriminals make a small online purchase to test whether a stolen credit card number is valid.

Credit card testing often goes unnoticed by fraud-detection solutions and is usually discovered only when it’s too late. Without proper measurements in place, credit card testing fraud can be costly and damaging to both SMBs and cardholders.

Did You Know?Did you know

How does a credit card testing attack work?

Fraudsters can potentially abuse any user-related function on your company’s website, such as the ability to enable payments. Once the scammer purchases a list of stolen credit card numbers, they test them to see which ones are valid by making small transactions on unsuspecting e-commerce sites.

Fraudsters can enable bots to do this work efficiently. A bot can automatically submit orders on multiple websites to check credit card validity much faster than a fraudster inputting card numbers one by one could.

The fraudster’s end goal is to find valid credit cards they can use to make large online purchases or sell the list of validated credit cards to other cybercriminals.

Example of a carding attack

In 2019, a carding bot called the Canary Bot was was discovered by PerimeterX, a provider of solutions designed to curb online fraud. The Canary Bot was designed to to target e-commerce platforms. Mimicking a real shopper, the bot added products to an online shopping cart, set shipping information and completed the sale on multiple businesses within the platform.

The bot was discovered because its pattern differed from that of human shoppers. For example, activity increased before the holiday shopping season, which isn’t typical, since people usually wait for sales. The bot’s transactions also didn’t follow the usual human shopping time patterns; instead, the transactions happened randomly throughout the day.

FYIDid you know
Carding attacks are on the rise, but they're far from the only fast-growing business scams. Beware of common business scams involving employment agencies, credit bureaus and charitable solicitations. Check out these 10 scams that prey on small businesses to learn more.

What are the ramifications of credit card testing for small businesses?

Bot-driven credit card testing hurts your SMB with charge-backs, shipped goods that are never recovered, lost revenue from fraudulent sales and damage to your brand reputation. Additionally, operational costs rise, while customer service calls take up precious time. If your business unintentionally allowed fraudsters to enter the networks, it’s likely other cybercriminals will follow.

TipBottom line
Aside from stopping bot-driven carding attacks, other ways to avoid charge-backs include hiring a charge-back management service, being transparent with your product descriptions, and posting customer service contact information prominently.

How do fraudsters get a person’s credit card number?

In the age of security breaches and hacks, data centers and credit card agencies unintentionally give hackers abundant access to credit card numbers. Typically, hackers sell a bulk list of stolen card numbers on the dark web, where a buyer — the fraudster — is lurking.

A fraudster can purchase lists of credit card numbers; the list’s resale value depreciates over time. Many cardholders and banks take preemptive measures to shut down credit cards if there is a breach, but a small, unauthorized purchase may go unnoticed.

How do you identify credit card fraud?

Luckily, you can spot red flags when carding attacks occur. Here are some things to look for:

  • Unusually high shopping cart abandonment rates and charge-backs
  • Small shopping-cart sales
  • High proportion of declined payments
  • Disproportionate use of the payment step in the shopping cart
  • Multiple payments from the same customer within seconds or minutes
  • Too many transactions with the same bank identification number (BIN), which is the first six digits of every credit and debit card
  • Multiple declined transactions from the same user, IP address or session
TipBottom line
Using two-factor authentication when users log in to your site is one of the best ways to thwart bots and protect your company when taking payments online.

How can you protect your business from credit card fraud?

If you’re a small business owner, follow these tips:

  • Scrutinize historical operational trends. Increased customer support calls and charge-backs could mean card testers are targeting you. Also, look for spikes in the number of declined transactions. When fraudsters test older stolen credit card lists, many declines will occur.
  • Install automated blocking software. Most engineering teams can use simple blocking software for high-velocity attacks, but more sophisticated attacks need specialized software. Some vendors specialize in this type of real-time fraud detection. Make sure your solution can quickly adjust to changing attack patterns and deliver obfuscation strategies to make it harder for fraudsters to complete a sale.
  • Partner with a secure payment processor. The best credit card processing services have strong fraud and risk management engines with bot protection. Integrating with the right partner allows you to collect payments and focus on your business with peace of mind.
  • Utilize device fingerprinting. This technology combines data from the user’s browser and device to identify a source. Because carding involves multiple attempts and the fraudsters have limited devices at their disposal, fingerprinting can identify the source of carding attacks and shut them down.
  • Enable browser validation. Bots hide their tracks by pretending to run a certain browser and then using multiple user accounts. Browser validation analyzes the browser’s JavaScript and activity to ensure that an account acts like an actual human.
  • Familiarize yourself with purchasing patterns. Human behavior and purchasing habits conform to specific patterns, including URLs, mouse movements and site engagement. When behavior deviates from the norm, it’s a red flag that a bot may be involved.
  • Analyze your traffic. There are certain technical and behavioral patterns common to bots and specific IPs where they tend to originate. By keeping a keen eye on your traffic patterns, you may be able to nip a carding attack in the bud.
  • Use AVS responses. An address verification service (AVS) matches the billing address input at checkout with the address on file with the credit card company. If it doesn’t match, the credit card company will still let the transaction go through, but you can set safeguards or use other fraud prevention tools to research the matter.
  • Require card security codes. When companies store credit card information, they can’t store the CSV or CVV codes, and cybercriminals will typically not have this information. By requiring the code at checkout, you can ward off criminals.
  • Challenge your purchasers. You are probably aware of the many “prove you’re not a robot” challenges online, like checking a box, typing in a captcha or identifying images with a specific item. These measures prevent bots from proceeding.

Jennifer Dublino contributed to this article.

John Canfield, Community Member
John Canfield is the VP of Risk for WePay. WePay provides payments as a service tailored for online marketplaces and platform companies that want to enable many end users to accept credit cards, without taking on the fraud risk and operational burdens associated with payments. WePay powers some of the top platforms including GoFundMe, FreshBooks, StayClassy, CustomMade, and hundreds more. Prior to WePay, John was Sr. Director of Risk at eBay.
BDC Logo

Get Weekly 5-Minute Business Advice

B. newsletter is your digest of bite-sized news, thought & brand leadership, and entertainment. All in one email.

Back to top