As financial institutions work to make credit card transactions impervious to attacks by criminals, the fraudsters are changing their approach to weasel their ways past security barriers.
One type of attack is account testing. In this scenario, thieves submit one or two low value transactions to determine if a payment account is active. If the small transactions get through, the criminals later use the account to purchase large items. This attack targets multiple payment accounts with the same bank identification number (BIN), the first six digits of a credit card number. This type of attack is known as BIN testing, card stuffing, card tumbling or a credit master attack.
Another attack is a scheme where thieves methodically submit card-not-present (CNP) authorizations. These are called enumeration attacks and they focus on a single BIN and work through sequential combinations and payment characteristics such as a primary account number, expiration date, Card Verification Value 2 (CVV2) or postal code. When an active combination of details is uncovered, the fraud ensues.
As a merchant, you can play a major role by monitoring your customers' account (as well as your personal accounts) and take immediate action to thwart these attacks. How? Here are some ways you can help:
Insist on authentication and CAPTCHA controls to prevent automated transaction initiation by bots or scripts
Monitor the frequency of small and large transactions
Use velocity checks for small amounts or authorization-only transactions. Account testing transactions are usually less than $10 USD
Include IP address with multiple failed card payment data in a fraud detection blacklist database for review and analysis
Alert your merchant services provider if you have a large volume of approvals or declines from transactions with a similar or the same BIN range
Look for logins on a single account coming from several different IP addresses
Review logins with suspicious passwords that hackers are known to use commonly
Lock out an account if a user guesses the username/password and any account authentication data incorrectly on XX number of login attempts
Contact Mike at Sales Sense Payments to learn more about the types of attacks fraudsters are perpetrating to ensure that your business is protected. Call Mike at (305) 723-1234 or mike@salessensepayments.com. Please also visit SalesSensePayments.com for more information on honest, simple credit card processing that saves you money.