From startups to legacy brands, you're making your mark. We're here to help.
Key Links
Prepare for future growth with customized loan services, succession planning and capital for business equipment.
Key Links
Serving the world's largest corporate clients and institutional investors, we support the entire investment cycle with market-leading research, analytics, execution and investor services.
Key Links
Providing investment banking solutions, including mergers and acquisitions, capital raising and risk management, for a broad range of corporations, institutions and governments.
Your partner for commerce, receivables, cross-currency, working capital, blockchain, liquidity and more.
Key Links
A uniquely elevated private banking experience shaped around you.
Whether you want to invest on your own or work with an advisor to design a personalized investment strategy, we have opportunities for every investor.
For Companies and Institutions
From startups to legacy brands, you're making your mark. We're here to help.
Serving the world's largest corporate clients and institutional investors, we support the entire investment cycle with market-leading research, analytics, execution and investor services.
Your partner for commerce, receivables, cross-currency, working capital, blockchain, liquidity and more.
Prepare for future growth with customized loan services, succession planning and capital for business equipment.
Providing investment banking solutions, including mergers and acquisitions, capital raising and risk management, for a broad range of corporations, institutions and governments.
For Individuals
A uniquely elevated private banking experience shaped around you.
Whether you want to invest on you own or work with an advisor to design a personalized investment strategy, we have opportunities for every investor.
Explore a variety of insights.
Key Links
Insights by Topic
Explore a variety of insights organized by different topics.
Key Links
Insights by Type
Explore a variety of insights organized by different types of content and media.
Key Links
We aim to be the most respected financial services firm in the world, serving corporations and individuals in more than 100 countries.
Key Links
By Una Ryan Kearns
VICE PRESIDENT OF FRAUD, J.P. MORGAN
By Una Ryan Kearns
Fraudulent card testing has emerged as a growing threat due to COVID-19 driving a significant increase in online and mobile transaction volume. Relatively difficult for some merchants to detect, unmitigated card testing attacks can be very expensive – increasing transaction costs, reducing valid authorization performance and potentially exposing merchants to additional fraud.
A fraudulent card testing attack begins with fraud actors acquiring stolen partial or full card credentials. The fraud actor will then use various digital tools, including bots or scripts, that can rapidly submit hundreds of thousands of card-not-present (CNP) transaction authorization requests on an e-commerce site. If left undetected, this can result in thousands of dollars of fees for declined transactions.
The fraud actor’s main objective is quickly identifying a valid card and/or revealing a card’s missing security elements. With valid card credentials, they can then proceed to make fraudulent large ticket purchases on the targeted merchant’s website or at other online merchants.
Key indicators of fraudulent card testing include an unusually high card authorization volume for low dollar amounts in rapid succession, high identical authorization request volume, a sharp increase in declines and specific decline codes and finally a big increase in issuing bank/payment brand authorization mismatches.
"No single factor can prevent card testing fraud, however, a multilayered approach can help merchants prevent card testing fraud attacks."
Una Ryan Kearns
VICE PRESIDENT OF FRAUD, J.P. MORGAN
Merchants that have identified ongoing card testing activity can use internal data analytics to change defined rule logic in their fraud solution to combat the attack. If the majority of declines are coming from the same card number, then it is probable that the fraud actor has the correct card number and is testing to identify the security elements. In this case, the merchant should immediately block the card.
Similarly, if the card testing attack shares the same email, phone, IP address and device ID, then these customer attributes should be blocked. When blocking an IP address or device tag, it is vital to verify that this action will not impact false positives.
01 Establish and maintain effective internal transaction data monitoring and control.
Monitoring and controls can help merchants detect key indicators of a card testing attack. These indicators include unusually high authorization request volume with the same attributes, low ticket values, a sudden spike in authorization declines that generate specific decline codes and attempts on the same issuing bank with multiple card brands.
02 Increase the number of required matching security elements.
Requiring address verification service, card verification value, expiration date and card authentication verification value data elements in online authorization requests can make it far more difficult for fraud actors to succeed in identifying and using valid card credentials.
03 Deploy and monitor transaction velocity and script attack rules.
The fraud actor will use bots or scripts that can run thousands of authorizations at a time. Velocity rules that include counting of customer attributes (e.g., email, device, IP, payment, address and phone) in a defined period may be implemented in a fraud solution to prevent a card testing attack.
04 Implement device fingerprinting to detect returning customers.
Merchants can use a device recognition solution to establish a unique identifier for every work machine or mobile device that is accessing their website. This enables merchants to develop and keep track of devices that are associated with fraudulent patterns and block further access.
05 Integrate security tools like Captcha into the payment experience.
The key is to utilize specific variables that are present in automation. If there is a specific fraud pattern (e.g., specific VPNs, ISPs, BINs and names), have the captchas populate based off these parameters. Leveraging reCaptcha on all mainstream VPN providers helps minimize the ability for these fraud actors to bypass the system.
06 Deploy 3-D Secure protocols to authenticate card payments.
3-D Secure (3DS) offers an additional layer of security that can significantly reduce fraud for card-not-present transactions and also reduce fraudulent chargebacks. In addition, 3DS transaction authentication can further reduce risk by shifting fraudulent chargeback liability to the issuing bank.
Una Ryan is Vice President of Fraud in J.P. Morgan Merchant Services Data & Analytics group. Una has more than 10 years of international fraud mitigation experience that spans merchant, fintech and acquiring segments. Her areas of expertise include PSD2 fraud regulations, consultancy in fraud detection and rule management, chargebacks/disputes and card-not-present fraud insights.
J.P. Morgan’s Safetech Fraud Tools seamlessly integrates J.P. Morgan transaction processing expertise with Kount’s scalable fraud detection platform. This powerful fraud mitigation solution features multi-layer device fingerprinting, proxy piercing, dynamic order linking, dynamic risk scoring, custom rules management and auto-decisioning.
Safetech's Identity Trust Global Network and machine learning algorithms can immediately alert merchants of signs of card testing attacks. Best of all, Safetech can be implemented quickly and rapidly provide e-commerce fraud protection.
To learn more, please contact your J.P. Morgan representative.
Payments
J.P. Morgan Payments and Elastic highlight the importance of supporting developer relationships
Nov 12, 2024
Developers often have a direct influence on technology choice and are key in business decision-making.
Payments
Introducing Kinexys by J.P. Morgan, formerly Onyx
Nov 06, 2024
Onyx is now Kinexys. With growing transaction volumes, client adoption and product expansion, we’re poised to accelerate the adoption of blockchain technology and tokenization into mainstream financial services.
Payments
Mapping the road ahead for electric vehicle charging providers
Oct 24, 2024
At this pivotal juncture for the electric vehicle industry in Europe, we’ve prepared a report that analyzes key trends and strategies for the future that may pave the path for improved customer adoption and sustainable industry growth.
Payments
Going global: Revolutionizing international workforce payments with Papaya Global
Oct 22, 2024
Here’s how the pioneering global workforce management platform transformed its payment capabilities with J.P. Morgan Payments cross-currency solutions.
Payments
Making cross-border payments faster, safer and less costly for financial institutions
Oct 21, 2024
To help their clients send money all over the world, banks must adapt with the times.
Payments
Virtual cards for online travel agencies
Oct 18, 2024
To support the merchant model for OTAs, virtual cards deliver a robust B2B solution and strategy that facilitates payment, provides end-to-end visibility, maximizes revenue streams and helps mitigate fraud.
Payments
Fighting fraud in the public sector
Oct 11, 2024
Federal agency CFOs face significant challenges in the battle against fraud and cyberattacks in the public sector. Here’s how you can stay ahead of the risk.
Payments
Oct 08, 2024
Learn how the retailer improved its ROI on advertising spend and aligned staffing with sales to increase its EBITDA margins by 110bps.
You're now leaving J.P. Morgan
J.P. Morgan’s website and/or mobile terms, privacy and security policies don’t apply to the site or app you're about to visit. Please review its terms, privacy and security policies to see how they apply to you. J.P. Morgan isn’t responsible for (and doesn’t provide) any products, services or content at this third-party site or app, except for products and services that explicitly carry the J.P. Morgan name.