By Una Ryan Kearns
VICE PRESIDENT OF FRAUD, J.P. MORGAN
Fraudulent card testing has emerged as a growing threat due to COVID-19 driving a significant increase in online and mobile transaction volume. Relatively difficult for some merchants to detect, unmitigated card testing attacks can be very expensive – increasing transaction costs, reducing valid authorization performance and potentially exposing merchants to additional fraud.
A fraudulent card testing attack begins with fraud actors acquiring stolen partial or full card credentials. The fraud actor will then use various digital tools, including bots or scripts, that can rapidly submit hundreds of thousands of card-not-present (CNP) transaction authorization requests on an e-commerce site. If left undetected, this can result in thousands of dollars of fees for declined transactions.
The fraud actor’s main objective is quickly identifying a valid card and/or revealing a card’s missing security elements. With valid card credentials, they can then proceed to make fraudulent large ticket purchases on the targeted merchant’s website or at other online merchants.
Key indicators of fraudulent card testing include an unusually high volume of card authorizations for low dollar amounts in rapid succession, a high volume of identical authorization requests, a sharp increase in declines and in specific decline codes, and a big increase in issuing bank/payment brand authorization mismatches.
"No single factor can prevent card testing fraud; however, a multilayered approach can help merchants prevent card testing fraud attacks."
Merchants that have identified ongoing card testing activity can use internal data analytics to change defined rule logic in their fraud solution to combat the attack. If the majority of declines are coming from the same card number, then it is probable that the fraud actor has the correct card number and is testing to identify the security elements. In this case, the merchant should immediately block the card.
Similarly, if the requests in a card testing attack share the same email, phone, IP address and device ID, then these customer attributes should be blocked. When blocking an IP address or device tag, it is vital to verify that this action will not increase false positives.
01 Establish and maintain effective internal transaction data monitoring and control.
Monitoring and controls can help merchants detect key indicators of a card testing attack. These indicators include unusually high authorization request volume with the same attributes, low ticket values, a sudden spike in authorization declines that generate specific decline codes and attempts on the same issuing bank with multiple card brands.
02 Increase the number of required matching security elements.
Requiring address verification service, card verification value, expiration date and card authentication verification value data elements in online authorization requests can make it far more difficult for fraud actors to succeed in identifying and using valid card credentials.
03 Deploy and monitor transaction velocity and script attack rules.
The fraud actor will use bots or scripts that can run thousands of authorizations at a time. Velocity rules that include counting of customer attributes (e.g., email, device, IP, payment, address and phone) in a defined period may be implemented in a fraud solution to prevent a card testing attack.
04 Implement device fingerprinting to detect returning customers.
Merchants can use a device recognition solution to establish a unique identifier for every work machine or mobile device that is accessing their website. This enables merchants to develop and keep track of devices that are associated with fraudulent patterns and block further access.
05 Integrate security tools like CAPTCHA into the payment experience.
The key is to utilize specific variables that are present in automation. If there is a specific fraud pattern (e.g., specific VPNs, ISPs, BINs and names), trigger the CAPTCHAs based on these parameters. Applying reCAPTCHA to traffic from all mainstream VPN providers helps limit the ability of these fraud actors to bypass the system.
06 Deploy 3-D Secure protocols to authenticate card payments.
3-D Secure (3DS) offers an additional layer of security that can significantly reduce fraud for card-not-present transactions and also reduce fraudulent chargebacks. In addition, 3DS transaction authentication can further reduce risk by shifting fraudulent chargeback liability to the issuing bank.
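The velocity rule from step 03 and the earlier "majority of declines on one card" check can be sketched as follows. This is an added example, not code from J.P. Morgan or Safetech; the field names, the 5-minute window, the limit of 10 and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ATTRS = ("card", "ip", "device", "email")  # attributes counted by the rule

def velocity_hits(auths, window=timedelta(minutes=5), limit=10):
    """Return {(attr, value): peak_count} for values seen more than `limit`
    times inside any sliding `window`. `auths` must be sorted by 'ts'."""
    recent = defaultdict(deque)  # (attr, value) -> timestamps still in window
    hits = {}
    for a in auths:
        for attr in ATTRS:
            key = (attr, a[attr])
            q = recent[key]
            q.append(a["ts"])
            while q[0] <= a["ts"] - window:  # expire requests older than window
                q.popleft()
            if len(q) > limit:
                hits[key] = max(hits.get(key, 0), len(q))
    return hits

def dominant_declined_card(auths):
    """Card carrying the majority of all declines, or None if there is none."""
    declines = defaultdict(int)
    for a in auths:
        if not a["approved"]:
            declines[a["card"]] += 1
    total = sum(declines.values())
    card = max(declines, key=declines.get, default=None)
    return card if card and declines[card] * 2 > total else None

def sample_auths():
    """Constructed data: 3 ordinary orders plus a 40-request script run."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    rows = [dict(ts=t0 + timedelta(minutes=20 * i), card=f"tok_legit_{i}",
                 ip=f"198.51.100.{i + 1}", device=f"dev_legit_{i}",
                 email=f"user{i}@example.com", amount=59.90, approved=True)
            for i in range(3)]
    # Script: one IP and device, a new card token every 2 seconds, $1 tickets.
    rows += [dict(ts=t0 + timedelta(seconds=2 * i), card=f"tok_test_{i}",
                  ip="203.0.113.7", device="dev_bot", email=f"x{i}@example.com",
                  amount=1.00, approved=(i % 20 == 0))
             for i in range(40)]
    return sorted(rows, key=lambda r: r["ts"])

if __name__ == "__main__":
    for (attr, value), peak in velocity_hits(sample_auths()).items():
        print(f"review/block {attr}={value}: {peak} requests in 5 minutes")
```

On the constructed data the shared IP and device trip the rule while the rotating card tokens and emails do not, which is why counting several attributes matters.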
Una Ryan is Vice President of Fraud in J.P. Morgan Merchant Services Data & Analytics group. Una has more than 10 years of international fraud mitigation experience that spans merchant, fintech and acquiring segments. Her areas of expertise include PSD2 fraud regulations, consultancy in fraud detection and rule management, chargebacks/disputes and card-not-present fraud insights.
J.P. Morgan’s Safetech Fraud Tools seamlessly integrates J.P. Morgan transaction processing expertise with Kount’s scalable fraud detection platform. This powerful fraud mitigation solution features multi-layer device fingerprinting, proxy piercing, dynamic order linking, dynamic risk scoring, custom rules management and auto-decisioning.
Safetech's Identity Trust Global Network and machine learning algorithms can immediately alert merchants of signs of card testing attacks. Best of all, Safetech can be implemented quickly and rapidly provide e-commerce fraud protection.
To learn more, please contact your J.P. Morgan representative.