Posted August 7, 2018
Fraudsters target almost every industry, including healthcare, retail, financial institutions, travel and government. But when carrying out card testing for stolen credit cards, specific industries find themselves in the crosshairs: eCommerce merchants and media companies offering free trials of online subscriptions.
The 2018 Identity Fraud Study by Javelin Strategy & Research revealed some key global trends in fraud and identity abuse, including:
A key step in successfully carrying out fraud attacks with stolen identity and credit card information is testing freshly breached data in order to see if it will be successful on other sites. A key target for this mass credential testing activity is media companies offering free trials.
According to ComScore, there are more than 50 million households in the USA and more than half (53 percent) of Wi-Fi households in the U.S. use at least one streaming service. This implies there are more than 25 million digital identities using online subscription services. Most online subscription services provide a one-month free trial, but you need a credit card to initiate the trial. To ensure the validity of the credit card, cybercriminals initiate a test charge of a very small dollar amount, which often goes unnoticed by the card owner. More often than not, if the credit card details are incorrect, the merchant will share the detailed authorization error, which makes it easy for the criminals to modify their strategy. This makes online subscription services an easy target for cybercriminals to test credit cards.
The Dark Web is full of stolen credentials, ranging from bare credit card numbers to “fullz” profiles. A fullz profile is a full identity profile with name, Social Security number, address, date of birth, driver's license, mother’s maiden name, telephone number, credit report and background check. Depending on the credit score, gender and geo-location, these profiles cost somewhere between $30 and $130. Fraudsters often buy cheap packages and use online subscription websites to test the validity of the cards; these are called card testing attacks.
These attacks usually happen in two phases:
Once the fraudsters have access to the victim’s credentials, they can commit fraud by using the fraudulently obtained, legitimate card details for card-not-present (CNP) transactions.
It’s not all bad news though.
After the merchant has confirmed the fraudulent card testing activities, they can typically take two measures:
Fraud detection approaches are constantly evolving and are more data-driven than ever, but fraudsters are also adopting advanced strategies to outsmart fraud detection tools and are becoming harder to detect.
The three major types of fraud detection techniques are:
The best fraud detection system should use these techniques and more. The nature of the merchant’s business will determine which technique to use first.
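As an added example (not from the original post), the following Python check flags the card testing pattern described earlier: one source trying many distinct cards on very small charges, mostly declined, within a short window. The record layout, the use of the client IP as the source key, and all thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_card_testing(attempts, window=timedelta(minutes=10),
                        min_cards=4, max_amount=1.00, min_decline_ratio=0.5):
    """Return {source: time_of_first_alert} for sources that, inside `window`,
    try at least `min_cards` distinct cards on small charges, mostly declined.
    All thresholds are illustrative assumptions, not values from the post."""
    recent = defaultdict(deque)  # source -> small-charge attempts in the window
    flagged = {}
    for ts, source, card, amount, approved in sorted(attempts):
        if amount > max_amount:
            continue  # only trial-sized test charges are of interest here
        q = recent[source]
        q.append((ts, card, approved))
        while ts - q[0][0] > window:
            q.popleft()  # expire attempts older than the sliding window
        distinct_cards = {c for _, c, _ in q}
        declines = sum(1 for _, _, ok in q if not ok)
        if (source not in flagged and len(distinct_cards) >= min_cards
                and declines / len(q) >= min_decline_ratio):
            flagged[source] = ts
    return flagged


def _t(minute, second=0):
    return datetime(2018, 8, 7, 12, minute, second)


# Constructed sample: (time, client IP, card fingerprint, amount USD, approved).
# Using the client IP as the source key is an assumption; a device ID also works.
SAMPLE = [
    (_t(0, 5), "203.0.113.7", "card-a", 0.50, False),
    (_t(0, 40), "203.0.113.7", "card-b", 0.50, False),
    (_t(1, 10), "203.0.113.7", "card-c", 0.50, True),
    (_t(1, 55), "203.0.113.7", "card-d", 0.50, False),
    (_t(2, 30), "203.0.113.7", "card-e", 0.50, False),
    (_t(0, 20), "198.51.100.4", "card-x", 0.50, False),  # mistyped, then retried
    (_t(3, 0), "198.51.100.4", "card-x", 0.50, True),
    (_t(5, 0), "192.0.2.9", "card-y", 9.99, True),  # ordinary paid sign-up
]

if __name__ == "__main__":
    for source, when in detect_card_testing(SAMPLE).items():
        print(f"possible card testing from {source}, first alert at {when}")
```

Confirmed alerts from a check like this are the kind of labelled events that can be routed back into the fraud database for the predictive models to learn from.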
Stopping fraud before it occurs minimizes losses and discourages criminals. Accomplishing this requires a strong feedback loop. Newly detected and confirmed fraudulent activities are routed to the database so that predictive analytics can learn from the new patterns. In order to prevent fraud, the subscription companies need to collect more data at the point of sign-up. The data collected can then be a source of sociodemographic information and may correlate to fraudulent behavior. Fraud is dynamic. If the merchant adopts the right strategies, they can increase the fraud capture rate while reducing the false alarm rate.