February 20, 2019
How to Recognize Card Testing and Enhance Fraud Detection
Posted August 7, 2018
Fraudsters target almost every industry, including healthcare, retail, financial institutions, travel and government. But when carrying out card testing for stolen credit cards, two industries in particular find themselves in the crosshairs: eCommerce merchants and media companies offering free trials of online subscriptions.
The 2018 Identity Fraud Study by Javelin Strategy & Research revealed some key global trends in fraud and identity abuse, including:
- In 2017, 6.64% of digital users became victims of identity fraud – an increase of over 1 million victims from the previous year.
- Account takeover grew significantly, tripling over the past year and reaching a four-year high. Account takeover losses reached $5.1 billion and ATO victims paid an average of $290 out of pocket and spent 15 hours on average in resolving fraud.
- Online shopping presents the greatest fraud risk – card not present fraud is now more prevalent than point of sale fraud.
A key step in successfully carrying out fraud attacks with stolen identity and credit card information is testing freshly breached data in order to see if it will be successful on other sites. A key target for this mass credential testing activity is media companies offering free trials.
According to ComScore, there are more than 50 million households in the USA and more than half (53 percent) of Wi-Fi households in the U.S. use at least one streaming service. This implies there are more than 25 million digital identities using online subscription services. Most online subscription services provide a one-month free trial, but you need a credit card to initiate the trial. To check the validity of a card, cybercriminals initiate a test charge of a very small dollar amount, which often goes unnoticed by the card owner. More often than not, if the credit card details are incorrect, the merchant returns the detailed authorization error, which makes it easy for the criminals to adjust their strategy. This makes online subscription services an easy target for cybercriminals to test credit cards.
The Dark Web is full of stolen credentials, ranging from bare credit card numbers to “fullz” profiles. A fullz profile is a full identity profile with name, Social Security number, address, date of birth, driver’s license, mother’s maiden name, telephone number, credit report and background check. Depending on the credit score, gender and geo-location, these profiles cost somewhere between $30 and $130. Often fraudsters buy cheap packages and use online subscription websites to test the validity of the cards; these are called card testing attacks.
These attacks usually happen in two phases:
- First phase – The goal is to find the website where card testing is easy. Fraudsters perform slow sophisticated attacks to blend into the normal traffic for weeks and understand the lay of the land.
- Second phase – The aim of these attacks is to find legitimate credit card details. These are usually high velocity attacks.
Once the fraudsters know which of the stolen card details are valid, they can use those legitimate card details for card-not-present (CNP) transactions.
It’s not all bad news though.
After the merchant has confirmed the fraudulent card testing activity, they can typically take two kinds of measures:
- Corrective measures by retrospectively analyzing the historical data searching for and addressing similar fraud
- Preventive measures by harvesting the expert knowledge obtained by extensive data analysis and adapting the rules engine
Fraud Detection for a Digital World
Fraud detection approaches are constantly evolving and are more data-driven than ever, but fraudsters are also adopting advanced strategies to outsmart fraud detection tools and are becoming harder to detect.
The three major types of fraud detection techniques are:
- Anomaly based – This aims at finding behavior that deviates from the norm. The fraudsters are trying to look legitimate and the merchants are trying to find anomalies.
For example, a user logs in from an entirely new device that was never associated with their login credentials, or from a known device but with a new combination of device and login credentials. Merchants should be able to detect these subtle changes in the digital identity.
- Predictive analytics – This requires learning from past behavior to predict new fraud. Often merchants use machine learning techniques to predict behavior. The main limitation is that models are only as good as the data going into them, so the merchant should make sure they are feeding in proven parameters. Also, the data available to train these models is highly imbalanced (only a small percentage of the total data is fraud). Due care must be taken over which data influences training so that the merchant remains compliant with redlining laws and similar regulations.
For example, based on past behavior, predictive tools can indicate that if a device is associated with a low-value transaction of less than $5 followed by a high-value transaction of more than $100 within 7 days, the likelihood of the transaction being fraudulent is 80% higher.
- Social network analysis – This is a newer addition to the fraud detection toolset. It allows the merchant to study the relationships between different entities.
For example, if the telephone number is new and the user has less than 5 relatives and has a new Facebook profile with less than 50 friends with no other online presence, it indicates potential fraud.
The best fraud detection system should use these techniques and more. The nature of the merchant’s business will determine which technique to use first.
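As an added illustration (not code from the original post), here is a small Python detector that runs two of the signals described above over a constructed sign-up log: the high-velocity second-phase pattern of one device trying many distinct cards in a short window, and the quoted rule of a sub-$5 charge followed by a charge over $100 from the same device within 7 days. Device IDs, card tokens, field layout and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-up log (not real data):
# (timestamp, device_id, card_token, amount_usd, processor_result)
EVENTS = [
    ("2018-08-01T10:00:00", "dev-A", "card-1", 1.00, "declined"),
    ("2018-08-01T10:00:07", "dev-A", "card-2", 1.00, "declined"),
    ("2018-08-01T10:00:15", "dev-A", "card-3", 1.00, "approved"),
    ("2018-08-01T10:00:22", "dev-A", "card-4", 1.00, "declined"),
    ("2018-08-01T10:00:30", "dev-A", "card-5", 1.00, "approved"),
    ("2018-08-06T18:30:00", "dev-A", "card-3", 149.99, "approved"),
    ("2018-08-02T09:00:00", "dev-B", "card-9", 1.00, "approved"),
    ("2018-08-20T09:00:00", "dev-B", "card-9", 12.99, "approved"),
]

def parse(events):
    """Convert ISO timestamps to datetimes and sort chronologically."""
    return sorted((datetime.fromisoformat(t), d, c, a, r) for t, d, c, a, r in events)

def velocity_alerts(events, window=timedelta(minutes=5), max_cards=3):
    """Phase-two signature: one device cycling through many distinct cards in a
    short window, whether or not the small test charges are approved."""
    tries = defaultdict(list)
    for ts, dev, card, _, _ in parse(events):
        tries[dev].append((ts, card))
    flagged = set()
    for dev, attempts in tries.items():
        for i, (start, _) in enumerate(attempts):
            cards = {c for t, c in attempts[i:] if t - start <= window}
            if len(cards) > max_cards:
                flagged.add(dev)
                break
    return flagged

def followup_alerts(events, low=5.0, high=100.0, days=7):
    """Rule quoted in the post: an approved charge under $5 followed by one over
    $100 from the same device within 7 days."""
    approved = defaultdict(list)
    for ts, dev, _, amt, res in parse(events):
        if res == "approved":
            approved[dev].append((ts, amt))
    flagged = set()
    for dev, txns in approved.items():
        for i, (t1, a1) in enumerate(txns):
            later = txns[i + 1:]
            if a1 < low and any(a2 > high and t2 - t1 <= timedelta(days=days) for t2, a2 in later):
                flagged.add(dev)
    return flagged
```

Both checks flag only dev-A on the sample log; in production the same keys (device, IP, account) would be fed back into the rules engine as the corrective and preventive measures above describe.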
Stopping fraud before it occurs minimizes losses and discourages criminals. Accomplishing this requires a strong feedback loop. Newly detected and confirmed fraudulent activities are routed to the database so that predictive analytics can learn from the new patterns. In order to prevent fraud, the subscription companies need to collect more data at the point of sign-up. The data collected can then be a source of sociodemographic information and may correlate to fraudulent behavior. Fraud is dynamic. If the merchant adopts the right strategies, they can increase the fraud capture rate while reducing the false alarm rate.