Carding Fraud

Empower Yourself to Fight Fraud

—But Get Help If You Need It

Card Testing/Carding Fraud Is on the Rise

Sometimes, a cyber thief gets his hands on a stolen credit card number but doesn’t know if it’s valid, or how high the credit limit is. They might make small test purchases to garner information about the card. Card testing can scale up in a big way, with organized criminals using bot networks to test thousands of stolen cards at once. This type of fraud is particularly dangerous for merchants, who might get hit with separate chargebacks for many small purchases, incurring fees for each one. This type of fraud is on the rise, growing by over 200% in 2017.

This summer, we encouraged our merchants to add the reCAPTCHA tool to their online payment portals in order to prevent fraud attacks known as carding or brute force attacks. We also suggested adding our iSpy Fraud tool to their websites as an added level of protection.

Unfortunately, one of our merchants was recently the victim of a fraud attack that breached the reCAPTCHA tool—hackers are finding ways to get around the reCAPTCHA. Luckily, this was caught right away, and we were able to add additional security to their gateway to prevent any further access. However, the risk of additional fraud attacks to any merchants taking online payments via a website or portal requires immediate action. Our IT company has confirmed that reCAPTCHA is not infallible, and it is important for merchants to protect themselves by doing everything they can to stay ahead of these brute force attacks. 

In our notifications about adding reCAPTCHA, we also encouraged the addition of velocity checks to your gateway, which gives an added level of protection by preventing the rapid-fire transactions involved in a brute force attack.  The gateway offers a service called iSpy Fraud, which can be used by adding filters and blocking suspicious transactions. This service is now necessary more than ever.

In addition to the standard interchange costs for each fraud card processed, MasterCard has now added a new fee:

MasterCard Excessive Auth Attempts US Fee:

MasterCard introduced a Transaction Processing Excellence program fee of $0.10 per item.  This fee will be assessed on the 21st MasterCard transaction after 20 previously declined attempts on the same account number within a 24-hour period.

A Carding Attack on a merchant account can cost hundreds to thousands of dollars in added fees.  These fees are not refundable by the processors.  Therefore, it is important that merchants step up and take the necessary steps to protect their online stores and payment portals.  Talk to your website developers or IT company to ensure that they doing all they can to protect you from a brute force attack.  All it takes is one attack to put the merchant out of business.  Fees can be astronomical if not caught or stopped immediately. 

Feel free to reach out to our customer service department or your sales consultant to learn more about how you can protect your business.