Card testing? Carders? What are those?
The general picture
Around 35% of US credit cardholders experienced credit card fraud in 2019. Over 46% of the world's credit card fraud happens in the US. More than $24.2 billion was lost globally due to payment card fraud in 2018. The Federal Trade Commission returned $232 million to victims of fraud and identity theft in 2019. (from legaljobs)
Card testing
According to Stripe's documentation, card testing is a type of fraudulent activity in which someone tries to determine whether stolen card information is valid so that they can use it to make purchases. A fraudster may do this by purchasing stolen credit card information and then attempting to validate it, or make small purchases with it, to determine which cards are still live. Other common terms for card testing are "carding", "account testing" and "card checking".
Carders
Carding is a term describing the trafficking and unauthorized use of credit cards. The stolen credit cards or credit card numbers are then used to buy prepaid gift cards to cover up the tracks. Activities also encompass the exploitation of personal data and money laundering techniques. (from Wikipedia)
How to protect your Business
We have created this help article to give you precise guidance on what to do if your store is targeted by these attacks.
Stripe
Sellix partners with Stripe, one of the many gateways it supports, to process credit card payments as well as Apple Pay, Google Pay, and regional banking methods.
First off, these settings are a must
Enable Stripe Radar, which detects and blocks fraud using machine learning that trains on data across millions of global companies.
Create automatic blocking rules in Radar (covered below) and tune them to your own store's transaction data.
The Golden Rule
This rule is a must-have for Stripe Radar and you should configure it immediately.
It rejects any attempt made with a credit or debit card whose CVC check fails, or for which no CVC check result is available; in short, it rejects anyone who holds a leaked card number but not the matching CVC. Digital-wallet payments are exempted because a wallet submits a tokenised card without a CVC, so without the exemption every legitimate wallet customer would be blocked too. The rule does not stop a fraudster who bought full card details including the CVC; the 3DS and velocity rules below cover that case.
Block if :cvc_check: in ('fail', 'unchecked', 'unavailable') and :digital_wallet: != 'apple_pay' and :digital_wallet: != 'visa_checkout' and :digital_wallet: != 'android_pay'
Stripe Radar rules
Always require 3DS on credit card purchases: the EU's Strong Customer Authentication rules (PSD2) mandate it for most EU card payments, and it tremendously helps against fraud attempts everywhere, since a tester holding only card data cannot complete the issuer's challenge.
Be sure to enable both
Request 3DS if 3D Secure is recommended for card
Request 3DS if 3D Secure is supported for card
Blocking failed CVC attempts
One of the most important rules you can enable is blocking payments if the CVC verification fails.
This means card testers must not only know the card number and expiry date but also guess the CVC, which has 1,000 possible values (10,000 for the four-digit American Express code); they are rate-limited or blocked long before they can brute-force the correct value.
Block if CVC verification fails
Additional rules
If you still see carding attempts happening on your store, you can enable the following rules through your Radar dashboard.
Block if :risk_level: = 'highest'
Block if payment matches one or more values in default Stripe block lists
Block if :risk_score: > 50 and :card_country: = 'US' and :card_count_for_customer_daily: > 1
Block if (:ip_country: in ('ID','TR') or :is_anonymous_ip:) and :risk_score: >=60
Block if :is_disposable_email: and :is_anonymous_ip:
Block if :total_charges_per_card_number_hourly: > 10 and :card_country: != 'US'
Blocking BINs
The BIN, or Bank Identification Number, is the first six digits of a card number (the value Stripe exposes as :card_bin:). These are always tied to the issuing institution, usually a bank. In a BIN attack, fraudsters keep the six BIN digits fixed and generate the remaining digits algorithmically: the Luhn checksum makes producing syntactically valid numbers trivial, and card testing is how they find out which of those numbers are actually live.
Add the following rules to block BINs known to be used by fraudsters. Be aware of how broad they are: each digit group is short and covers a large range of legitimately issued cards, and a :risk_score: >= 0 condition is always true (scores run from 0 to 99, and >= 3 is nearly always true), so these rules block every matching card regardless of risk. Review the payments they block before deciding to keep them.
Block if :card_bin: includes '402' and :risk_score: >= 0
Block if :card_bin: includes '420' and :risk_score: >= 0
Block if :card_bin: includes '4355' and :risk_score: >= 0
Block if :card_bin: includes '478' and :risk_score: >= 3
Block if :card_bin: includes '440' and :risk_score: >= 3
Block if :card_bin: includes '461' and :risk_score: >= 3
Stricter Rules
If carding attempts keep going through, there are a few additional rules you can add. These trade customer reach for safety: a card country that differs from the IP country, a prepaid card or an unrecognised funding type is normal for travellers and for some legitimate buyers, so expect false positives and watch your blocked payments closely.
Block if :total_charges_per_card_number_hourly: > 3
Block if :risk_score: > 85
Block if :blocked_charges_per_ip_address_hourly: > 2
Block if :total_charges_per_ip_address_hourly: > 3
Block if :card_funding: = 'prepaid' or :card_funding: = 'unknown'
Block if :card_country: != :ip_country:
Block if :is_disposable_email: and :card_funding: = 'prepaid'
Block if :card_3d_secure_support: = 'not_supported' and :is_anonymous_ip:
Block if :cvc_check: in ('fail', 'unchecked', 'unavailable') and :is_anonymous_ip:
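To see how the rules on this page combine on realistic traffic, here is an added example, not code from Stripe or Sellix: a small Python evaluator that applies the Golden Rule, the :risk_level: rule, one of the BIN rules, the country-mismatch rule and an hourly per-card velocity check to constructed payment attempts. The attempt records, the prefix-match reading of the BIN rule and the assumption that Radar's hourly counter excludes the current attempt are all assumptions of the example, not Radar's documented behaviour.

```python
# Added example, not code from Stripe or Sellix: applies Radar-style rules from
# this page to constructed payment attempts so you can see which rule fires on
# which attempt and where the stricter rules over-block. The evaluation semantics
# (prefix match for the BIN rule, velocity counting prior attempts in a sliding
# hour) are assumptions about Radar, not its implementation.
from collections import defaultdict
from datetime import datetime, timedelta

# Wallet payments carry a tokenised card with no CVC, which is why the Golden Rule exempts them.
WALLETS_WITHOUT_CVC = ("apple_pay", "visa_checkout", "android_pay")


def cvc_golden_rule(a):
    """Block if :cvc_check: in ('fail','unchecked','unavailable') and not paid with a digital wallet."""
    return (a["cvc_check"] in ("fail", "unchecked", "unavailable")
            and a["digital_wallet"] not in WALLETS_WITHOUT_CVC)


def risk_level_highest(a):
    """Block if :risk_level: = 'highest'."""
    return a["risk_level"] == "highest"


def bin_402(a):
    """Block if :card_bin: includes '402' and :risk_score: >= 0.
    Risk scores run 0-99, so the second condition never excludes anything;
    this blocks every card whose BIN starts with 402 (prefix match assumed)."""
    return a["card_bin"].startswith("402") and a["risk_score"] >= 0


def card_country_ip_mismatch(a):
    """Block if :card_country: != :ip_country: (also hits travellers and VPN users)."""
    return a["card_country"] != a["ip_country"]


class CardVelocity:
    """Stand-in for :total_charges_per_card_number_hourly: > limit.
    Counts attempts already seen for a card fingerprint in the last hour
    (assumption: the current attempt itself is not included in the count)."""

    def __init__(self, limit):
        self.limit = limit
        self.seen = defaultdict(list)

    def check(self, a):
        key = a["card_fingerprint"]
        window_start = a["time"] - timedelta(hours=1)
        prior = [t for t in self.seen[key] if t > window_start]
        self.seen[key] = prior + [a["time"]]  # every attempt counts, blocked or not
        return len(prior) > self.limit


def evaluate_all(attempts, velocity_limit=3):
    """Return {attempt id: [names of the rules that would block it]}, in time order."""
    stateless = [cvc_golden_rule, risk_level_highest, bin_402, card_country_ip_mismatch]
    velocity = CardVelocity(velocity_limit)
    verdicts = {}
    for a in sorted(attempts, key=lambda x: x["time"]):
        hits = [rule.__name__ for rule in stateless if rule(a)]
        if velocity.check(a):
            hits.append("card_velocity_hourly")
        verdicts[a["id"]] = hits
    return verdicts


def _attempt(i, minute, **overrides):
    """Build a constructed attempt record with the attributes the rules above read."""
    base = dict(id=f"a{i}", time=datetime(2022, 8, 21, 12, minute), digital_wallet=None,
                cvc_check="pass", risk_score=10, risk_level="normal", card_bin="424242",
                card_country="US", ip_country="US", card_fingerprint=f"fp_{i}")
    base.update(overrides)
    return base


# Constructed attempts (no real card data): a wallet payment, a tester with a leaked
# number, a legitimate card whose BIN merely starts with 402, a tester hammering one
# card five times, and a customer paying from abroad.
SAMPLE_ATTEMPTS = (
    [_attempt(1, 0, digital_wallet="apple_pay", cvc_check="unavailable"),
     _attempt(2, 1, cvc_check="fail", risk_score=82, risk_level="highest",
              card_bin="510510", card_country="GB", ip_country="GB"),
     _attempt(3, 2, card_bin="402400", risk_score=4)]
    + [_attempt(4 + n, 3 + n, cvc_check="fail", risk_score=55, risk_level="elevated",
                card_bin="453201", card_fingerprint="fp_tester") for n in range(5)]
    + [_attempt(9, 9, card_country="DE", ip_country="FR")]
)

if __name__ == "__main__":
    for attempt_id, hits in evaluate_all(SAMPLE_ATTEMPTS).items():
        print(attempt_id, "blocked by " + ", ".join(hits) if hits else "allowed")
```

Running it shows the wallet payment passing despite its 'unavailable' CVC result, the 402400 card being blocked purely by its BIN, the customer abroad being blocked by the country rule, and the tester's fifth attempt tripping the velocity limit on top of the CVC block. That mix of true and false positives is what you should expect to review during the evaluation period described below.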
Card Testing
We have recently released (August 21 2022) an improved system to prevent card testing on Sellix stores.
A reCAPTCHA challenge (invisible at first, then a visible one) is required on every credit card payment submission, and the invoice is voided if too many attempts fail.
Thanks to our partnership with Stripe, we will also soon have additional measures, such as enforcing a threshold on PaymentIntent confirmations and blocking any subsequent requests once it is exceeded.
In order to create custom blocking rules and completely block card testing attempts, take a look at Stripe's guidelines on the issue.
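As an added example (not Sellix's implementation, whose thresholds are not published here), the escalation above can be modelled as a per-invoice guard: failed submissions are counted per invoice, the challenge escalates from an invisible to a visible captcha, and once the failure limit is reached the invoice is voided and every later confirmation is refused. The limits of 2 and 5 failures and the keying by invoice id are assumptions of the example.

```python
# Added example, not Sellix's code: a per-invoice guard modelling the escalation
# described on this page (invisible challenge, then a visible one, then the
# invoice is voided and further confirmations are refused). Thresholds and the
# keying by invoice id are assumptions; the real values are not published here.
from dataclasses import dataclass, field

INVISIBLE_LIMIT = 2  # assumed: failures tolerated before a visible captcha is demanded
VOID_LIMIT = 5       # assumed: failures after which the invoice is voided


@dataclass
class InvoiceGuard:
    failures: dict = field(default_factory=dict)  # invoice id -> failed submissions
    voided: set = field(default_factory=set)

    def challenge_for(self, invoice_id):
        """Which challenge the checkout must present before the next submission."""
        if invoice_id in self.voided:
            return "voided"
        if self.failures.get(invoice_id, 0) >= INVISIBLE_LIMIT:
            return "visible"
        return "invisible"

    def submit(self, invoice_id, captcha_passed, card_accepted):
        """Process one payment submission and return its outcome."""
        if invoice_id in self.voided:
            return "rejected_voided"      # no more confirmations for this invoice
        if not captcha_passed:
            return "rejected_captcha"     # a bot that cannot solve it never reaches the gateway
        if card_accepted:
            self.failures.pop(invoice_id, None)
            return "paid"
        count = self.failures.get(invoice_id, 0) + 1
        self.failures[invoice_id] = count
        if count >= VOID_LIMIT:
            self.voided.add(invoice_id)
            return "voided"
        return "declined"


def simulate_card_tester(attempts, invoice_id="inv_1"):
    """A tester cycling stolen cards against one invoice, solving every captcha:
    returns (challenge shown, outcome) for each attempt."""
    guard = InvoiceGuard()
    outcomes = []
    for _ in range(attempts):
        challenge = guard.challenge_for(invoice_id)
        outcomes.append((challenge, guard.submit(invoice_id, captcha_passed=True, card_accepted=False)))
    return outcomes


if __name__ == "__main__":
    for n, (challenge, outcome) in enumerate(simulate_card_tester(6), start=1):
        print(f"attempt {n}: challenge={challenge} outcome={outcome}")
```

The point of voiding the invoice rather than only rate-limiting is that the tester loses the target entirely: even with a fresh card and a solved captcha, the sixth submission is refused before any request reaches the gateway.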
Apple Pay, Google Pay, Banking methods
If you're seeing high fraud attempts or fraudulent payments going through when customers use additional payment methods with Stripe, you can disable them directly on your Stripe dashboard.
Sellix will automatically hide any alternative payment method (APM) you disable from your customers within 24 hours.
Additional Guide
You can take a look at this other guide on additional rules and potential things you might want to know.
Evaluation period
After you have added these rules, keep them active for a few weeks, wait for feedback from your customers, and review the payments Radar blocked in your Stripe dashboard for legitimate orders caught by mistake.
You can then tweak, remove, tighten or improve the rules as you see fit.
PayPal
Sellix partners with PayPal to accept payments from other PayPal accounts and to provide regional banking methods.
Card Testing and Carding
PayPal currently has no fraud rule system comparable to Stripe's. If you are seeing frequent carding attempts on your account, our suggestion is to disable "Guest Payments", the option that lets users pay through PayPal with a credit card without signing up for an account.
Sellix Pro and Business plans
We do our best to keep our systems up to date and talk with our payment partners in order to provide you with the best possible experience and protect your business from online attacks.
Currently, our Pro and Business plans also include additional checks and security measures that help protect your business against bad actors.
Get immediate help if your business is targeted
If you're experiencing these types of attacks, get in touch with our support ASAP. You can find more information on how to contact us here.