Are you seeing more declined transactions than expected or receiving small donations that don’t look legitimate?
You may be the latest victim of card testing spam.
Online payment processor Stripe gives an excellent definition on their website:
Card testing is a type of fraudulent activity where someone tries to determine if stolen card information can be used to make purchases. Other common terms for card testing are “carding”, “account testing”, and “card checking”.
It’s an unfortunate reality that credit card information is sold on the dark web every day. Verified card numbers are worth more to buyers, so generally get verified before being used sold.
Smaller web stores and donation forms are a low-risk way for criminals to test these cards in bulk, as they often lack the sophisticated fraud and abuse detection systems larger merchants employ.
Countermeasures you can take
There are strategies you can use to limit your risk of being a victim of this type of attack:
- Enable/increase the fraud detection settings at your credit card processor
- Enable AVS if not enabled, and ask for a Zip/Postal Code on your payment form
- Stripe offers Radar – which uses Machine Learning to block attacks
- Add a captcha
- Google offers recaptcha for free, and many plugins offer support for it
- Add an anti-spam plugin
- Akismet integrates with many plugins and offers crowd sourced spam detection
- Add rate limiting
- Most attacks are bulk verification attacks: plugins like WordFence, reverse proxies like Cloudflare and Web Application Firewalls (WAF) can detect abusive behavior and block attacks by IP
- Require a login
- Disable guest checkout or guest donations
A combination of approaches is often best — just make sure you don’t block legitimate users or add hurdles that hurt conversions.
Need help?
Our experts can help you determine the best countermeasures to put into place for your business, and can configure them for you. Let’s talk!
Resources
- Card Testing: Learn about this fraudulent activity and how to prevent it. from Stripe
- Spam Donations and What to do About Them from GiveWP
- Suspicious Transactions and What To Do from Authorize.net
- Is your e-commerce site being used to test stolen card data? from Sophos
Photo by Dylan Gillis on Unsplash
Nick Ciske – CTO / CISO
Nick has a degree in Multimedia Design and over 20 years of experience working in web development and digital media. In his career he’s built or rebuilt just about every kind of website, including many content management systems (before WordPress), several custom e-commerce systems, and hundreds of websites.