On July 26th, a 5 man Eastern European credit card hacking ring was caught and broken. The defendants were discovered with over 160 million credit card and debit card numbers. Although this is the largest bust in US history, the proliferation of this type of crime is growing and understanding the tools that these criminals use once the card numbers are exposed is critical to curb the financial damage once the card has been breached.
Just as eCommerce merchants and financial institutions are targets for the initial theft of card numbers as well as the eventual financial fraud using the stolen card numbers, they are also key enabling tools for the criminals once the card numbers are stolen that help them to distill which cards are still active.
Once a list of stolen credit card numbers is marketed those numbers will continue to be resold until they are deemed inactive. The ability to understand if the numbers are still active is a valuable and critical piece of knowledge as the stolen card number ages.
So how does a seller of stolen credit card numbers prove that the numbers are still working without drawing attention to them? They use the power of anonymity on the internet and they prey on eCommerce sites to test the card number through what is called credit card cycling. The major players in this crime are typically organized and sophisticated. They use programs known as scripts that will take lists of credit card numbers and test each number against an eCommerce vendor making a fraudulent transaction or account creation to force the merchant to validate the card. All of the cards that have been validated by their respective payment processors now become a valuable commodity for either further fraudulent transactions or for resale.
The big losers here are the payment processors or the eCommerce merchants who could be subject to charge backs from the issuing banks as well as potential penalties making the original purchase a costly hit indeed especially if the script was testing hundreds or potentially thousands of cards, which is common.
The adoption of risk based authentication products that can identify this type of behavior is something that every eCommerce merchant should be looking at closely. The technology now exists to understand and specifically target credit card cycling scripts. It is important that the security control is able to look at behavior across sessions to be able to determine if behavior is happening in any type of systemic fashion. Strong products will also examine sessions across different merchant websites to understand behavior that may be targeting multiple eCommerce vendors to try to test extremely large lists of card numbers.
Timeliness is another key element to preventing losses due to credit card cycling in addition to accuracy. If you are able to accurately assess fraudulent behavior before it comes time to complete a transaction you will not only save your company the potential costs associated to that transaction but you will also be aiding the greater good by removing that card from further abuse by that particular criminal element.
Credit card theft is a crime that has been around since credit cards were brought into existence however technology and the internet have made the opportunity extremely attractive to the lone hacker and organized crime alike. Typical anti fraud software has been expensive and cost prohibitive to small to mid sized eCommerce companies but that dynamic is changing. Additionally some of these security controls are implemented with no impact to the customer community alleviating the worry of lost business due to customer abandonment.
Eliminating the ability for a criminal to test credit card numbers en mass is a key defense strategy that should be looked at closely not only by the eCommerce merchants themselves but also by the payment processors and banks alike. Until we put these types of security controls in place the very same websites that fall victim to this type of crime will continue to be enablers of the crime.