If you are a merchant accepting credit card payments over the web, you should be sensitive to how criminals can use your website to “test” stolen cards.
One of the biggest challenges for bad guys who have a lot of stolen card data is finding out whether the cards are still “good” and have not been reported as stolen by their owners. What they need is access, anonymously, to someone’s merchant account, where they can run card after card for a small “token” amount.
If a card comes back with an approval code, then they know they can use that card number to make purchases, which they will fence or convert to cash. If the transaction comes back “decline” or “hold card,” then they know that the theft has been discovered and to discard that card number.
The end result of these types of transactions is that you, as a merchant, might come in one morning and discover that “you” have run hundreds or thousands of 10¢ transactions that the cardholders never authorized. This discovery is usually followed by numerous phone calls, emails, and letters from cardholders about the unauthorized use of their card data. In some cases, you will also start to see chargebacks from those same cardholders.
While you, as a merchant, would not stand at your register and run transaction after transaction for 10¢ with one customer, your website, if not properly configured, allows just that.
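The pattern described above is something a merchant can look for in the gateway's own authorization log. The following is an added example, not code from the original article: it flags any source that runs a burst of small "token" authorizations against many different cards with a high share of declines. The log layout, field names and thresholds are constructed for this example.

```python
# Added example (not from the article): flag card-testing bursts in an
# authorization log. Log format and field names are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log: (timestamp, source_ip, card_last4, amount, result)
SAMPLE_LOG = [
    ("2024-03-01T02:00:01", "203.0.113.7", "4242", 0.10, "APPROVED"),
    ("2024-03-01T02:00:03", "203.0.113.7", "1111", 0.10, "DECLINED"),
    ("2024-03-01T02:00:05", "203.0.113.7", "2222", 0.10, "HOLD_CARD"),
    ("2024-03-01T02:00:08", "203.0.113.7", "3333", 0.10, "APPROVED"),
    ("2024-03-01T02:00:11", "203.0.113.7", "4444", 0.10, "DECLINED"),
    ("2024-03-01T02:00:14", "203.0.113.7", "5555", 0.10, "DECLINED"),
    ("2024-03-01T09:15:00", "198.51.100.4", "9876", 54.99, "APPROVED"),  # normal order
    ("2024-03-01T09:16:10", "198.51.100.4", "9876", 0.50, "APPROVED"),   # small, but one card
    ("2024-03-01T11:02:00", "192.0.2.9", "7777", 0.25, "APPROVED"),
    ("2024-03-01T11:04:00", "192.0.2.9", "8888", 0.25, "DECLINED"),      # too few attempts
]

def find_card_testing(log, token_amount=1.00, window=timedelta(minutes=10),
                      min_attempts=5, min_distinct_cards=4, min_decline_ratio=0.3):
    """Return {source_ip: summary} for sources whose small-amount authorizations
    form a burst of many distinct cards with a high decline share in one window."""
    by_source = defaultdict(list)
    for ts, ip, last4, amount, result in log:
        if amount <= token_amount:  # only small "token" charges matter here
            by_source[ip].append((datetime.fromisoformat(ts), last4, result))
    flagged = {}
    for ip, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # shrink to window
                start += 1
            burst = events[start:end + 1]
            if len(burst) < min_attempts:
                continue
            cards = {last4 for _, last4, _ in burst}
            declines = sum(1 for _, _, result in burst if result != "APPROVED")
            ratio = declines / len(burst)
            if len(cards) >= min_distinct_cards and ratio >= min_decline_ratio:
                prev = flagged.get(ip)
                if prev is None or len(burst) > prev["attempts"]:  # keep largest burst
                    flagged[ip] = {"attempts": len(burst), "distinct_cards": len(cards),
                                   "decline_ratio": round(ratio, 2)}
    return flagged
```

Calling `find_card_testing(SAMPLE_LOG)` flags only `203.0.113.7` (6 attempts, 6 distinct cards, decline ratio 0.67); the single 50¢ charge and the two-attempt source stay below the thresholds. The thresholds are starting points to tune against your own normal traffic.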
At Michigan Retailers, we have seen an uptick in the number of merchants noticing large numbers of transactions for small individual amounts from their websites.
If you allow a consumer to go to your website and pay a bill or order merchandise, you should make sure that you have implemented procedures and processes to prevent bad guys from using your account as a test account.
While the criminals can do this one transaction at a time, most of them are lazy and design a web bot to do it. In its simplest form, a web bot automates a series of keystrokes or mouse clicks.
If you find yourself in this situation, or want to prevent it from happening in the first place, you should work with your webmaster to develop processes and procedures to validate that it is a human on the other end of the web transaction.
The simplest tool is a CAPTCHA, which is a challenge-response test. CAPTCHA was a term coined by a group of computer engineers at Carnegie Mellon University and stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” This is the “gibberish” – usually you’re asked to type in the distorted letters you see – on the bottom of forms on the Internet that collect data.
This simple act will dramatically reduce the opportunity for a bad guy to use your website as a test account.
If you suspect that your account may have been used to test stolen card data, contact your merchant-processing provider right away. Your processor can also help clear up the transactions and prevent the situation from happening again.