Card Tumbling and Credit Card Testing

Card Tumbling and Credit Card Testing is when fraudsters who hold a list of stolen credit card numbers use your site to test which ones are still active [and not yet reported lost or stolen] by making small-dollar transactions.

Nonprofit Organizations are often on the receiving end of such abuse because the amounts they accept can be small. These events are costly to deal with because they consume both time and money:

  • Failed Contributions and fake Contacts to be cleaned up.
  • Completed Contributions must be refunded [you must do so quickly to avoid chargeback fees/penalties].
  • Your payment processing company will likely charge you transaction fees for every failed transaction.

1. Characteristics of the latest card testing events:

  • $10 transactions: fraudsters aim to validate if a card is good without the cardholder noticing and reporting it. The smaller the charge, the less likely it is to attract attention. Set a minimum value that is as high as possible while still being appropriate for most donors.
  • No more than 2 attempts from a single IP address: this makes it almost impossible for a server-side firewall to detect and block, since real people could type in their CVV incorrectly twice.
  • USA/California billing addresses.
  • Slow (lots of time between transactions): this also makes it almost impossible for a server-side firewall to detect and block. Real people are slow(er) than bots, so the attempts blend in.
  • Mostly during the night: fraudsters appear quite aware of Canadian time zones.
  • Successfully solved the Google reCAPTCHA v2 check (‘select the bicycles’): while v2 still deters some fraud, it can no longer be considered effective on its own.

2. Be proactive:

  • Set a minimum Amount > $10 (on Contribution pages where you can do so).
  • Disable all old Contribution pages that are no longer in use.
  • Log in to your payment processor and check your Fraud mitigation tools.
  • Remove rarely used countries from the country select list in your localization settings / options.
  • Monitor: check your database for Failed contributions daily.
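The daily monitoring above is easier to keep up when the signals from section 1 (small amounts, at most 2 attempts per IP, spread out, at night) are checked by a script rather than by eye. The following is an added example, not code from the original page or from any CiviCRM project: it runs over a constructed set of contribution rows (timestamp, status, amount, source IP; all values made up, addresses from TEST-NET ranges) and flags the days whose pattern matches card tumbling while leaving a legitimate donor's daytime CVV retries alone.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows standing in for a contributions table joined to the
# request log; these are not real donations or real addresses.
CONTRIBUTIONS = [
    ("2024-03-02T01:14:00", "Failed",    10.00, "203.0.113.5"),
    ("2024-03-02T01:51:00", "Failed",    10.00, "203.0.113.5"),
    ("2024-03-02T02:40:00", "Failed",    10.00, "198.51.100.7"),
    ("2024-03-02T03:25:00", "Completed", 10.00, "198.51.100.7"),   # a live card: refund it fast
    ("2024-03-02T04:02:00", "Failed",    10.00, "192.0.2.19"),
    ("2024-03-02T04:58:00", "Failed",    10.00, "192.0.2.44"),
    ("2024-03-02T14:10:00", "Completed", 50.00, "192.0.2.80"),     # ordinary daytime donation
    ("2024-03-03T12:30:00", "Failed",    10.00, "198.51.100.9"),   # real donor mistyping CVV...
    ("2024-03-03T12:33:00", "Failed",    10.00, "198.51.100.9"),
    ("2024-03-03T12:36:00", "Completed", 10.00, "198.51.100.9"),   # ...then getting it right
    ("2024-03-03T15:05:00", "Completed", 100.00, "192.0.2.80"),
]

def daily_stats(records, small_amount=10.00, night_hours=range(0, 6)):
    """Group small-amount attempts by calendar day and tally the card-testing
    signals: attempt volume, failures, night-time share and attempts per IP."""
    days = defaultdict(lambda: {"attempts": 0, "failed": 0, "night": 0,
                                "per_ip": defaultdict(int)})
    for ts, status, amount, ip in records:
        if amount > small_amount:
            continue  # testers keep charges tiny; larger gifts are out of scope
        when = datetime.fromisoformat(ts)
        day = days[when.date().isoformat()]
        day["attempts"] += 1
        day["failed"] += int(status == "Failed")
        day["night"] += int(when.hour in night_hours)
        day["per_ip"][ip] += 1
    return days

def flag_card_testing(records, min_attempts=4, min_ips=3, min_night_share=0.5):
    """Return days that look like tumbling: several small attempts spread thinly
    across many IPs (so no single IP trips a rate limit) and mostly at night."""
    flagged = {}
    for day, d in daily_stats(records).items():
        thin_spread = len(d["per_ip"]) >= min_ips          # few attempts per IP
        nocturnal = d["night"] / d["attempts"] >= min_night_share
        if d["attempts"] >= min_attempts and thin_spread and nocturnal:
            flagged[day] = {"attempts": d["attempts"], "failed": d["failed"],
                            "ips": len(d["per_ip"])}
    return flagged

if __name__ == "__main__":
    for day, info in flag_card_testing(CONTRIBUTIONS).items():
        print(f"{day}: {info['attempts']} small attempts, {info['failed']} failed, "
              f"{info['ips']} distinct IPs -- review and refund completed ones")
```

Tune the thresholds to your own donation profile; the completed rows inside a flagged day are the ones to refund before a chargeback lands.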

3. If you’re seeing evidence of tumbling:

  • Identify it. Do not ignore suspicious activity.
  • Email us right away.
  • Disable your payment processor. This is only temporary, until we can connect with you, work out which pathway was used, and block it.