[BreachExchange] Fraud Targets Charities and Small Businesses: Here’s How to Fight it

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 19 19:32:24 EST 2017


http://www.smallbizdaily.com/fraud-targets-charities-small-businesses-heres-fight/

Stolen credit card data is big business, and it’s no secret that criminals
use this information to target online retailers by making fraudulent
purchases and then re-selling the merchandise. What’s less widely known is
how small mom-and-pop businesses and charities fall victim to the same
criminals who go after big retailers. These small entities can least afford
the damage fraudsters can cause, but they’re also the most vulnerable to a
particular kind of fraud known as card testing. Here’s what every
non-profit organization and small business should know about this common
and disruptive type of fraud.

What is card-testing fraud?

When criminals buy stolen card data on the dark web, there’s no guarantee
that the card numbers are still valid, and the card data is often
incomplete. It may be missing card verification values (the 3-digit
security numbers on the back of each card), name and address information,
and other key information that large retailers use to screen orders for
fraud.

Without this information, criminals have to guess until they get it right
for each card number. So they “test” by placing small orders with small
online retailers or making donations to charities to see if the CVVs and
billing zip codes they guess at are the right ones. When they find a match
that results in a purchase or donation, they use that card and tested data
to go after bigger retail targets.

Why do card testers target small businesses and charities?

In short, they do it because they’re most likely to get away with it. Major
retailers, and even many small to midsize online sellers, have in-house
and/or third-party fraud detection services to screen their transactions.
Many also follow best practices that limit the number of times a customer
or donor can enter card information incorrectly before the order is closed.

Many new and small businesses mistakenly think they’re too small for
criminals to notice, or they’re unaware that this type of fraud exists, so
they go without fraud prevention programs. Charities, meanwhile, must
balance the need to make giving easy for donors with the need to prevent
fraudulent gifts that can skew budget planning and incur costly bank fees.

If the amounts are small, why does it matter?

Fake $5 donations and fraudulent $3 purchases are just the tip of the
fraud-loss iceberg. When the owner of the stolen card number reports the
fraud, the small business or charity loses the transaction amount plus a
chargeback fee of up to $100 for each fraudulent transaction. Worse, these
purchases aren’t usually isolated incidents perpetrated by people sitting
at keyboards. Modern fraudsters use bots and scripted attacks to run what
security firm ThreatMetrix describes as mass testing sessions. In the
second quarter of 2016 alone, the company detected more than 400 million
such bot attacks worldwide.

Think of the damage that a rapid-fire series of small fake purchases or
donations can inflict on a business or nonprofit with a tiny budget and no
reserves to cover multiple chargeback fees. In the worst-case scenario, a
small merchant’s or nonprofit’s chargeback ratio can rise to the point
where card companies and processors label them high risk, leading to
account termination and the end of the business.

How can charities and small businesses guard against card-testing fraud?

There are specific steps small businesses and nonprofits can take to
protect their transactions. One step is setting up the checkout process to
limit the number of data entry attempts a customer can make, especially
with respect to the CVV and billing zip code. Another is limiting the
number of purchases or donations a customer can make within a short time,
especially if they use different card numbers. Multiple orders by different
customers placed from the same computer or device are a red flag, as well.
Another security best practice is contacting customers or donors by phone
when an order raises red flags. These steps will help in the short run.
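The velocity checks described above, as an added example that is not part of the article: a Python routine over constructed checkout-attempt records that flags repeated CVV/zip failures on one card and many distinct cards from one device inside a short window (thresholds and field names are assumptions, not values from the article).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Attempt:
    ts: int        # seconds since epoch (constructed sample values below)
    device: str    # device fingerprint or session id (assumed field)
    card: str      # tokenized card reference, never the raw card number
    cvv_ok: bool   # did the CVV match?
    zip_ok: bool   # did the billing zip match?
    amount: float


def flag_card_testing(attempts, window=300, max_failures=3, max_cards=3):
    """Return {device_id: [reasons]} for devices whose attempts look like card testing.

    Two signals from the article: repeated CVV/zip failures on a single card, and
    many different cards tried from the same device within a short time window.
    Default thresholds are assumed, not taken from the article.
    """
    flags = defaultdict(set)
    attempts = sorted(attempts, key=lambda a: a.ts)
    for i, cur in enumerate(attempts):
        recent = [a for a in attempts[:i + 1] if cur.ts - a.ts <= window]
        # Count failed CVV/zip entries on this card within the window
        failures = sum(1 for a in recent
                       if a.card == cur.card and not (a.cvv_ok and a.zip_ok))
        if failures >= max_failures:
            flags[cur.device].add("cvv/zip retries on one card")
        # Count distinct cards presented by this device within the window
        cards = {a.card for a in recent if a.device == cur.device}
        if len(cards) >= max_cards:
            flags[cur.device].add("many distinct cards from one device")
    return {d: sorted(r) for d, r in flags.items()}


# Constructed sample: one legitimate donor with a single typo, then one tester
# cycling cards with $3 orders while guessing CVV and zip.
SAMPLE = [
    Attempt(1000, "dev-A", "tok-111", False, True, 25.0),
    Attempt(1020, "dev-A", "tok-111", True, True, 25.0),
    Attempt(2000, "dev-B", "tok-222", False, False, 3.0),
    Attempt(2005, "dev-B", "tok-222", False, True, 3.0),
    Attempt(2010, "dev-B", "tok-222", False, False, 3.0),
    Attempt(2015, "dev-B", "tok-222", True, True, 3.0),
    Attempt(2020, "dev-B", "tok-333", False, False, 3.0),
    Attempt(2025, "dev-B", "tok-444", True, True, 3.0),
]

if __name__ == "__main__":
    print(flag_card_testing(SAMPLE))
```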

Over the long term, because online fraud is evolving rapidly, it’s a good
idea to follow e-commerce fraud news and know about the latest emerging
threats. The ultimate security step is finding cost-effective
fraud-prevention experts to screen orders and donations based on the most
up-to-date fraud insights.