Testing 1, 2, 3 … cents? Why you shouldn’t shrug off those tiny charges
March 12, 2024 | By Melanie Gersten
A colleague of mine logged into her banking app and noticed a few unusual transactions — a few cents paid to a variety of businesses in other states, including a charge for one cent to a restaurant in Minnesota, where she had never been.
Because of her background in the payments industry, she immediately recognized the charge for what it was: the work of a card testing syndicate.
Over the years, data breaches have impacted hundreds of millions of payment cards, with hackers selling the card information on criminal marketplaces on both the publicly accessible internet and the dark web. Their customers — fraudsters — expect these cards to work, so hackers use card testing services to ensure the cards are still valid and active. (Good customer service is key, even among criminals.)
When a card testing transaction is successful, it can result in disputed purchases, creating headaches for the cardholder, the merchant and their banks. Unsuccessful attempts — when the cards are declined — are still problematic for the merchant, because higher decline rates can make these businesses seem risky to their acquiring banks. The banks may then be more prone to denying purchases, costing the merchants more sales. And, most troubling, card testing is the precursor to actual fraud — essentially a dry run for criminals.
The economics of card testing
In the technology world, the “as a service” business model is growing fast, and criminal syndicates have followed suit, with ransomware as a service and malware as a service among their offerings. Card testing enterprises are no different. They cater to the cybercriminals who buy stolen credit card numbers off the dark web, selling access to automated software to test which compromised cards are still valid and have funds available.
In one recent case uncovered by the U.S. Department of Justice, the card testing service Try2Check — described as the “gold standard” of illegal credit card verification platforms — offered a menu of different testing transactions. The service would then run millions of preauthorization attempts on the stolen cards, which are less likely to trigger fraud rules or be noticed by legitimate cardholders. An approval confirms that the card is valid. Once the compromised card data is sold, its new “owners” can use that card information to make fraudulent purchases.
In May, the Justice Department identified the alleged mastermind behind Try2Check, charging him with access device fraud, computer intrusion and money laundering. The platform performed tens of millions of checks each year, earning the defendant — who remains a fugitive — at least $18 million in bitcoin.
Even with the indictment and takedown of a major testing service like Try2Check, testing activity remains an inevitable and critical pillar of the payment card cyber-fraud life cycle. Millions of testing transactions are run every year, and criminals continue to adapt their techniques as the payment ecosystem evolves.
Short-circuiting the cyber-fraud life cycle
Understanding patterns and quick detection are key to stopping the cycle of card testing.
At Mastercard, the Cyber & Intelligence team monitors vulnerabilities and threats and can detect this testing activity in real time — like a huge influx of authorization requests for low-dollar values in a short amount of time. The team alerts issuing banks if their cards appear to be involved in a testing scheme, and Mastercard Safety Net, which monitors transactions on a global network level, can detect large-scale testing attacks immediately and decline the transactions.
The team also reaches out to the merchants’ banks, which can alert their customers that their businesses are being used for testing. And as technology advances and criminals evolve their tactics, the team at Mastercard is driving new thinking and constantly expanding its capabilities to detect and prevent fraud.
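The signal described above, a burst of low-dollar authorization requests in a short time, can be sketched as a sliding-window check over a merchant's authorization log. This is an added illustration, not Mastercard's detection logic; the thresholds, field names and sample events are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, not from the article; tune against real traffic.
LOW_VALUE_CENTS = 100            # ceiling for a "low-dollar" authorization
WINDOW = timedelta(minutes=5)    # the "short amount of time"
MIN_AUTHS = 5                    # low-value attempts inside one window
MIN_CARDS = 5                    # distinct cards, so one retrying customer is ignored


def detect_card_testing(events):
    """Flag merchants receiving a burst of low-value authorizations.

    events: time-ordered (iso_timestamp, merchant_id, card_token, amount_cents, approved)
    Returns {merchant_id: {first_alert, peak_auths, peak_cards, decline_rate}}.
    """
    windows = defaultdict(deque)
    alerts = {}
    for ts, merchant, card, cents, approved in events:
        if cents > LOW_VALUE_CENTS:
            continue                      # ordinary purchase, not counted
        now = datetime.fromisoformat(ts)
        win = windows[merchant]
        win.append((now, card, approved))
        while now - win[0][0] > WINDOW:   # expire attempts older than the window
            win.popleft()
        cards = {c for _, c, _ in win}
        if len(win) < MIN_AUTHS or len(cards) < MIN_CARDS:
            continue
        alert = alerts.setdefault(merchant, {"first_alert": ts, "peak_auths": 0})
        if len(win) > alert["peak_auths"]:
            declined = sum(1 for _, _, ok in win if not ok)
            alert.update(peak_auths=len(win), peak_cards=len(cards),
                         decline_rate=round(declined / len(win), 2))
    return alerts


# Constructed sample data: merchants, tokens and amounts are invented.
SAMPLE = [
    ("2024-03-12T10:00:00", "M-CAFE", "tok-a", 450, True),
    ("2024-03-12T10:00:05", "M-GRILL", "tok-01", 1, True),
    ("2024-03-12T10:00:20", "M-GRILL", "tok-02", 1, False),
    ("2024-03-12T10:00:35", "M-GRILL", "tok-03", 2, False),
    ("2024-03-12T10:00:50", "M-GRILL", "tok-04", 1, True),
    ("2024-03-12T10:01:05", "M-GRILL", "tok-05", 3, False),
    ("2024-03-12T10:01:20", "M-GRILL", "tok-06", 1, False),
    ("2024-03-12T10:02:00", "M-CAFE", "tok-b", 75, False),
    ("2024-03-12T10:02:10", "M-CAFE", "tok-b", 75, True),
    ("2024-03-12T10:30:00", "M-GRILL", "tok-07", 1, True),
]
```

The decline rate is reported alongside the count because, as noted earlier, elevated declines are what make a merchant look risky to its acquiring bank.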
For cardholders, vigilance is key. You may already be reviewing your monthly statements, but mobile banking customers can check their accounts at the touch of a button. Reach out to your bank if you see a charge you don’t recognize, no matter how small — or in this case, especially if it’s small.