
Security reminder - Identify fraud and protect your business

Apr 27, 2023
Stacey Ruggles

Fraud is an ever-growing problem that continues to threaten businesses as attacks develop and become more sophisticated. A recent study found that the total cost of ecommerce fraud to merchants will exceed $48 billion USD globally in 2023*, and Visa has recently seen an increase in fraudulent activity in the form of enumeration (BIN) attacks. In response, Visa has recommended adopting a layered approach to tackle fraud, using as many fraud protection methods as you can.

Along with passing on Visa’s advice, Checkout.com would also like to remind you of best practices to help prevent these attacks and other types of fraud across all card schemes.

What is an enumeration attack?

An enumeration attack, also known as a BIN attack or brute force attack, is when a fraudster systematically submits Card Not Present (CNP) purchases through an ecommerce website, targeting a specific account range or issuer Bank Identification Number (BIN). Software is used to run a script of BIN numbers, usually at high velocity and often with low-value transactions. These transactions often arrive in large bursts within a short period of time, gathering information on which accounts are real.

The fraudster uses the authentication response to identify legitimate and active account numbers, leading to other higher value fraudulent purchase attempts using the payment account information they have gathered.

What can you do to prevent attacks?

  1. Make sure your business is aware of the risks associated with accepting payments online
  2. Have incident response plans tested and in place ready to use should you need them
  3. Contact your service provider quickly if fraudulent activity occurs
  4. Implement fraud prevention tactics:
     • Monitor and review the language and time zone of cardholders’ IP addresses and devices. This near-real-time authorization monitoring can help you detect anomalies or inconsistencies in the data and flag these transactions as higher risk
     • Add any IP addresses that have regularly failed payment attempts to your fraud block list for review
     • Use EMV 3DS (3DS2) checks
     • Lock a user’s account when multiple incorrect password/username attempts have been made
     • Monitor the IP address of a single account login. If the account is being used across multiple IP addresses, review and analyze whether this is legitimate
     • Block the use of common or suspicious passwords and review any logins that currently use these
     • Review customer sessions for excessive bandwidth consumption. You can also monitor tracking elements for multiple transactions using the same email address and device ID but with multiple different cards
     • Use random pauses (throttling) on account checking and increase these checks on BINs that see higher fraud attempts
     • Implement CAPTCHA and reCAPTCHA controls along with botnet detection and fingerprint authentication
     • Think about implementing velocity checks on lower transaction values as well as large value items
     • Use Address Verification Service (AVS) and Card Verification Code (CVC) checks
     • Use anomaly detection to monitor transactions and sales patterns
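
As an added illustration (not Checkout.com or Visa code), the sketch below combines two of the tactics above: a velocity check on low-value transactions and a check for many different cards from one IP address and device. The field names, thresholds and sample records are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions; tune them against your own traffic.
WINDOW = timedelta(minutes=5)   # sliding window for the velocity check
MAX_VALUE = 5.00                # ceiling for a "low value" attempt
MIN_ATTEMPTS = 5                # attempts in the window before flagging
MIN_DISTINCT_CARDS = 4          # different cards on one BIN from one source

def find_enumeration_bursts(attempts):
    """Return sorted (bin, ip, device_id) keys whose low-value attempts form a
    burst of mostly declined payments spread across many different cards."""
    groups = defaultdict(list)
    for a in attempts:
        if a["amount"] <= MAX_VALUE:
            groups[(a["bin"], a["ip"], a["device_id"])].append(a)
    flagged = set()
    for key, rows in groups.items():
        rows.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most WINDOW.
            while rows[end]["ts"] - rows[start]["ts"] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            cards = {r["card_token"] for r in window}
            declines = sum(not r["approved"] for r in window)
            if (len(window) >= MIN_ATTEMPTS and len(cards) >= MIN_DISTINCT_CARDS
                    and declines > len(window) / 2):
                flagged.add(key)
                break
    return sorted(flagged)

def _t(seconds):
    return datetime(2023, 4, 27, 10, 0, 0) + timedelta(seconds=seconds)

# Constructed sample records: card tokens stand in for card numbers, and the
# IP addresses come from documentation ranges.
SAMPLE = (
    # Burst: six cards on one BIN, 20 seconds apart, one approval.
    [{"ts": _t(20 * i), "bin": "400000", "card_token": f"tok_a{i}",
      "ip": "203.0.113.7", "device_id": "dev-1", "amount": 1.00,
      "approved": i == 3} for i in range(6)]
    # Ordinary shopper: one card, two small approved purchases.
    + [{"ts": _t(600 * i), "bin": "400000", "card_token": "tok_b",
        "ip": "198.51.100.4", "device_id": "dev-2", "amount": 3.50,
        "approved": True} for i in range(2)]
)

if __name__ == "__main__":
    print(find_enumeration_bursts(SAMPLE))
```

Flagged keys are candidates for review, throttling or a step-up to EMV 3DS rather than an automatic block.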

How Checkout.com can help

Our Fraud Detection tool lets you control the type of payments you accept and reduce the risk of fraud. This includes pre-configured setup and block list, pre-set fraud rules, and Machine Learning (ML) with fixed thresholds to decline, approve, or send transactions for 3D Secure authentication.

The tool lets you make minor edits to some pre-set rules and add further rules from a pre-set list. You can test these changes before implementation using our shadow-mode testing feature and access a full suite of analytics and reports within the tool.

We are regularly releasing new Fraud Detection features and making improvements to suit the developing fraud landscape.

If you would like any further information or have any questions, please contact your Checkout.com support team who will be happy to help.

*https://www.businesswire.com/news/home/20221011005739/en/Juniper-Research-eCommerce-Losses-to-Online-Payment-Fraud-to-Exceed-48-Billion-Globally-in-2023-as-Fraud-Incursions-Evolve
