Card testing attacks are a common type of online fraud. If you’re running an eCommerce store or taking payments online in any capacity, there’s a good chance that you’ve been, or will soon be, a target for this type of fraudulent activity.
When that happens, there can be severe consequences. These can range from the hassle of dealing with lots of fraudulent transactions to having your banking or payment processor account suspended. Should that happen, you’ll be unable to accept legitimate payments.
Due to this, it’s vital that you know what card testing attacks are and that your store is set up to prevent this type of online fraud.
In this article, you’ll learn what card testing attacks are, why you should be concerned about them, and what you can do to identify and prevent WooCommerce card testing fraud.
What are Card Testing Attacks?
Card testing attacks are a type of fraudulent activity that’s used to determine if stolen payment methods, such as credit cards, are valid.
Once a fraudster has determined that the stolen card details are valid and that there are funds in the account, they can sell the details or use them at a later date for a bigger purchase.
Fraudulent card details can come in many forms, including physically stolen credit and debit cards, generated card details, and card information stolen from online retailers.
The preferred method of card testing is using the stolen details to perform an online authorization, such as a hotel booking, rather than making a purchase or payment.
The benefit of authorizations over purchases and payments is that they don’t always show up on cardholder statements; if they do, they’ll usually take longer to show up in apps and online banking systems. This means they’re less likely to be noticed and reported by the cardholder, giving the scammer more time to use the card before it’s blocked.
While authorizations are a popular choice for card testers, making purchases is a common method, too. Fraudsters typically opt for low-priced items when purchases are used for card testing. That’s because they’re less likely than high-priced items to draw suspicion or be noticed by the cardholder.
Therefore, if your store sells low-ticket items, it will be especially attractive to card testers.
Furthermore, if your WooCommerce store security isn’t as good as it could be, then not only will your store be even more attractive to fraudsters, there’s a higher chance those fraudulent payments will go through successfully.
Card testing attacks can also be carried out in bulk by bots rather than humans, resulting in hundreds of transactions being made at your store in quick succession. However, as you’ll see later in this article, when this happens you have a few more options for protecting your WooCommerce store from card testing fraud.
Why You Should Be Concerned About Card Testing Attacks
Card testing attacks can harm your business in many ways, from being a frustrating drain on your resources to having your payment processor account suspended, preventing you from taking payments from genuine customers.
Our company account has been suspended because of card testing. Now we are blocked from using Stripe; we are looking for a replacement
— Essa Jamal (@EssaJMahmood) June 6, 2023
Some of the main ways card testing can harm your business include the following:
- Lost Inventory — If your store sells physical products, they could end up being shipped and the payment refunded to the legitimate cardholder, leaving you with no product and no payment.
- Extra Fees — Some payment processors will collect transaction fees, even if they’re fraudulent. As scammers can use bots to test 100s of cards quickly, these fees can add up.
- Drain on Resources — Dealing with disputes arising from card testing, such as contacting payment processors and trying to improve security, will consume time, energy, and money.
- Legitimate Transactions Being Declined — Fraudulent transactions associated with card testing usually result in a higher decline rate at your store. This can harm your reputation with your bank or payment processor, causing them to be overly cautious and decline legitimate card payments.
- Higher Fees — Fraudulent transactions could cause your account to be flagged as high risk by your bank or payment processor, which can lead to increased fees.
- Account Suspension or Closure — Your bank or payment processor might suspend or even close your account if there are too many fraudulent transactions, preventing you from accessing funds or taking payments.
- Increased Card Fraud — If fraudsters identify your store as a good place to test cards, you may get targeted by more scammers, creating a vicious cycle.
- Overwhelmed Store — If your eCommerce store does become a target for card testing, the extra transactions can overwhelm your infrastructure (both in terms of system and human resources), preventing legitimate transactions from being processed.
- Harms the Economy — Due to the interconnectedness of eCommerce businesses, an increase in card fraud at your store can have repercussions throughout the financial ecosystem, potentially harming the economy as a whole.
Now that we know what card testing attacks are and why they’re such a problem, let’s look at how to prevent this type of fraudulent activity at your WooCommerce store.
How to Identify and Prevent WooCommerce Card Testing Attacks
As mentioned, fraudsters look for stores with weak security to conduct card testing attacks.
While much of the work to identify and prevent card testing attacks happens at the payment processor you’re using, you should still be proactive about spotting and stopping them at your own store.
Some steps you can take include:
Regularly Monitor Transactions
Your first course of action should be regularly monitoring transactions at your store. This will help you to identify any suspicious activity taking place quickly.
For example, an increase in declined payments could be a sign that your site is being used for card testing attacks.
Another sign is receiving multiple transactions from customers with the same name — something users on Twitter whose sites have been targeted by card testers have reported.
We are also facing the same for the past few days😐
It is probably mass card testing.
Did blocking by billing country “PH” help? pic.twitter.com/oaanYGLB3X
— Shyjal (@shyjal) June 5, 2023
As soon as you notice any suspicious activity, seek assistance from your payment processor.
Quickly refunding fraudulent transactions can help avoid disputes with the legitimate cardholder. As disputes can negatively impact your relationship with your payment processor, they should be avoided if possible.
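The two warning signs described in this section, a jump in declined payments and many orders under the same customer name, can be checked against an order export. The following is an added example, not code from WooCommerce or any extension; the order tuples, bucket size, and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample orders: (created, billing name, order status).
ORDERS = [
    (_ts("2023-06-05 09:12:00"), "Maria Lopez", "completed"),
    (_ts("2023-06-05 09:40:00"), "Tom Baker", "completed"),
    (_ts("2023-06-05 10:05:00"), "Ana Ruiz", "failed"),
    (_ts("2023-06-05 11:30:00"), "Wei Chen", "completed"),
] + [
    # Burst: one attempt every 30 seconds under one billing name.
    (_ts("2023-06-05 14:00:00") + timedelta(seconds=30 * i),
     "john  SMITH" if i % 2 else "John Smith",
     "completed" if i == 5 else "failed")
    for i in range(10)
]

def decline_spikes(orders, bucket_minutes=10, min_attempts=5, max_rate=0.5):
    """Return (bucket_start, attempts, decline_rate) for suspicious buckets."""
    buckets = defaultdict(lambda: [0, 0])  # bucket start -> [attempts, failed]
    for created, _name, status in orders:
        minute = created.minute - created.minute % bucket_minutes
        start = created.replace(minute=minute, second=0, microsecond=0)
        buckets[start][0] += 1
        buckets[start][1] += status == "failed"
    # A single declined order is normal; flag only busy, mostly-failed buckets.
    return [(start, n, failed / n)
            for start, (n, failed) in sorted(buckets.items())
            if n >= min_attempts and failed / n > max_rate]

def repeated_names(orders, min_count=3):
    """Return {normalized billing name: order count} for names seen often."""
    # Collapse whitespace and case so trivial variations count as one name.
    counts = Counter(" ".join(name.split()).casefold()
                     for _created, name, _status in orders)
    return {name: n for name, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    for start, n, rate in decline_spikes(ORDERS):
        print(f"{start:%Y-%m-%d %H:%M} attempts={n} decline_rate={rate:.0%}")
    print(repeated_names(ORDERS))
```
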
WooCommerce Card Testing Fraud Prevention Solutions
When it comes to preventing WooCommerce card testing fraud, there are, thankfully, a few solutions.
You should then check to see if the WooCommerce extensions you’re using are compatible with those fraud prevention features. If not, it might be worth switching to a similar tool that is.
Turn Off Guest Checkout
Another step you can take is turning off guest checkout at your store. Doing so requires customers to register at your store before making a purchase. This adds an extra step at checkout that can deter scammers looking for a quick and easy way to test cards.
To do this, click WooCommerce → Settings from the sidebar menu of your WordPress dashboard.
Then click the Accounts & Privacy tab, and then uncheck the Allow customers to place orders without an account box. Hit the Save changes button at the bottom of the screen.
Use WooCommerce Anti-Fraud Extensions
Although not explicitly built for preventing card testing, there are also fraud-fighting WooCommerce extensions that you might want to consider using.
CleanTalk is a good example of such a tool. To prevent card testing, CleanTalk stops spam registrations and orders at WooCommerce stores. The anti-spam protection doesn’t use conversion-killing captchas or similar features that require customers to prove they’re human. Instead, it runs in the background to prevent bots from carrying out automated card testing and other activity at your WooCommerce store.
CleanTalk also maintains a database of spam IPs and emails to block suspicious activity at your store. With prices starting at $9/year, it’s an affordable solution.
Enable Extra Verification and Protection
Depending on your eCommerce configuration, you might also be able to enable CCV and zip/postal code verification at checkout. Registration via email or SMS is another option.
Ensuring that the country the order is being placed from matches the country of the cardholder can also help prevent some card testing fraud.
A security service like Cloudflare Pro ($20/mo) gives you the ability to create custom rate-limiting rules that can prevent suspicious activity, such as multiple checkouts in a short space of time from the same IP.
For a free tool, check out WooCommerce Checkout Rate Limiter. While not as feature-rich as Cloudflare Pro, this extension can prevent card attacks by rate-limiting checkout attempts by IP address.
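To show what a per-IP checkout rate limit does to a burst of attempts, here is a sliding-window model of the rule. It is an added example, not the implementation used by Cloudflare or the WooCommerce Checkout Rate Limiter extension; the class name, limits, and sample attempts are constructed assumptions.

```python
from collections import defaultdict, deque

class CheckoutRateLimiter:
    """Allow at most max_attempts checkout attempts per IP in any window."""

    def __init__(self, max_attempts=3, window_seconds=60):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.recent = defaultdict(deque)  # ip -> times of allowed attempts

    def allow(self, ip, now):
        q = self.recent[ip]
        # Forget attempts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False  # over the limit: reject before charging the card
        q.append(now)
        return True

# Constructed attempts as (seconds since start, client IP).
# Addresses are from the documentation ranges in RFC 5737.
BOT = [(5 * i, "203.0.113.7") for i in range(12)]          # every 5 seconds
SHOPPER = [(10, "198.51.100.20"), (300, "198.51.100.20")]  # one retry later

def replay(attempts, limiter):
    """Feed attempts in time order; return {ip: number of blocked attempts}."""
    blocked = defaultdict(int)
    for now, ip in sorted(attempts):
        if not limiter.allow(ip, now):
            blocked[ip] += 1
    return dict(blocked)

if __name__ == "__main__":
    print(replay(BOT + SHOPPER, CheckoutRateLimiter()))
```

Behind a CDN or reverse proxy, the limiter has to key on the client address the proxy reports; otherwise every shopper shares one bucket.
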
You might be tempted to enable a captcha or similar features at checkout. However, this can significantly reduce conversion rates, leading to abandoned carts and missed sales from legitimate customers.
As you can see, some of the measures you can put in place to prevent WooCommerce card testing fraud run in the background, detecting and blocking suspicious activity before it becomes a problem.
Other measures, however, put the burden on the customer to prove they’re not a scammer or bot. While effective, these measures can reduce legitimate transactions due to the extra effort required by customers during checkout.
As you’ve just seen, card testing attacks are a serious issue for eCommerce store owners. If you process authorizations or sell low-priced items, then your store will be particularly attractive to card testers.
If your store does get targeted by card testers, it can have dire consequences for your business.
However, there are some measures you can put in place to prevent this from happening, including looking out for suspicious activity, enabling features provided by your payment processor, and installing WooCommerce extensions that can fight fraud.
For more information on this topic, this WooCommerce fraud protection article on our site covers other types of fraud you might experience at your store and how to prevent them.