LAST UPDATED February 4, 2022
Who Bears the Cost of CC Fraud?
Credit card fraud has been an ongoing problem for online merchants for many years now. When ordinary users shop online, credit card purchases are indemnified by the card issuer, meaning the individual card users are not responsible for fraudulent charges made on their card as long as the user reports those charges in a timely manner, typically within one billing period. In fact, US law limits cardholders’ liability to $50.
Due to the popularity of online shopping, card issuers have well-established programs to communicate card holder liability. What is less commonly known is that when a criminal completes a successful online purchase, and the card issuer later reverses the charge, the merchant is often responsible for the loss. Most merchants have resigned themselves to writing off this fraud as a cost of doing business online. However, loss from stolen cards can place a significant financial drain on merchants who may only make a small markup on goods. In particular, fraud loss is especially high for goods that are easily fenced or resold on Craigslist/eBay.
The cat and mouse game.
Cyber gangs and independent hackers obtain credit, debit and gift cards using various methods such as breached POS systems or identity theft. Those cards are then sold on the Dark Web (accessible via the Tor network), including on several established and highly developed marketplaces for such information. Until just recently, there was even a marketplace on Facebook!
To maintain demand, criminals sell with a guarantee that a certain percentage of cards are valid. The available data includes PANs (Primary Account Numbers), CVVs (Card Verification Values), names, addresses, and even answers to verification questions.
Over time, card issuers have developed more sophisticated anti-fraud programs, which quickly inactivate most cards once they make it onto the dark web. Unfortunately, enough remain active to make this crime viable. As anti-fraud efforts identify and close marketplaces, card sellers simply find other locations. This causes a cat and mouse game between the fraudsters and card issuers, leaving the merchants stuck in the middle.
With their block of purchased cards and a full online shopping cart, fraudsters enter one PAN after another, receiving decline after decline, until one succeeds, even if it takes 20 tries. Today, merchants simply hand the payment processing logic off to the processor and can only observe whether a transaction succeeds or fails. This lack of visibility, plus the current limitations of traditional web application firewall technology, leaves merchants essentially helpless.
How can WAAPs protect merchants?
From a legacy Web Application Firewall perspective, it’s not possible to identify a bad transaction as a stand-alone event because the request itself doesn’t have any malicious indicators. The fraudster is using a normal web browser, and card decline messages come back as ordinary, valid web responses (HTTP 200 OK). Not to mention, there are plenty of card declines from valid users who maxed out their cards or entered incorrect information. The difference is that a valid user has one or two card declines, whereas a fraudster easily has ten or more.
This key difference in behavior can be used to intelligently identify fraud when multiple card decline events are tracked over time. The ThreatX WAAP has the ability to do this easily without any knowledge of the PAN or CVV, and without false positives. How?
1. When multiple card decline responses are detected over a short period of time, ThreatX blacklists the fraudster, preventing them from accessing the shopping cart and completing the transaction.
2. ThreatX injects a cookie, enabling us to identify the fraudster even if they pivot to another IP address. Unlike many bots, card fraudsters typically enable cookies so they can keep their shopping cart session active.
3. Best of all, this is all accomplished without code changes to the website since we are only tracking decline responses.
The occasional user with one or two declines can seamlessly complete a transaction since they are below the block threshold, while malicious users are blocked. ThreatX delivers a big win for our customers who see loss from card fraud drop dramatically.
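The decline-counting logic described above, written out as an added example (this is illustrative code, not ThreatX’s product code). It assumes a decline is recognised by marker text in an otherwise normal 200 OK response body, a sliding window of 5 declines in 10 minutes as the block threshold, and a WAAP-injected tracking cookie that takes precedence over the client IP as the client identity.

```python
from collections import defaultdict, deque, namedtuple
# One proxied checkout response: time (s), client IP, WAAP-injected tracking cookie
# (None if the client dropped it), HTTP status and response body.
Event = namedtuple("Event", "ts ip cookie status body")

def client_key(ev):
    # Prefer the cookie so a fraudster who pivots to a new IP is still one client.
    return ("cookie", ev.cookie) if ev.cookie else ("ip", ev.ip)

def is_decline(ev):
    # A decline is an ordinary 200 OK; only the body marks it (assumed marker text).
    return ev.status == 200 and "card declined" in ev.body.lower()

class DeclineTracker:
    """Counts decline responses per client in a sliding window; blocks repeat offenders."""
    def __init__(self, threshold=5, window=600):  # assumed: 5 declines in 10 minutes
        self.threshold, self.window = threshold, window
        self.declines = defaultdict(deque)        # client key -> decline timestamps
        self.blocked = set()

    def observe(self, ev):
        """Return True if the client must be blocked after this response."""
        key = client_key(ev)
        if key in self.blocked:
            return True
        if not is_decline(ev):
            return False
        q = self.declines[key]
        q.append(ev.ts)
        while ev.ts - q[0] > self.window:         # forget declines older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(key)
            return True
        return False

# Constructed sample traffic (not real logs): a shopper with two declines, then a
# fraudster cycling PANs from two IPs while keeping the same shopping-cart cookie.
SAMPLE = [Event(0, "203.0.113.7", "sess-legit", 200, "Card declined: insufficient funds"),
          Event(30, "203.0.113.7", "sess-legit", 200, "Card declined: bad CVV"),
          Event(60, "203.0.113.7", "sess-legit", 200, "Order confirmed")]
SAMPLE += [Event(10 * i, "198.51.100.5" if i % 2 else "198.51.100.9", "sess-fraud",
                 200, "Card declined: do not honor") for i in range(6)]

def run_sample(events=SAMPLE):
    # Replay events in time order; return the final block decision per cookie.
    tracker, decisions = DeclineTracker(), {}
    for ev in sorted(events, key=lambda e: e.ts):
        decisions[ev.cookie] = tracker.observe(ev)
    return decisions
```

Because the decision keys on the cookie, the fraudster’s IP rotation does not reset the count, while the ordinary shopper stays under the threshold and completes the order.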
You can learn more about ThreatX’s intelligent approach to detection and neutralization of credit card fraudsters and other malicious threats by requesting a demo now.