Sift Trust and Safety Architect Jane Lee discusses how fraudsters are automating consumers’ ‘card hopping’ approach to credit cards to test stolen payment data, make unauthorised purchases, and more effectively avoid detection.
Banks and consumers have always shared a symbiotic relationship. Financial institutions need customers to open checking and savings accounts, invest in the portfolios they manage, and open lines of credit—giving them enough cash on-hand to fund loans, balance books, and maintain necessary currency reserves.
The sign-on offers available, such as zero-interest APR, travel points, and cash advances, are enticing enough to make ‘card hopping’ (or ‘card churning’) a popular strategy. By applying to several lines of credit, or rapidly opening and closing accounts, consumers can capitalise from multiple promotions to earn bonuses, cash advances, and other rewards, all while building a diverse collection of payment options. It’s a clever way to game a willing system.
For fraudsters that card hop, the goal is still to obtain cash benefits and free goods. But rather than opening various new lines of credit, they’re cycling through stolen payment cards for their own gain. Unlike large-scale, automated card testing attacks that hit businesses with an explosion of activity, card hopping happens at a more natural, human pace, even when the actions are run on automation.
Card testing typically has a different purpose than hopping, too: proving that hacked payment methods are active at scale, by attempting a series of rapid, low-value transactions, and slowly upping the amount until a beneficial withdrawal or purchase can be made (often on a different site than the one that was attacked). Card hopping, on the other hand, involves both confirming that payment methods work and using those valid cards to make unauthorised purchases or withdrawals more slowly, but worth much higher values.
As a result, card hopping may not necessarily share the same risk characteristics as high-volume testing and gives fraudsters more time to get what they came for—in addition to better camouflage while they’re working. This can help bad actors subvert security systems and models that are trained to identify abnormally frequent transactions or unusual values.
It’s worth noting that fraudsters don’t like to come through the front gate if they don’t have to. It’s easier to remain undetected when a system or team is overwhelmed or under-resourced; common conditions for today’s merchants as the world tries to recover from ongoing disruption. As 2020 sank into global turmoil and upended online consumer behaviour, Sift found that large-scale card testing had become a popular method of attack, regardless of the business type. Fraudsters targeted donation sites, quick-service restaurants (QSRs), and retailers—organisations being flooded with unexpected traffic and spending—with automated, accelerated card testing and credential stuffing efforts. A year later, Sift data scientists unearthed another bot-savvy fraud ring applying automation to perform rapid credential stuffing and IP address rotation against multiple merchants at once.
Fraud detection platforms and risk experts adjusted swiftly to this changing risk, fighting blitz attacks with machine learning that acts in real-time to find and block behaviour that’s clearly programmed. In response, fraudsters not only created bots that could get the job done faster; they created bots that could get the job done like a human.
Businesses have to acknowledge that cybercriminals are refocusing from outpacing fraud detection to outsmarting it. Here are four primary red flags that analysts can use to surface and snuff out card-hopping activity:
Card hoppers typically are shown to cycle through 5+ unique stolen payment cards in rotation.
Each card being used has been issued from disparate providers often from different countries.
IP and mailing addresses will remain the same across cards, despite being issued from different countries/areas, due to merchants not implementing proper address verification (AVS) checks.
Each of the cards is tied to a higher-than-usual number of failed transactions.
Consumers underscore that this type of purchasing behaviour and activity isn’t common. Sixty-four percent report that they only use 1–2 payment cards during a normal month, with fewer than 5% using at least five.
Last year, payment fraud siphoned billions of dollars from ecommerce companies and consumers, compromising millions of customer credentials in the process. Every breach exposes new personal and financial details prized by fraudsters, who can easily purchase collections of stolen data on the deep and dark web in order to commit successful card testing and hopping attacks.
This element of how CNP and other payment fraud happens is nothing new, and neither is the method. Businesses are fully aware that fraudsters use bots and other sophisticated programming to support their efforts, and many invest in trust and safety platforms that are able to accurately recognise that risk.
But losses from financial abuse are still expected to jump 17% in 2023, hitting USD 48 bln by the end of this year. These projections demonstrate agility and determination in the global Fraud Economy and the criminals who populate it. Recent reports from across markets point to emerging schemes around fake payment card forms, e-skimmers, used HTTP referrer headers, recycled payment data, compromised ordering platforms, targeted account takeover attacks leveraging personally identifiable information (PII), and of course, card testing. In 2022, the complete account numbers of over 20.5 million compromised payment cards were posted as plaintext or images to various locations on the web, making access to valuable data and funds incredibly simple for nearly anyone who wants it.
Additionally, almost half of the consumers surveyed by Sift have experienced payment fraud within the past two years—with 62% of victims defrauded at least 2-4 times. That’s problematic on its own, with 74% of consumers saying they’d permanently abandon a brand due to experiencing fraud on their site or app. But we also found that 16% of consumers admit to having committed payment fraud at some point (or knowing someone who has).
This rapid evolution and democratisation of fraud threaten businesses with the risk that adapts to a company’s unique vulnerabilities. Paired with unmitigated access to malware, hacked data, and how-to fraud instructions, anyone anywhere can present risk to merchants and their users. But trust and safety teams are responsible for accommodating and accepting trusted users in addition to stopping nefarious ones and can’t apply zero-trust to every transaction without hampering revenue.
Fraudsters aren’t going to stop committing payment abuse, and consumers are going to adapt their behaviour depending on market conditions and opportunities. Analysts need to fully understand the landscape of diverse digital fraud threatening their business and be able to take complete control of the insights and tools they use to fight it. Without control and transparency, proactive growth will take a backseat to reactive fraud prevention, costing merchants a lot more than money in the end.
About Jane Lee
Jane Lee is a Trust & Safety Architect at Sift, who specialises in spam, account/content abuse, and payments risk. Prior to joining Sift, she was on fraud teams at Facebook and Square and spent some time as a Private Investigator. She is passionate about designing and operationalizing systems for the detection and enforcement of fraud at scale.
About Sift
Sift is the leader in Digital Trust & Safety, empowering digital disruptors to Fortune 500 companies to unlock new revenue without risk. Sift dynamically prevents fraud and abuse through industry-leading technology and expertise, an unrivaled global data network of one trillion (1T) events per year, and a commitment to long-term customer partnerships. Global brands such as DoorDash, Twitter, and Wayfair rely on Sift to gain a competitive advantage in their markets. Visit us at sift.com, and follow us on LinkedIn.
https://www.linkedin.com/company/getsift/
https://twitter.com/GetSift
https://www.facebook.com/GetSift/
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now