Fraud: Credit Cards Cycling

Olivier Erol
4 min read · Dec 10, 2020

Before I embraced the Fraud Manager position, I was an undisputed and stubborn geek. As I was spending all of my savings on the latest video games, I would make the most of them. I would not only finish the actual storyline, but I would also accomplish all the hidden missions, which in the end let me boast even more.

To accomplish this, I would analyze everything that could be analyzed: the reaction time of the BOTs, their weaknesses, the field of intervention, the AI of the characters, and everything else in the game that might be helpful.

I was conducting multiple suicide attacks to understand the BOT and to collect all relevant information to optimize my main attack plan. I would keep track of everything when I was attacking the BOTs: I would note how far away it was, how many blows it took to kill it, which attack caused the most damage, how many bullets it would take for them to die, where the dead points were, etc. Today, I would call this method “attack cycling”.

When my analysis was consistent enough to have the game's BOTs at my fingertips, I would actually start the game by inflicting destructive damage on the BOTs.

This method is effective not only in games but also in our sensitive area:

The wonderful world of Online Fraud.

Indeed, fraudsters are executing this very same method extensively at our expense. This is called Credit Cards Cycling.

In the same way as the young Geek Olivier, the fraudster will multiply “suicide attacks” on e-commerce sites to understand the Fraud Management of that site. Too bad if he sacrifices a few stolen credit cards along the way.

They multiply purchases with the same card to understand when the site will block payments, for which amount, when the 3DS is triggered, from what amount or velocity the manual review is triggered, which products require less checking. They even try to see from which country it is easier to buy. The analysis is done on several cards as well. How many cards is it possible to use on the site? Is it possible to create several accounts with one card and conversely, is it possible to use several cards with the same account? The fraudster will find the answers to those questions.

He will also attempt payments at different times of the day. That way, he will know when the transaction review is most efficient. Often at night, you might say. Then he will attack at night. As you have understood, the fraudster’s analytical perspectives are multiple.

Once the tests are done with the Credit Card Cycling method, the fraudster is able to move on to the serious stuff.

Just as in my young geek days, the fraudster is only in the preparation phase, because once he has fully understood how the site works in terms of fighting fraud, he will launch the main attack(s), and that will be devastating. In return, the Fraud Manager will adapt and modify his rules to counter the fraudster in his future attempts, but then again, like the good geek I was, the fraudster will start over from the beginning with other objectives and other results.

Today I am no longer the player who challenges the BOT; I have become the BOT itself (hopefully smarter this time).

How can I react to this clever guy who is examining me, the BOT 2.0? The first thing to do is to arm up your BOT with intelligence. This can be done by changing rules and scorings daily or by constantly reviewing the behavior of fraudsters on the site. It is necessary to create alerts that are triggered according to patterns that the Fraud Manager will have identified beforehand.

For example, if one day I set the payment limit to credit cards per account for a ten-hour period, the next day I will set the limit to two cards per day. If I allow two purchases per week for a single customer, the following week I will limit the rights to one purchase of more than two hundred € per month. Our possibilities are multiple as well. The goal is to make them unpredictable to cover our tracks.

Let’s be clear, this will not prevent the fraudster from continuing his purchases with stolen cards but it would at least lessen the damage and its efficiency.
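The alerts "triggered according to patterns" mentioned above can be written as velocity rules over the payment log, covering the behaviors listed earlier: several cards on one account, one card on several accounts, and one card retried with rising amounts until it is declined. The following Python is an added example, not the author's or Back Market's code; the event fields, rule names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, account, card fingerprint, amount in EUR, outcome)
EVENTS = [
    ("2020-12-01T02:00", "acct-1", "card-A", 20, "approved"),
    ("2020-12-01T02:05", "acct-1", "card-A", 50, "approved"),
    ("2020-12-01T02:10", "acct-1", "card-A", 100, "approved"),
    ("2020-12-01T02:15", "acct-1", "card-A", 200, "declined"),
    ("2020-12-01T03:00", "acct-2", "card-B", 40, "approved"),
    ("2020-12-01T03:05", "acct-2", "card-C", 40, "declined"),
    ("2020-12-01T03:10", "acct-2", "card-D", 40, "approved"),
    ("2020-12-01T10:00", "acct-3", "card-E", 60, "approved"),
    ("2020-12-01T10:30", "acct-4", "card-E", 60, "approved"),
    ("2020-12-01T11:00", "acct-5", "card-G", 35, "approved"),
    ("2020-12-05T11:00", "acct-6", "card-G", 35, "approved"),  # outside the window
]

# Assumed thresholds; the article's advice is to change them regularly.
WINDOW = timedelta(hours=24)
MAX_CARDS_PER_ACCOUNT = 2
MAX_ACCOUNTS_PER_CARD = 1
MAX_ATTEMPTS_PER_CARD = 3

def cycling_alerts(events, window=WINDOW):
    """Return sorted (rule, entity) alerts, evaluated on a sliding time window."""
    rows = sorted((datetime.fromisoformat(ts), *rest) for ts, *rest in events)
    alerts = set()
    for i, row in enumerate(rows):
        recent = [r for r in rows[: i + 1] if row[0] - r[0] <= window]
        cards_by_acct, accts_by_card = defaultdict(set), defaultdict(set)
        tries = defaultdict(list)
        for _, acct, card, amount, outcome in recent:
            cards_by_acct[acct].add(card)
            accts_by_card[card].add(acct)
            tries[card].append((amount, outcome))
        for acct, cards in cards_by_acct.items():
            if len(cards) > MAX_CARDS_PER_ACCOUNT:
                alerts.add(("many_cards_on_account", acct))
        for card, accts in accts_by_card.items():
            if len(accts) > MAX_ACCOUNTS_PER_CARD:
                alerts.add(("card_on_many_accounts", card))
        for card, t in tries.items():
            amounts = [a for a, _ in t]
            # Same card retried with rising amounts until a decline: limit probing
            if (len(t) > MAX_ATTEMPTS_PER_CARD and amounts == sorted(amounts)
                    and t[-1][1] == "declined"):
                alerts.add(("limit_probing", card))
    return sorted(alerts)
```

Calling `cycling_alerts(EVENTS)` flags card-E, card-A and acct-2; card-G is not flagged because its two uses fall more than 24 hours apart.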

According to McAfee’s researchers, a stolen credit card would cost about $5 in the USA and between $25 and $30 in Europe. Note also that according to Sixgill’s study, 23 million credit cards were on sale on the dark web in the first half of 2019.

This means that it is easy to access them. It will be difficult to stop credit card theft overnight but it is possible to limit the damage with judicious and agile methods.

Let’s adapt, be flexible, and on the lookout, but above all, let’s not be the BOT.

Olivier Erol

Fraud Manager at Back Market

Olivier Erol

Fraud Manager. I discovered Fraud at PayPal, enhanced at Etsy and gone up in power at Back Market