When cyber criminals steal credit cards or buy stolen credit cards, they are buying somewhat of an unknown.
Small-time crooks test small numbers of cards by trying to use them at self-service gas pumps in the middle of the night, but that doesn’t scale up and you run the risk of getting caught.
In addition, what if all the data isn’t there? Maybe an address is missing. Or a zip code. Maybe the crook didn’t get the CVV code.
So what is a better way to do that?
You run a small dollar transaction on a small business or small charity web site. These businesses don’t have the fancy anti-fraud measures that Amazon or The Home Depot have.
Sometimes new businesses haven’t learned their lessons yet either.
Let’s assume that the crook makes a $5 contribution to a small charity. The web site asks for a zip code that you don’t have, so you start guessing. The web site isn’t smart enough to stop you after 5 tries. Or a hundred tries, or any number of tries. It turns out that the merchant’s credit card front end doesn’t stop you either. Eventually you get the right zip code and the person whose card was stolen gets hit with a $5 charge.
However, because this is online and no one is watching, the crooks automate the process. A “bot” can test all 99,999 zip codes in a few seconds – as fast as the web site can respond. There are only 999 possible CVV numbers for a Mastercard or Visa card, so that goes even quicker.
Now here is the rub.
When the person whose card was stolen disputes the charge, the bank charges the merchant or the charity back for the $5. BUT, they also charge the merchant or charity a chargeback fee of maybe $100.
For a small business, if they get hit with a dozen $5 charges and those get reversed, they lose $60. But, they might also get hit with a thousand dollars (or more) in charge-back fees.
If instead of a dozen cards, it is a hundred cards, then the charge-back fees can be in the many thousands.
Some things that merchants can do –
Limit the number of attempts to complete a charge – after say 3 or 4 tries the entire transaction gets wiped and the crook has to start over. A limited number of failed transactions from a single IP address in a period of time also helps. Anything to slow the crooks down.
If there are multiple transactions (more than say, 2 or 3) from the same computer from different people in a short period of time, that is another red flag.
I have even seen web sites that don’t even ask for the card verification number.
Another possibility is to outsource the fraud detection process to experts.
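The attempt limits and the same-IP and same-computer checks described above can be enforced on the merchant's site before a charge ever reaches the card processor. This Python example is added here and is not from the original post; the class name, the thresholds, the 10-minute window, and the `device_id` value (for instance a cookie or fingerprint the site already sets) are assumptions.

```python
import time
from collections import defaultdict, deque

class VelocityGuard:
    """In-memory card-testing checks. All thresholds are illustrative assumptions."""

    def __init__(self, max_tries_per_txn=3, max_ip_failures=5,
                 max_names_per_device=2, window_s=600):
        self.max_tries_per_txn = max_tries_per_txn
        self.max_ip_failures = max_ip_failures
        self.max_names_per_device = max_names_per_device
        self.window_s = window_s
        self.txn_failures = defaultdict(int)    # txn_id -> declined attempts
        self.ip_failures = defaultdict(deque)   # ip -> (timestamp, None)
        self.device_names = defaultdict(deque)  # device_id -> (timestamp, cardholder)

    def _recent(self, q, now):
        # Drop entries older than the sliding window, return what is left.
        while q and now - q[0][0] > self.window_s:
            q.popleft()
        return q

    def check(self, txn_id, ip, device_id, cardholder, now=None):
        """Call before submitting a charge. Returns (allowed, reason)."""
        now = time.time() if now is None else now
        if self.txn_failures[txn_id] >= self.max_tries_per_txn:
            return False, "transaction_wiped"        # start over with a new cart
        if len(self._recent(self.ip_failures[ip], now)) >= self.max_ip_failures:
            return False, "ip_failure_limit"
        names = self._recent(self.device_names[device_id], now)
        names.append((now, cardholder.strip().lower()))
        if len({n for _, n in names}) > self.max_names_per_device:
            return False, "device_many_cardholders"  # red flag: review manually
        return True, "ok"

    def record_decline(self, txn_id, ip, now=None):
        """Call when the processor declines (bad zip, bad CVV, and so on)."""
        now = time.time() if now is None else now
        self.txn_failures[txn_id] += 1
        self.ip_failures[ip].append((now, None))
```

A production site would keep these counters in a shared store with expiry rather than in process memory, so that limits hold across web servers and restarts.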
This is a rapidly evolving world and small businesses are a target just because they think they are not a target. What works to protect you today may not protect you tomorrow.
Information for this post came from Small Biz Daily.