Skip to content


Card testing attacks, also known as card checking attacks, are a form of fraud where criminals try to determine if stolen credit card information is valid by making small purchases or attempting to authorise a transaction. The preferred method for criminal card testers is using authorisations, which are less likely to be noticed by cardholders. Card testers also use payments but typically choose small transactions to avoid detection. As a result, businesses that facilitate small-value purchases and donation pages are vulnerable targets for card testers.

Between February and August last year, stripe tracked a surge of credit card fraud where threat actors spammed stores and online shopping apps/websites with millions of low/zero-dollar transactions. This allows the threat actors to verify which cards still work; this can cripple both businesses and individuals. During this time period, stripe blocked more than 20 million of these testing attempts per day!

Figure 1:

Verifying Stolen cards

Card testing plays a crucial role in the process threat actors use to extract value from stolen credit card details. When they purchase a list of fraudulently obtained credit card details, they don’t know which cards are still active. Some might have been cancelled and others might have expired. This makes it hard to understand the real value of the list.

This is where card testing comes in. Card testers create programs that automatically attempt to make a small payment with each card in a set or to save it on a site as a validated payment source. Cards that are used or saved successfully can be sold to other criminals who can use them to make larger purchases or manufacture counterfeit cards.

How to Protect Yourself

To safeguard your organisation from card testing fraud, it is recommended to implement various protective measures. These include using fraud detection tools, regularly monitoring your account for unusual activities, implementing security measures like web application firewalls (WAF) and utilising a payment gateway to provide a layer of security for your transactions.

An adequate protection solution should provide the following:

  • Traffic Analysis: analyse traffic to detect patterns indicative of card testing fraud. For example, if a large number of requests are coming from the same IP address or if many requests are for the same item and with small amounts.
  • Signature-based detection: detect and block requests that match a specific signature or pattern. This can be used to block requests associated with card testing fraud.
  • Behavioural Analysis: use machine learning algorithms to analyse incoming traffic and detect behaviour patterns indicative of card testing fraud. This can include analysing the timing and frequency of requests and the types of requests being made to identify and block suspicious activity and users.
  • IP blocking: blocking traffic from specific IP addresses or ranges. This can be used to block traffic from known card-testing bots, anonymous proxies or IP addresses that have been associated with previous instances of card-testing fraud.
  • Bot detection: ensure that the user is human and not a bot. CAPTCHA is a typical first barrier that is easy to implement. Just remember that more sophisticated bots can solve CAPTCHAs faster and more accurately than humans.
  • Geo-blocking: block traffic from specific countries or regions. For example, if you are a local store (a pizza delivery shop), you would only expect an order from within the country.
  • Setting a minimum purchase price: this should stop micropayments from being processed.  

Understanding how these crimes are committed, what to look out for, and organisations making minor changes to their payment processes can target an organisation. A WAF and bot management solution can be an effective tool for blocking card testing fraud. They detect and stop suspicious activity before causing harm to merchants, card networks and payment infrastructure.

Related Links