Fraud attacks, including enumeration and account testing, are increasing, posing significant risks to businesses, particularly those in the adult industry. These attacks can lead to substantial authorization fees, merchant account shutdowns, and exposure of sensitive customer data, necessitating robust security measures and continuous monitoring.

Rising Threat of Automated Fraud Attacks

Hackers are increasingly employing automated software to conduct enumeration and account testing attacks, seeking vulnerabilities in merchant systems. These methods involve repeating tests on a system to uncover sensitive user information. Unmitigated, these risks can result in extensive authorization fees for each attempt and even the shutdown of a merchant account.

Over the last year, an increase in enumeration attacks and account testing has been observed. One merchant, processing through a different gateway, experienced a two-day attack that resulted in nearly 4 million attempted authorizations. Neither the merchant nor the gateway provider had tools in place to combat this attack. The merchant identification number (MID) had to be shut down, and the merchant incurred exorbitant authorization fees. After the MID was reactivated 24 hours later, the merchant implemented additional code in their checkout flow, and the gateway added tools to help block future attacks.

Acquirers are also reporting an increase in these types of attacks. Visa has introduced a solution as part of its new Visa Acquiring Monitoring Program (VAMP).

Understanding Attack Types

An enumeration attack involves fraudsters systematically submitting card-not-present (CNP) authorization attempts. These attacks focus on a single bank identification number (BIN) or multiple BINs, iterating through various combinations of payment values such as a primary account number (PAN), expiration date, card verification value 2 (CVV2), or postal code. Success occurs when the correct combination of payment values yields an approval response.

Account testing attacks, also known as BIN testing, card stuffing, card tumbling, or a credit master attack, involve fraudsters submitting one or two low-amount transactions to verify if a payment account is active. If an account is deemed active, fraudsters may later take it over to commit fraud. These attacks often target multiple payment accounts with the same issuing BIN. In some cases, successfully tested payment accounts are sold to others for fraudulent activities.

Proactive Measures to Combat Cyber Threats

Protecting businesses from hackers requires proactive security measures, employee awareness, and continuous monitoring. While firewalls, antivirus tools, and multi-factor authentication (MFA) are essential, they may not be sufficient against escalating threats, as attackers can bypass surface-level defenses. The most damaging activity often occurs when there is no continuous visibility over cybersecurity.

Severe attacks often do not begin with sophisticated zero-day exploits. Instead, they can start with a single phishing email, a neglected server, a misconfigured cloud service, or a stolen credential. Once attackers gain a foothold, they may explore the environment quietly before acting. Without round-the-clock monitoring, early signs can go unnoticed, increasing business risk.

Merchants can implement several best practices to protect themselves:

  • Anomaly detection, as Visa recommends, to identify sudden spikes in the daily average transaction count and in declined transactions, which could indicate that the business has become a target.
  • Alerts for a large volume of approvals or declines from the same or a similar BIN, and for any increase in reversals; fraudsters sometimes send a reversal immediately after an authorization is approved.
  • Checks for time zone and browser language inconsistent with the cardholder's IP address and device; such transactions can be classified as higher risk and given a more stringent review.
  • A fraud detection blacklist of IP addresses with multiple failed card payment attempts, held for manual review.
  • Checks for multiple tracking elements in a purchase linked to the same device, for example several transactions with different payment accounts but the same email address and device ID, which may trigger fraud classification or review.
  • Monitoring of logins to a single payment account from many IP addresses, and review of logins that use suspicious passwords or distinctive password hashes known to be used by attackers. Some merchants keep a gray list of passwords associated with fraudulent transactions for fraud detection.

Velocity controls are also useful. Monitoring the velocity of small and large transactions, and using velocity checks for low-amount authorization-only transactions, is advised, as account testing transactions are often less than $10. Thresholds should be set on the number of transactions within a specified timeframe, and velocity should be monitored across various data elements like IP address, device, or email.
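To make the anomaly detection and velocity checks above concrete, here is an added Python example; it is not Segpay's, Visa's or any gateway's code. The log field layout, the thresholds and the sample authorization records are assumptions constructed for the demonstration. It flags three of the patterns described: low-amount authorization velocity per IP, device and email; many distinct PANs tried against one BIN with a high decline rate; and a reversal sent within seconds of an approval.

```python
"""Rule-based detection over a constructed authorization log (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own daily baseline.
LOW_AMOUNT = 10.00                       # account-testing auths are typically under $10
VELOCITY_WINDOW = timedelta(minutes=5)
MAX_LOW_AUTHS_PER_KEY = 5                # per IP / device / email inside the window
MIN_PANS_PER_BIN = 6                     # distinct PANs on one BIN before we flag it
BIN_DECLINE_RATE = 0.7                   # share of declined attempts on that BIN
REVERSAL_GRACE = timedelta(seconds=30)   # reversal this soon after approval is suspicious

# Assumed CSV layout of one authorization event per line.
FIELDS = ("ts", "ip", "device", "email", "bin", "last4", "amount", "result")


def parse_event(line):
    """Turn one CSV-style line into a dict with typed timestamp and amount."""
    values = line.strip().split(",")
    if len(values) != len(FIELDS):
        raise ValueError("malformed line: %r" % line)
    ev = dict(zip(FIELDS, values))
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["amount"] = float(ev["amount"])
    return ev


def velocity_alerts(events, key):
    """Flag a key value (ip/device/email) once it exceeds MAX_LOW_AUTHS_PER_KEY
    low-amount authorization attempts inside a sliding VELOCITY_WINDOW."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in events:                     # events are assumed sorted by ts
        if ev["result"] == "REVERSAL" or ev["amount"] >= LOW_AMOUNT:
            continue
        q = recent[ev[key]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > VELOCITY_WINDOW:
            q.popleft()
        if len(q) > MAX_LOW_AUTHS_PER_KEY:
            flagged.add(ev[key])
    return [("velocity", key, v) for v in sorted(flagged)]


def bin_cluster_alerts(events):
    """Flag a BIN when many distinct PANs are tried on it and most are declined,
    the signature of enumeration / account testing. PAN identity here is the
    (bin, last4) pair from the sample; a real system would use the card token."""
    pans, declines, attempts = defaultdict(set), defaultdict(int), defaultdict(int)
    for ev in events:
        if ev["result"] == "REVERSAL":
            continue
        pans[ev["bin"]].add(ev["last4"])
        attempts[ev["bin"]] += 1
        if ev["result"] == "DECLINED":
            declines[ev["bin"]] += 1
    alerts = []
    for b in sorted(pans):
        rate = declines[b] / attempts[b]
        if len(pans[b]) >= MIN_PANS_PER_BIN and rate >= BIN_DECLINE_RATE:
            alerts.append(("bin_cluster", b, "%d PANs, %.0f%% declined" % (len(pans[b]), rate * 100)))
    return alerts


def rapid_reversal_alerts(events):
    """Flag a reversal that follows an approval on the same card within REVERSAL_GRACE."""
    last_approval, alerts = {}, []
    for ev in events:
        card = (ev["bin"], ev["last4"])
        if ev["result"] == "APPROVED":
            last_approval[card] = ev["ts"]
        elif ev["result"] == "REVERSAL" and card in last_approval:
            gap = ev["ts"] - last_approval[card]
            if gap <= REVERSAL_GRACE:
                alerts.append(("rapid_reversal", "%s...%s" % card,
                               "%ds after approval" % int(gap.total_seconds())))
    return alerts


def run_rules(lines):
    """Parse, sort and run every rule; returns a list of (rule, subject, detail)."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    for key in ("ip", "device", "email"):
        alerts.extend(velocity_alerts(events, key))
    alerts.extend(bin_cluster_alerts(events))
    alerts.extend(rapid_reversal_alerts(events))
    return alerts


# Constructed sample: one device walks seven PANs on BIN 411111 with $1 auths,
# gets one approval and reverses it three seconds later; two normal purchases follow.
SAMPLE_LOG = """
2024-05-01T10:00:00,203.0.113.7,dev-a1,bob@example.com,411111,0001,1.00,DECLINED
2024-05-01T10:00:04,203.0.113.7,dev-a1,bob@example.com,411111,0002,1.00,DECLINED
2024-05-01T10:00:09,203.0.113.7,dev-a1,bob@example.com,411111,0003,1.00,DECLINED
2024-05-01T10:00:13,203.0.113.7,dev-a1,bob@example.com,411111,0004,1.00,DECLINED
2024-05-01T10:00:18,203.0.113.7,dev-a1,bob@example.com,411111,0005,1.00,DECLINED
2024-05-01T10:00:22,203.0.113.7,dev-a1,bob@example.com,411111,0006,1.00,APPROVED
2024-05-01T10:00:25,203.0.113.7,dev-a1,bob@example.com,411111,0006,1.00,REVERSAL
2024-05-01T10:00:27,203.0.113.7,dev-a1,bob@example.com,411111,0007,1.00,DECLINED
2024-05-01T10:03:00,198.51.100.4,dev-z9,alice@example.com,520000,7788,49.99,APPROVED
2024-05-01T10:09:00,198.51.100.9,dev-k2,carol@example.com,520000,3344,12.50,APPROVED
""".splitlines()

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

On the sample, the velocity rule fires once each for the IP, the device and the email, the BIN rule fires for 411111 (seven PANs, six declined) but not for 520000, and the reversal rule fires for the card approved at 10:00:22. Running the same rules per key rather than per IP alone matters because testing tools rotate addresses far more easily than they rotate a device fingerprint or an account email.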

During account creation, merchants should limit the number of cards that can be added per account and per session, and restrict the number of accounts created per IP address within a set timeframe. Monitoring how frequently the payment method on an account changes is also important. Using a CAPTCHA for user registration helps distinguish human from automated access. Terminating guest sessions that stay idle for longer than a designated time is also recommended.
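The account-creation controls above can be enforced with a small policy object. The following Python is an added example, not the code of Segpay or any gateway; the limits, window lengths, account and session identifiers and card tokens are assumptions chosen for the demonstration, and state is kept in memory where a production service would use a shared store.

```python
"""Account-creation and card-on-file limits (added example, assumed thresholds)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ACCOUNTS_PER_IP = 3                 # signups allowed per IP inside ACCOUNT_WINDOW
ACCOUNT_WINDOW = timedelta(hours=1)
MAX_CARDS_PER_SESSION = 2               # cards that one session may add
MAX_CARDS_PER_ACCOUNT = 4               # cards that one account may hold
MAX_PAYMENT_CHANGES = 2                 # changes per CHANGE_WINDOW before review
CHANGE_WINDOW = timedelta(days=1)
GUEST_SESSION_TTL = timedelta(minutes=15)


class AccountGuard:
    """Tracks signups per IP, cards per session/account, payment-method churn
    and guest-session activity. All state is in-memory for the example."""

    def __init__(self):
        self.signups = defaultdict(deque)          # ip -> signup timestamps
        self.account_cards = defaultdict(set)      # account -> card tokens
        self.session_cards = defaultdict(set)      # session -> card tokens
        self.method_changes = defaultdict(deque)   # account -> change timestamps
        self.guest_seen = {}                       # guest session -> last activity

    @staticmethod
    def _prune(q, now, window):
        """Drop timestamps older than the sliding window."""
        while q and now - q[0] > window:
            q.popleft()

    def register(self, ip, now):
        """Allow at most MAX_ACCOUNTS_PER_IP signups per IP inside ACCOUNT_WINDOW."""
        q = self.signups[ip]
        self._prune(q, now, ACCOUNT_WINDOW)
        if len(q) >= MAX_ACCOUNTS_PER_IP:
            return False, "too many accounts from this IP"
        q.append(now)
        return True, "ok"

    def add_card(self, account, session, card_token, now):
        """Enforce per-session and per-account card limits and count the change
        as payment-method churn; returns (allowed, note)."""
        if card_token in self.account_cards[account]:
            return True, "card already on file"
        if len(self.session_cards[session]) >= MAX_CARDS_PER_SESSION:
            return False, "session card limit reached"
        if len(self.account_cards[account]) >= MAX_CARDS_PER_ACCOUNT:
            return False, "account card limit reached"
        self.session_cards[session].add(card_token)
        self.account_cards[account].add(card_token)
        q = self.method_changes[account]
        q.append(now)
        self._prune(q, now, CHANGE_WINDOW)
        if len(q) > MAX_PAYMENT_CHANGES:
            return True, "review: frequent payment-method changes"
        return True, "ok"

    def touch_guest(self, session, now):
        """Record activity on a guest session."""
        self.guest_seen[session] = now

    def expire_guests(self, now):
        """Terminate guest sessions idle longer than GUEST_SESSION_TTL; returns them."""
        stale = [s for s, t in self.guest_seen.items() if now - t > GUEST_SESSION_TTL]
        for s in stale:
            del self.guest_seen[s]
        return stale


def demo():
    """Walk one constructed scenario and return the decisions in order."""
    g = AccountGuard()
    t0 = datetime(2024, 5, 1, 12, 0)
    out = [g.register("203.0.113.7", t0 + timedelta(minutes=m)) for m in (0, 1, 2, 3, 61)]
    out += [g.add_card("acct-1", "sess-A", "tok-1", t0),
            g.add_card("acct-1", "sess-A", "tok-2", t0),
            g.add_card("acct-1", "sess-A", "tok-3", t0),   # session limit
            g.add_card("acct-1", "sess-B", "tok-3", t0),   # allowed, but churn review
            g.add_card("acct-1", "sess-B", "tok-4", t0),
            g.add_card("acct-1", "sess-C", "tok-5", t0)]   # account limit
    g.touch_guest("g1", t0)
    g.touch_guest("g2", t0 + timedelta(minutes=10))
    out.append(g.expire_guests(t0 + timedelta(minutes=20)))
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

In the scenario the fourth signup from one IP within the hour is refused while the fifth, an hour later, is allowed again; a third card in one session is blocked but the same card from a fresh session goes through with a review note because the account has now changed its payment method three times in a day; and only the guest session idle for twenty minutes is terminated.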

Many technical tools are available, often provided by payment facilitators or gateways, designed to prevent enumeration and testing attacks. These tools help quickly identify and block attacks, stopping garbage transactions before they reach acquirers and issuers, thereby preventing unwanted authorization fees. Merchants should consult their providers about available protection tools.

Cathy Beardsley, president and CEO of Segpay, a merchant services provider, states that Segpay offers secure turnkey solutions for online payments, guaranteeing fund safety and protection with its proprietary Fraud Mitigation System and customer service. Segpay is one of four companies approved by Visa to operate as a high-risk internet payment services provider.

Key Facts

  • Enumeration and account testing attacks are increasing, often using automated software.
  • One merchant experienced a two-day attack with nearly 4 million attempted authorizations, leading to MID shutdown and high fees.
  • Visa has a solution in place as part of its new Visa Acquiring Monitoring Program (VAMP).
  • Best practices include anomaly detection, velocity controls, and secure account creation processes.
  • Segpay, led by Cathy Beardsley, offers a proprietary Fraud Mitigation System and is a Visa-approved high-risk internet payment services provider.