How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

This kind of attack is most frequently conducted using automated software that tries as many different combinations as possible until it gets a hit that uncovers a user’s sensitive information. When it comes to credit card hacking, leaving this risk unmitigated could lead to extensive authorization fees for each attempt and even to the merchant account being shut down.

The best approach is to institute as many safety measures as possible on your site, and leverage all the robust tools your service provider has in place to fight these types of fraud.

This month, we will talk about how these fraud attacks work and how you can guard your accounts.

The Threat Is Real

Over the last year, we’ve seen an increase in enumeration attacks and account testing, and we’ve seen it firsthand. Recently, one of our merchants processing through another gateway was subjected to an attack that lasted two days and resulted in close to 4 million attempted authorizations. Neither the merchant nor the gateway provider had tools in place to combat the attack.

The results were not good. The merchant identification number (MID) — the unique code that identifies a business’s merchant account used for processing debit and credit payments — had to be shut down, and the merchant was hit with exorbitant authorization fees. After the MID was turned back on 24 hours later, the merchant added additional code to their checkout flow and the gateway added additional tools to help block future attacks.

Our acquirers are also seeing an increase in these types of attacks. Even Visa now has a solution in place as part of its new Visa Acquiring Monitoring Program (VAMP), which we will share more about next month.

What to Look For

If you haven’t experienced one of these attacks yourself, you may be wondering: “How will I know if this is happening to me? What happens during an attack?” Let’s break down and define the different types of attacks.

An enumeration attack is when fraudsters systematically submit card-not-present (CNP) authorization attempts. These attacks are concentrated on a single bank identification number (BIN) or multiple BINs, and iterate through various combinations of payment values such as a primary account number (PAN), expiration date, card verification value 2 (CVV2) or postal code. These attacks succeed when the right combination of payment values returns an approval response.

Account testing attacks occur when fraudsters submit one or two low-amount transactions to test whether a payment account is active. If the account is confirmed active, the fraudsters will later use it to commit fraud. In most cases, the attack happens on multiple payment accounts with the same issuing BIN. In some instances, payment accounts that have been successfully tested are sold to others to commit fraud. This attack is also known as BIN testing, card stuffing, card tumbling or a credit master attack.

Don’t Panic, Prepare

As a merchant, there are some best practices you can put in place to protect yourself. Here are some tips directly from Visa:

  • Implement anomaly detection, which identifies anomalies early. Sudden spikes in the daily average and declined transactions should be investigated. These spikes could indicate that the business has become a target.
  • Put an alert on transactions with a large volume of approvals or declines from a similar BIN. Also have an alert on any increase in reversals being sent. Occasionally, fraudsters will immediately send a reversal after an authorization receives an approval.
  • Analyze time zone differences and browser language inconsistency with the cardholder’s IP address and device. Classify these transactions as higher risk and perform a more stringent review.
  • Make sure to include IP addresses with multiple failed card payment data in a fraud detection blacklist database for manual review, and look for multiple tracking elements in a purchase linked to the same device — for example, multiple transactions with different payment accounts that use the same email address and same device ID. These may be a trigger for fraud classification or review.
  • Look for logins for a single payment account coming from many IP addresses.
  • Review logins with suspicious passwords, or unique encrypted hashes of passwords, that hackers commonly use. Some merchants can detect fraud based on a gray list with a set or combinations of passwords used in fraudulent transactions.

Be in Control

Velocity controls are also helpful in the fight against fraud. Monitor the velocity of small and large transactions, in particular low-amount authorization-only transactions. Account testing transactions are often less than $10. Thresholds should also be set on the number of transactions within a specified timeframe. Also, always monitor the velocity on various data elements such as an IP address, device or email.
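The BIN decline alert from the tips above and the velocity controls in this section can share one sliding-window counter. The sketch below is an added example, not code from Visa, Segpay or any gateway; the field names, thresholds and sample traffic are assumptions constructed for illustration, and attempts are assumed to arrive in timestamp order.

```python
from collections import defaultdict, deque

WINDOW = 60        # seconds; every threshold here is an assumed value to tune
MAX_PER_KEY = 5    # attempts per IP / device / email inside the window
MAX_BIN_DECL = 4   # declines from one issuing BIN inside the window
MAX_LOW_AUTH = 3   # low-amount auth-only attempts per IP inside the window
LOW_AMOUNT = 10.0  # the article notes test transactions are often under $10

class VelocityMonitor:
    """Sliding-window counters over authorization attempts."""
    def __init__(self, window=WINDOW):
        self.window = window
        self.events = defaultdict(deque)  # (kind, value) -> recent timestamps

    def _hit(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:  # drop events older than the window
            q.popleft()
        return len(q)

    def check(self, txn):
        """Record one attempt and return the alerts it raises."""
        ts, alerts = txn["ts"], []
        for kind in ("ip", "device", "email"):
            if self._hit((kind, txn[kind]), ts) > MAX_PER_KEY:
                alerts.append(f"velocity:{kind}")
        # Key on the BIN only (leading PAN digits); never store the full PAN.
        if not txn["approved"] and self._hit(("bin", txn["bin"]), ts) > MAX_BIN_DECL:
            alerts.append("bin_declines")
        low = txn["amount"] < LOW_AMOUNT and txn["auth_only"]
        if low and self._hit(("low", txn["ip"]), ts) > MAX_LOW_AUTH:
            alerts.append("low_amount_auth_only")
        return alerts

def run_sample():
    """Constructed traffic: one ordinary purchase, then a scripted burst."""
    mon, seen = VelocityMonitor(), set()
    seen.update(mon.check({"ts": 0, "ip": "198.51.100.7", "device": "d0",
                           "email": "a@example.com", "bin": "411111",
                           "amount": 49.99, "auth_only": False, "approved": True}))
    for i in range(8):  # same IP and BIN, rotating device and email
        seen.update(mon.check({"ts": 100 + 2 * i, "ip": "203.0.113.9",
                               "device": f"x{i}", "email": f"u{i}@example.com",
                               "bin": "400000", "amount": 1.00,
                               "auth_only": True, "approved": False}))
    return sorted(seen)

if __name__ == "__main__":
    print(run_sample())
```

Because the burst rotates device and email on every attempt, only the IP, BIN and low-amount counters fire, which is why velocity should be tracked on several data elements at once rather than on one.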

Keep an eye on things right from the start during user account creation. Make sure to limit the number of cards that can be added per account and per session, and limit the number of accounts that can be created per IP within a set time frame. Monitor the frequency of payment method changes on accounts. Be sure to utilize CAPTCHA for user registration, since it enables web hosts to distinguish between human and automated access to websites. Lastly, terminate guest user sessions that are pending for longer than a designated amount of time.

Know Your Tools

There are many technical tools out there that can help, and most likely at least some of these are already in place through your payment facilitator or gateway. Most are set up to prevent merchants from being hit by enumeration and testing attacks, and to make it easy to quickly identify an attack and block it. With a block, garbage transactions are stopped before they are sent to acquirers and issuers, which also stops unwanted authorization fees.

Take the time to talk to your provider and ask them what tools they have in place to protect you. The best approach is to institute as many safety measures as possible on your site, and leverage all the robust tools your service provider has in place to fight these types of fraud.

Cathy Beardsley is president and CEO of Segpay, a merchant services provider offering a wide range of custom financial solutions including payment facilitator, direct merchant accounts and secure gateway services. Under her direction, Segpay has become one of four companies approved by Visa to operate as a high-risk internet payment services provider. Segpay offers secure turnkey solutions to accept online payments, with a guarantee that funds are kept safe and protected with its proprietary Fraud Mitigation System and customer service and support. For any questions or help, contact sales@segpay.com or compliance@segpay.com.

Copyright © 2025 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.
