Credit cards are susceptible to attacks via a number of avenues. A recent type of attack is called an “enumeration attack,” in which fraudsters employ automated trial-and-error authorization attempts on credit card numbers at unwitting merchants. The attack roughly follows this pattern:
1. The attacker attempts a low dollar authorization with a random, valid-looking card number at a merchant identified to have unsophisticated rate limiting. The authorization is attempted without including a “card verification value” (CVV or CVC2) or expiration date. Although it may seem counterintuitive, this is a valid authorization request and, unfortunately, many utility companies run authorizations without this card metadata included.
2. If the attacker receives a decline code for “invalid card number,” they repeat the first step with a new card number. If the attacker receives any other response code, they know this is likely an actively provisioned card number and can continue.
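The pattern above leaves a distinctive footprint in an issuer's or acquirer's authorization logs: a single merchant sending a burst of low or zero dollar requests, almost every one on a different card number, with no CVV or expiration date supplied, and a high share of “invalid card number” declines. The following is an added example, not code from the article or its author, that scores each merchant's traffic on those signals. It assumes authorizations are available as tokenized records (hypothetical `Auth` fields, constructed sample data, and illustrative thresholds; no real card data):

```python
"""Detect card-enumeration patterns in authorization traffic.

Added example, not from the article. It scores each merchant's traffic in a
window by the signals the attack pattern produces: many attempts, almost all
on distinct card numbers, low or zero dollar amounts, no CVV/expiry supplied,
and a high share of "invalid card number" declines.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Auth:
    merchant_id: str   # merchant the authorization came from (assumed field)
    pan_token: str     # tokenized card number, never the raw PAN (assumed field)
    amount: float      # authorization amount in dollars
    cvv_present: bool  # CVV/CVC2 included in the request
    exp_present: bool  # expiration date included in the request
    response: str      # issuer response: "approved", "invalid_card", "declined"


def merchant_metrics(auths):
    """Aggregate per-merchant enumeration indicators over a batch of authorizations."""
    by_merchant = defaultdict(list)
    for a in auths:
        by_merchant[a.merchant_id].append(a)
    metrics = {}
    for mid, rows in by_merchant.items():
        n = len(rows)
        metrics[mid] = {
            "attempts": n,
            "distinct_pan_ratio": len({r.pan_token for r in rows}) / n,
            "no_cvv_ratio": sum(not r.cvv_present for r in rows) / n,
            "no_exp_ratio": sum(not r.exp_present for r in rows) / n,
            # "low dollar" assumed here to mean $1.00 or less (covers $0 AVS checks)
            "low_dollar_ratio": sum(r.amount <= 1.00 for r in rows) / n,
            "invalid_card_ratio": sum(r.response == "invalid_card" for r in rows) / n,
        }
    return metrics


def is_enumeration(m, min_attempts=50):
    """Flag a merchant whose traffic looks like automated card enumeration.

    Thresholds are illustrative assumptions; tune them against real baselines.
    """
    return (
        m["attempts"] >= min_attempts
        and m["distinct_pan_ratio"] >= 0.9   # almost every attempt is a new card
        and m["no_cvv_ratio"] >= 0.8         # requests omit CVV/CVC2
        and m["low_dollar_ratio"] >= 0.8     # $0 / low-dollar probes
        and m["invalid_card_ratio"] >= 0.5   # random PANs mostly do not exist
    )


def flagged_merchants(auths, min_attempts=50):
    """Return the sorted merchant IDs whose traffic matches the enumeration pattern."""
    m = merchant_metrics(auths)
    return sorted(mid for mid, met in m.items() if is_enumeration(met, min_attempts))


def build_sample():
    """Constructed sample traffic: one probing merchant, one ordinary merchant."""
    rows = []
    # Probing merchant: 100 $0 probes, each on a fresh tokenized PAN, no CVV or
    # expiry, 70 "invalid card" declines and 30 other responses (live cards found).
    for i in range(100):
        resp = "invalid_card" if i < 70 else ("declined" if i % 2 else "approved")
        rows.append(Auth("MERCH-PROBE", f"tok{i:04d}", 0.00, False, False, resp))
    # Ordinary merchant: 60 purchases from 20 repeat customers, CVV and expiry present.
    for i in range(60):
        rows.append(Auth("MERCH-SHOP", f"cust{i % 20:02d}", 25.0 + i, True, True,
                         "approved" if i % 10 else "declined"))
    return rows


if __name__ == "__main__":
    sample = build_sample()
    for mid, met in merchant_metrics(sample).items():
        verdict = "ENUMERATION" if is_enumeration(met) else "ok"
        print(mid, {k: round(v, 2) for k, v in met.items()}, verdict)
```

In practice the metrics would be computed over a sliding time window per merchant (and per BIN range on the issuer side), and a flagged merchant would feed a rule that declines or rate limits further no-CVV, low-dollar requests from it rather than a hard block, since the same merchant may also be carrying legitimate traffic.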
- In February 2023, a U.S. bank observed nearly one million address verification service (AVS) $0 debit card authorizations come through per day, from a merchant in Brazil.
- The belief is that the fraudsters are cycling through combinations of card numbers and expirations until they find a match.
- Monetization is primarily taking place through a merchant out of Brazil that facilitates international money transfers.
- Multiple fraud strategies were implemented to decline the authorizations in Brazil.
- Fraudsters continuously shift to other merchants as cards get declined, finding new testing and monetization merchants.
- No one bank was the target. Several financial institutions experienced the same attack.
- Banks were also working closely with Visa to see what actions they could take from a network perspective.
William J. Voorhees, MFA, C.F.E., CAMS, senior vice president, head of Enterprise Fraud Management, Truist Financial, email@example.com