Enumeration Attack

Credit cards are susceptible to attacks via a number of avenues. A recent type of attack is called “enumeration attack,” where fraudsters employ automated trial-and-error authorization attempts on credit card numbers at unwitting merchants. The attack roughly follows this pattern:

The attacker attempts a low-dollar authorization with a random, valid-looking card number at a merchant identified as having unsophisticated rate limiting. The authorization is attempted without including a “card verification value” (CVV or CVC2) or expiration date. Although it may seem counterintuitive, this is a valid authorization request and, unfortunately, many utility companies run authorizations without this card metadata included.

If the attacker receives a decline code for “invalid card number,” they repeat the first step with a new card number. If the attacker receives any other response code, they know this is likely an actively provisioned card number and can continue.

  • In February 2023, a U.S. bank observed nearly one million address verification service (AVS) $0 debit card authorizations per day coming from a single merchant in Brazil.
  • The belief is that the fraudsters are cycling through combinations of card numbers and expirations until they find a match.
  • Monetization is primarily taking place through a merchant out of Brazil that facilitates international money transfers.
  • Multiple fraud strategies were implemented to decline the authorizations in Brazil.
  • Fraudsters continuously shift to other merchants as cards get declined, finding new testing and monetization merchants.
  • No one bank was the target. Several financial institutions experienced the same attack.
  • Banks were also working closely with Visa to see what actions they could take from a network perspective.
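The pattern described above (bursts of low-dollar authorizations with no CVV or expiry, most of them declined as “invalid card number”, with an occasional hit on a live card) is something an issuer can look for in its own authorization stream. The following detection rule is an added example, not code from the article or from any bank or network mentioned in it; the record layout, the merchant IDs and the response code value used for the “invalid card number” decline are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed response code for the issuer's "invalid card number" decline;
# real code tables vary by network and processor.
INVALID_CARD = "14"

# Constructed sample authorization records, not real traffic. Field order:
# (timestamp, merchant_id, amount, cvv_present, expiry_present, response_code)
SAMPLE_AUTHS = [
    # Eight $0 no-CVV auths in 28 seconds, seven "invalid card" declines, one hit.
    ("2023-02-10T08:00:00", "M-BR-001", 0.00, False, False, "14"),
    ("2023-02-10T08:00:04", "M-BR-001", 0.00, False, False, "14"),
    ("2023-02-10T08:00:08", "M-BR-001", 0.00, False, False, "14"),
    ("2023-02-10T08:00:12", "M-BR-001", 0.00, False, False, "00"),
    ("2023-02-10T08:00:16", "M-BR-001", 0.00, False, False, "14"),
    ("2023-02-10T08:00:20", "M-BR-001", 0.00, False, False, "14"),
    ("2023-02-10T08:00:24", "M-BR-001", 0.00, False, False, "14"),
    ("2023-02-10T08:00:28", "M-BR-001", 0.00, False, False, "14"),
    # A utility running occasional $0 account checks without CVV, all approved.
    ("2023-02-10T08:00:00", "M-US-UTIL", 0.00, False, False, "00"),
    ("2023-02-10T08:05:00", "M-US-UTIL", 0.00, False, False, "00"),
    ("2023-02-10T08:09:00", "M-US-UTIL", 0.00, False, False, "00"),
    # A retailer that sends CVV and expiry is outside this rule's scope.
    ("2023-02-10T08:00:01", "M-US-SHOP", 0.00, True, True, "14"),
    ("2023-02-10T08:00:02", "M-US-SHOP", 0.00, True, True, "14"),
]

def enumeration_suspects(auths, window=timedelta(minutes=1), min_attempts=5,
                         max_amount=1.00, min_invalid_ratio=0.6):
    """Return {merchant_id: (burst_size, invalid_ratio)} for merchants whose
    low-dollar, no-CVV, no-expiry traffic bursts and is mostly invalid-card."""
    by_merchant = defaultdict(list)
    for ts, merchant, amount, cvv, expiry, code in auths:
        if amount <= max_amount and not cvv and not expiry:
            by_merchant[merchant].append((datetime.fromisoformat(ts), code))
    suspects = {}
    for merchant, events in by_merchant.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) < min_attempts:
                continue
            ratio = sum(1 for _, c in burst if c == INVALID_CARD) / len(burst)
            if ratio >= min_invalid_ratio and len(burst) > suspects.get(merchant, (0,))[0]:
                suspects[merchant] = (len(burst), round(ratio, 3))  # keep largest burst
    return suspects
```

Thresholds here are illustrative; in production they would be tuned per merchant category so that a utility's legitimate no-CVV billing does not trip the rule.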

William J. Voorhees, MFA, C.F.E., CAMS, senior vice president, head of Enterprise Fraud Management, Truist Financial, editor@acams.org