Dealing with carding attacks
Carding attacks happen when fraudsters use stolen credit card numbers to buy things from online stores. They try many different card numbers quickly, hoping that some will work.
If a fraudulent transactions does go through
- The rightful cardholder will likely request a chargeback.
- You will lose money on the goods you shipped.
- Your acquirer might impose penalties.
- You might could face a criminal investigation if this happens frequently.
To minimise the potential damages, let us guide you through by explaining how to
- Detect carding attacks.
- Implement effective precautions and countermeasures.
You might have outsourced the management of your transaction business and/or the maintenance of some of your applications to third parties (i.e. software developers). Make sure they follow these guides lines as well.
Detecting carding attacks
You can identify card attack attempts in your transaction overview: A large number of declined transactions (status="REJECTED"/statusOutput.statusCategory="UNSUCCESSFUL"/statusOutput.statusCode=2) in a short time is a red flag. Worldline can automatically detect these patterns and will contact you accordingly.
Precautions and countermeasures
The most efficient way of dealing with card attacks are preventive measures. These can reduce the potential damage for both you and the rightful card owners:
- Implement 3-D Secure.
- Use one of our Fraud Prevention tools.
On top of that, certain security measurements implemented on your side reduce the risk of
- Overlooking fraudulent activities.
- Unauthorised third party access to your server or security keys.
- Exploiting security weaknesses in your server scripts.
- Use separate devices for work and private use
- Keep your contact details in your account up-to-date
- Use MFA (Multi-Factor-Authentication)
- Implement the most recent (security) updates
- Use a password safe application
- Change passwords in case of proven security incidents
Use separate devices for work and private use
Avoid visiting/using third party websites/application – Their weaknesses might be used against you. If you are hacked, a strict separation ensures that potential invasion of your personal data does not extend to your professional data.
Keep your contact details in your account up-to-date
Empower us to contact you in real-time in case of card attack incidents. To do so,
• Access the legacy console in the Merchant Portal via Menu > Back Office.
• Go to Configuration > Account > Your administrative details.
• Update your contact data and confirm by clicking on the "SAVE" button.
Use MFA (Multi-Factor-Authentication)
Most established services you might be using (i.e. Google/Microsoft) offer this additional security layer, preventing unauthorised access, and so does the Merchant Portal.
Implement the most recent (security) updates
Potentially, every application you use can be exploited. To minimise this risk, always update your applications such as
- Your devices (computers, cell phones etc.).
- The platform/server hosting your webshop.
- The shopping cart system itself. Check our plugin guides for the newest versions.
Use a password safe application
Weak passwords are one of the biggest security flaws. Strong passwords might be tedious, but are much safer. Password safe applications ease the use of strong passwords. A lot of them are free, and with some research, you will find the right one for your business. Mobile phones with Apple iOS and Google Android typically already have secured password retention present on the device.
Change passwords in case of proven security incidents
If we or any other trusted party informs you that your system's security is compromised, take these immediate measures:
- Change all your passwords stored in your password safe application. Consider even changing the password to your password safe application.
- Change both your API / webhooks keys/secrets.
- ANZ Worldline Payment Solutions employees will never ask for your passwords or other credentials. Consider such requests from any individual/company illegitimate and ignore them!
- If you have a case of a confirmed unauthorised server access/use of security credential, we strongly recommend the following actions:
- Unauthorised server access: See 4, 5 and 6.
- Unauthorised use of security credentials: See 4 and 6.