PCI SSC's Troy Leach and NCFTA's Matt LaVigna share guidance and information on protecting against Account Testing Attacks.
Why are you issuing this industry threat bulletin?
Troy Leach: We have heard from many of our stakeholders in the payment community that account testing attacks are a growing trend for many businesses, large and small. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the NCFTA who’s industry battle these threats daily.
What are Account Testing Attacks?
Matt LaVigna: Account testing attacks – also referred to as payment account enumeration, card testing, and BIN attacks involve a cybercriminal testing payment account numbers in order to validate cardholder information to perpetrate fraud. The two main testing techniques involve testing a full card number or brute forcing an incomplete card dataset. Once an account number is validated, it can then be monetized by being sold on the Dark Web or immediately utilized to commit fraudulent transactions.
So how exactly do these attacks work?
Matt LaVigna: There are different methods that criminals can use to undertake account testing, and each has a different impact on merchants and other entities in the payment lifecycle. The cardholder data in these types of attacks are obtained through two primary techniques – a Point of Interaction (POI) malware or system intrusion data breach within the cardholder data environment or by account number enumeration for fraudulent purposes. An overwhelming majority of attacks today utilize automated software to simply enable account testing to be undertaken on a massive scale in a very short timeframe. The assumption for all of these attacks is that the criminal has obtained a very large number of Primary Account Numbers, along with Expiry dates and the Card Verification Code or Value. Where these types of Sensitive Authentication Data (SAD) are not known, then certain account tests can be undertaken to identify and validate this data.
What businesses are at risk of this devious attack?
Troy Leach: Account testing attacks pose risks to issuers, acquirers and merchants, and the threat exists across many acceptance channels. The consumer also could become the victim of financial/identity theft as a result of a successful attack. Everyone involved in the payment chain is potentially a source of exposure and it is the responsibility of all involved to be vigilant and, on the look-out for this type of attack. Good payment security practices need to be a priority for the merchant, the payment processors as well as issuers and the acquirers. Defeating this ever-growing attack requires a team effort from all involved parties.
What are some detection best practices to detect these threats before they can cause damage?
Troy Leach: The ability to detect these threats before they can cause damage is critically important. Security needs to be a 24/7 priority with security monitoring that looks for and identifies unusual behavior and irregular patterns.
The following characteristics are some common indications of authorization/account testing:
- Account numbers being used do not exist, e.g., a card number from an un-issued BIN range.
- Account numbers being used repeatedly with variations in the security features (expiration date, CVV2/CID, cardholder’s postal code).
- Increase in account numbers attempted within a BIN range, particularly when used at the same merchant for small amounts. Testing may occur with sequential account numbers, or certain digits within the account number may be incremented in regular intervals.
- Increase in AVS checks (e.g. Condition Code)
- An increase in the percent of declines for a merchant or BIN range. Authorization testing will generate higher numbers of declines as fraudsters attempt to find the correct combination of account number, expiration date and security codes (e.g. CVV2/CID).
- An increase in the percent of approved authorizations that do not settle for a merchant.
- An increase in transaction velocity / volume at a new merchant or merchant with low settlement rates.
- A rapid increase in transaction velocity / volume at a merchant that has been inactive.
- An increase in the number of different names being submitted on transactions for a merchant when historically that merchant has submitted only a few legitimate names
What are some prevention best practices to stop this attack form happening in the first place?
Troy Leach: The best protection to mitigate against account testing attacks is to adopt a layered defense that includes secure authentication protocols, patching operating systems and software with the latest security updates, vigilant intrusion detection practices and the proper installation of payment systems. Also, being PCI DSS compliant provides a strong security foundation that can help to address this threat by creating a culture that prioritizes outstanding security standards and practices. For more information about best practices for detection and prevention, people should review our full bulletin.
What are some ways people can learn more about cyber security in general and the threats they face?
Matt LaVigna: The NCFTA encourages public and private sector stakeholders to actively engage each other through available information sharing mechanisms and/or organizations to identify threat trends and collectively develop mitigation strategies. Peer resources include the FBI’s Infragard, the Secret Service’s Cyber-Fraud Task Forces, local ISAOs, sector specific ISACs, and the NCFTA.
Resources to help you: