Criminals are using free online trials of products to test the validity of stolen or generated credit card numbers. Because the trial authorizes a number but does not generate a charge, months can pass before anyone knows a card number has been compromised.
Online fraudsters have a new target in their sights: e-retailers that offer free or nominal-fee trials of products or services, says Jeff Foster, executive vice president of payment processor and security consultant Retail Decisions - U.S.A. To authenticate stolen credit card account numbers, criminals will use them to sign up for free trials on retail web sites, he says. "This happens thousands of times a day across the online retail spectrum," he tells InternetRetailer.com.
Criminals generate account numbers by high-volume random selection of 15-digit numbers, then try them out at web sites. They know they have an authentic account number as soon as they get confirmation from an e-retailer of their acceptance into a trial program, such as for a subscription to books or movie DVDs ordered online and delivered through the mail. But because there is typically no fee for the trial program immediately charged to the stolen credit card account, the transaction doesn't alert the actual cardholder, merchant or card issuer to fraudulent activity, Foster says.
The costs to e-retailers can be enormous, because they must pay transaction fees to card processors, which can amount to close to $1 per transaction, then pay penalties for chargebacks, Foster says. Visa U.S.A. and MasterCard charge a $25 penalty per chargeback under conditions that vary based on the type of chargeback. He notes that one e-retailer processed 45,000 trial program authorizations in fraudulent card transactions over the course of a single week.
Foster notes that, under most trial programs, a charge won't show up on the actual cardholder's account statement until after what is normally a 30-day or 60-day period--giving the criminal plenty of time to start using or to sell a stolen account number before the authorized cardholder becomes aware of fraudulent activity.
Foster notes that most online commerce fraud is now driven by highly organized criminals, who compile information on how, when and where to get the best returns on fraudulent activity. For example, if an e-retailer sets a lower threshold for checking suspicious activity--say, for all purchases over $200--criminals will quickly learn that they can charge up to $199 on that site without alerting the retailer.
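For merchants, the card-testing pattern described above is visible in trial sign-up logs even though no charge is made. The following is an added example, not code from the article or from Retail Decisions: it flags a source that submits many distinct cards to a trial sign-up within a short window with most authorizations declined. The log fields, the window and both limits are assumptions, as is the premise that randomly generated numbers are mostly declined.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_DISTINCT_CARDS = 5           # assumed limit of distinct cards per source
MIN_DECLINE_RATIO = 0.8          # assumed share of declined authorizations

def find_card_testing(events):
    """Return {source: first_flag_time} for sources whose trial sign-ups
    within WINDOW use many distinct cards that are mostly declined.

    events: iterable of (iso_timestamp, source, card_token, approved),
    sorted by time. card_token is a hash or token, never the raw number.
    """
    recent = defaultdict(deque)   # source -> deque of (time, card, approved)
    flagged = {}
    for ts, source, card, approved in events:
        now = datetime.fromisoformat(ts)
        window = recent[source]
        window.append((now, card, approved))
        while window and now - window[0][0] > WINDOW:
            window.popleft()      # drop attempts older than the window
        cards = {c for _, c, _ in window}
        declines = sum(1 for _, _, ok in window if not ok)
        if (len(cards) > MAX_DISTINCT_CARDS
                and declines / len(window) >= MIN_DECLINE_RATIO
                and source not in flagged):
            flagged[source] = now
    return flagged

def sample_events():
    """Constructed sample: one high-volume source and two ordinary customers."""
    events = []
    start = datetime(2024, 1, 1, 12, 0, 0)
    # 203.0.113.7 (documentation range): 12 cards in 2 minutes, one approved.
    for i in range(12):
        events.append(((start + timedelta(seconds=10 * i)).isoformat(),
                       "203.0.113.7", f"tok-{i:03d}", i == 8))
    # Ordinary customers: one signs up cleanly, one retries after a decline.
    events.append(((start + timedelta(seconds=15)).isoformat(), "198.51.100.20", "tok-a", True))
    events.append(((start + timedelta(seconds=40)).isoformat(), "198.51.100.31", "tok-b", False))
    events.append(((start + timedelta(seconds=70)).isoformat(), "198.51.100.31", "tok-c", True))
    return sorted(events)
```

As the $200 example shows, fixed limits like these can be learned and stayed under, so they should be tuned per site and combined with other signals rather than treated as a complete control.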