Crooks start most payments fraud by trying to figure out if the crime is actually worth the effort, sending small probes to see if there is enough money to steal.
The payments company says the technology has reduced a type of attack called "card testing" by 80% in the past two years. That has come as Stripe's yearly payment volume has grown from about $500 billion to more than $1 trillion during that time, a jump in payments activity that theoretically makes card testing easier.
If these payments go through without being flagged, the fraudsters then make incrementally larger purchases, relying on the initial "test" payments that have beaten a company's fraud guard to pave the way for larger theft.
"Card testing is where most fraud begins," said Emily Sands, head of information at Stripe, where she is responsible for leading a department that develops uses for data in decision-making and automation. "Bad actors try to get to which cards can be used in the future."
Administering the exam
Card testing is the most prevalent type of payment fraud, according to
While the losses due to card testing alone are minimal, the technique is a gateway to $205 billion in e-commerce fraud in the first half of the 2020s, according to
"It's a big threat and challenging to detect," Sands said. "Crooks are clever. They hide attacks in businesses that make or receive lots of payments. The record of payments in this case may not look as spiky as for a business or small company. So there's not a sudden shift in the pace of transactions."
There are two major types of card tests. A verification attack involves a crook trying to make small purchases on stolen card accounts to see which ones have been canceled or expired. An enumeration attack, which is gaining steam as crooks use more sophisticated technology, involves "guessing" at card numbers in a rapid-fire manner to spot active cards and to circumvent the cards' blocking function.
Stripe uses machine learning, a form of artificial intelligence, to estimate the overall prevalence of card testing on its platform, which enables the company to update its risk systems daily. The payment company also uses machine learning to estimate where card testing is likely to be taking place, such as businesses, issuers or a type of purchase or payment. This helps determine whether a "rush" of transactions is card testing or a spike in payments due to a marketing campaign, for instance.
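The distinction between a card-testing rush and a campaign spike can be illustrated with a simple windowed heuristic over authorization records. This is an added example, not Stripe's model or code; the thresholds, field names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; real systems tune or learn these.
WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 20          # ignore quiet windows
DECLINE_RATE_ALERT = 0.5   # testing hits many dead or guessed cards
SMALL_SHARE_ALERT = 0.8    # probes are small-value
SMALL_AMOUNT = 2.00        # USD
DISTINCT_CARD_ALERT = 0.9  # nearly every attempt uses a different card

def classify_windows(auths):
    """auths: iterable of (ts, merchant, card_fingerprint, amount, approved).
    Returns {(merchant, window_start): label} for busy windows only."""
    buckets = defaultdict(list)
    for ts, merchant, card, amount, approved in auths:
        # Align each timestamp to the start of its fixed 5-minute window.
        start = datetime.min + (ts - datetime.min) // WINDOW * WINDOW
        buckets[(merchant, start)].append((card, amount, approved))
    labels = {}
    for key, rows in buckets.items():
        n = len(rows)
        if n < MIN_ATTEMPTS:
            continue
        decline_rate = sum(1 for _, _, ok in rows if not ok) / n
        small_share = sum(1 for _, amt, _ in rows if amt <= SMALL_AMOUNT) / n
        distinct_cards = len({card for card, _, _ in rows}) / n
        # A campaign spike is high volume with normal approvals and basket sizes;
        # card testing is many small, mostly declined tries across many cards.
        suspicious = (decline_rate > DECLINE_RATE_ALERT
                      and small_share > SMALL_SHARE_ALERT
                      and distinct_cards > DISTINCT_CARD_ALERT)
        labels[key] = "possible_card_testing" if suspicious else "volume_spike"
    return labels

def constructed_sample():
    """Constructed data: shop_a sees rapid small probes, shop_b runs a promotion."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    rows = []
    for i in range(60):  # new card each second, $1.00, only 1 in 10 approved
        rows.append((t0 + timedelta(seconds=i), "shop_a", f"card{i}", 1.00, i % 10 == 0))
    for i in range(60):  # varied basket sizes, 19 in 20 approved
        rows.append((t0 + timedelta(seconds=i), "shop_b", f"cust{i}", 25.0 + i, i % 20 != 0))
    return rows

if __name__ == "__main__":
    for (merchant, start), label in sorted(classify_windows(constructed_sample()).items()):
        print(merchant, start.isoformat(), label)
```

Both merchants see the same transaction rate, so volume alone does not separate them; the decline rate, ticket size and card diversity do.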
Other tests include vetting individual transactions to spot signs of card testing. This technology enables Stripe to label breakthroughs, or "successful" card tests. That is combined with intelligence from new attack types, analyses that spot fraud patterns and manual reviews. This produces a set of transactions or transaction types that are labeled card-testing fraud, which is then fed into machine-learning models for rapid training using an engineering platform.
"Crooks are constantly changing methods," Sands said. "Machine learning enables rapid retraining to spot new attack methods. This detection adds new features that get fed back into the AI model."
Rise of the machines
While card testing has existed for years, it has increased over the past few years in concert with the economic crisis that accompanied the Covid-19 pandemic, which also catalyzed a rapid expansion in online payments. That has drawn payment and technology companies to develop products designed to halt the attacks.
Firms are increasingly using large language models, an advanced form of AI that's better at deciphering text, to detect similar intent, word usage and patterns across different transactions in any textual fields, such as disputes and chargebacks, according to Andras Cser, a vice president and principal analyst at Forrester. The emerging technology also includes using machine learning and algorithms to parse large amounts of merchant and issuer data, he said.
"This is the motivation for Visa to
Battling card testing fraud is a great application for machine learning and advanced data management, according to David Mattei, strategic advisor for the fraud and anti-money-laundering practice at Datos Insights.
"The one thing in common I see with these newer card testing detection solutions is that they are coming from industry players considered to be at the network level," Mattei said, adding these firms view card authorization traffic across many merchants and financial institutions. "Due to the nature of card testing, it is very helpful to have that 50,000 foot perspective to detect card testing attacks. Stripe is in a good position to offer this kind of solution."