Credit Card Testing
      Back to home
      1. Knowledge Base
      2. Fraud Prevention
      3. Credit Card Testing

      Card Testing Mitigation

       

      Client Side Controls

      1. Client-Side Rate Limiting

      • How it works: Limit the number of payment attempts per session, per page load, or based on certain time thresholds.

        Implementation:

        • Track the number of form submissions locally using localStorage, sessionStorage, or in-memory variables.
        • Set thresholds (e.g., maximum 3 attempts per 5 minutes).
        • Block the UI (e.g., disable the submit button) or show a CAPTCHA when the threshold is exceeded.

      javascript

      let attempts = parseInt(localStorage.getItem('paymentAttempts')) || 0;
      const maxAttempts = 3;
      const timeoutDuration = 5 * 60 * 1000; // 5 minutes

      document.querySelector('#paymentForm').addEventListener('submit', (e) => {
        if (attempts >= maxAttempts) {
          alert('Too many attempts. Please try again later.');
          e.preventDefault();  // Block submission
          return;
        }
        attempts += 1;
        localStorage.setItem('paymentAttempts', attempts);

        setTimeout(() => {
          attempts = Math.max(0, attempts - 1);  // Reduce attempts over time
          localStorage.setItem('paymentAttempts', attempts);
        }, timeoutDuration);
      });

      2. Invisible ReCAPTCHA or Honeypots

      Prevent automated scripts or bots from submitting the form by adding invisible bot detection mechanisms.

      • Invisible reCAPTCHA: Automatically triggered when the user interacts with the page, blocking bots while remaining transparent to legitimate users.

      • Honeypot fields: Add hidden fields that normal users won’t interact with. If a bot fills or modifies them, block the form submission.

      Example Honeypot:

      html

      <form id="paymentForm">
        <input type="text" name="cardNumber" id="cardNumber" placeholder="Card Number" required>
        <input type="text" name="honeypot" id="honeypot" style="display:none;" autocomplete="off">
        <button type="submit" id="submit">Submit Payment</button>
      </form>

      JS Check:

      javascript

      document.querySelector('#paymentForm').addEventListener('submit', (e) => {
        if (document.querySelector('#honeypot').value !== '') {
          alert('Bot detected! Form submission blocked.');
          e.preventDefault();  // Block submission
        }
      });

      3. JavaScript-Based CAPTCHA Challenges

      Trigger a JavaScript-based CAPTCHA before the user can submit the payment form after detecting suspicious behavior, like:

      • Multiple failed input validations.
      • Rapid reloading of the payment page.
      • Excessive typing speed or random key presses

      Example Integration (Google reCAPTCHA v2):

      html

      <form id="paymentForm">
        <input type="text" id="cardNumber" name="cardNumber" required placeholder="Card Number">
        <div class="g-recaptcha" data-sitekey="your-site-key"></div>
        <button type="submit">Submit Payment</button>
      </form>

      <script src="https://www.google.com/recaptcha/api.js"></script>

      Trigger the CAPTCHA based on input validation:

      javascript

      document.querySelector('#paymentForm').addEventListener('submit', (e) => {
        // Custom validation logic here
        if (invalidAttemptDetected) {
          e.preventDefault();  // Block form submission until CAPTCHA is completed
        }
      });

      4. Client-Side Behavioral Monitoring

      Track user interaction patterns (mouse movement, typing patterns, click frequency) to distinguish bots from humans.

      Indicators of automated card testing:

      • No mouse movement or clicks.
      • Rapid, fixed-interval keystrokes (indicating bots).
      • Immediate form submission upon page load.

      Example using basic monitoring:

      javascript

      let userActivityDetected = false;

      document.addEventListener('mousemove', () => userActivityDetected = true);
      document.addEventListener('keydown', () => userActivityDetected = true);

      document.querySelector('#paymentForm').addEventListener('submit', (e) => {
        if (!userActivityDetected) {
          alert('Suspicious activity detected. Please try again.');
          e.preventDefault();  // Block form submission
        }
      });

      5. Prevent Autofill and Browser-Based Bot Submissions

      Fraudsters may use browser automation tools like Selenium or Puppeteer to autofill form fields. You can block these methods by:

      • Disabling autofill attributes on sensitive fields.
      • Dynamically generating field names/IDs on page load.

      Example:

      html

      <input type="text" name="dynamicField" id="field-12345" autocomplete="off" required>

      • Rotate the field names dynamically using JavaScript:

      javascript

      document.addEventListener('DOMContentLoaded', () => {
        const field = document.querySelector('#field-12345');
        field.setAttribute('name', 'cardNumber-' + Date.now());
      });

      6. Prevent Form Submission without User Interaction

      Disable the submit button initially and enable it only after specific user interactions (e.g., filling out required fields, reviewing terms, or answering a security question).

      javascript

      document.querySelector('#submit').disabled = true;

      document.querySelector('#cardNumber').addEventListener('input', () => {
        if (isValidCardInput()) {
          document.querySelector('#submit').disabled = false;
        }
      });

      Server Side Controls

      1. Device Fingerprinting (Advanced Configuration)

      Even if the IP changes frequently, the underlying device signature (combination of browser, device type, screen size, fonts, plugins, and more) is often consistent. Advanced device fingerprinting solutions can flag and block suspicious devices across sessions, even with IP rotation.

        How Device Fingerprinting Works

        Device fingerprinting gathers and analyzes unique characteristics of a user's device, such as:

        • Browser settings (e.g., User-Agent, installed plugins, screen resolution)
        • Operating system information
        • IP address and geolocation
        • Language and time zone settings
        • Cookies or local storage data
        • Network information (e.g., proxy usage)
        • Hardware specifications (e.g., CPU type, GPU, battery status)

        These attributes collectively create a fingerprint that distinguishes the device from others.

        Application in Card Testing Detection

        1. Multiple Transactions from the Same Device:

          • If many transactions (e.g., small authorization attempts) originate from a device within a short time, it may indicate card testing activity.

        2. Behavioral Pattern Detection:

          • Fraudsters often use automated tools (bots) for rapid-fire testing of stolen card data. Device fingerprinting helps spot unusual behavior, such as:
            • Rapid transactions with different card numbers
            • Changes in user-agent strings or IP addresses but the same device signature

        3. Cross-Session Tracking:

          • Even if a fraudster tries to hide their identity using VPNs or switching browsers, device fingerprinting can correlate their actions across different sessions.

        2. Behavioral Analytics and Velocity Rules

        Monitoring transaction patterns (velocity) and user behavior is essential. Velocity checks include:

        • Number of payment attempts within a timeframe (e.g., 3-5 attempts in a minute).

        • Multiple cards tested from the same device or session.

        • Repeated failed authorizations.

        • How it helps: Even with rotating IPs, behavioral analytics detect anomalies like excessive retries or rapid changes in card details.

        • Action: Implement dynamic rate-limiting or temporary blocks on suspicious behaviors.

        3. BIN (Bank Identification Number) Thresholds

        Analyze the BIN of the card to detect if all recent cards have the same BIN.

        • Establish a threshold for consecutive transactions with the same BIN. (transactions per second/minute) 

        • Action: Reject any card numbers that match the BIN for a period of time ranging from 3-24 hrs. 

        4. Address Verification System (AVS) Check (pre-processing)

        Even if the fraudster provides an address, an AVS mismatch score can help detect discrepancies. Some fraudsters may provide partially valid information, but AVS validation can still highlight high-risk transactions.

        • Action: Decline or flag transactions where the address or ZIP code fails verification.

        5. Rate Limiting on Payment Attempts (server side)

        Since fraudsters rely on brute-force methods during card testing, rate limiting can effectively block repeated attempts. Implement:

        • Global rate limits on card transactions.

        • IP-based limits, device-based limits, and velocity checks.

        • How it helps: Blocks high-frequency requests even with rotating IPs.

        • Action: Use tools like Cloudflare, AWS WAF, or similar services for implementation.

        6. AI-Driven Fraud Detection Solutions

        Machine learning models analyze patterns and behaviors that static rules might miss. These systems can detect:

        • Unusual patterns (e.g., a legitimate card being used across different IPs or locations in a short time).

        • Subtle changes in how legitimate vs. fraudulent users behave.

        • How it helps: Dynamically adapts and blocks evolving fraud tactics.

        • Action: Implement AI fraud prevention tools (e.g., Riskified, Forter, or Stripe Radar).

        7. Real-Time CVV Validation 

        Using a CVV validation service check the user provided CVV data.  This can be done using the Zift account-verification call. 

        • How it helps: Identifies stolen or compromised cards.
        • Action: Work with payment processors that offer this feature.

        Note: This should be combined with a throughput threshold (transactions per second/minute) so that account-verification is not used for every transaction. 

        8. Blacklisting and Shared Intelligence Databases

        Leverage blacklists of known bad devices, IP addresses, and card details. Use shared intelligence databases (e.g., from major fraud protection networks) to identify compromised card batches quickly.

        • How it helps: Blocks transactions associated with known fraud patterns.
        • Action: Use services like ThreatMetrix or other threat intelligence providers.

        9. Monitor for Proxy or VPN Use

        Rotating domestic IP addresses often rely on VPNs, proxies, or bot networks. Identify these using:

        • IP reputation services that detect known proxy/VPN nodes.

        • DNS-based or real-time checks for suspicious IP ranges.

        • How it helps: Blocks or flags IPs associated with high-risk behavior.

        • Action: Enforce stricter checks on transactions originating from these IPs.

        10. Multi-Factor Authentication (MFA)

        Require additional verification beyond the CVV and address, such as email or phone OTPs, before processing payments.

        Recommended Strategy Combination:

        For best results:

        • Device fingerprinting + rate limiting + CAPTCHA challenges
        • Behavioral analytics + BIN/geolocation checks
        • AI fraud detection + 3D Secure (if applicable)

        This layered defense ensures that fraudsters will be slowed down or stopped altogether, despite having full card data and rotating domestic IPs.