Interesting Credit Card transactions, are you seeing similar?
In my day job we get involved in payment systems, credit card transactions etc. We are also asked to investigate and explain incidents as well as "unusual" activity.
When looking at credit card payments there are always payments for people like lkjsdflkjs and "famous person name", usually small value transactions $2, $5, $10 although recently we've started seeing $60 transactions. These are easily identified and the motive is very clear, test the card. If the transaction goes through the card number and CVC (if needed) or other details are correct.
Recently however I've been seeing more interesting transactions. The transactions start with a high value and step down until the transaction is accepted. ie. we start with a charge of 10K, the next transaction 9K , 8K ......3K, $1000, $900, $800, ....$100. The process is automated so if the limit on the card is high enough multiple transactions are sometimes accepted. Again these transactions are easily identified, however the motive eludes me. We looked at a number of possibilities:
- identify the upper limit on the card. - The process however results in the card being maxed out. The issuing bank or card brand blocks the card. The number now no longer has any value. You know the upper limit, but can no longer use the card.
- purchases for resale - This was the obvious one, but in the cases I worked on, none actually deliver physical product to the purchaser.
- Refunds? - Another scenario we looked at is that after the transactions are done the organisation is called by the fake cardholder and a refund is requested. Because their bank has blocked the card they'd like to be refunded to a different card or some other payment mechanism. Looking at refunds and refund requests through customer service avenues allowed us to discard this scenario in the cases we worked on.
- Credit Card DOS - A third scenario was a DOS on cards, max out the card and as many as possible and irritate either the bank or the card brand, or the proper cardholders. The volumes however would be annoying for the merchant and issuing bank, but were certainly not on epic scales. Unless of course we were only seeing one small part of a much larger distributed effort.
So what I'm asking those of you that deal with credit card payments is this. Have you seen similar behaviour in your payment systems? Multiple transactions on the same card, starting with a big value, stepping down in increments to lower values until the transaction is accepted and in some cases beyond. Those of you that deal with donation sites or online delivery (i.e. no physical product) are more likely to see these.
If you have other ideas on what the point of these transactions is by all means share, either as a comment or through the contact form.
Regards
Mark H (markh.isc at gmail.com)
Comments
techvet
Apr 24th 2013
1 decade ago
Moriah
Apr 25th 2013
1 decade ago
Maybe simply to see how fast different card-issuers react.
Wonder if it possible to block the card, yet still obtain authorisation for transactions (thru differing payment handling companies) made via in-store point of sale terminals or third party cash ATM's for an 'unspecified' period of time after the card-issuer blocked the card? It shouldn't happen, but..
nick
Apr 25th 2013
1 decade ago
The attacker anticipates bank security will analyze and eventually shut down the card.
A descending maximum maximizes payout before detection. An ascending series gives minimum payout in the short term.
Is smash-and-grab in credit theft most common, or are there good case studies where a compromised cards are milked over a long period to larger effect?
Kradak
Apr 25th 2013
1 decade ago
tonyd
Apr 25th 2013
1 decade ago
Korwyn
Apr 25th 2013
1 decade ago
The authorization will eventually age off of the card, be removed, and all of the credit will again be available. If a small authorization is run after and succeeds that will then show the card has still not been reported as compromised, may indicate it is not used much, and they now know about how much credit is available. Just a thought.
David S.
Apr 25th 2013
1 decade ago