Tips to combat fraudulent auth testing

Helpful tips to help you combat fraudulent auth testing on your payment gateway.

The pandemic accelerated both merchants’ and their customers’ transition to a digital marketplace. More than one year later, with more and more transactions occurring online, merchants are at an increasingly higher risk for fraudulent attacks.

As eCommerce continues to cement its foothold in the marketplace, fraudulent authorization testing remains a prevalent risk to business owners. Auth testing, or account enumeration as it is more commonly known, occurs when fraudsters use stolen credit card numbers to make small test purchases on a merchant’s payment system to see whether a transaction is authorized. If it is, they start racking up bigger charges on the validated stolen card numbers.

Making matters worse, with the help of software applications called bots, fraudsters can test hundreds to tens of thousands of stolen payment card numbers against a single digital checkout in the blink of an eye. Those transactions, no matter how small, quickly add up, because every attempted transaction carries an authorization cost.

Small and medium businesses are often preyed on by these fraudsters, sometimes because of a lack of preparedness. Prior to the pandemic, a study by Emailage of more than 1,000 North American SMBs revealed that 48 percent didn’t believe they were large enough to be a target, while 38 percent didn’t see fraud as a top business concern.[1] Remember, customers – both small and large – are best prepared through a multilayered approach. We encourage you to review the tips offered by Elavon’s Loss Prevention Team below. As a reminder, if your customers are Converge users, many of the preventive tools below are available through the Converge solution. Please refer to the downloadable guide in The Learning Center (TLC) for more information.


1. Use these fraud deterrence tools. Consumers’ expectations for a more seamless, safe way to shop online continue to grow. While these tools are part of an evolving process, some of the more common tools currently in use are:

• Firewalls – Network security systems that monitor and control incoming and outgoing network traffic based on predetermined security rules and transaction parameters.

• CAPTCHA or reCAPTCHA – A program or system that uses image challenges to distinguish human input from bots.

• Honeypots – Decoy systems that operate alongside production systems and lure in fraudsters.

• Device fingerprinting – Technology that identifies the originating device to help detect bots.

• Keystroke recognition – Another biometric tool that uses the unique manner in which an individual types to recognize the user as a human rather than a bot.

2. Ensure HTML source code is hidden. Using an outside vendor to develop eCommerce websites could expose customers to fraudsters. Coders may leave HTML source code exposed or accessible, leaving the door wide open for fraudulent auth testing, so it is important to ensure that source code is well hidden. While tools like CAPTCHA can help, concealing this code from fraudsters may require the help of a developer. Our Developer Portal can help.

3. Require more information when setting up pay fields. Many pay fields require only the credit card information, but adding email addresses, phone numbers and cardholder addresses makes auth testing less likely, because fraudsters need to build a much longer script containing all of that additional information to obtain an authorization. Our Software Technical Support (STS) team can install tools such as Address Verification Service (AVS) to help confirm that the additional information entered in the required fields is a match.

4. Continually monitor transactions. Since authorization testing often happens in large groups of transactions within a short period of time, customers should set hourly or daily velocity limits within their payment acceptance platform. The goal is to specify an upper limit on the number of transactions expected from a specific IP address within the selected timeframe. Business owners should also continually review high-ticket transactions and unusually low-ticket transactions. They can set a transaction threshold that, if the transaction amount is oddly low or much higher than their average transaction, automatically declines the transaction or holds it for later manual review before the authorization is attempted.

5. Scan systems. Check for malware or spyware regularly.
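One way to implement the per-IP velocity limit and the low/high ticket thresholds described in tip 4, as an added Python example that is not part of the original article or of any Elavon or Converge product. The transaction records, window size and thresholds are constructed for illustration; a real deployment would take them from the payment platform's configuration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization attempts (not real data). One IP submits
# a burst of $1.00 charges within seconds, the classic card-testing pattern;
# two other IPs submit a normal purchase and an unusually large one.
SAMPLE_TXNS = [
    {"id": "t1", "ts": "2023-04-12T10:00:00", "ip": "203.0.113.5", "amount": 1.00},
    {"id": "t2", "ts": "2023-04-12T10:00:04", "ip": "203.0.113.5", "amount": 1.00},
    {"id": "t3", "ts": "2023-04-12T10:00:09", "ip": "203.0.113.5", "amount": 1.00},
    {"id": "t4", "ts": "2023-04-12T10:00:13", "ip": "203.0.113.5", "amount": 1.00},
    {"id": "t5", "ts": "2023-04-12T10:05:00", "ip": "198.51.100.7", "amount": 45.00},
    {"id": "t6", "ts": "2023-04-12T10:06:00", "ip": "198.51.100.9", "amount": 950.00},
]


def flag_transactions(txns, window=timedelta(minutes=1), max_per_window=3,
                      low_ticket=2.00, high_ticket=500.00):
    """Return {txn_id: [reasons]} for attempts that should be declined or held
    for manual review before the authorization request is sent.

    window / max_per_window: the velocity limit (attempts per IP per window).
    low_ticket / high_ticket: amounts outside this range are flagged.
    All four values are assumed settings chosen for this example.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = defaultdict(list)
    for t in sorted(txns, key=lambda t: t["ts"]):
        ts = datetime.fromisoformat(t["ts"])
        q = recent[t["ip"]]
        # Slide the window: discard attempts older than `window`.
        while q and ts - q[0] > window:
            q.popleft()
        q.append(ts)
        if len(q) > max_per_window:
            flagged[t["id"]].append("velocity")
        if t["amount"] < low_ticket:
            flagged[t["id"]].append("low_ticket")
        elif t["amount"] > high_ticket:
            flagged[t["id"]].append("high_ticket")
    return dict(flagged)


if __name__ == "__main__":
    for txn_id, reasons in flag_transactions(SAMPLE_TXNS).items():
        print(f"{txn_id}: hold for review ({', '.join(reasons)})")
```

Velocity is counted per source IP only, as the tip describes; in practice the same sliding-window check is usually also keyed on card number and device fingerprint, since testing bots rotate IP addresses.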

[1] SMB Merchants Are Too Complacent When It Comes to Payment Fraud, My Total Retail

April 12th, 2023 by