Credit card fraud occurs when malicious actors use stolen credit card information in online transactions. The most common method of obtaining credit card information is via bots designed for that purpose.
Bots are the foundation of a card criminal’s arsenal. They are used in a variety of ways to obtain or validate stolen card numbers. The numbers are later used fraudulently, which results in lost revenue and chargebacks for the unfortunate merchant.
To steal card data, bots scan for vulnerabilities within retailers and other sites that process payments. When a vulnerability is found, the hacker breaches the site and steals the data. One successful attack can produce a windfall of cards: thousands, or even tens of thousands of active numbers.
Threat actors also use bots to validate stolen card numbers. Bots enter the numbers into web applications to see if they are accepted or rejected. A similar technique is used to discover new cards: bots cycle through potential numbers and enter them into web applications. This is a crude, but effective, way to steal additional cards that were previously unknown to the attacker.
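Both behaviours described above leave a trace in a merchant's payment logs: one client trying many distinct cards with most attempts rejected. The following detection sketch is an added example, not part of the original article; the log fields, client names, card tokens and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample log rows: (client, card_token, bin6, outcome).
# card_token is a hypothetical one-way fingerprint of the card number;
# raw card numbers are never written to the log.
ATTEMPTS = (
    # One client cycling through 8 numbers under a single BIN: 7 rejected.
    [("client-a", f"tok-a{i}", "400000", "approved" if i == 5 else "declined")
     for i in range(8)]
    # One client checking 6 cards from different issuers: 5 rejected.
    + [("client-b", f"tok-b{i}", f"51000{i}", "approved" if i == 2 else "declined")
       for i in range(6)]
    # Ordinary shopper: one card, one mistyped attempt, then success.
    + [("client-c", "tok-c0", "450000", "declined"),
       ("client-c", "tok-c0", "450000", "approved")]
    # Busy but legitimate client (shared office address): 5 cards, all accepted.
    + [("client-d", f"tok-d{i}", f"52000{i}", "approved") for i in range(5)]
)


def detect_card_testing(attempts, min_cards=5, min_decline_ratio=0.7, bin_share=0.8):
    """Return {client: finding} for clients whose attempts look like card testing.

    Thresholds are illustrative assumptions and need tuning per merchant.
    """
    by_client = defaultdict(list)
    for client, token, bin6, outcome in attempts:
        by_client[client].append((token, bin6, outcome))

    findings = {}
    for client, rows in by_client.items():
        cards = {token: bin6 for token, bin6, _ in rows}  # distinct cards tried
        declines = sum(1 for _, _, outcome in rows if outcome == "declined")
        if len(cards) < min_cards or declines / len(rows) < min_decline_ratio:
            continue  # too few cards, or mostly accepted: normal traffic
        # Many cards under one BIN suggests cycling through potential numbers;
        # cards spread across issuers suggests checking an existing stolen list.
        _, top_count = Counter(cards.values()).most_common(1)[0]
        pattern = "enumeration" if top_count / len(cards) >= bin_share else "validation"
        findings[client] = {"distinct_cards": len(cards), "declined": declines,
                            "attempts": len(rows), "pattern": pattern}
    return findings


if __name__ == "__main__":
    for client, finding in detect_card_testing(ATTEMPTS).items():
        print(client, finding)
```

In production the same grouping would run over a sliding time window and key on more than the client address, since bots rotate addresses.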
The scale of online credit card abuse is illustrated by the prevalence of “card not present” fraud. This type of fraud is growing, thanks in part to the rise of EMV chip cards. EMV makes physical card fraud more difficult, which discourages criminals from monetizing stolen numbers by printing physical cards. Thus, more criminals are moving online to monetize their stolen numbers.