Brute force attacks aren’t new, but recently they’ve risen in popularity. Blame technology, but it is now easier than ever for fraudsters to both attempt and execute brute force attacks on cardholder and merchant accounts. These attacks utilize a trial-and-error methodology to acquire username and password information. Automated computer software attempts to acquire the information by guessing, time and time again, until the right combination is found.
With payment gateways, fraudsters aren’t merely looking for backend access to steal accounts for nefarious reasons. Instead, they are pretending to be a legitimate merchant trying to authorize transactions with stolen or generated card numbers and details. Using the transaction authorization process, they can find a combination that isn’t declined and then use those card details to commit fraud.
These attacks can impact merchants in two ways. First, by providing fraudsters with valid card details, which results in chargebacks that hurt the bottom line. Second, these attacks let fraudsters enter the payment flow and use the merchant’s legitimate credentials to validate stolen card information through authentication requests. Once they have validated the card numbers, the fraudsters can go on to use those cards at POS terminals, ATMs or eCommerce sites.
We’ve put together some recommendations to help you mitigate these threats. Keep in mind that beyond the previously mentioned impacts, this type of attack also generates several thousand transaction authentication requests in the space of seconds. These can add up, resulting in numerous transaction-related fees charged to your merchant account.
Beware of Phishing Attempts
Make sure to educate and protect your employees and business against phishing attempts. Emails are often used in phishing attempts, so make sure to double-check each email sender and recipient name or address for misspellings, avoid opening suspicious attachments, and never open a link from an untrusted source. Limiting employee access to sensitive information like your acquirer’s BIN or your merchant number can also help prevent an unintentional leak.
Secure Your Business
Regularly updating your anti-virus software and periodically reviewing your firewalls and passwords to ensure they are strong is always a good idea. Keep in mind that fraudsters can, at times, use dictionary attacks to crack passwords, so a long and complex password will help protect you. You should also require two-factor authentication for all administrative remote-access applications to better protect your systems from unauthorized access. Most importantly, ensure that your business operations and service providers comply with PCI DSS.
Implement Anti-Fraud Solutions
It’s essential to protect your shoppers as well as your business from fraudulent attempts. Utilizing CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) and 3D Secure authentication can help prevent bots or scripts from automating transaction initiation.
Monitor Your Traffic
Keep an eye on your traffic, or better yet use a monitoring tool, to flag inconsistent use of your system. Users with excessive bandwidth usage, or with inconsistent combinations of browser language, IP address and time zone, may need to be examined. Multiple transactions from a single email address or device ID but with multiple different cards should also be flagged and sent for manual review. Similarly, a single card used from multiple IPs may call for closer examination.
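The three monitoring rules above (a burst of authorization requests from one device, many different cards from one email or device, one card presented from many IPs) applied to a constructed set of authorization attempts. This is an added illustration, not Credorax’s tooling; the log layout, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of gateway authorization attempts (hypothetical layout:
# timestamp, device id, e-mail, source IP, card token, result). Tokens stand
# in for PANs; raw card numbers never belong in logs.
SAMPLE_LOG = """\
2024-03-01T10:00:00 dev-A1 buyer@example.com 203.0.113.5 tok-0001 declined
2024-03-01T10:00:01 dev-A1 buyer@example.com 203.0.113.5 tok-0002 declined
2024-03-01T10:00:02 dev-A1 buyer@example.com 203.0.113.5 tok-0003 declined
2024-03-01T10:00:03 dev-A1 buyer@example.com 203.0.113.5 tok-0004 approved
2024-03-01T10:00:04 dev-A1 buyer@example.com 203.0.113.5 tok-0005 declined
2024-03-01T10:05:00 dev-B7 jane@example.com 198.51.100.9 tok-0100 approved
2024-03-01T10:06:00 dev-C3 jane@example.com 192.0.2.44 tok-0100 approved
2024-03-01T10:07:00 dev-D9 jane@example.com 192.0.2.77 tok-0100 declined
2024-03-01T11:00:00 dev-E2 sam@example.com 198.51.100.21 tok-0200 approved
"""

def parse(log):
    """Split one record per line into a dict; timestamps become datetimes."""
    rows = []
    for line in log.splitlines():
        ts, dev, email, ip, card, result = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "dev": dev, "email": email,
                     "ip": ip, "card": card, "result": result})
    return rows

def burst_devices(rows, max_attempts=4, window=timedelta(seconds=10)):
    """Devices that sent more than max_attempts auths inside any sliding window."""
    by_dev = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_dev[r["dev"]].append(r["ts"])
    flagged = set()
    for dev, times in by_dev.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 > max_attempts:
                flagged.add(dev)
    return flagged

def too_many_distinct(rows, key, value, limit):
    """Keys (device, e-mail or card) seen with more than `limit` distinct values."""
    seen = defaultdict(set)
    for r in rows:
        seen[r[key]].add(r[value])
    return {k for k, v in seen.items() if len(v) > limit}
```

Calling `too_many_distinct(rows, "email", "card", 3)` implements the many-cards-per-email rule and `too_many_distinct(rows, "card", "ip", 2)` the card-on-many-IPs rule; anything returned goes to manual review rather than being auto-blocked.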
What to do if you’ve been compromised?
If you believe that you’ve been compromised, and have had your information used for a brute-force attack, reach out to your service provider for further guidance. It is good practice to cease use of the terminal or credentials that you suspect may have been compromised and to consult with your service provider for the next steps.
Credorax is consistently implementing and developing best practices and anti-fraud solutions for our customers, ensuring that you have the tools and knowledge to better handle fraud.
Want to learn more about how you can protect your business against fraud?
Contact us today: firstname.lastname@example.org.