As online payments have become more common, so has online payment fraud. The InfoSec and card payment communities have noticed a measurable uptick in fraudulent card activity over the past months. We’re contacting you to help address the risks of some specific incidents we've seen impact our customers.
What is Velocity Fraud?
Velocity fraud occurs when a hacker uses a payment website to test compromised credit card numbers in an effort to validate open accounts that can be used for purchases. The hacker sends thousands of small-dollar transactions or authorization requests through the payment portal during a short amount of time. While this usually results in minimal actual payment dollars transmitting, the business can lose thousands in transaction fees, chargeback fees, lost revenue, and additional costs.
What are the Risks?
A recent incident cost one merchant over $30,000 in various transaction fees in the course of one night. This attack occurred during non-business hours, delaying its detection and mitigation. The irregular behavior caused the processor to close down the account to prevent further fraudulent activity. This kind of attack can damage a business or organization in multiple ways:
Financial liability: Business owners are still responsible for transaction authorization fees accrued during a Velocity Fraud attack, even if transactions decline.
Service interruption: Processors may shut down card processing during remediation efforts or terminate the account for fear of future risk events.
Reputational damage: Businesses with compromised payment portals suffer a higher customer loss rate and are statistically more likely to fail.
Legal liability: Some merchants may face legal ramifications caused by delays to service or delivery. Customers may seek recourse for breach of Service Level Agreements or other contractual obligations.
Protecting Your Organization From Velocity Fraud
Fortunately, the industry is familiar with velocity fraud, and you can mitigate these attacks with some basic preventative steps.
1. If you don't have an active fraud management process, you can begin by turning on transaction reporting. Check the daily count, daily volume, and single transaction amounts for obvious anomalies. If you're a low-volume merchant, massive increases in card transaction volume will be apparent. However, because most velocity fraud occurs overnight, by the time you check your report in the morning, it may be too late to mitigate the damage. That's why we recommend automated notification and failsafe thresholds to prevent after-hours velocity fraud attacks.
2. Talk to your web developer or website hosting service. Those that build or control your customer-facing payment pages can put safeguards in place. Good questions to ask your developer are:
- Is velocity checking enabled on my site?
- How is my site detecting anomalies in any of the following: an abnormally large number of total transactions, declines, transactions using the same card number, transactions from the same IP address or billing zip code, or originating from the same device?
- Is ReCaptcha enforced on my customer-facing payment pages to prevent bot attacks?
3. Improve your practices: You are ultimately responsible for the safety and viability of your company. Regularly review company practices and policies to ensure that velocity attacks are detected and prevented before too much damage occurs. Create documented procedures for post-transaction fraud management and have an incident response plan in place that includes assigned roles and steps.
4. Consult with your processor: Your processor may already have velocity fraud protection services built into their platform. Set an appointment to discuss your options with your processor or reseller.
A good fraud loss prevention solution will take all of these elements into account and assess the volume or sum of any combination of those variables over time. A good web developer will understand the need for preventative measures and proactive responses to all card fraud.
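The velocity check described above can be sketched as a sliding-window counter over each of those variables. This is an added example, not OmniFund's or any processor's code; the window length, limits, field names, and sample traffic are assumptions chosen for illustration.

```python
import hmac, hashlib
from collections import defaultdict, deque

# Assumed values for illustration: tune to your own baseline traffic.
WINDOW = 600  # seconds
LIMITS = {"total": 50, "declines": 20, "card": 3, "ip": 5, "zip": 8, "device": 5}

def card_fingerprint(pan: str, key: bytes) -> str:
    """Keyed hash so the checker never stores the raw card number."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

class VelocityChecker:
    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits, self.window = limits, window
        self.seen = defaultdict(deque)  # (dimension, value) -> timestamps

    def _over(self, dim, value, ts):
        q = self.seen[(dim, value)]
        q.append(ts)
        while q[0] <= ts - self.window:  # expire events outside the window
            q.popleft()
        return len(q) > self.limits[dim]

    def check(self, txn):
        """Record one attempt; return every dimension now over its limit."""
        keys = [("total", "*"), ("card", txn["card_fp"]), ("ip", txn["ip"]),
                ("zip", txn["zip"]), ("device", txn["device"])]
        if txn["declined"]:
            keys.append(("declines", "*"))
        return [d for d, v in keys if self._over(d, v, txn["ts"])]

def sample_burst(n=30, key=b"constructed-demo-key"):
    """Constructed traffic: one source cycling test card numbers every 2 s."""
    return [{"ts": 2 * i, "ip": "203.0.113.7", "device": "dev-A", "zip": "00000",
             "card_fp": card_fingerprint(f"4000000000{i:06d}", key),
             "declined": True} for i in range(n)]

def first_alert(txns, checker=None):
    """Return (index, tripped dimensions) for the first attempt that trips."""
    checker = checker or VelocityChecker()
    for i, txn in enumerate(txns):
        tripped = checker.check(txn)
        if tripped:
            return i, tripped
    return None

if __name__ == "__main__":
    print(first_alert(sample_burst()))
```

A non-empty result from `check` is the point at which to send the automated notification or apply the failsafe, such as rejecting further attempts from that source, instead of waiting for the morning report.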
What OmniFund Does to Help Protect You
- Customers using our OneClick hosted payment page are already protected from velocity attacks by ReCaptcha.
- All merchants using OmniFund’s customer-facing payment functions (OneClick, ClickNPay, Passport, and Invoices) have the option to enable an industry-leading fraud prevention solution from the LexisNexis® ThreatMetrix® platform that will help detect and defend against bad actors.
- OmniFund employs tenured experts in data security and fraud prevention. As such, we are well-positioned to share standard best practices and specific steps our clients can take to protect themselves. We will continue to share alerts and advice through our customer portal as we see security trends evolve.
- Through our strategic partnerships with processors, security solutions providers, and other PCI experts, we keep our finger on the pulse of the card processing world. Our active participation in the payment card security community enables us to maintain a macro view of the industry’s state and update our practices to stay ahead of threat trends.