Podcast: Play in new window | Download
Credit card tumbling (CCT) is a subset of credit card fraud in which a hacker has some, but not all, of a customer’s information and attempts to guess the rest. The word tumbling is a reference to the tumblers, or knobs, on an old-fashioned safe, which a robber would open by listening carefully to the moving tumblers to detect a click, an indication that a code number had been reached. Today’s hackers aren’t listening to moving tumblers until they hear that click, but they are leveraging partial credit numbers or expiration dates and continuing to guess the missing information until a purchase goes through.
It’s no surprise that CCT is top of mind for merchants, who are continually looking to offer more security and prevent such fraud from accelerating.
In a recent PaymentsJournal podcast, Alok Kumar, chief information security officer, NCR Retail & Payments; and Brian Riley, head of credit and co-head of payments at Mercator Advisory Group, discussed the threat CCT poses and offered best practices for merchants who are tackling this issue.
Preventing CCT Fraud
Detecting CCT fraud is relatively simple. It shows up when a bill is disputed by a customer who’s unaware that information has been stolen. Preventing CCT fraud before it happens is more challenging, but can be done if the appropriate precautions are taken.
“The passive way is to sit there and wait for a bill to tell you of an attack,” Riley said. “The proactive way involves a process that pre-identifies where that risk is and allows you to catch things way before the problem turns into a real big problem.”
According to Kumar, the most important aspect of a proper information security control system is to prevent CCT fraud. “Today, with many of the vendors [out there], if I go to their website, they don’t ask for a CVV,” Kumar said. “The CVV is the card verification value, which is on the back of the card. That number is not saved in any database. So even if the hacker takes the credit card info online, they never have the CVV. That’s something we need to verify every time.”
Velocity checking, also referred to as rate limiting, is another key factor to watch out for. “You need to check and see how many attempts at a payment you’re getting per minute from the same session,” Kumar said. “Sometimes people do up to 30 tries, and there’s no reason for someone to do that many per minute.”
Other security checks involve corroborating customer information. For example, it’s important to make sure the card number matches the address presented by the customer and that the IP address is legitimate. There are IP reputation lists published by different vendors—a merchant can subscribe to that service and verify that a customer is not coming from an IP that has already been blacklisted.
Companies can leverage these strategies in-house or outsource them. “There are a lot of third-party vendors that you can outsource the traffic to,” Kumar said. “Those companies have security services, where you can route your [customer] traffic through them. They also offer customizable solutions, blocking certain cards under custom rules, and only send the proper traffic to your website.”
Preventing CCT fraud also involves focusing on data storage. Merchants should make sure to have intrusion detection prevention services, such a firewall and antivirus file integrity monitoring. Databases should be encrypted, along with credit card information.
“When you’re sending credit card information to a processor for any reason, you should not leave any of the plain text of the credit card in any file, whether it’s a database or a flat file,” Kumar said. “Many people do manual processing at the end of the day. They sometimes leave log files on their computers with credit card text in them, which can be stolen.”
Another common mistake that can be easily avoided is the sending of sensitive log files to the trash folder. When malware gets into a computer, it looks in the trash folder first. People who handle credit card information daily can be trained to not leave sensitive files in the trash folder.
Overall, avoiding CCT fraud is possible with the right steps. Checking for a CVV, checking card submission frequency, and corroborating customer information are important to sniffing out fraudsters. Securing customer information via encryption and disposing of data properly are also important. Companies can implement much of this in-house or partner with organizations that specialize in these tasks. With the right plan, companies can improve their bottom line significantly by working to reduce fraud before it happens.