A credit master attack is a criminal act in which someone illegally obtains and uses another person’s credit card information. Credit master attacks are rising in Japan and have a significant impact on businesses and cardholders. Because of this, it is necessary to use measures to prevent credit master attacks.

In this article, we explain credit master attacks, the damage they can cause, and countermeasures businesses and cardholders can use to prevent them.

What’s in this article?

• What is a credit master attack?
  
• How do credit master attacks impact businesses in Japan?　
  
• How can businesses in Japan prevent credit master attacks?
  
• How do credit master attacks impact cardholders?
  
• How can cardholders prevent credit master attacks?
  
• FAQs about credit master attacks
  
• What to know about credit master attacks
  

What is a credit master attack?

A credit master attack is a credit card fraud method that uses the consistency of credit card number digits to illegally obtain card numbers. In a credit master attack, the attacker uses a program or software that automatically generates random numbers. These numbers are then tested to identify valid card numbers and security codes.

Attackers use the payment pages of ecommerce sites to determine whether or not these machine-generated numbers are valid credit card numbers. If a payment page accepts a credit card payment using these numbers, the card number and security code are considered valid. They are then at risk of being used fraudulently on various other ecommerce sites.

Here is a detailed explanation of the specific methods used in a credit master attack:

The credit master technique

A credit master attack involves the automatic generation of numbers based on credit card number regularity.

In accordance with the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 7812 international standard, credit card numbers are composed of:

• An issuer identification number (IIN): This is sometimes also called the bank identification number (BIN) and includes the first six digits.

• A member account number: The seventh through penultimate digits make up this number.

• A check digit: This is the last digit.

Using a special algorithm, the check digit determines whether the card number is correct. The credit card issuer determines the IIN. This is public information that anyone can check. For example, Rakuten credit cards are assigned the IIN “3584-03,” and EPOS Visa credit cards are assigned the IIN “4897-83.”

After establishing a starting point through some guesswork, numbers are automatically generated by a computer. The final number is worked out by repeatedly testing combinations of the security code and expiration date, in addition to the IIN, member account number, and check digit.

Damages from credit master attacks

According to the Japan Consumer Credit Association, the total amount of damage caused by unauthorized use of credit cards in Japan from January–December 2023 was ¥54.1 billion, the highest amount ever recorded. Compared to the ¥43.7 billion in total damages in 2022, this represents an increase of over ¥10 billion in a single year.

When the amount of damage caused by the fraudulent use of credit cards is broken down into categories, the total amount of damage caused by number theft in 2023 was ¥50.5 billion. This represents 93.3% of the total amount of damage caused by the fraudulent use of credit cards.

Credit master attacks typically fall in the number theft category, but not all attacks that involve number theft use credit master techniques. However, according to recent trends, fraudulent activities involving credit card number theft—including credit master techniques—are becoming more complex and sophisticated every year. There is concern that the losses will continue to increase.

How do credit master attacks impact businesses in Japan?

Here’s how these attacks impact Japanese businesses:

Increase in processing expenses due to large number of authorization requests

Card authorization (i.e., the process of securing credit or receiving approval for credit) allows businesses to check with the credit card company to see whether the customer has sufficient funds or credit available to pay for a transaction. The business must pay the credit card company a processing fee for each authorization, typically anywhere between ¥1–¥5.

If an ecommerce site is subject to a credit master attack, it will typically be charged a large amount of authorization fees as card numbers are submitted for authorization. Although the fee for each authorization attempt is small, the cost of the authorizations can rapidly add up to a large amount.

Even if the credit cards aren’t fraudulently used directly on that site, the business can still suffer damage due to a large number of authorizations and their associated costs.

Loss of sales opportunities and customer complaints

During a credit master attack, a large number of access attempts are made at a single location. This can overload the system, slowing down payment and order processing and, in some cases, preventing legitimate customers from accessing the ecommerce site. More problematically, credit card payments can be temporarily unavailable as a result.

If this situation occurs on an ecommerce site, customers will likely feel inconvenienced, suspicious, or uncomfortable and might stop using the site altogether. This can result in a loss of sales opportunities for the business. In addition, the site will be inundated with inquiries and complaints from actual customers concerned about whether their orders and payments were processed correctly.

Suspension of credit card payments

Credit card companies are constantly monitoring payment conditions. For this reason, credit card companies can temporarily suspend payments for ecommerce sites that have been the target of a credit master attack.

The credit master technique uses a large number of random numbers that conflict with each other. This results in the large number of authorization requests mentioned above, which can be flagged as fraud. As a result, the credit card provider might deem it necessary to stop credit card payments on a given site completely. And while these payments are suspended, it is impossible to provide credit card payment services to legitimate customers.

Loss of customer trust and spread of damages

As mentioned above, credit card payments might be temporarily unavailable. If the ecommerce site goes down while a customer is placing an order, they could perceive the site as unsafe or unable to process secure payments.

If a customer checks with the business, they might receive a response such as, “Credit card payments are temporarily suspended due to unauthorized activity from outside the company.” A message like this might increase the customer’s unease or mistrust.

Furthermore, if a credit master attack is successful, credit master attackers might view the site as having poor security. Therefore, the site might continue to be targeted in the future. In addition, if a malicious third party obtains valid credit card information from a company’s ecommerce site, the customers’ personal information has been compromised. Their card information can also be used fraudulently elsewhere, resulting in further harm to customers.

How can businesses in Japan prevent credit master attacks?

Here are the steps businesses can take to protect against credit master attacks and reduce the likelihood of being impacted:

3D Secure

3D Secure is an authentication system that aims to prevent unauthorized use of credit cards when making payments on ecommerce sites. One-time passwords and biometric authentication are becoming the norm, and they are used to confirm that the person entering the credit card information is the legitimate owner of the card.

For example, in 3D Secure 2.0 (also known as “EMV 3-D Secure”), it is possible to prevent unauthorized use, such as stealing credit card information. The system performs risk assessment based on detailed data, such as the customer’s device information, access region, and time of day. However, 3D Secure 2.0 on its own is not sufficient to completely prevent fraud, so it is necessary to implement various other fraud prevention measures beyond 3D Secure 2.0.

Bot countermeasure tools

Using bot detection tools is another way to prevent automated unauthorized access, including credit master attacks. Google’s reCAPTCHA is a well-known bot detection tool, and it is a security service that any business can adopt.

reCAPTCHA v2 features two kinds of tests. One requires the customer to check a box to confirm they are not a robot, and the other requires customers to select the correct images from a set of multiple images. For example, the instructions might say: “Please select the images that include a pedestrian crossing.” These are often seen when submitting an inquiry form on a website or when logging into an account.

In addition, the latest version—reCAPTCHA v3—uses machine learning to analyze customers’ web activity patterns and automatically determine whether the site is being accessed by a human or bot. While reCAPTCHA v3 does not require customer input like reCAPTCHA v2, it provides superior security.

Fraud detection systems

A fraud detection system identifies fraudulent use based on past payment information and behavior. Some of the information it looks for includes:

• An invalid or fictitious address

• A mismatched cardholder name

• Orders placed from different terminals

• Repeated payments with different card numbers

With a fraud detection system, businesses can more effectively prevent damage to ecommerce sites by detecting and automatically blocking fraudulent transactions that cannot be verified with 3D Secure. Fraud detection systems also don’t require legitimate cardholders to go through extra steps to make payments, such as being asked for additional authentication. This can lead to an improved shopping experience for customers.

Stripe helps businesses optimize their online payment environment by addressing the growing threat of fraud on a global scale. Stripe’s proprietary fraud prevention tool, Stripe Radar, uses machine learning to adapt to the ever-changing patterns of fraud, enabling more advanced fraud prevention measures. Because it can be incorporated into the payment flow without extra time and cost to independently develop a fraud detection system, use of the system can be started smoothly and easily.

Limits on card information entries

Setting a limit on the number of times a customer can enter their credit card information on the payment screen can prevent large-scale credit master attacks.

However, if the limit is set too tightly, it can block card use if a legitimate cardholder mistakenly enters incorrect information too many times. An overly strict limit can increase the risk of shopping cart abandonment and decrease customer satisfaction.

How do credit master attacks impact cardholders?

Here are a few examples of damage a cardholder might suffer as a result of a credit master attack:

Undetected fraudulent card use

If the credit card information generated in a credit master attack is deemed valid, it’s likely that it will be used by a malicious third party. As credit master attackers adopt more sophisticated methods, many will deliberately keep the amount of money spent so low that it is not immediately detected as fraudulent use by the customer.

Card reissue

If there are multiple instances of fraudulent credit card transactions, the credit card company might decide to cancel the card. As we’ll explain later, if a credit card holder notices a credit master attack on their own, they need to contact the credit card company and have the card canceled. In either case, the card will need to be reissued and can’t be used until it is.

How can cardholders prevent credit master attacks?

When a credit card is used fraudulently in a credit master attack, it is both a financial and psychological burden for the customer. Here’s what cardholders can do to reduce their risk of being victimized and what they should do if their credit card information is used in a credit master attack:

Preventing credit master attacks

Check card statements carefully and regularly

When a cardholder checks their statement regularly, they’re more likely to notice payments they don’t remember making. For example, compared to someone who only checks their statement once a month, someone who checks their statement after every shopping trip or meal will be more likely to tell whether or not a payment is unusual.

Use a usage notification service

A usage notification service allows a cardholder to receive notifications by email, text message, or push notification whenever a credit card is used. They are notified in real time of the amount, date, time, name of the business, and other information after the card is used. If they receive a notification when they didn’t use the card, they will know immediately that it is fraudulent and can take appropriate action.

Set card use restrictions

Setting a limit for each type of usage situation can provide some peace of mind to credit card customers. It is also important to set individual limits for each situation. For example, if the cardholder never travels outside of Japan, they can set the overseas limit to the minimum. They can also set the card to prevent single high-value transactions so they are less likely to become a target for online shopping fraud.

Recovering from a credit master attack

Sometimes, these attacks are unavoidable, even if the business and cardholder take every measure possible to prevent fraud. Here’s what a cardholder can do if they become a victim of a credit master attack:

Contact the credit card company to suspend the card

As soon as a cardholder notices any unauthorized use, they should contact the credit card company immediately and request the card be suspended. If unauthorized use is discovered, they can request a refund by refusing payment through a process called chargeback.

Use the compensation system

After a credit card has been suspended, cardholders can use the credit card company’s compensation system. The details of compensation are different for each company, but if unauthorized use has been confirmed, they can use the compensation system as a consumer relief measure. Therefore, cardholders should check the details of the compensation system in advance. This can help them act calmly in the event of a credit master attack.

FAQs about credit master attacks

When does a credit card statement update?

In terms of timing, when the store sends the usage data to the credit card company, it is reflected on the statement. For example, if the store sends usage data immediately after a credit card payment, it generally takes two or three days from the time of the payment to the time it appears on the statement. However, the timing of data transmission varies by store. In some cases, it can take several weeks or months for a charge to appear on a statement.

If a cardholder uses a credit card to pay for a product, the transaction information won’t appear on the statement immediately.

Is it possible that only the credit card number could be misused?

Credit cards include several pieces of information that can be misused, such as a security code and expiration date. Some people might worry that their card number has been revealed to a third party and might be misused. However, in general, if just one of these details is leaked, the chances of successful unauthorized use is low.

This is because shopping online at an ecommerce mall or signing up for digital services over the internet requires cardholders to enter the card number, security code, and expiration date. In other words, it isn’t possible to make a credit card payment online with just the card number.

However, if the security code and expiration date are leaked along with the card number, it could be used fraudulently. For this reason, whenever a cardholder makes a credit card payment—whether in person or not—they should be careful about what people around them can see. They should avoid shopping online in places with large numbers of people, as someone might try to look at the payment screen and obtain their information.

When will 3D Secure for credit cards become mandatory?

As part of the measures to prevent unauthorized use of credit cards, 3D Secure 2.0 will be mandatory for ecommerce sites in Japan by the end of March 2025. As 3D Secure becomes mandatory, it’s important for all companies involved in the credit card industry to encourage ecommerce businesses to participate.

What to know about credit master attacks

In this article, we examined the attack methods and monetary amount of damage in credit master attacks, as well as the damage and countermeasures for both businesses and customers.

Credit master attacks involve malicious techniques that allow random attacks by using machine-based automatic number generation as a way to fraudulently obtain credit card information. To defend against attackers who plan to use the credit master technique, it is very important to support 3D Secure and strengthen the security level of your company’s ecommerce site. You can do so by implementing fraud detection and creating a site environment where customers can enjoy shopping with peace of mind.

On the customer side, credit cardholders should also take extra care when using their cards, check their statements regularly, and use care when storing and managing their personal information.