How Stripe responded to a wave of card testing attacks

Lead image 3 (higher res)

Between February and August 2022, Stripe tracked a surge of credit card fraud in which bad actors inundated merchants with millions of small- or zero-dollar transactions. These “card testing” attacks allow criminals to verify that stolen credit cards still work and can cripple businesses. At the peak of the wave, Stripe Radar—Stripe’s fraud prevention solution—blocked more than 20 million card testing attempts per day.

The summer wave was part of a trend. Card testing has accelerated over the last few years as more businesses have moved online. Many are unfamiliar with the intricacies of ecommerce and have left themselves vulnerable to bad actors. Card testing attempts have spiked as a result—up more than 100x since 2019.

Card testing sent to Stripe vs baseline v4b OL

Verifying stolen cards

Card testing plays a crucial role in the process bad actors use to extract value from stolen credit card details. When they purchase a list of credit card details, they don’t know which cards are still active. Some might have been canceled and others might have expired. This makes it hard to know the real value of the list.

This is where card testing comes in.

Card testers create programs that automatically attempt to make a small payment with each card in a set, or to save it on a site as a validated payment source. Cards that are used or saved successfully can be sold to other bad actors who can use them to make larger purchases or manufacture counterfeit cards.

“Fraud in general is an ecosystem where you have different players that are doing different things in the value chain in order to ultimately make money,” said Will Megson, product lead for Radar.

Radar responds

The good news is that businesses can fight back with little effort on their part—Radar does the work for them.

In response to the card testing surge, Stripe engineers streamlined the flow of data from the Stripe network into Radar. This made it possible to launch upgraded models within an hour—accelerating a process that previously took a day or two and allowing Radar to adapt to fast-moving fraud trends.

“By leveraging Stripe’s machine learning and custom fraud rules, we've seen a decrease in our fraud rates and chargeback rates,” said Lourdes García, product manager at the online optical store Ben & Frank.

Stripe also built a new transaction-level card testing machine learning model. Doing so required developing new methods for accurately labeling card testing transactions, beyond the existing state of the art—a previously prohibitive step because card networks don’t provide card testing labels of any kind.

In addition to these machine learning improvements, Stripe introduced dozens of new rate limiters, which cap the number of requests the Stripe API will process in a short period of time. This step alone has blocked nearly 40 million card testing transactions this year.

“We’re getting much smarter about monitoring how card testing scripts interact with merchants,” said Megson.

Blocking more attacks

The results have been encouraging. So far this year, Radar has blocked an additional 400 million fraudulent transactions, cutting the number of card testing attacks that slip through in half—without increasing the rate at which legitimate transactions are misidentified as fraud.

“We were on the cusp of losing the ability to process payments due to the number of fraudulent transactions. That’s when we started using Radar, which allowed us to programmatically fight fraud and institute fine-grained ways to fight back against card testers,” said Matt Maier, CEO of AdBlock.

Stripe continues to invest in Radar by combining innovations in machine learning with real-world lessons from the fight against card testing. As card testing evolves, Radar will, too.