Protecting Nonprofits Against Carding Attacks
A report by Symantec released earlier this year revealed that nearly half of all U.S. companies experienced two or more cyberattacks, many of which focused on identity theft. Following such a breach, cybercriminals test the stolen credit card data to validate the information, in a process called credit card number testing, which is dramatically on the rise.
Card testing is up 200 percent in 2017 alone, according to Radial’s recent report from May 2017. The tactic can be manual or automated and is used by fraudsters to test stolen credit card numbers and check their validity. The automated systems parse the data and attempt donations to a charity website for a small dollar amount. The bot then reports back to the hackers to let them know whether the transaction was successful. Each card that cybercriminals can validate online is worth good money on the black market and is quickly used to obtain other goods and services of higher value.
This ability to verify small amounts from tens of thousands of different types of cards in many different countries seems to work more reliably against nonprofits than against larger entities, probably because these targets often lack adequate fraud controls. Nonprofits seem particularly susceptible because they often have simple online forms to make it easy to collect donations, and, just as when buying any kind of digital good, no shipping address is required to complete a purchase. Unfortunately, this kind of fraud burdens organizations with chargeback fees, lost sales or donations, administrative time, and damaged reputation.
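The pattern described above (a burst of micro-donations, many distinct cards, a high decline rate, all from one source) is what a donation platform's fraud controls need to spot. The following is an added example, not MobileCause code: a small velocity check run over a constructed donation-attempt log. The log format, the thresholds and the use of a card fingerprint (rather than the card number itself) are assumptions about how such a platform might log attempts.

```python
"""Heuristic detection of card-testing bursts in a donation-attempt log.

Added example; the log layout and thresholds are assumptions, not any
vendor's actual format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one line per payment attempt:
# timestamp, source IP, card fingerprint (never the card number), amount, result.
SAMPLE_LOG = """\
2017-06-01T10:00:01Z 203.0.113.7 fp_a1 1.00 declined
2017-06-01T10:00:03Z 203.0.113.7 fp_b2 1.00 declined
2017-06-01T10:00:04Z 203.0.113.7 fp_c3 1.00 approved
2017-06-01T10:00:06Z 203.0.113.7 fp_d4 2.00 declined
2017-06-01T10:00:07Z 203.0.113.7 fp_e5 1.00 declined
2017-06-01T10:00:09Z 203.0.113.7 fp_f6 1.00 approved
2017-06-01T10:05:00Z 198.51.100.2 fp_g7 50.00 approved
2017-06-01T11:30:00Z 198.51.100.9 fp_h8 25.00 approved
2017-06-01T11:31:00Z 198.51.100.9 fp_h8 25.00 declined
"""

# Assumed thresholds; tune them against your own donation history.
WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 5        # attempts from one source inside the window
MIN_DISTINCT_CARDS = 4  # distinct cards from one source inside the window
SMALL_AMOUNT = 5.00     # "micro-donation" ceiling typical of card testing
MIN_DECLINE_RATE = 0.5  # testers burn through many dead cards


def parse_line(line):
    """Parse one log line into a dict with a datetime and a float amount."""
    ts, ip, fp, amount, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "fp": fp,
        "amount": float(amount),
        "result": result,
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_card_testing(events, window=WINDOW):
    """Return {source_ip: summary} for sources whose attempts look like card testing.

    A sliding window per source IP is checked for: enough attempts, enough
    distinct cards, every amount small, and a high decline rate. The summary
    keeps the fingerprints of cards that were approved, since those are the
    cards the fraudster has now validated and the ones to refund and report.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < MIN_ATTEMPTS:
                continue
            distinct = {e["fp"] for e in win}
            all_small = all(e["amount"] <= SMALL_AMOUNT for e in win)
            declined = sum(1 for e in win if e["result"] == "declined")
            if (len(distinct) >= MIN_DISTINCT_CARDS and all_small
                    and declined / len(win) >= MIN_DECLINE_RATE):
                # Keep the largest qualifying window seen for this source.
                if ip not in flagged or len(win) > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": len(win),
                        "distinct_cards": len(distinct),
                        "declined": declined,
                        "approved_cards": sorted(
                            e["fp"] for e in win if e["result"] == "approved"),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_card_testing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

In the constructed log, the six one- and two-dollar attempts from 203.0.113.7 within eight seconds trip the check, while the genuine donor who retried once after a decline does not. The approved fingerprints in the summary are the cards worth refunding and reporting to the processor before the fraudster spends them elsewhere; a real deployment would also rate-limit or challenge the source once flagged.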
How to Protect Your Organization From Carding Attacks
Fraudsters regularly identify security-weak, “cardable” websites and brazenly share their names and URLs on pages dedicated to showing other hackers how to pull off carding fraud.
So, what can a nonprofit do to protect itself?
First, understand where your weaknesses may lie. Practices such as storing credit card numbers in hard copy, or on a computer in clear text or any other non-encrypted, human-readable, accessible form, have left organizations vulnerable to cybercriminals and cost them significant time and money.
Second, work only with credit card payment processors that uphold the highest security standards. PCI DSS Level 1 is the industry’s highest standard for payment processors and demonstrates that they have submitted to and passed a rigorous and comprehensive process, involving a full-scale audit, to validate all areas of the business that encounter cardholder data. The PCI standard defines over 300 controls that cover everything from corporate security policy to use of the latest security hardware, breach testing, physical controls, and the encryption to be used.
The Visa Global Registry of Service Providers is another way that organizations can verify their payment processor of choice. Visa advocates educating your stakeholders about protecting their data and encourages organizations to use only certified payment processors, while also developing a contingency plan in the event of a fraudulent carding attack, in the form of:
- Cyber Security Education: Provide a basic understanding of cyber security and the role your staff and donors play in it. For example, remind donors to monitor their online activities, including checking their debit and credit card statements, so they can notify you and their banks if any unusual activities show up.
- PCI Level-1 Certified Payment Processor: Best practice is to guarantee that the third-party payment processor does not store credit card numbers. A qualified vendor will ensure that once a card is entered into a form it is immediately tokenized, meaning the number is replaced with a value that is not human-readable. Card data is also encrypted in transit (as it travels across the Internet) and at rest (when it is stored).
- Contingency Planning: Have a response plan in place in the event of an attack that includes alerting donors about the breach and providing clear instructions about what they need to do. Be open and transparent about what exactly happened and let them know about any steps you are taking to resolve the issue to minimize the negative impact and prevent further damage.
While nonprofit organizations are most vulnerable to carding attacks, they can quickly follow these three necessary steps to protect their data management systems against potential cyber threats. Download the “3 Steps to Protecting Your Nonprofit from Carding Attacks” infographic.
Ged is the chief technology and security officer at MobileCause. He has more than 20 years of experience in leading software teams and bringing products from inception to market. His expertise spans a wide range of technologies and domains, from enterprise applications to highly complex middleware and security products.
A highly skilled security ninja, Ged keeps nonprofit organizations safe from fraudsters with secure donation processing systems and protocols.