How Fraudsters Use Credit Card Enumeration Attacks to Steal Payment Data – and How to Protect Yourself or Your Business

Fraudsters increasingly use enumeration attacks to steal payment data, exploiting legitimate businesses by methodically testing card numbers, expiration dates, and CVV codes through merchant payment systems. This is akin to picking a lock, one digit at a time. They often test small-dollar transactions to verify stolen card details before launching more extensive fraudulent activities.

Key Tactics Fraudsters Use to Steal from Credit Cards

1. Enumeration Attacks: Fraudsters attempt multiple combinations of card details to find valid ones.
2. Account Testing: Small transactions ($1–$2) test the validity of cards. Successful tests lead to large-scale fraud.
3. Phishing or Merchant Account Takeovers: Criminals gain access to merchant accounts by phishing, taking over, or creating fake accounts.
4. Clone Payment Devices: Fraudsters also use cloned payment terminals to bypass legitimate merchant channels.

According to VISA:

Threat actors are leveraging sophisticated technologies, like automated scripts and botnets, to amplify their card testing attacks, allowing them to exploit vulnerabilities at an unprecedented scale and speed. These attacks, known as enumeration attacks, inflict operational expenses and $1.1B annually in fraud losses, accounting for a significant portion of global fraud.

Enumeration can have lasting impacts on our VISA clients and there’s an immediate need for tools that can better detect and prevent these attacks in real-time, said Paul Fabara, Chief Risk and Client Services Officer at Visa.

Thirty three percent of enumerated accounts experienced fraud within five days of a fraudster obtaining access to their payment information.

How Credit Card Enumeration Attacks Work

Enumeration attacks are a form of payment fraud where criminals use trial-and-error methods to systematically test combinations of card details (like card numbers, CVVs, and expiration dates) through online payment systems. This method exploits weak or non-existent fraud detection mechanisms within a payment processing system, and fraudsters may only need a few valid pieces of data to succeed.

How the Attack Is Executed

• • Card Number Testing: Fraudsters start by acquiring partial or full card numbers, often from breaches or the dark web. They then attempt to “guess” additional information, such as CVV and expiration dates, by running multiple small transactions.
  • Using Merchant Systems: The fraudster tests these combinations through a legitimate merchant’s payment gateway, trying various expiration dates and CVVs until a valid combination is found. Automated bots are frequently used to speed up this process.
  • Small Transactions: The attackers often use small-dollar transactions (e.g., $1–$2) to avoid detection and ensure the card details are valid. Once validated, they move on to more substantial fraudulent purchases.

What Fraudsters Expect

• • Successful Matches: The ultimate goal of an enumeration attack is to identify valid card details that can then be exploited for larger fraud schemes, such as making significant online purchases or selling the card information.
  • Minimal Risk: Fraudsters expect to operate under the radar, using numerous merchants to distribute their attack and lessen the chances of detection. By testing small transactions across various platforms, they avoid triggering traditional fraud alerts.

How Cardholders Can Be Aware

• • Monitor Small Transactions: Cardholders should keep an eye on small, unfamiliar charges, which could indicate that their card details are being tested. Even a small transaction can be a red flag.
  • Set Up Alerts: Most banks allow customers to set up text or email alerts for any transactions, particularly international or online ones.
  • Report Suspicious Activity: If cardholders notice unauthorized charges, they should report them to their bank immediately to freeze the account and prevent further fraudulent use.

How Merchants Can Be Aware

Merchants can spot Enumeration Attacks by carefully monitoring their payment systems for unusual patterns and irregular transaction behavior. Here’s how they can detect attacks both in progress and after the fact:

Spotting Enumeration Attacks in Progress:

1. 1. • Unusual Transaction Patterns: A high volume of small, rapid transactions in quick succession from different cards can signal an attack. These attempts often involve microcharges of $1–$2, indicating fraudsters are testing combinations of card numbers, CVVs, and expiration dates.
      • High Decline Rates: A sudden spike in transaction decline rates, especially for small charges, may indicate that criminals are trying multiple invalid card details, hoping to find the right combination.
      • Unusual IP Addresses or Geolocations: Attackers may use bots or automated systems, which often result in multiple transactions coming from a single or a few unusual IP addresses that don’t match the expected locations of customers.
      • Repeated Usage of Similar Card Numbers: Fraudsters might increment or decrement card numbers slightly to identify valid combinations. If the merchant’s system spots patterns of numbers being tested with different CVV or expiration dates, this is a clear sign of enumeration attacks.

Identifying Enumeration Attacks After the Fact:

1. 1. • Transaction Logs Review: Conduct post-event reviews of transaction logs, focusing on declined transactions. A significant number of declines over a short period or across several merchant accounts can point to previous enumeration attacks.
      • Analysis of Fraud Chargebacks: Multiple chargebacks linked to small, successful transactions followed by larger fraudulent purchases can indicate that attackers successfully tested card details using enumeration.
      • Merchant Account Breaches: If the business sees a pattern of suspicious account behavior (e.g., account takeovers or unusual payment device setups), attackers may be targeting the system to exploit it for card testing.

By regularly reviewing transactions for these signs and implementing strong fraud prevention tools such as rate limiting, CAPTCHA, and two-factor authentication (2FA), merchants can better detect and block enumeration attacks before they cause substantial damage.

Protecting Against Enumeration Attacks

Both businesses and cardholders must remain vigilant. Implementing strong authentication measures, monitoring for unusual transaction patterns, and regularly reviewing credit or debit card statements can help mitigate the risk of being affected by enumeration attacks.

Summary: Know The Basics

1. Strong Authentication: Ensure multi-factor authentication (MFA) for anyone accessing your payment systems.
2. Monitoring Transaction Patterns: Keep a close eye on transaction anomalies, especially small-dollar amounts.
3. Enforce Strict Fraud Controls: Implement strict limits and controls for small transactions to block account testing.
4. Employee Training: Educate employees about phishing and social engineering techniques used to take over accounts.

By staying vigilant and adopting robust security practices, businesses can safeguard themselves from becoming unwilling participants in these fraud schemes.