
SANS ISC: InfoSec Handlers Diary Blog



Interesting Credit Card transactions, are you seeing similar?

Published: 2013-04-24
Last Updated: 2013-04-24 16:00:49 UTC
by Mark Hofman (Version: 1)

In my day job we get involved in payment systems, credit card transactions etc. We are also asked to investigate and explain incidents as well as "unusual" activity.

When looking at credit card payments there are always payments for people like lkjsdflkjs and "famous person name", usually small-value transactions ($2, $5, $10), although recently we've started seeing $60 transactions. These are easily identified and the motive is very clear: test the card. If the transaction goes through, the card number and CVC (if needed) or other details are correct.

Recently, however, I've been seeing more interesting transactions. The transactions start with a high value and step down until the transaction is accepted, i.e. we start with a charge of 10K, then the next transactions are 9K, 8K, ... 3K, $1000, $900, $800, ... $100. The process is automated, so if the limit on the card is high enough, multiple transactions are sometimes accepted. Again, these transactions are easily identified; however, the motive eludes me. We looked at a number of possibilities:

  • Identify the upper limit on the card - The process, however, results in the card being maxed out. The issuing bank or card brand blocks the card. The number now no longer has any value. You know the upper limit, but can no longer use the card.
  • Purchases for resale - This was the obvious one, but in the cases I worked on, none actually deliver physical product to the purchaser.
  • Refunds? - Another scenario we looked at is that after the transactions are done, the organisation is called by the fake cardholder and a refund is requested. Because their bank has blocked the card, they'd like to be refunded to a different card or some other payment mechanism. Looking at refunds and refund requests through customer service avenues allowed us to discard this scenario in the cases we worked on.
  • Credit Card DOS - A third scenario was a DOS on cards: max out the card, and as many as possible, and irritate either the bank or the card brand, or the proper cardholders. The volumes, however, would be annoying for the merchant and issuing bank, but were certainly not on epic scales. Unless, of course, we were only seeing one small part of a much larger distributed effort.

So what I'm asking those of you that deal with credit card payments is this: have you seen similar behaviour in your payment systems? Multiple transactions on the same card, starting with a big value, stepping down in increments to lower values until the transaction is accepted and, in some cases, beyond. Those of you that deal with donation sites or online delivery (i.e. no physical product) are more likely to see these.

If you have other ideas on what the point of these transactions is, by all means share, either as a comment or through the contact form.

Regards
Mark H  (markh.isc at gmail.com)
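
The step-down pattern described in the diary can be picked out of payment logs by grouping attempts per card and looking for runs of strictly decreasing amounts made in quick succession. The following Python is an added example, not part of the original diary; the record layout, card tokens, thresholds (`min_declines`, `max_gap`) and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (card token, ISO timestamp, amount, approved).
SAMPLE = [
    ("tok_A", "2013-04-20T10:00:00", 10000, False),
    ("tok_A", "2013-04-20T10:00:04", 9000, False),
    ("tok_A", "2013-04-20T10:00:08", 8000, False),
    ("tok_A", "2013-04-20T10:00:12", 7000, False),
    ("tok_A", "2013-04-20T10:00:16", 6000, True),
    ("tok_A", "2013-04-20T10:00:20", 5000, True),   # continues past first approval
    ("tok_B", "2013-04-20T11:00:00", 2, True),      # small-value card test
    ("tok_B", "2013-04-20T11:00:30", 5, True),
    ("tok_C", "2013-04-20T12:00:00", 120, False),   # ordinary retry, same amount
    ("tok_C", "2013-04-20T12:01:00", 120, True),
    ("tok_D", "2013-04-20T13:00:00", 300, False),   # steps down, never accepted
    ("tok_D", "2013-04-20T13:00:05", 200, False),
    ("tok_D", "2013-04-20T13:00:10", 100, False),
]

def _score(card, run, min_declines):
    """Summarise one run; None unless enough declines precede the first approval."""
    declines = next((i for i, r in enumerate(run) if r[2]), len(run))
    if declines < min_declines:
        return None
    return {"card": card, "attempts": len(run), "start_amount": run[0][1],
            "declines_before_approval": declines,
            "approved": [amt for _, amt, ok in run if ok]}

def find_step_down_runs(txns, min_declines=3, max_gap=timedelta(minutes=5)):
    """Flag per-card runs of strictly decreasing amounts attempted in quick succession."""
    by_card = defaultdict(list)
    for card, ts, amount, approved in txns:
        by_card[card].append((datetime.fromisoformat(ts), amount, approved))
    findings = []
    for card, rows in by_card.items():
        rows.sort()
        run = []
        for row in rows + [None]:            # None sentinel flushes the last run
            extends = (row is not None and bool(run) and row[1] < run[-1][1]
                       and row[0] - run[-1][0] <= max_gap)
            if run and not extends:
                hit = _score(card, run, min_declines)
                if hit:
                    findings.append(hit)
                run = []
            if row is not None:
                run.append(row)
    return findings

if __name__ == "__main__":
    for f in find_step_down_runs(SAMPLE):
        print(f)
```

A finding with an empty `approved` list is a run that stepped down without ever being accepted, which is worth reviewing alongside the runs that did succeed.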

 
