December 12, 2019
If you are interested in the bigger story behind this incident, you can read our CEO’s summary and perspective.
Credit card fraud is a growth industry. Survey after survey shows that “card-not-present” fraud is a multi-billion-dollar industry that shows no sign of slowing down.
Like all online merchants, we are not immune to the impact of this type of fraud, and we recently experienced an incident where our software was used by a fraudster in an illegal way – for what is known as Credit Card Testing Fraud.
The incident occurred when we detected suspicious activity on our systems and found that someone was opening multiple OnceHub accounts and then attempting to purchase $15 of SMS credits using a list of stolen cards. They were doing this to test whether the stolen card details were still “valid”, i.e. to see whether the card had been canceled or blocked by the cardholder’s bank.
We immediately took steps to contain the incident, and we voided or refunded all transactions that had been accepted by the cardholder’s bank. This was not a hack or breach of security of any of our systems. It was a case of someone using our software for illegal purposes.
As part of our Incident Response, we investigated whether there was any specific event that may have triggered this incident. We found that it may have been related to several high-profile credit card breaches that have happened recently in the USA.
In August, over 5 million cards were breached from a supermarket chain and in November over 4 million credit cards were obtained from breaches involving a chain of restaurants. Criminals most probably captured the card information by installing malicious software on the retailer’s card processing system. They then sold it on websites on the “Dark Web”.
It is an ongoing battle for all of us to stay one step ahead of online fraudsters and hackers.
As a company, we have learned lessons from this incident. We will be deploying further security controls on our payment gateway to reduce the risk of our website being used to commit this type of fraud in the future.
As individuals, we must always be on the lookout for suspicious activity on our bank accounts. Setting up account alerts and using chip-and-PIN-enabled cards are some of the ways in which we can help to detect and reduce the risk of fraud.
If your card was used in this fraud and you have any questions relating to it, or if you have not received a refund where an illegal payment was made, then please contact us at firstname.lastname@example.org.
Trust & Data Protection Officer