How We Fell Victim To Card Testing Fraud

The last three weeks have been hectic for our company. Credit card testing fraud has hit us hard. This post is the third on this subject, following the first post by our Trust and Data protection officer and the second post made by me. In this post, I would like to take a step back and explore the larger context of what happened and what we learned from it.

We design our product for the good guys: people who want to eliminate the back-and-forth when scheduling meetings with people outside their organization. We put a lot of thought and effort into creating a great product for the good guys. Unfortunately, it turns out there are also bad guys who want to use our product for illegal purposes, as another piece in their crime chain.

Why would anyone purchase OnceHub SMS credits with a stolen card? Well, if they can do this on a large scale, with thousands of bots all around the world, they can create a card-testing machine that tells them which of the cards they stole or purchased on the dark web were already blocked and which are still usable for their fraudulent schemes. They can do this on a large scale, filtering out the blocked cards and keeping the validated cards, which they can then resell, use at ATMs, or use to purchase physical goods.

The attack started with the fraudsters creating one account and using it to make multiple purchases. We managed to detect this pretty quickly and blocked the account. We then refunded and voided all the transactions.

Then the fraudsters started with the second phase of their attack, creating multiple accounts and using them for multiple purchases. We responded as we did before and started to deploy additional measures to curb the attackers.

They carried out the third phase of their attack with innocent-looking accounts, some of which they may have prepared in advance. Every such account had one purchase only and everything looked legitimate. It was very hard to tell the difference between a real customer and a fraudster account. We again responded and deployed additional measures. However, this only slowed them down for a while and they kept coming back, bypassing the measures we implemented and the expensive bot-detection software meant to block this kind of attack. These fraudsters had the complete details of all their cards. See this article to understand how they steal this information.

At that point, we decided to take down purchasing via credit cards. We knew this would be another blow to our business but it was the right thing to do.

We have a high focus on security and privacy in OnceHub, ensuring our customers’ data is safe. However, we did not conceive that someone would want to use our software for an illegal activity on such a large scale. This incident taught us that the threat from illegal use of our software is just as crucial and its mitigation should be an integral part of our product development lifecycle process.

Another takeaway from this incident is never to underestimate the power of fraudsters and how sophisticated and determined they can be. Credit card fraud is a multi-billion dollar industry. In August this year, over five million cards were breached from a supermarket chain. In November, over four million credit cards were obtained from breaches involving a chain of restaurants. Just yesterday, a large convenience store chain announced its cards were compromised over a nine-month period. We empathize with all the innocent cardholders whose details were compromised as a result of these attacks.

As I mentioned at the start of this post, the last three weeks have been tough on us. They required all we had: commitment, resourcefulness, perseverance, initiative, and leadership. We are proud of our team members, who stepped up and demonstrated these values, working together around the clock to fight this massive attack. Yes, we have been hurt, but we will prevail. We are coming out of this a stronger, smarter, and more resilient company.