How to Thwart Enumeration Attacks

Preventative and proactive measures to protect against brute force enumeration attacks.

As covered in our recent blog Payment Enumeration Attacks Explained, enumeration attacks are one of the top threats to the payments ecosystem, causing over $1 billion in fraud losses each year. They harm merchants by driving up processing fees (every attempt is an authorization the merchant pays for, approved or declined), increasing operating costs, and exposing them to additional fraud risk.


Fortunately, there are steps a merchant can take proactively to reduce the likelihood of an enumeration attack and to determine quickly whether one is under way. Many processors offer tools you can use to implement the following strategies:

  • Set transaction limits: Cap the number of authorization attempts allowed from any single IP address within a given time window. This slows bots down, but it does not stop them outright, since botnets rotate across many IP addresses, so pair it with the other controls below.
  • Implement CAPTCHA: A CAPTCHA on checkout pages raises the cost of automated enumeration and blocks unsophisticated bots. It slows attacks rather than eliminating them (CAPTCHA-solving services exist), so treat it as one layer among several.
  • Use 3D Secure (3DS): 3DS lets the card issuer authenticate the cardholder during checkout, for example with a one-time code sent to their phone. A bot testing guessed card numbers cannot complete that step, so it learns far less about which numbers are live.
  • Implement monitoring: Use velocity checks and watch for the transaction patterns typical of enumeration attacks so that you can act promptly. Patterns to watch for include:
    • Spikes in transaction volume at odd times of the day
    • A high volume of transactions in a brief period of time
    • Spikes in small-dollar transactions, or in transactions with the same or similar amounts
    • A large volume of transactions against the same issuer (BIN)
    • Spikes in authorization declines, particularly with ISO 8583 response codes 14 (Invalid Account Number), 54 (Expired Card), 55 (Incorrect PIN) and 59 (Suspected Fraud)
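As an added example (not code from Verisave or from any processor), the Python below replays a small constructed authorization log through a per-IP sliding window, applying the transaction limit from the first bullet and the pattern checks from the monitoring bullet above. The log rows, the field layout, and every threshold (5 attempts per minute, 4 attempts before judging a pattern, $5.00 as "small", 00:00 to 06:00 as "odd hours") are assumptions chosen for illustration; a real deployment would tune them against its own traffic.

```python
# Added example (not Verisave's or any processor's code): a velocity monitor that applies a
# per-IP transaction limit and flags the enumeration patterns listed above. Thresholds,
# field layout and the sample log are assumptions chosen for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ISO 8583 authorization response codes the post singles out as enumeration indicators.
SUSPECT_CODES = {"14": "invalid account number", "54": "expired card",
                 "55": "incorrect PIN", "59": "suspected fraud"}

# Constructed sample authorization log (not real traffic), in chronological order:
# (local timestamp, client IP, card BIN, amount in USD, response code; "00" = approved).
# The first seven rows are a 02:14 burst from one IP probing one BIN with $1.00 charges;
# the last three are ordinary daytime traffic, including a normal "51 insufficient funds" decline.
SAMPLE_LOG = [
    ("2024-03-01T02:14:00", "203.0.113.9", "411111", 1.00, "14"),
    ("2024-03-01T02:14:03", "203.0.113.9", "411111", 1.00, "14"),
    ("2024-03-01T02:14:05", "203.0.113.9", "411111", 1.00, "54"),
    ("2024-03-01T02:14:08", "203.0.113.9", "411111", 1.00, "14"),
    ("2024-03-01T02:14:10", "203.0.113.9", "411111", 1.00, "00"),  # a hit: this card number is live
    ("2024-03-01T02:14:12", "203.0.113.9", "411111", 1.00, "59"),
    ("2024-03-01T02:14:15", "203.0.113.9", "411111", 1.00, "14"),
    ("2024-03-01T14:02:10", "198.51.100.7", "541333", 84.99, "00"),
    ("2024-03-01T14:09:45", "198.51.100.12", "411111", 129.50, "00"),
    ("2024-03-01T14:20:02", "198.51.100.7", "541333", 12.00, "51"),
]


def velocity_check(records, window=timedelta(seconds=60), max_per_ip=5,
                   suspect_ratio=0.5, min_attempts=4, small_amount=5.00):
    """Replay authorization records through a sliding window per client IP.

    Returns (decisions, alerts):
      decisions - "allow" or "throttle" for each record, in timestamp order; an IP that
                  already has max_per_ip attempts inside the window is throttled (the
                  transaction limit from the list above).
      alerts    - (ip, [reasons]) raised once per IP when its window shows at least two of
                  the enumeration patterns: mostly suspect decline codes, a single BIN,
                  one repeated small amount, or activity between 00:00 and 06:00 local time.
    """
    per_ip = defaultdict(deque)  # ip -> deque of (ts, bin, amount, code) inside the window
    decisions, alerts, alerted = [], [], set()

    for ts_str, ip, card_bin, amount, code in sorted(records, key=lambda r: r[0]):
        ts = datetime.fromisoformat(ts_str)
        attempts = per_ip[ip]
        while attempts and ts - attempts[0][0] > window:  # drop attempts that aged out
            attempts.popleft()

        # Transaction limit: throttle, but still record the attempt so the pattern checks
        # below see the full picture of what the client is trying.
        decisions.append("throttle" if len(attempts) >= max_per_ip else "allow")
        attempts.append((ts, card_bin, amount, code))

        if len(attempts) < min_attempts or ip in alerted:
            continue
        codes = [a[3] for a in attempts]
        suspect = [c for c in codes if c in SUSPECT_CODES]
        bins = {a[1] for a in attempts}
        amounts = {a[2] for a in attempts}
        reasons = []
        if len(suspect) / len(codes) >= suspect_ratio:
            reasons.append(f"{len(suspect)}/{len(codes)} declines with codes {sorted(set(suspect))}")
        if len(bins) == 1:
            reasons.append(f"every attempt against BIN {next(iter(bins))}")
        if len(amounts) == 1 and max(amounts) <= small_amount:
            reasons.append(f"repeated small amount ${max(amounts):.2f}")
        if ts.hour < 6:  # "odd time of day" threshold: an assumption for this example
            reasons.append(f"activity at {ts:%H:%M} local time")
        if len(reasons) >= 2:
            alerts.append((ip, reasons))
            alerted.add(ip)
    return decisions, alerts


if __name__ == "__main__":
    decisions, alerts = velocity_check(SAMPLE_LOG)
    print(decisions)
    for ip, reasons in alerts:
        print(f"ALERT {ip}: " + "; ".join(reasons))
```

Run against the constructed log, the sixth and seventh attempts from 203.0.113.9 are throttled by the per-IP limit, and that IP raises one alert citing all four patterns; the daytime traffic, including the ordinary code 51 decline, produces neither. Requiring two patterns before alerting keeps a single unusual decline from paging anyone; the alert fires once per IP so a sustained attack does not flood the queue.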

Additionally, merchants should use comprehensive security measures to protect their systems, including:

  • Endpoint security: Protect the workstations and servers that touch payment systems with an endpoint protection platform (EPP) that includes next-generation antivirus and endpoint detection and response (EDR), and apply zero trust principles so that access to those systems is verified and limited to what each user needs rather than granted because a device is on the internal network.
  • Advanced application security: Employ comprehensive application security measures, including regular code audits, encryption or tokenization of card data at the application layer so raw card numbers are never stored, and a web application firewall (WAF) with rate-based and bot-detection rules on the checkout and payment endpoints, since a BIN attack looks like a burst of small, fast requests to exactly those endpoints.
  • Deep packet inspection: Use DPI at the network perimeter to scrutinize incoming and outgoing traffic at the application layer and block traffic that matches an enumeration pattern. Note that DPI can only see application-layer content where the traffic is decrypted, so it must sit behind the TLS terminator to be useful against HTTPS checkout traffic.

Finally, make sure to continuously reassess security protocols, have an incident response plan in place, and keep up to date on the latest fraud schemes and cybersecurity threats. Staying informed and being proactive will help you improve your defensive capabilities and protect your business.

If your business is looking to better manage your merchant account or reduce fees, we’re here to help. We fix and monitor your existing merchant account, and we bring that money back to you. No need to change processors or add a project to your team’s already hectic workload. Schedule a consultation today.

Verisave is a third-party cost-reduction firm specializing in merchant accounts and credit card processing fees.

Verisave is not a payment processor, and is not affiliated with any processors, card brands, or banks.

Verisave has more than 20 years of experience optimizing and monitoring the credit card processing industry.

Contact Verisave