Card Running

Has anyone experienced card running via website? We're currently being hit hard by one individual who is running small-amount transactions ($5.00), using different email addresses and different credit card numbers. We've contacted Support to get assistance with this. One option was to block the IP address, which we did, to no avail. They're recommending adding Address Verification Service (AVS), which will match the donor's address to the card, which Blackbaud warns results in failures for legitimate donors if they haven't typed their information in properly, which can be frustrating for the donor.


Below are the AVS options. I'm wondering if anyone uses this to protect from card running and have you seen an adverse effect on online donation rates as a result?

For zip code matching (PARTIAL_ZIP), the zip code at the bank can create a false failure if the bank has the zip+4 and the constituent does not enter in the +4 at the time of donating.

For either matching (PARTIAL), the matching is the same as the other partial matches but it will accept either.  So if I type in the wrong street number but the correct zip code, the transaction will be accepted and vice versa.

For complete matching (FULL), the matching is the same as the partials, but everything has to be correct.  So if I type in either my street number or my zip code incorrectly, the transaction will fail.


Comments

  • Hi Veronica -


    Phishing can happen almost anywhere :( If you already talked to Support then you've probably already been advised to consider changing the minimum amounts on donation forms. Since your phisher is semi-smart and they've already jumped the IP block hurdle, then you can start with the PARTIAL_ZIP and see if you get any donor complaints. If phishing continues, then you still have higher levels of AVS settings that you can trigger.


    The biggest pain for you as the account owner will be the credit card charge-back fees and those can outweigh the handful of donor complaints.


    Good luck,

    Sara


  • Ditto what Sara said! Online fundraising is a balance between costs (including donor frustration) of fraud prevention and administrative pain of fraud tolerance! If you accept donations online, you will have some fraud. Your trick is to find that pivot point for your organization where the cost of tolerance outweighs the cost of prevention - you don't want to lose more money to preventing fraud than the fraud itself costs you. Just be sure to consider everything - intangibles of reputation, media, frustration and tangibles of fees, time, etc.

    The one thing I'm curious about, you seem certain that it is one individual... What is the basis of that determination? Typically it would be IP setting, but since that didn't work, is there something else that you are using to identify the individual? There are other options beside just IP address that you might consider depending on the profile of these carding runs. Support can enable and configure options that have to do with the velocity of run - number of cards within a period of time... That can often be more successful than a simple IP block, but it can be problematic if you have events like corporate donation days where a number of people at one location are donating to you as part of a drive or something.
  • We had the same issue, got the same advice, and implemented AVS. The small (for us, fraudulent) transactions were a big enough headache for us to take the risk, and we haven't had any issues with AVS so far.


    We have an automated report that runs weekly (we could look at it more often) showing us declined transactions and we didn't see an uptick in declines. We do have one constituent who consistently has AVS issues but it's due to user error and she knows it!
  • This is the best:

    due to user error and she knows it!

  • I believe that this is happening and that it is a problem, but I'm a little curious as to why a criminal would be using credit cards to give to a charity. What is there to gain? Maybe I don't fully understand what is happening in these cases.
  • Carding runs are used to verify the usability of an unscrupulously gained credit card. The risk of capture in giving a $5 donation to a non-profit is far less than the risk of capture at an ecommerce site. Non-profits are hardwired to make it as easy as possible to give money (relatively speaking) whereas ecommerce is hardwired to protect the business profits (and therefore the delivery of goods).


    If the card works on your site, it can then be sold off as a working card to be used for much higher transactions that make the risk "worthwhile." Stolen card numbers have a life span measured in hours, so it is a segment of the market that continuously validates and re-validates the "integrity" of the "product."
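A defender-side illustration of the two points raised in this thread: the velocity check Support can enable (number of cards within a period of time, with the corporate-drive caveat) and the card-testing pattern this comment explains (many distinct cards, identical small amounts). This is an added example in Python, not code from Blackbaud or from anyone in the thread; it assumes the gateway exposes a per-card token (a hash or last-4, never the full number), uses constructed sample transactions, and its thresholds are assumptions to be tuned against your own decline report.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample log, not real data. Fields: time, source IP, card token
# (a hash or last-4 from the gateway, never the PAN), donor email, amount (USD).
SAMPLE_LOG = [
    ("2024-03-01 09:00:05", "203.0.113.7",  "card-a1", "x1@example.net", 5.00),
    ("2024-03-01 09:00:41", "203.0.113.7",  "card-b2", "x2@example.net", 5.00),
    ("2024-03-01 09:01:20", "198.51.100.9", "card-c3", "x3@example.net", 5.00),
    ("2024-03-01 09:02:02", "198.51.100.9", "card-d4", "x4@example.net", 5.00),
    ("2024-03-01 09:02:55", "192.0.2.33",   "card-e5", "x5@example.net", 5.00),
    ("2024-03-01 09:03:30", "192.0.2.33",   "card-f6", "x6@example.net", 5.00),
    # A corporate donation drive: many cards from one office, varied amounts.
    ("2024-03-01 13:00:00", "192.0.2.80", "card-g7", "ann@corp.example", 25.00),
    ("2024-03-01 13:01:10", "192.0.2.80", "card-h8", "bob@corp.example", 50.00),
    ("2024-03-01 13:02:30", "192.0.2.80", "card-i9", "cat@corp.example", 20.00),
    ("2024-03-01 13:03:15", "192.0.2.80", "card-j0", "dan@corp.example", 100.00),
    ("2024-03-01 13:04:45", "192.0.2.80", "card-k1", "eve@corp.example", 25.00),
    ("2024-03-01 13:05:20", "192.0.2.80", "card-l2", "fay@corp.example", 40.00),
]

def parse(rows):
    """Turn the timestamp strings into datetimes so the window math works."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), ip, card, email, amt)
            for t, ip, card, email, amt in rows]

def velocity_alerts(rows, window=timedelta(minutes=10),
                    max_distinct_cards=5, same_amount_ratio=0.8):
    """Sliding-window velocity check over ALL traffic rather than per IP,
    because the attacker in the thread already rotated past an IP block.
    A window is flagged when it holds more than max_distinct_cards distinct
    cards AND at least same_amount_ratio of its transactions share one amount,
    the signature of card testing. A drive with varied amounts stays quiet.
    Thresholds are assumptions; tune them against your own decline report."""
    recent, alerts = deque(), []
    for tx in sorted(parse(rows)):
        now = tx[0]
        recent.append(tx)
        while now - recent[0][0] > window:       # drop transactions outside the window
            recent.popleft()
        cards = {r[2] for r in recent}
        amount, count = Counter(r[4] for r in recent).most_common(1)[0]
        if len(cards) > max_distinct_cards and count / len(recent) >= same_amount_ratio:
            alerts.append((now, len(cards), amount, sorted({r[1] for r in recent})))
    return alerts
```

Run against the sample, the morning burst of $5 charges across three IPs raises one alert (six cards, all at $5.00) while the afternoon drive from a single office raises none, which is the distinction the IP block alone could not make.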
