Attack Type · Card Testing

Card Testing Detection

Card testing attacks — where fraudsters probe card validity with small-dollar transactions — generate millions in chargebacks and risk merchant account termination. Fraudhalo detects them in real time before damage is done.

What is a card testing attack?

Card testing (also called carding or BIN attack) occurs when fraudsters use stolen card data — or algorithmically generated card numbers — to probe whether cards are valid and active. They submit dozens to thousands of small-dollar transactions against a single merchant, checking which cards authorize successfully before selling valid cards on dark web markets or using them for larger purchases.

Payment processors are the primary target because they aggregate volume from many merchants. A single processor may see card testing spike from a single source IP, device cluster, or BIN range. At 150,000 daily transactions, a card testing event affecting 5% of volume is 7,500 fraudulent requests — generating chargebacks, processing fees, and issuer penalties.

Detection Signals

How Fraudhalo detects card testing.

Fraudhalo monitors four signal categories that reliably distinguish card testing from legitimate high-frequency transaction patterns.

card_velocity_1h

High-velocity BIN probe rate

Number of distinct card hashes transacted per IP or device in a rolling 1-hour window. Card testing generates anomalously high BIN concentration per source.

amount_pattern

Small-dollar sequential amounts

Card testers submit $0.01, $0.50, $1.00, $2.00 transactions. The amount distribution pattern is statistically distinct from legitimate purchase sequences.

decline_spike_5m

Rapid decline rate spike

Card testing generates high decline rates as invalid or expired cards fail authorization. A decline rate exceeding 40% in a 5-minute window from a single source is a high-confidence signal.

device_card_fan

Device fingerprint clustering

Multiple card numbers transacted from a single device fingerprint or device cluster within a short window. Legitimate users rarely submit more than 2-3 card attempts per session.

Pilot result.

Payment processor handling 150K daily transactions

US-based payment processor serving mid-market e-commerce merchants, processing high-frequency card-not-present volume.

65%

Reduction in card testing fraud within 3 weeks

2 weeks

Time to production via REST API integration

<72ms

p99 latency in production

Role: Head of Fraud Operations — attribution withheld per pilot agreement

Relevant integrations for card testing detection.

Card testing detection benefits from device fingerprinting enrichment alongside transaction data. Fraudhalo's pre-built connectors make this straightforward.

Stripe Connector

Pre-built Stripe webhook handler forwards transaction events to Fraudhalo automatically. Block decisions reflected in Stripe Radar rules.

Device Intelligence

ThreatMetrix and Sardine Device connectors enrich transaction events with device fingerprint before Fraudhalo scoring.

REST API

Any payment stack can integrate in under 2 hours using the REST API. Node.js, Python, and Ruby SDKs available.

Ready to protect your transaction layer?

Join our pilot cohort. We are working with payment processors, neobanks, and BNPL providers processing more than 50,000 transactions per day.

Request a Pilot