
13 Best Practices for Merchants: Anti-Enumeration and Account Testing
Merchants face increasing threats from cybercriminals who employ tactics like enumeration and account testing to exploit vulnerabilities in online platforms. These techniques can lead to unauthorized access, financial loss, and damage to brand reputation. To mitigate these risks, it’s essential for merchants to adopt robust anti-enumeration and account testing practices. This guide outlines best practices that can help protect online businesses from these threats.
Understanding Enumeration and Account Testing
Enumeration is the process by which attackers systematically submit fraudulent transactions to discover valid payment information. This typically involves using automated scripts to test common payment fields, including:
- Enumeration Attacks: Criminals submit transactions with various values (e.g., Primary Account Number, card verification value, expiration date) to identify valid accounts. This method is often referred to as a Brute Force attack.
- Account Testing: Involves attackers attempting to gain unauthorized access to accounts by initiating low-dollar transactions to verify if an account is active, intending to take over or sell the account for illicit purposes.
Both techniques exploit weaknesses in authentication systems and can lead to account takeover, data breaches, and significant financial losses.
Causes of Enumeration and Account Testing
Fraudsters perpetrate these attacks using various methods:
- Weak Fraud Controls: Many merchants lack robust fraud detection mechanisms, making them easy targets for enumeration.
- Synthetic Merchant Accounts: Attackers can create fake merchant accounts to conduct enumeration attacks, exploiting weaknesses in the onboarding processes of acquirers.
- Credential Theft: Phishing schemes can lead to the theft of merchant login credentials, allowing attackers to gain unauthorized access to payment gateways.
- Cloned POS Devices: Fraudsters can set up counterfeit point-of-sale devices using stolen merchant credentials to submit fraudulent transactions.
Best Practices for Anti-Enumeration
1. Employ Account Lockout Mechanisms
Implementing account lockout mechanisms can restrict the number of login attempts made from a single IP address over a specific time frame. By limiting attempts, merchants can significantly slow down automated scripts used for enumeration and identify unusual patterns that may indicate enumeration attempts.
For example, if a user fails to log in after five attempts, their account could be temporarily locked. However, it’s essential to balance this with user experience, as overly aggressive lockout policies can frustrate genuine users.
2. Use Captcha Challenges
Integrating CAPTCHA systems can help distinguish between human users and automated scripts. By requiring users to complete a CAPTCHA challenge after a certain number of failed login attempts, merchants can deter enumeration attacks while allowing legitimate users to access their accounts.
3. Enable Multi-Factor Authentication (MFA)
Implementing MFA adds an additional layer of security to the login process. Even if an attacker manages to obtain a valid username and password, they will still need access to the second factor (e.g., a text message code or authentication app). This significantly reduces the risk of unauthorized account access even if login credentials are compromised.
4. Anomaly Detection
It is crucial to identify irregularities early, such as sudden spikes in daily averages and declined transactions, which may indicate that a business has become a target.
Alerts should be set for transactions showing a high volume of approvals or declines from similar BIN ranges, as well as for an increase in reversals, as fraudsters often reverse transactions shortly after approval. Additionally, monitor excessive usage and bandwidth consumption from individual users and incorporate IP addresses with multiple failed payment attempts into a fraud detection blacklist for manual examination.
5. Implement a Web Application Firewall (WAF)
A WAF can add an essential layer of security by detecting and blocking malicious traffic. Firewalls can be adjusted to limit page submission and repeat actions on websites, as well as automatically ban visitors and users from known malicious origins. It should include tools for bot detection and prevention, helping to safeguard against automated attacks.
6. Use Device Fingerprinting
Device fingerprinting allows merchants to identify unique user devices, making it easier to detect multiple accounts being accessed from the same device.
7. Utilize 3-D Secure Authentication
Implementing 3-D Secure can enhance transaction security and provide additional verification steps during the payment process.
8. Monitor Account Verification Attempts
Track account verification requests to identify excessive failed attempts, which could indicate an ongoing attack. Use a layered validation approach that includes CVV2 and Address Verification Service (AVS) checks. Monitor and block excessive failed account verification attempts – which can be tracked by account IP and device to prevent unauthorised exploitation of their authentication mechanism.
9. Set Velocity Thresholds
Establish thresholds for transaction frequencies and amounts and use velocity checks for low amounts or authorisation-only transactions, as account testing transactions typically involve amounts under $10 USD. Additionally, thresholds should be set on the number of transactions within a specified timeframe, while also monitoring the velocity on data elements such as IP address, device, email.
10. Obscure Error Messages
When a login attempt fails, the system should provide generic error messages that do not specify whether the username or password was incorrect. For example, a message like “Invalid login credentials” does not reveal specific information that could aid an attacker in their enumeration efforts.
11. Monitor Account Creation Activity
To enhance security, limit the number of cards that can be added to each account and session, as well as restrict the number of accounts that can be created from a single IP address within a specified timeframe. Additionally, monitor how frequently payment methods are changed on accounts, implement reCAPTCHA for user registrations, and terminate sessions for guest users that remain inactive for a certain period.
12. Regularly Update Password Policies
Merchants should enforce strong password policies that require users to create complex passwords. This can include a combination of uppercase letters, lowercase letters, numbers, and special characters. Additionally, encouraging regular password changes can enhance security.
13. Conduct Regular Security Audits
Regular security audits can help identify vulnerabilities within the system that could be exploited for enumeration and account testing. Merchants should conduct penetration testing and vulnerability assessments to uncover weaknesses and take corrective measures before they can be exploited.
Collaborate with Stakeholders
Collaboration among merchants, acquirers, issuers, and payment networks is essential for combating these threats. Sharing information about suspicious transactions can help identify and deter risks to the payment ecoystem. Merchants should report any account testing activities to Visa and Mastercard, including details such as:
- Source IP addresses
- Customer names and billing addresses
- Source email addresses
- User-Agent headers
This information can aid in correlating transaction attempts and identifying patterns of fraud.
Conclusion
In a landscape where cyber threats are constantly evolving, merchants must adopt comprehensive anti-enumeration and account testing strategies to safeguard their platforms. Implementing technical tools such as anomaly detection, CAPTCHA challenges, and account lockout mechanisms can significantly reduce the risk of enumeration. Meanwhile, multi-factor authentication and strong password policies are crucial for preventing unauthorized access through account testing.
By taking these proactive measures, merchants can enhance their security posture, protect customer data, and maintain trust in their brand. As cybercriminals continue to refine their tactics, staying ahead through vigilance and robust security practices is essential for long-term success in the online marketplace.
Contact Austreme and discover how our Chargeback Prevention service with RDR and OrderInsight can help you reduce and deflect chargebacks.
Want to learn more? Explore our Services page.
Want to learn more about merchant risk services? Visit our Youtube Channel.
Subscribe to our newsletter
Keep up to date with the latest industry news and up and coming innovations!
About Austreme
Austreme Technology is an industry leader specialising in ecommerce acquiring payment risk technologies and services. We provide a wide range of financial risk management services for global customers such as big data analytics, anti-transaction laundering, merchant website risk content monitoring, merchant onboarding and chargeback prevention. Austreme is a MasterCard Merchant Monitoring Service Provider (MMSP) since 2015, and a Visa Third Party Agent (TPA).