A serious rapid-fire credit card attack in late July
The last three weeks have been “interesting”.
On July 27th and 28th, while I was innocently visiting the family of my oldest son in the Dallas area, CatholicCulture.org suffered a sustained credit card fraud attack.
I do not mean that any credit card information was stolen from us. Not at all. Every bit of personal financial information we have from our donors is (a) encrypted; (b) stored on a system separate from the website; and (c) behind a seriously tough firewall that even we need to make special arrangements to get past.
So nobody has ever snatched even a single piece of credit card information from CatholicCulture.org. Rather, what happened is something fairly common in the non-profit world: Major hackers steal thousands or millions of credit card records by exploiting security weaknesses in the systems of major financial institutions and retail outlets. But then they have to test the information they have illegally acquired by using it to try to put through successful charges.
This is where the non-profits come in. To test the stolen credit card information, these bad actors frequently design robotic systems to slam non-profit organizations with donations. This is ideal for their purposes because the transactions do not involve the purchase of merchandise requiring shipping addresses. Also, non-profits (for obvious reasons) make the donation process extremely easy, with a minimum of steps to go through.
This can be damaging to charitable organizations because, for each credit card successfully charged, they must issue a costly refund, wasting both time and money. Sometimes their own systems can be slowed or stalled by the intensity of the attack. And sometimes their legitimate users are inconvenienced in ways which require investigation and explanation.
CatholicCulture.org combats credit card fraud
Of course, many of the attempted transactions will be declined because the credit card number and other required information (security code, zip code, name, etc.) do not match. But when everything matches up, the charge goes through, unless it can be detected as fraud by other logical or statistical tests. The whole point, of course, is for the bad actors to find out which sets of information they have acquired are good, matching sets—sets that can be exploited in other ways or sold.
For moral reasons (not to mention saving time and money), CatholicCulture.org is intensely proactive in preventing as many of these fraudulent charges as possible from even getting past our systems and on to the credit card processing service. One of the main prevention techniques we programmed years ago was a method of identifying the internet location (IP address) from which each charge attempt is initiated. If we get three charges put through from the same IP address in a set period of time, we mark the user account as fraudulent.
After that, none of the potentially thousands of charge attempts from that IP address can do significant damage of any kind. Plus, the system immediately sends an email to me with a link to the fraudulent user account so that I can investigate personally and determine whether anything more needs to be done.
The most recent attack
As you might guess, the bad actors are constantly refining their techniques to get past the security measures. In the latest attack against CatholicCulture.org, the robotic attack system was programmed to change (or at least spoof) a different IP address after every few transaction attempts. The result is that over six thousand five dollar donations were attempted on CatholicCulture.org in the space of about twenty-four hours, and nearly all of them got through to our credit card processor’s gateway.
The gateway company runs heuristic tests on each transaction and also checks each transaction against a database of known fraud patterns gathered from all of its many clients. In this case, the gateway quickly detected that this credit card charging blitz was fraudulent, and it declined the charges. Thankfully, then, we did not have to painstakingly issue any credits.
But there was an unfortunate side-effect. As part of its efforts to stop the attack, the gateway put a block on all donations of $10 or less coming through the CatholicCulture.org account—and left that block in place after the attack had run its course. I am sure this was an automated response, but the result was that, over the next two weeks, I received an increasing number of messages from concerned donors explaining that their gifts had been declined and that the banks which had issued their credit cards had no record of them being declined. Oops!
It took me a few more days of investigating the charge records for our website to recognize this pattern for what it was, and then a few days more to confer with our credit card processing company, open a support ticket, and get the problem resolved. All together, about 150 of our donors were affected by having legitimate donations declined. I had to communicate with each of them, manually reset any monthly pledges that were cancelled as a result, and put each of the donations through again, one by one.
This was nobody’s idea of a good time.
Need for system improvement
The fraudsters have upped their game, and so must we. It is once again time for CatholicCulture.org to investigate the pros and cons of various programmable methods to make sure this new kind of attack does not get past our own server and on to the credit card processing company. There is a fine line in these prevention measures. If we tighten things up too much, legitimate donations will be blocked. But if we are too loose, the result is what I have just described—a huge pain for everybody.
Financially, things are slow in the Summer. Since our August income so far has been less than $10,000, against a monthly budget of $26,000, and since action on this is urgent, I hope to raise between $10,000 and $15,000 very quickly right now so that we can engage the experts, thoroughly investigate all systems again, and code the best possible, state-of-the-art fraud prevention measures.
As always, we depend on our users, who are the only means of support for our Catholic mission. When people like this attack Catholic organizations, they attack the Church—and they attack you.
All comments are moderated. To lighten our editing burden, only current donors are allowed to Sound Off. If you are a donor, log in to see the comment form; otherwise please support our work, and Sound Off!