Card cycling: The fraudulent tactic threatening Hong Kong SMEs

January 03, 2023 06:00
Photo: Consumer Council

Hong Kong is one of the world’s premier financial hubs, so it is of little surprise that the city and its residents’ finances are attractive to fraudsters. According to a study conducted by NordVPN, 399,537 payment cards that were hacked belonged to Hong Kong. And whilst methods of committing fraud vary, one increasingly commonly used tactic – known as card cycling - occurs at eCommerce checkout.

Card cycling, also known as credit card testing, is a sneaky way of validating stolen credit card credentials. It’s a simple scheme: Fraudsters find a website where they can make purchases with a small dollar amount, as these often go under the radar (donation platforms are common). They write a computer script that allows them to cycle through thousands of stolen credit card numbers to find valid ones.

Afterward, the bad actor has a set of valid card details they can use to fraudulently purchase goods at that or another platform (for later resale), or to sell at a premium on the dark web because they have already been verified. As scammers double down on their efforts to trick users into revealing personal information, this is one of the most common fraud tactics affecting Hong Kong consumers today.

Keeping SMEs Fraud-Free

As we move beyond the pandemic, consumers are using more digital tools and looking for more virtual or digital experiences. This makes digital fraud, including card cycling, one of the most dangerous threats to businesses in Hong Kong – especially for small and medium-sized enterprises (SMEs), which constitute more than 98 percent of businesses in the city. SMEs need to balance the need for technology that makes them more cyber-enabled, whilst mitigating their increased vulnerability to fraudsters. As a result, secure payment methods with more innovative features are critical to ensuring safe, seamless payment experiences.

Mastercard’s borderless payments research indicated that nearly 60 percent of SMEs globally have increased their use of cross-border payments during the pandemic. However, despite widespread adoption, over 40 percent of businesses and consumers said they are worried about being attacked by fraudsters. Respondents also expressed concerns about fees and service hours, including a lack of transparency and geographic restrictions on payments. In addition, unlike large enterprises, SMEs do not have the resources to staff big know-your-customer (KYC) teams – making their already limited resources more vulnerable to fraudsters.

If a fraudster gets away with testing stolen payment information on apps or websites, they’re likely to try making a fraudulent purchase — leading to chargebacks and potential damage to the bottom line. These concerns may also affect customer loyalty, as once customers experience fraud or payment friction, their trust in SMEs may be diminished. This erosion of trust can make customers decide to make future purchases through larger companies instead, making the SMEs’ businesses less viable.

What Can Be Done and What Should SMEs Look Out For?

To address these concerns, a critical priority for SMEs is to re-evaluate their current anti-fraud approach. Because of the reputational risks involved when consumers discover that their data has been mishandled, businesses are reluctant to divulge that they’ve fallen victim to an attack. This, of course, is only to the detriment of business in general. Entrepreneurs, specifically SME owners, need to be more open about the impact of fraud, and do more to protect themselves– especially as cybercrimes such as card cycling continue to rise.

According to Mastercard NuData Fraud Risk At A Glance Report, incidents involving card cycling have increased 54 percent year on year. If SMEs have proper security protections in place on their eCommerce websites or apps, card cycling wouldn’t be difficult to spot. Any user who inputs many different credit card numbers in rapid succession from the same IP address is likely a cycler. Looking at behavioral indicators, like typing cadence, can help identify automated activity including card cycling bots.

User experience is an important element to be incorporated into the anti-fraud process. It is critical for SMEs to prevent fraud while still providing fast, seamless and safe detection as well as reducing efforts and delays. In the digital age, SMEs can leverage behavioral information to create better customer experiences and build stronger security protections for their customers. By gaining a better understanding of their trusted users, companies can flag bad actors more rapidly and accurately, resulting in a frictionless, secure user experience.

As SMEs are vital to our communities, it is important for them to be equipped with the right knowledge and information about fraud prevention. The more we are aware of fraud tactics such as card cycling, the more we can avoid – and eliminate – the risks and threats they pose to Hong Kong’s businesses and consumers.

-- Contact us at [email protected]


Managing Director, Hong Kong and Macau, Mastercard