Security Bulletin
What is Credit Master? ― How the attack works and the risks to e-commerce businesses
Key points of this article
- We explain how a bot attack that mechanically identifies valid card numbers works.
- We sort out the risks you cannot afford to overlook, including your own website becoming a "stepping stone for crime".
- We present effective measures you can take right now, such as implementing reCAPTCHA.
In recent years, damage from "credit master" attacks by malicious third parties has been increasing on e-commerce sites. In this article, we explain the basics of credit master attacks, their impact on e-commerce businesses and credit card holders when damage occurs, and the measures to take to prevent further damage.
1. What is a credit master?
1.1. Features of Credit Master
Credit mastering is an online criminal act* committed by a malicious third party. Using a program that exploits the regularity with which credit card numbers are generated, the attacker repeatedly submits candidate numbers to an e-commerce site's payment form, mechanically repeating the attempt until a legitimately issued, valid card number and its expiration date and security code are identified. The valid card numbers obtained this way can then be misused for fraud on e-commerce sites and in online payments. Because the payment form of the e-commerce site, or the card registration page on the customer's My Page, is abused in the process of identifying valid card numbers, the e-commerce business operator ends up unknowingly involved in a crime.
*Malicious third parties may be charged with the following crimes:
・Obstruction of business
Applies when a merchant's system fails under a large number of attacks and the service has to be suspended.
・Computer fraud
Applies when a third party impersonates the cardholder to the payment system and gains unlawful financial benefits.
1.2. Flow of credit master damage
The specific process of credit mastering is as follows.

(1) Mass attacks by programs
Mechanical attacks are carried out against e-commerce sites to identify valid credit card information.
(2) Card information sales
Valid credit card numbers derived from mass attacks are bought and sold between malicious third parties.
(3) Unauthorized use of card information
The purchased credit card numbers are used to fraudulently buy products with high resale value.
(4) Card suspension
Disputes raised by end users (cardholders) lead to the fraud being discovered and the affected credit cards being suspended.
1.3. Credit card fraud damage situation
According to a survey by the Japan Credit Association, credit card fraud has been on the rise in recent years, with annual damage reaching a record high of 43.7 billion yen in 2022. More than 90% of that damage is attributable to stolen card numbers.

Quoted from the Japan Credit Association, "Aggregate Results and Correction of Credit Card Fraud Damage" (March 31, 2023): https://www.j-credit.or.jp/download/news_202300000195.pdf
This damage situation is regarded as a major problem by the government and the credit card industry. In the future, credit master countermeasures, which address one of the causes of card number theft, may come to be positioned as one of the "basic security measures" required of e-commerce businesses.
2. Impact of Credit Master
2.1. Risks to e-commerce businesses
The main risks that credit master attacks pose to e-commerce businesses are as follows.
(1) Server failure
In a credit master attack, tens of thousands of requests may arrive in a short period of time, so the resulting surge in traffic can cause server failures. When the server goes down, the business is forced to temporarily suspend its services and product sales, which leads to lost opportunities.
(2) Decrease in credit card approval rate
If a credit master attack grows, credit card companies may lower the payment approval rate for the merchant, with the result that legitimate users are not authorized by the card company to make purchases.
In addition, if the damage continues for a long time or the amount is large, it may be judged that the necessary measures were not taken promptly, which can lead to the merchant being deemed unqualified and its contract being suspended. If the damage grows even further, the card company may suspend the merchant contract outright.
(3) Financial damage
If a payment is passed through by a credit master attack, the payment processing fee may be borne by the e-commerce business. In addition, the attack may cause credit card fee rates to be raised, which leads to direct financial damage.
Beyond this, the impact of credit master attacks on e-commerce businesses is wide-ranging, including the risk of losing customer trust due to service outages.
2.2. Cardholder risk
If an e-commerce business fails to take measures against credit master attacks and damage occurs, cardholders also face the following risks:
(1) Financial damage
Unauthorized use of credit card information creates a risk of financial damage. Credit card fraud disputed by the cardholder usually results in a chargeback (a mechanism by which the credit card company reverses the sale and refunds the cardholder when the cardholder does not acknowledge the payment), but if the cardholder fails to notice the fraudulent charges on their card, they may suffer financial damage without knowing it.
(2) Suspension of credit card use
A credit card may be suspended when fraud on it is detected. The cardholder is then forced to go through the process of resuming use or having the card reissued, in addition to the inconvenience of not being able to use the card in the meantime.
3. Measures for credit masters
Here are 5 measures that e-commerce businesses can take against credit masters.
3.1. Precautions for Credit Masters
(1) Limit the number of times you can enter a credit card
Credit master attacks rely on mechanically repeated attempts to identify valid credit card numbers. Setting a limit on the number of times a credit card can be entered at payment time on the e-commerce site can be expected to make such attempts difficult.
(2) Take measures against bots, etc.
Since credit master attacks commonly use automation tools called bots, introducing a countermeasure such as "reCAPTCHA", provided by Google, to repel mechanical input is effective.
(3) Introduce a fraud detection system
A fraud detection system is a service that monitors and reviews orders and detects suspicious ones. Unlike anti-bot tools, it can also detect fraud carried out manually by humans.
3.2. Measures in case of credit master
(4) Suspension of the attack area
This measure suspends the functions that are being accessed repeatedly, such as membership registration, card information changes, and payment functions on the site. Because form requests can be submitted directly to the server, it is recommended to implement the suspension on the server side wherever possible.
(5) Account registration and order status confirmation
Detect suspicious orders by checking the payment data of newly registered accounts for large numbers of fraudulent user registrations. Such transactions are highly likely to result in chargebacks (cancellation of sales due to unauthorized use of a third party's card), so take measures such as cancelling the transaction or stopping shipment where necessary.
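As an added example that is not part of the original article and not GMO-PG's service, the following Python sketch implements measures (1) and (4) together: it counts how many distinct card numbers a single source (session, account or client IP; all assumed identifiers) has had declined within a sliding window, and once the limit is reached it suspends the payment function for that source before any further request reaches the card company. The fingerprint key, thresholds and sample card numbers are constructed values.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed key for this example; in production load it from a secrets store.
FINGERPRINT_KEY = b"example-key-not-for-production"


def card_fingerprint(pan: str) -> str:
    """Keyed hash of the card number so raw PANs are never stored or logged."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]


class CardEntryLimiter:
    """Blocks a source after too many *distinct* card numbers were declined in a window.

    Counting distinct numbers rather than raw attempts means a genuine customer who
    retries one mistyped card is not locked out, while a program cycling through
    generated numbers trips the limit quickly.
    """

    def __init__(self, max_distinct_declines=3, window_seconds=600, block_seconds=3600):
        self.max_distinct_declines = max_distinct_declines
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self._declines = defaultdict(deque)  # source -> deque of (time, fingerprint)
        self._blocked_until = {}             # source -> time at which the block expires

    def is_blocked(self, source: str, now: float) -> bool:
        until = self._blocked_until.get(source)
        if until is not None and now < until:
            return True
        self._blocked_until.pop(source, None)  # block expired (or never existed)
        return False

    def handle_payment(self, source: str, pan: str, now: float, authorize) -> str:
        """Run one card-entry attempt. `authorize(pan) -> bool` stands in for the
        card company's authorization call; it is never invoked for a blocked source,
        which also protects the merchant's approval rate (section 2.1 (2))."""
        if self.is_blocked(source, now):
            return "blocked"
        if authorize(pan):
            return "approved"
        window = self._declines[source]
        while window and now - window[0][0] > self.window_seconds:
            window.popleft()                 # drop declines outside the sliding window
        window.append((now, card_fingerprint(pan)))
        if len({fp for _, fp in window}) >= self.max_distinct_declines:
            self._blocked_until[source] = now + self.block_seconds
            window.clear()                   # measure (4): suspend the function for this source
        return "declined"
```

In a real deployment the per-source state would live in a shared store such as Redis, and the block decision would be logged for review alongside the new-account checks described in measure (5).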
4. Conclusion
Credit mastering is a criminal offence, so it is important for both e-commerce businesses and payment service providers to take action so that unrelated credit card holders are not harmed.
The measures introduced here are examples. Even if they are implemented, attackers' methods continue to grow more sophisticated, so the security of an e-commerce site can never be said to be guaranteed. It is therefore necessary to continuously collect information on, review, and update security measures.
GMO-PG offers a number of measures to protect your e-commerce site as criminal methods change. As a countermeasure against credit master attacks, we provide a "mass attack blocking service" that automatically blocks repeated authorization requests. Because credit master attacks abuse the payment forms of e-commerce sites, detecting large volumes of transaction data is very effective in preventing damage. PG Multi-Payment Service merchants are encouraged to consider introducing this service.
Merchants can apply from the PG Multi-Payment Service management screen.
→ Please check the following URL for how to apply.
https://docs.mul-pay.jp/payment/credit/fraudcheck_console
*This service is a paid option.
**You will be redirected to the page for member stores. If you are asked to authenticate, please enter the ID/PASS listed on the "Documents" page in the upper right corner of the site/shop management screen.
→ For more information on the "Mass Attack Blocking Service", please check the following URL.
https://www.gmo-pg.com/service/mulpay/security/attack-syadan/

Author
PX+ by GMO Editorial Department
The PX+ by GMO editorial team is a dedicated media team of GMO Payment Gateway specializing in payments and the Payment Experience (PX) area.
Based on the latest trends and practical know-how in payments, e-commerce operations and cashless services in general, as well as examples from growing companies, we compile and supervise practical and reliable information that is useful for business growth.