Criminals are using poorly protected charity websites to test the validity of stolen credit-card numbers, cybersecurity experts said this week, costing some groups thousands of dollars. Simplified online donation pages make it easy for people to give — but also serve as prime testing ground for credit-card thieves.
“There’s a giant target painted on the industry’s back that is very advantageous for credit-card thieves,” said Kevin Conroy, chief product officer at GlobalGiving.
Although not a new problem, it is now “near universal,” said Matt Holford, chief technology officer at DoSomething.org.
Easy Target
Stolen credit-card numbers aren’t worth much on the underground market until verified, so thieves use online payment websites to test whether the numbers work. Some thieves pay criminal services groups to do the confirmation work using a bot — a software application that rapidly enters the numbers into payment websites, said Don Jackson, director of threat intelligence at PhishLabs. If the payment goes through, the criminal-services group reports back to the thief that the credit-card number is valid and will work for making larger fraudulent purchases.
Fraudsters also use for-profit retailers to verify stolen numbers. But businesses are often well protected, requiring multiple steps to make purchases such as setting up an account and providing personal information linked to the credit card.
Many nonprofits forgo such requirements to reduce obstacles to making donations.
That simple design is ideal for a thief or a bot trying to test many numbers quickly.
“I think the reason charities and nonprofits are targeted is they want to set it up with as few bars to funding as possible,” Mr. Jackson said.
Nonprofits are also vulnerable because online donations are not tied to geography, Mr. Conroy said. If someone uses her credit card to buy coffee in her town of residence on the same day a thief uses her credit-card number to buy a television three states away, that may raise a red flag with the credit-card company. A small, fraudulent online donation is unlikely to trigger that detection system.
Costs Soar
The financial costs of these attacks on nonprofits can be significant. Credit-card companies categorize online donations as “card-not-present” transactions and place the burden for recouping fraudulent charges entirely on nonprofits.
That means nonprofits have to return fraudulent donations that people report to their credit-card companies. In May 2013, Irish charity the Jack and Jill Children’s Foundation announced that it received and refunded about $170,000 in donations made via stolen credit cards. Most of the donations were less than $7.
For each fraudulent charge, charities also have to pay credit-card companies “charge-back” fees, which can be as high as $25. When thieves targeted DonorsChoose.org about three years ago, it had to pay $10 to $20 in charge-back fees for each of more than 100 fraudulent donations, said Jeana Takahashi, the nonprofit’s integrity assurance manager and technical writer.
And once a nonprofit has surpassed a certain charge-back rate threshold — often 1 percent of all transactions in a month — credit-card companies may put it on probation and charge it several thousand dollars a month in fines. If the nonprofit can’t lower its charge-back rate, credit-card companies may shut off its merchant account, rendering it unable to accept any donations made with that card brand. Vendors may also temporarily block nonprofits’ ability to process transactions if fraud attempts spike, said Clam Lorenz, PayPal’s general manager of social innovation for North America.
Harder to measure but still significant are the costs to a nonprofit’s reputation when people discover that donations were made without their consent.
“When you start to have fraud activities associated with you, it damages the name of your charity,” Mr. Jackson said.
Tighter Controls
There’s only one way to stop this kind of fraud, Mr. Conroy said: monitoring all online donations.
Nonprofits should look out for small donations (some bots randomly generate donations that are not whole numbers, such as $1.32), or a burst of donation activity during a short period of time. They should also look for donations made on a device whose IP address is different from the cardholder’s billing address or is linked to multiple transactions from different cardholders.
To thwart thieves, nonprofits also need to improve online donation forms, said Steven MacLaughlin, director of analytics at Blackbaud. He recommends setting a minimum online donation amount of $15. Charities should only accept donations in set increments, ask for credit-card expiration dates and security codes, and turn on address-verification services. PhishLabs recommends requiring donors to provide an email address to which nonprofits mail a donation-verification message and using URLs for the transaction page that change every time someone makes a donation.
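As an added illustration of the screening heuristics described above (example code written for this page, not GlobalGiving's, DonorsChoose's or any vendor's system), the Python below runs the amount, velocity, card-diversity and geography checks over a handful of constructed donation records. The $15 minimum comes from the article; the $5 increment, the five-minute window, the burst count and the card-diversity count are assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# MIN_CENTS is the $15 floor from the article; the other thresholds are assumed for this example
MIN_CENTS = 1500
INCREMENT_CENTS = 500                # assumed: gifts accepted only in $5 steps
BURST_WINDOW = timedelta(minutes=5)  # assumed
BURST_COUNT = 5                      # assumed: gifts from one IP inside the window
MULTI_CARD_COUNT = 3                 # assumed: distinct cards seen from one IP

# Constructed sample records (not real donors); card_token is a processor token, never the card number
def rec(i, secs, cents, ip, tok, ip_cc="US", bill_cc="US"):
    return {"id": i, "ts": datetime(2014, 6, 1, 10, 0) + timedelta(seconds=secs), "cents": cents,
            "ip": ip, "card_token": tok, "ip_country": ip_cc, "billing_country": bill_cc}

DONATIONS = [rec(1, 0, 2500, "203.0.113.10", "tok_a"),
             rec(2, 2400, 5000, "203.0.113.20", "tok_b", ip_cc="RU")]
# a bot testing six different cards with odd amounts from one address inside two minutes
DONATIONS += [rec(10 + i, 20 * i, 100 + 31 * i, "198.51.100.7", f"tok_bot{i}") for i in range(6)]

def amount_flags(cents):
    # form rules: minimum gift and fixed increments
    flags = ["below_minimum"] if cents < MIN_CENTS else []
    return flags + (["off_increment"] if cents % INCREMENT_CENTS else [])

def ip_flags(records):
    # velocity and card-diversity checks over every gift sharing one IP
    flags = set()
    times = sorted(r["ts"] for r in records)
    for i, t in enumerate(times):
        if sum(1 for u in times[:i + 1] if t - u <= BURST_WINDOW) >= BURST_COUNT:
            flags.add("burst")
    if len({r["card_token"] for r in records}) >= MULTI_CARD_COUNT:
        flags.add("many_cards_one_ip")
    return flags

def screen(donations):
    # returns {donation id: sorted flags}; an empty list means nothing to review
    by_ip = defaultdict(list)
    for d in donations:
        by_ip[d["ip"]].append(d)
    shared = {ip: ip_flags(recs) for ip, recs in by_ip.items()}
    out = {}
    for d in donations:
        flags = set(amount_flags(d["cents"])) | shared[d["ip"]]
        if d["ip_country"] != d["billing_country"]:
            flags.add("geo_mismatch")
        out[d["id"]] = sorted(flags)
    return out
```

Flagged gifts would go to manual review or be reversed proactively, as GlobalGiving does, rather than rejected outright, which keeps the false-positive cost visible.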
Both Mr. Conroy and Mr. MacLaughlin advise against installing Captcha programs — quizzes that require users to interpret a string of misshapen numbers and letters to thwart bots. It’s quick and easy for criminals to get through such screens manually or pay low-skilled workers to do it. As a result, Captcha tests can frustrate more real donors than fraudulent ones.
“It’s a speed bump on the way to robbing you,” Mr. MacLaughlin said.
Getting Help
Payment-processing vendors also have a role to play, and some vendors are more susceptible to fraud than others, Mr. Jackson said. He mentioned one that has a “relatively sizable share of the charitable-organization market” as being weak because it accepts credit cards from all over the world and doesn’t examine payment velocity. He declined to name it.
Mr. Conroy recommends that nonprofits research how prospective vendors prevent and handle fraudulent activity before signing a contract.
“It would be unwise to go solely for the lowest cost option,” he said.
Mr. Lorenz advises nonprofits to familiarize themselves with the charge-back reports their payment-processing vendors send. He also says nonprofits should talk to their vendors about available anti-fraud tools and good ways to deter thieves.
Nonprofits may need to buy more sophisticated services from payment processors or hire fraud-detection firms, such as Sift Science, which use the same machine-learning principles as email spam filters, and ThreatMetrix, which uses identification fingerprinting technology. Both of these companies charge per transaction: Sift Science charges 3 to 7 cents for each, although discounts are available for nonprofits, while DonorsChoose.org now budgets about $20,000 a year to pay ThreatMetrix, Ms. Takahashi said.
There is one downside to the system, Ms. Takahashi said: the rate of “false positives,” legitimate donations flagged as potentially fraudulent, has risen. DonorsChoose now flags about 3 percent of transactions for extra screening.
But it’s not a big problem, Ms. Takahashi said, and she thinks the extra protection justifies the false-positive risk and the cost.
“We don’t want to make it easy for the bad guys out there,” she said.
Charities that have the resources and tech talent may be able to develop internal anti-fraud protections. GlobalGiving created a system to monitor donations as they come in and to assess them later. The system is largely automated, although one employee runs frequent audits, and catches dozens to hundreds of attempted fraudulent donations every week. The nonprofit proactively reverses donations it suspects to be fraudulent to avoid paying charge-back fees later and now pays fewer than 10 charge-back fees each month.
Mr. Conroy declined to share how the system works, calling the fight against fraudsters an “arms race.”
“We have to keep some secrets so we can still combat them,” he said.
Joining Forces
CTOs for Good, a group of chief technology officers at nonprofits that include DonorsChoose, GlobalGiving, Wikimedia Foundation, Mozilla, Charity: Water, VolunteerMatch, Crisis Text Line, and Global Poverty Project, will discuss this problem at its meeting in October and perhaps produce a paper to share with the public, Mr. Holford said.
“Developing a unified solution is tough because our stacks, payment flows, and payment processors are all different,” he said in an email. “But some member groups have come up with smart logic to apply and lessons learned.”
Experts agree that each nonprofit has a role to play in helping charities fight back against credit-card verification fraud.
“We should work together and share best practices, look at ways we can share code to do that, and share referrals to off-the-shelf systems that are available,” Mr. Conroy said. “We’re only as strong as our weakest link.”