Protect your site from Credit Master attacks

Mass Attack Blocking Service

This service helps prevent damage from "Credit Master", a criminal technique that exploits the regularity of credit card numbers to identify other people's card numbers.
A Credit Master attack characteristically enters card numbers over and over until an authorization succeeds. The service blocks such repeated authorization requests according to a threshold specified by the merchant.

This service addresses needs such as:

  • I want to take security measures

What is a Credit Master?

Credit Master is a form of fraud in which a malicious third party:

  • uses a program that exploits the regularity of credit card number generation
  • to identify valid, legitimately issued credit card numbers,
  • uses the merchant's payment form as a stepping stone, and
  • mechanically repeats attempts until the card's expiration date and security code are known.

Illegally obtained card information may then be used for fraud on e-commerce sites that handle high-value products.

* For more information on Credit Master, PG Multi-Payment Service merchants can refer to the following article:
"In order to prevent your e-commerce site from being misused, you need to know about the current situation and countermeasures against credit master damage"
(Article written by GMO Payment Gateway, 2023/4/24)

Impact of Credit Master

A Credit Master attack exposes the merchant to the following risks.

  • Server failures caused by increased traffic volume, etc.
    * A Credit Master attack may generate traffic on the order of tens of thousands of requests in a short period of time.

  • Credit card companies reduce authorization rates, which affects purchases made by legitimate users

  • Increased card fee rates or suspension of contract with the card issuer

  • Loss of customer trust due to service outages, information leaks, etc.

Countermeasures against Credit Master

Merchants can take various countermeasures; the five main ones are listed below.
* No measure is completely safe. Countermeasures must be updated continuously as criminal methods change.

  1. Limit the number of credit card entry attempts

    Because Credit Master works by repeating attempts mechanically, limiting the number of attempts makes the attack harder to carry out, for example by using a mass attack blocking service.

  2. Take action against bots

    Credit Master attacks commonly use automated tools called bots, so it is effective to introduce countermeasure tools such as "reCAPTCHA" provided by Google to reject mechanical input.

  3. Implement a fraud detection system

    A fraud detection system is a service that monitors and reviews orders and detects suspicious ones.
    Unlike anti-bot tools, it can also detect manual fraud carried out by humans.

  4. Suspend the functions under attack

    It is effective to suspend the parts of the site that are being accessed repeatedly, such as membership registration, card information change, and payment functions.
    Because form requests may be sent directly to the server side, we recommend suspending the function on the server side as well wherever possible.

  5. Check for fraudulent accounts and orders

    Review newly registered users, accounts, and payment data that appeared in large numbers.
    Because these transactions are likely to result in chargebacks (cancellation of sales due to fraudulent use of a third party's card), we recommend taking measures such as deleting the transactions or canceling shipment.
    If damage is confirmed, please consider reporting it to the police.

Details of the Mass Attack Blocking Service: 5 Blocking Methods

The "Mass Attack Blocking Service" provides five attack blocking methods.

| Attack blocking method | Target | Summary |
|---|---|---|
| (1) Same order ID transaction | Payment transaction | Blocks requests for the same "order ID" if more than the specified number of authorization requests are made within the specified period of time |
| (2) Same card number transaction | Payment transaction | Blocks requests for the same "card number" if more than the specified number of authorization requests are made within the specified period of time |
| (3) Same BIN band transaction | Payment transaction | Blocks requests for the same "BIN band" if more than the specified number of authorization requests are made within the specified period of time |
| (4) Same member ID card registration | Card registration | Blocks card registration requests if more than the specified number of requests are made within the specified period of time using the same "member ID" |
| (5) Same BIN band card registration | Card registration | Blocks card registration requests if more than the specified number of requests are made within the specified period of time using the same "BIN band" |
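
The five blocking methods all come down to counting requests per key inside a time window. The sketch below is an added example, not GMO Payment Gateway's implementation: the rule names, thresholds, windows, 6-digit BIN length, request field names and HMAC key are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

HMAC_KEY = b"constructed-demo-key"  # placeholder; keep the real key in a secret store
BIN_LEN = 6                         # assumption: BIN band = first 6 digits

def card_tag(req):
    # Key on an HMAC so raw card numbers are never held in limiter state.
    return hmac.new(HMAC_KEY, req["card_number"].encode(), hashlib.sha256).hexdigest()

def bin_band(req):
    return req["card_number"][:BIN_LEN]

# (rule, request kind, key function, max requests, window seconds); constructed values
RULES = [
    ("same_order_id", "payment", lambda r: r["order_id"], 3, 600),
    ("same_card_number", "payment", card_tag, 3, 600),
    ("same_bin_payment", "payment", bin_band, 20, 60),
    ("same_member_id", "register", lambda r: r["member_id"], 3, 600),
    ("same_bin_register", "register", bin_band, 20, 60),
]

class VelocityLimiter:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.hits = defaultdict(deque)  # (rule, key) -> request timestamps

    def check(self, kind, req, now):
        """Return the rules that block this request; an empty list means allow."""
        blocked = []
        for rule, rule_kind, key_fn, limit, window in self.rules:
            if rule_kind != kind:
                continue
            q = self.hits[(rule, key_fn(req))]
            while q and q[0] <= now - window:  # expire hits outside the window
                q.popleft()
            q.append(now)  # blocked attempts still count, so a running attack stays blocked
            if len(q) > limit:
                blocked.append(rule)
        return blocked

def first_blocked(n=25):
    # Constructed enumeration run: one BIN, incrementing card numbers, fresh order IDs.
    lim = VelocityLimiter()
    for i in range(n):
        req = {"order_id": f"o{i}", "card_number": f"411111{i:010d}"}
        if lim.check("payment", req, now=1000 + i):
            return i
```

In the constructed run, every order ID and card number is new, so only the BIN band rule can catch the enumeration; the per-order and per-card rules cover repeated retries of a single order or card.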

Mass Attack Blocking Service Details: How to Set Up

  • This service is a paid option. To use it, you need to apply from the management screen.
    Please check the "Mass Attack Blocking Service Option Application" operation manual for the management screen.
    * You will be redirected to the page for merchants. If you are asked to authenticate, please enter the ID and password listed on the "Documents" page in the upper right corner of the site/shop management screen.

  • Merchants can set blocking conditions on the shop management screen or the site management screen.
    * The management screen to use differs depending on the attack blocking method.

Mass Attack Blocking Service Details: Fees

* This content applies to merchants who contract after June 27, 2023.

  • You will not be charged for the contract start month.
  • A monthly fee of 2,000 yen will be charged from the month following the contract start month.
  • Even if you apply in the middle of the month, the full monthly fee of 2,000 yen will be charged.
  • Even if you are not actually using this service, you will be charged the usage fee if it is set to "Use".