Much to my surprise, we started to get some credit card donations on the site we run for a UK registered charity which were from stolen credit cards.
(The Google Grant we managed to successfully apply for has helped the charity an enormous amount, generating traffic for donations and also to get more disabled people money from the charity - I will write about that later, separately.)
Naively I thought these might be Robin Hood style donations, robbers trying to steal from the rich to give to the poor, but no. After doing lots of research I found this mighty helpful article on the philanthropist's site, which explains all. We are now taking further steps to combat the problem.
Stolen credit-card numbers aren't worth much on the underground market until verified, so thieves use online payment websites to test whether the numbers work. Some thieves pay criminal services groups to do the confirmation work using a bot, a software application that rapidly enters the numbers into payment websites, said Don Jackson, director of threat intelligence at PhishLabs. If the payment goes through, the criminal-services group reports back to the thief that the credit-card number is valid and will work for making larger fraudulent purchases.
Fraudsters also use for-profit retailers to verify stolen numbers. But businesses are often well protected, requiring multiple steps to make purchases such as setting up an account and providing personal information linked to the credit card.
Many nonprofits forgo such requirements to reduce obstacles to making donations.
That simple design is ideal for a thief or a bot trying to test many numbers quickly.
"I think the reason charities and nonprofits are targeted is they want to set it up with as few bars to funding as possible," Mr. Jackson said.
Nonprofits are also vulnerable because online donations are not tied to geography, Mr. Conroy said. If someone uses her credit card to buy coffee in her town of residence on the same day a thief uses her credit-card number to buy a television three states away, that may raise a red flag with the credit-card company. A small, fraudulent online donation is unlikely to trigger that detection system.
The financial costs of these attacks on nonprofits can be significant. Credit-card companies categorize online donations as "card-not-present" transactions and place the burden for recouping fraudulent charges entirely on nonprofits.
That means nonprofits have to return fraudulent donations that people report to their credit-card companies. In May 2013, Irish charity the Jack and Jill Children's Foundation announced that it received and refunded about $170,000 in donations made via stolen credit cards. Most of the donations were less than $7.
For each fraudulent charge, charities also have to pay credit-card companies "charge-back" fees, which can be as high as $25. When thieves targeted DonorsChoose.org about three years ago, it had to pay $10 to $20 in charge-back fees for each of more than 100 fraudulent donations,