Hello, WAF. How Funraise's newest security feature is kicking carding fraud to the curb.

April 19, 2022
10 minute read
Funraise’s Chief Product Officer, Tony Sasso, shares a look into the fundraising features we’re rolling out and why.

Carding fraud attacks suck.

And what’s worse, nearly all nonprofits can be victims of carding fraud attacks. To help your nonprofit defend against these attacks, Funraise has a suite of fraud mitigation tools—and our most recent innovation is already showing impressive initial success in reducing fraud attempts for our customers. The release of Funraise’s new Web Application Firewall (WAF) and its results so far underline the leading role Funraise is playing in protecting nonprofits from this common type of online fraud attack.

What is Carding Fraud?

Carding fraud is the most common type of online fraud nonprofits face. Carding occurs when an individual (usually aided by automation tools) runs transactions through a payment form to test which stolen card numbers are still usable; the cards that clear are the ones the fraudster goes on to spend with. Fraud is an issue for any service or company that collects payments.

Why nonprofits, though?

Great donation forms are designed for a fast payment flow that reduces friction and time for supporters to make contributions (that easy giving experience we talk about). The streamlined nature of donation forms, and the fact that most of them accept transactions of small amounts, make them perfect targets for carding. Additionally, because no goods or services are exchanged during the course of a donation, nonprofits often forgo the features or strategies other merchants use to mitigate fraud, because those measures add friction for the donor.

For this reason, Funraise employs several different layers of sophisticated fraud mitigation tools that are transparent to donors.

Is fraud the same as a data breach? Is my organization at risk?

No and no. A data breach occurs when someone gains access to data they are not authorized to access. The data hosted in your fundraising database is not at risk when it comes to carding fraud.

And here’s (mostly) why: Instead of trying to access the data in your fundraising database, the carding fraudster is bringing information to your site and using your nonprofit’s public donation form to confirm the validity of that information, like whether a stolen card can successfully transact a small amount. 

The carding fraudster does not need to “hack” or gain unauthorized access to your data to run stolen cards against your donation form—everything the carding fraudster needs is right on your website.

While your organization should have security policies in place and a fundraising platform partner that prioritizes your data security, carding fraud can happen to any organization with a public online donation form. Carding fraud is still an attack, but when your organization is the victim of carding fraud, the security of your data has not been compromised.

How do we know if our organization is experiencing a carding fraud attack? What should we expect/do if we experience this?

Oh, you’ll know. Carding fraudsters often use bots to automate running hundreds or thousands of stolen credit cards through a payment form at high velocity. While most of these cards will fail, a few may succeed, fulfilling the purpose of carding: to identify which cards can be used for fraudulent spending.

When your organization is experiencing a carding fraud attack, you’ll see an abnormally high rate of failed transactions: hundreds of declines in a short period of time, typically for small amounts, with the occasional small successful charge mixed in.

If you’re experiencing a carding fraud attack, take a breath. Remember that your data is not at risk in the context of carding fraud—this is not a data breach! It’s a good idea to reach out to your fundraising platform partner to report the attack and request their support in the clean up required. Here at Funraise, we have a customer-facing Technical Systems team that works directly with organizations. This team is equipped to help our customers recover from carding fraud.

How does Funraise protect my organization from carding fraud?

It’s worth mentioning that carding fraud is a widespread problem, not a Funraise or donation-platform-specific problem. Every payment or donation technology will face these attacks. Funraise has prioritized protecting our customers from carding attacks because when these attacks occur, an organization (and our team) spends a lot of time and resources cleaning up. Additionally, a carding attack can add to a nonprofit’s reputation risk or financial risk. Funraise was built to make fundraising online as easy as possible, which also includes providing accessible tools to mitigate the damage online carding fraud can inflict.

Our team has worked hard to fortify Funraise’s donation form against fraudsters of all types while ensuring that the donation experience remains as frictionless as possible for donors. This is why Funraise employs several sophisticated layers of fraud mitigation that are transparent to donors. There is no silver bullet tool to eliminate transaction fraud online—just like any security protocol, it requires a collection of risk mitigation actions that target specific aspects of fraud attempts. 

Here are several methods we use to prevent fraud.

Rate limiting and IP banning

To limit fraud bots, Funraise bans IP addresses that exceed our set rate limits. Rate limiting knocks out individual nodes of a botnet, and blocking an IP address is a quick way to stop a high-volume fraud attempt from a single source. It is a short-term method, though: attackers rotate through proxies and botnet addresses, so a ban on one IP rarely ends an attack on its own, which is why it is paired with the layers below.

Human monitoring

Preventing fraud requires active monitoring from humans along with the use of automated tools. Our Technical Systems team monitors logs and transaction success rates across all of our customers to proactively mitigate fraud.

Google reCAPTCHA

Funraise’s Giving Forms have a built-in integration with Google reCAPTCHA. The basic concept of a reCAPTCHA is to ask a human to complete a task that is particularly difficult for a basic bot to accomplish, like identifying objects in pictures.

Rather than require every donor to complete the puzzle, Funraise only displays reCAPTCHA when we detect fraud patterns. reCAPTCHA is removed from the donation form after detected fraud patterns cease. By dynamically displaying reCAPTCHA, your donation forms provide the most efficient donation experience for your donors while still mitigating bot attacks.
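Here is how those two layers, the per-IP rate limit with a temporary ban and a CAPTCHA that switches on only while failures are spiking, fit together, as an added Python example. It is not Funraise’s code: the thresholds, window lengths, IP addresses and the event stream are all made up for illustration. The constructed traffic also shows why the two layers are paired: a botnet that rotates through 25 addresses makes one attempt per address and never trips the per-IP limit, but the global decline counter still switches the CAPTCHA on, and it switches itself off once the declines age out of the window.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Decision:
    allow: bool    # may this charge attempt go to the payment gateway?
    reason: str    # "ok", "rate_limit_exceeded" or "banned"
    captcha: bool  # must the form show a CAPTCHA to this request?


class CardingGuard:
    """Two controls in front of a donation form (illustrative thresholds).

    1. Per-IP rate limit: more than ip_limit attempts within ip_window seconds
       bans that IP for ban_seconds.
    2. Global decline monitor: fail_limit declined charges within fail_window
       seconds, from any mix of IPs, switches the CAPTCHA on; it switches
       itself off once those declines age out of the window.
    """

    def __init__(self, ip_limit=10, ip_window=60.0, ban_seconds=600.0,
                 fail_limit=20, fail_window=60.0):
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.ban_seconds = ban_seconds
        self.fail_limit, self.fail_window = fail_limit, fail_window
        self.attempts = defaultdict(deque)  # ip -> timestamps of attempts
        self.banned = {}                    # ip -> time the ban expires
        self.declines = deque()             # timestamps of declined charges

    @staticmethod
    def _prune(queue, now, window):
        # Drop timestamps older than the window (queues are in time order).
        while queue and now - queue[0] > window:
            queue.popleft()

    def captcha_required(self, now):
        self._prune(self.declines, now, self.fail_window)
        return len(self.declines) >= self.fail_limit

    def check_request(self, ip, now):
        """Call before forwarding a charge attempt to the gateway."""
        expiry = self.banned.get(ip)
        if expiry is not None:
            if now < expiry:
                return Decision(False, "banned", self.captcha_required(now))
            del self.banned[ip]  # ban has lapsed; start counting afresh
        attempts = self.attempts[ip]
        self._prune(attempts, now, self.ip_window)
        attempts.append(now)
        if len(attempts) > self.ip_limit:
            self.banned[ip] = now + self.ban_seconds
            attempts.clear()
            return Decision(False, "rate_limit_exceeded", self.captcha_required(now))
        return Decision(True, "ok", self.captcha_required(now))

    def record_outcome(self, approved, now):
        """Call with the gateway's verdict for an attempt that was allowed."""
        if not approved:
            self.declines.append(now)


def sample_events():
    """Constructed traffic as (seconds, ip, gateway verdict). Not real data."""
    events = [(0.0, "198.51.100.7", "approved")]               # a real donor
    events += [(10.0 + 0.5 * i, "203.0.113.5", "declined")     # one noisy bot
               for i in range(15)]
    events += [(30.0 + k, f"203.0.113.{100 + k}", "declined")  # rotating botnet
               for k in range(25)]
    events.append((200.0, "198.51.100.8", "approved"))         # another donor
    events.append((300.0, "203.0.113.5", "declined"))          # the bot returns
    return events


def simulate(events, guard=None):
    """Run the guard over an event stream and tally what happened."""
    guard = guard if guard is not None else CardingGuard()
    stats = {"allowed": 0, "blocked": 0, "captcha_shown": 0, "banned_ips": set()}
    for now, ip, verdict in events:
        decision = guard.check_request(ip, now)
        if not decision.allow:
            stats["blocked"] += 1
            stats["banned_ips"].add(ip)
            continue
        stats["allowed"] += 1
        if decision.captcha:
            stats["captcha_shown"] += 1
        guard.record_outcome(verdict == "approved", now)
    return stats


if __name__ == "__main__":
    print(simulate(sample_events()))
```

In the constructed run the single bot is banned on its 11th attempt inside the minute, while all 25 botnet addresses get through the per-IP check; the CAPTCHA comes on partway through the botnet burst and is gone again by the time the next real donor arrives. In a real deployment the counters would live in a shared store rather than process memory so that every application instance sees the same attempt and decline counts.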

Gateway Level Fraud Prevention

Funraise's donation form is configurable so you can collect the information required for the gateway level verification methods appropriate for your use case, including Address Verification Service (AVS), which checks the billing address or postal code the donor enters against the card issuer's records, and Card Verification Value (CVV), the short code printed on the card that is never stored with the card number and so is often missing from stolen card data. This allows you to rely on both Funraise’s and your own gateway’s fraud mitigation tools.

For transactions processed with Stripe, Funraise’s preferred payment partner, we also pass the IP address of each online transaction, along with other transaction data, which can be used to manually block a specific IP address that has repeated fraudulent activity.

Hello, WAF. We recently added a new tool to our fraud mitigation toolkit and the initial results are impressive.

Funraise's fraud protection has been a priority for our payments team, as you can see by the mitigation features listed above. In a recent release, we introduced a new innovation that has had impressive initial success.

This new layer of protection is called a Web Application Firewall (WAF). You can think of the WAF as a shield that sits between Funraise’s platform and a world full of fraudsters (or bots). The WAF inspects every HTTP request before it reaches the application, weighing signals about the source (its trustworthiness and request rate, which attackers constantly shift) and about the validity of the request itself, and blocks traffic that fails those checks.

This means that while Funraise’s WAF was intended to shrink the breadth of carding attacks, it also offers some protection against malicious hackers who are trying to breach your data: the WAF filters out requests that match the fingerprints of known attack techniques, such as SQL injection, cross-site scripting (XSS), file inclusion, and probes for improperly configured systems. A WAF filters traffic to the application; it does not replace secure coding and patching of the application behind it, so it sits alongside those practices rather than in place of them.

Like most of Funraise’s security features, fraud prevention tools operate behind the scenes—we hope you never even know they’re there. Because of this, it’s quite exciting to see these tools in action. Check it out!

One method to monitor carding fraud attempts and the success of our mitigation efforts is to view a timeline of failed transactions. Because the majority of stolen cards will fail, we see spikes and surges of failed transactions during carding fraud attempts. While our goal was not necessarily to reduce failed transactions overall, the rate of failed transactions is one way of viewing the impact of carding fraud on the system.

Almost immediately after implementing the new WAF, failed transactions stopped spiking and returned to an expected, consistent level, while successful donations didn’t fluctuate. That is the combination we want to see: the WAF is blocking fraud sources without turning away real donors. This is what fraud protection looks like.
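A small version of that monitoring, added here as an example and not Funraise’s tooling: it buckets transaction log lines by minute and flags minutes where declines jump well above a rolling baseline while approvals stay flat. The log format, the counts, the IP addresses and the thresholds are all invented for the example. The point is the shape of the signal: declines up with approvals unchanged is a carding burst, whereas approvals and declines rising together is just a busy form, and the constructed log contains one of each so the rule has to tell them apart.

```python
import re
from collections import Counter
from statistics import median

# One transaction per line: ISO timestamp, gateway verdict, client IP.
# Constructed format for this example, not Funraise's log schema.
LOG_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2}Z\s+"
    r"(?P<verdict>approved|declined)\s+ip=(?P<ip>\S+)$"
)


def bucket_by_minute(lines):
    """Return [(minute, approved, declined), ...] in time order,
    ignoring lines that do not match the format."""
    approved, declined = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        counter = approved if m["verdict"] == "approved" else declined
        counter[m["minute"]] += 1
    minutes = sorted(set(approved) | set(declined))
    return [(mn, approved[mn], declined[mn]) for mn in minutes]


def detect_spikes(series, baseline_len=5, ratio=3.0, floor=10, ok_ratio=2.0):
    """Flag minutes where declines are at least `floor` and at least `ratio`
    times the median of the previous `baseline_len` minutes, while approvals
    stay within `ok_ratio` times their own median. Declines up with approvals
    flat is the carding signature; both up is just a busy form."""
    alerts = []
    for i in range(baseline_len, len(series)):
        window = series[i - baseline_len:i]
        decline_base = max(median([d for _, _, d in window]), 1)
        approve_base = max(median([a for _, a, _ in window]), 1)
        minute, approved, declined = series[i]
        if (declined >= floor and declined >= ratio * decline_base
                and approved <= ok_ratio * approve_base):
            alerts.append(minute)
    return alerts


def sample_log():
    """Constructed log: 20 minutes at 4 approved / 1 declined, a carding burst
    in minutes 8-10 (60 declines plus a few stolen cards that clear) and a
    genuine giving surge in minute 15 (40 approved, 12 declined).
    IP addresses are documentation-range placeholders."""
    profile = {8: (5, 60), 9: (5, 60), 10: (5, 60), 15: (40, 12)}
    lines = []
    for minute in range(20):
        approved, declined = profile.get(minute, (4, 1))
        for n in range(approved):
            lines.append(f"2022-04-01T12:{minute:02d}:{n % 60:02d}Z approved "
                         f"ip=198.51.100.{n % 200 + 1}")
        for n in range(declined):
            lines.append(f"2022-04-01T12:{minute:02d}:{n % 60:02d}Z declined "
                         f"ip=203.0.113.{n % 200 + 1}")
    return lines


if __name__ == "__main__":
    series = bucket_by_minute(sample_log())
    for minute in detect_spikes(series):
        print("possible carding burst at", minute)
```

On the constructed log the rule fires for minutes 8, 9 and 10 and stays quiet for the giving surge in minute 15, because approvals climbed alongside the declines there. Comparing against a median of recent minutes rather than a fixed number keeps the alert meaningful for a form that normally sees two donations an hour as well as one that sees two hundred.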

[Figure: Failed Transactions Over Time. Early spikes of failed transactions, then a dramatic drop after the WAF rollout.]

So, no more carding fraud?

Unfortunately, carding fraud attacks will continue to occur. Like all security strategies, our goal is risk mitigation—it’s impossible to be free from risks online. Carding fraudsters are putting just as much effort into carding attacks as we put into blocking them. This is why it’s crucial for your fundraising platform partner to clearly communicate how they are prioritizing protecting your organization from carding attacks.

Funraise’s new fraud mitigation tool is an impressive addition to the fraud mitigation toolkit working for our customers already, not just because of how it works, but because of how well it’s working. This new layer has already resulted in the reduction of carding fraud against nonprofit organizations and we’re excited to continue to tune the tool to maximize its results—and to continue building fundraising features that grow nonprofit revenue.
