Card tumbling: What is it and how to prevent it

Published March 5, 2021

Have you ever wondered how financial institutions come up with the numbers on your credit card? If you’re like most people, the answer is: no, not really.

Instead, most of us are a little more concerned with how spam callers get our phone numbers, or how we can never seem to get rid of unwanted emails no matter how many times we unsubscribe. Or how, despite the time-consuming and expensive methods we use to protect our sensitive information, there’s always a new data breach in the news, putting customer healthcare records, social security numbers, and addresses at risk. If corporations with billions at their disposal can’t protect our information, then how can we be expected to? Should we just break out the tinfoil hats?

Although we may not care as much about the “How?” as we do about the “What now?”, in the case of credit card tumbling both are important. Credit card tumbling, a rarely discussed but effective form of fraud, happens when thieves arrive at valid card details through educated guesses, generated and then tested by computer programs.

Understanding how these fake credit card numbers are created, and how your own personal information factors into the process, can help you or your business avoid becoming the victim of fraud.

How does a credit card tumbling scam work?

Credit card fraud remains the leading form of identity theft, and with steady increases in online shopping, it doesn’t seem like that’ll change anytime soon. That’s because “card not present” (CNP) transactions, where you don’t have to hand your physical card to a merchant, can be difficult to verify.

In an article written on the growing prevalence of credit card fraud, the American Banking Association writes:

“Indeed, CNP fraud is now 81 percent more likely than point-of-sale fraud, according to Javelin Strategy & Research [….] While card-present and counterfeit fraud is down, bank losses from CNP fraud continue to rise.”

Many businesses have put measures in place to prevent online credit card fraud, including encrypting their customers’ data and asking for identifying information. Still, some online merchants are behind when it comes to protecting consumer data, leaving their payment systems vulnerable to cyberattacks. This is where credit card tumbling scams come in.

Card Tumbling: The basics

The term “card tumbling” actually refers to the first step in a larger process. The culprits are usually skilled programmers—people who write code for computer programs—looking to make money at your expense. But it’s not personal. In fact, the first step of credit card tumbling doesn’t involve you at all.

In a credit card tumbling scam, programmers write algorithms, or a set of instructions, to create thousands of possible credit and debit card numbers from scratch. Because hackers don’t need information from you or your business to create these fake numbers, your credit card number is targeted completely by chance. Then they write another series of scripts to “test” these cards on websites—and this is where you come in.

When these hackers determine that their fake credit card numbers have bank accounts to match, they can begin making purchases or selling your information to the highest bidder. This makes credit card tumbling a rare type of identity theft—one that requires very little identifying information.

But how is this even possible to begin with?

Your credit and debit card numbers aren’t random. Instead, they are generated according to a set of mathematical rules.

The first few digits of your card are called the Issuer Identification Number, or IIN. These numbers are specific to your financial institution, like your bank or credit card company, and they vary slightly from customer to customer. The rest of the numbers in the sequence are set according to a standard algorithm, and the final number, called a “check digit,” is added for extra security.

These rules are just about the same for everyone, and this is because financial institutions use a standard process to validate credit card numbers. This process is called Luhn’s Formula, an algorithm designed by Hans Peter Luhn in the 1960s. The formula was created in response to countless credit and debit card errors, which provoked complaints from financial institutions and the consumers who used them. Today, all debit and credit cards are validated with Luhn’s Formula. With fewer possible variations in card numbers, it’s easier to prevent errors and make financial transactions secure.

But Luhn’s Formula wasn’t meant to prevent targeted, malicious fraud. And because the rules used to generate debit and credit card numbers aren’t random, they’re easier for hackers to mimic. Card tumbling is that mimicry in action.
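To make the check-digit step concrete, here is the Luhn validation that a payment system runs on an incoming card number. This is an added example, not code from the original article, and the numbers in it are constructed test values, not real accounts. The point for defenders is the one the article makes: Luhn is a public formula with no secret in it, so it catches typos (a mistyped digit, two adjacent digits swapped) but says nothing about whether an account exists, which is exactly why tumblers still need the card-testing step. The `mask_pan` helper is included because validating a number is the moment a system is tempted to log it, and only the last four digits ever belong in a log.

```python
"""Luhn check-digit validation (added example; not code from the original article).

The Luhn formula is a public standard for catching transcription errors:
a single mistyped digit, or two adjacent digits swapped, changes the sum
and the check fails. It involves no secret, so a number passing the check
is no evidence that a matching account exists. Sample numbers used with
this code are constructed test values, not real accounts.
"""
from typing import List, Optional


def _digits(number: str) -> Optional[List[int]]:
    """Strip the separators people type and reject anything that isn't a digit."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned.isdecimal():
        return None
    return [int(c) for c in cleaned]


def luhn_valid(number: str) -> bool:
    """Return True if the rightmost digit is a correct Luhn check digit."""
    digits = _digits(number)
    if digits is None or len(digits) < 2:
        return False
    total = 0
    # Walk from the right: the check digit itself is position 0 and is not
    # doubled; every second digit to its left is doubled, and a doubled
    # value above 9 has 9 subtracted (the same as summing its two digits).
    for position, d in enumerate(reversed(digits)):
        if position % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(number: str) -> str:
    """Keep only the last four digits for logs, receipts and support tickets."""
    digits = _digits(number)
    if digits is None:
        return "invalid"
    return "*" * (len(digits) - 4) + "".join(str(d) for d in digits[-4:])


if __name__ == "__main__":
    # Constructed test values: a well-known Luhn example, then the same
    # number with one digit mistyped and with the last two digits swapped.
    for sample in ("79927398713", "79927398710", "79927398731"):
        print(mask_pan(sample), "valid" if luhn_valid(sample) else "invalid")
```

Run stand-alone, the script shows the first sample passing and both corrupted copies failing, which is all the formula is designed to do.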

Picture a thief in a high-stakes heist movie, his ear pressed against a safe, carefully turning the dial and listening for the tumblers locking in place. This is credit card tumbling in a nutshell, except that in this case the thief’s stethoscope and gloves are intricately designed lines of code, created for the purpose of generating and testing thousands of possible combinations at once.

A hacker can write code that takes both Luhn’s Formula and your financial institution’s card-creation rules into account. In this high-tech guessing game, hackers can create thousands of accurate credit card numbers with just a few clicks of the keyboard.

As you can probably imagine, card tumbling alone can’t be very useful. Even if hackers can come up with these incredibly complex algorithms, this can create thousands upon thousands of possible credit card numbers. In reality, there are about 30 quadrillion different combinations of a single 15-digit sequence. Even with the aid of computers, this number is too high and cybercriminals would have to individually test every single possible card number for their scheme to work. So before they can sell your credit card number to anyone, they have to verify that it belongs to an actual person.

This is why there’s another step to card tumbling, where scammers test fake card numbers on unsuspecting businesses.

Card testing

All businesses (and consumers) can be vulnerable to card tumbling schemes. But, some online payment systems are more at risk than others.

For a few reasons, non-profits are the most common targets for card tumbling schemes. First, businesses tend to use their websites to sell merchandise or services, while non-profits use their sites to receive donations. This makes it easier for card tumblers to create several low-value transactions without having to look for something inconspicuous to purchase.

Non-profits also tend to be more relaxed about the security of their online payment systems. For example, a non-profit may receive a sudden, unexplained spike in donations: thousands of dollars of modest transactions, all in amounts of one or two dollars. Since nobody expects thieves to donate to charity, these fraudulent donations can easily slip under the radar. And once donations are recognized as card testing, they can be difficult to send back or fix.

Although non-profits are certainly a common target, any business can find itself the victim of card tumbling. All online payment systems can be vulnerable to fraud, and all businesses have a stake in preventing it.

What can we do about Card Tumbling?

And now for the good news: we aren’t helpless against credit card tumbling scams.

Because hackers guess the card numbers they want to steal, there’s no guaranteed way to make sure that yours doesn’t make it on the shortlist. Still, despite the complexity of the process used to steal your information, it can be pretty straightforward to stop potential thieves in their tracks.

You can start by asking for (and providing) information that hackers can’t synthesize with a computer program: security codes, address information and the location you’re accessing the online payment system from, among other things. Businesses can also use monitoring software to build profiles of average customers and track consumer behavior, preventing thieves from making fraudulent purchases.

Following through with these best practices as a business, and being able to recognize them as a consumer, is a painless and cost-effective way to prevent fraud.

Requiring CVV/CSC verification

CVV verification is one of the most important forms of “card not present” verification. Before CVV verification, businesses were concerned about the validity of card numbers, and customers were frustrated by the cumbersome and inefficient methods used to verify card information. In response, CVV/CSC numbers were introduced to allow consumers to make safe and reliable purchases, even without showing their physical cards to businesses.

The formula used by hackers to falsify credit card numbers can’t reasonably account for CVV verification, so those three or four digits throw a wrench into the fraudulent process. Already faced with thousands of possible credit card combinations, even a few more added variables can make the method impossible to complete. Asking consumers for the CVV number therefore protects businesses from fake charges and helps consumers tell a trusted website from a potentially harmful one.

Requiring AVS verification

Address Verification Services, or AVS, help consumers and businesses prevent fraud by requiring customers to provide their address when making a purchase.

Your credit card number alone doesn’t say much about who you are; it only identifies you in that it references a bank account associated with your name. Inputting your address into an online payment form helps businesses verify that the person using your credit card number is actually you, by comparing it to the address on file with your bank.

This works through a few steps shared between your financial institution and the company that you’re purchasing from. Think of when you order a pair of shoes from your favorite online store. First, you enter your credit card number and billing address, then the shoe store’s payment system sends your address to your credit card provider.

Then, the provider sends that information to the institution that issued you the card, and makes sure that the address on record matches the address that you entered in the form. If everything looks good, the issuer confirms this with the shoe store’s payment system, verifying your purchase and securing that fashionable pair of boots.

Geolocation, machine learning, and other methods

In addition to verifying a customer’s CVV and address, businesses can also use:

Geolocation: Transactions are secured by verifying that the location that the purchase is made from matches that of the customer who owns the credit or debit card. Using IP addresses or your phone’s location, businesses can make sure that a customer in Alaska can’t make a purchase using a Californian’s credit card number.

Machine Learning: Using artificial intelligence, businesses can determine the likelihood of credit or debit card fraud. Machine learning systems can analyze consumer behavior and use those insights to distinguish legitimate customers from card tumbling scammers. For instance, if a vegan customer suddenly buys a subscription to Meat Lovers Digest, the machine learning program could flag this transaction as unusual.

Fraud Scoring: This method of security involves analyzing consumer buying habits, and using that information to assign “scores” to each purchase made with your business. These scores refer to the riskiness of each customer based on the variation and frequency of each purchase. This analysis takes several different factors into account when determining these scores, which can include the IP address, location, and purchasing habits of your customers. Fraud scoring can be done manually, but it’s simpler (and quicker) when automated using a computer program.

Velocity Limits: When your business or non-profit is receiving too many repeat transactions, velocity limits help flag and stop this behavior before it goes too far. For example, if you usually see about 2 pipe-cleaner purchases an hour at your online crafts store, your velocity limit will prevent 200 pipe-cleaner purchases from going through in the span of 10 minutes.

Fingerprints and Biometrics: For eligible transactions on capable devices, biometrics can prevent hackers from attacking your business. With just a fingerprint, customers can prove that they’re legitimate, while being certain that you’re taking your data security seriously.
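The velocity-limit item above, and the earlier description of card testing as a burst of one- and two-dollar “donations” from numbers that have never been seen before, can both be expressed as detection logic. The following is an added example written for this article, not code from the original or from any named payment vendor. Every address, timestamp and card token in it is constructed; card numbers appear only as opaque tokens because a fraud-screening layer should never receive or log raw card numbers. It goes slightly beyond the pipe-cleaner example by applying three limits per source address in one sliding window: total attempts, distinct cards tried, and micro-amount attempts.

```python
"""Velocity limits as a card-testing detector (added example; not from the
original article). Transactions, addresses and card tokens are constructed;
card numbers appear only as tokens because a payment system should never
handle or log raw card numbers in this layer."""

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 600        # sliding window: the article's "10 minutes"
MAX_ATTEMPTS = 10           # attempts from one address per window
MAX_DISTINCT_CARDS = 5      # different cards from one address per window
MICRO_AMOUNT = 2.00         # one- or two-dollar "donations"
MAX_MICRO_ATTEMPTS = 3      # micro-amount attempts per address per window


@dataclass(frozen=True)
class Txn:
    ts: float          # seconds since epoch (constructed values)
    source_ip: str     # address the payment form was submitted from
    amount: float      # dollars
    card_token: str    # tokenised card reference, never the raw number


@dataclass(frozen=True)
class Decision:
    txn: Txn
    reasons: Tuple[str, ...]   # empty tuple means the attempt is allowed


def screen(txns: List[Txn]) -> List[Decision]:
    """Apply per-source-IP velocity limits over a sliding time window.

    `txns` must be ordered by timestamp. Every attempt is kept in a deque
    for its source address; entries older than WINDOW_SECONDS are dropped
    before the limits are evaluated, so each attempt is judged against the
    traffic that immediately preceded it from the same address.
    """
    recent: Dict[str, Deque[Txn]] = defaultdict(deque)
    decisions: List[Decision] = []
    for t in txns:
        window = recent[t.source_ip]
        window.append(t)
        while t.ts - window[0].ts > WINDOW_SECONDS:
            window.popleft()

        reasons = []
        if len(window) > MAX_ATTEMPTS:
            reasons.append("attempt-rate")
        if len({x.card_token for x in window}) > MAX_DISTINCT_CARDS:
            reasons.append("distinct-cards")   # many cards, one source
        if sum(1 for x in window if x.amount <= MICRO_AMOUNT) > MAX_MICRO_ATTEMPTS:
            reasons.append("micro-amounts")    # the $1/$2 probe pattern
        decisions.append(Decision(t, tuple(reasons)))
    return decisions


def constructed_sample() -> List[Txn]:
    """Three ordinary donations, then a twelve-attempt probing burst (constructed)."""
    base = 1_700_000_000.0   # arbitrary epoch seconds (constructed)
    legit = [
        Txn(base + 0,   "198.51.100.10", 25.00, "tok_legit_a"),
        Txn(base + 300, "198.51.100.11", 50.00, "tok_legit_b"),
        Txn(base + 900, "198.51.100.12", 10.00, "tok_legit_c"),
    ]
    # Twelve $1 attempts in two minutes, a different card token every time,
    # all from one address: the card-testing shape the article describes.
    burst = [
        Txn(base + 1000 + 10 * i, "203.0.113.7", 1.00, f"tok_probe_{i:02d}")
        for i in range(12)
    ]
    return sorted(legit + burst, key=lambda t: t.ts)


if __name__ == "__main__":
    for d in screen(constructed_sample()):
        verdict = "BLOCK " + ",".join(d.reasons) if d.reasons else "allow"
        print(f"{d.txn.ts:.0f} {d.txn.source_ip:15} ${d.txn.amount:6.2f} "
              f"{d.txn.card_token:13} {verdict}")
```

Run against the constructed sample, the three real donations pass and the burst starts being blocked at its fourth attempt, with each later attempt tripping more of the limits. The thresholds are deliberately plain constants; in practice they would be tuned to the baseline traffic of the site (the article’s “2 pipe-cleaner purchases an hour”), and the same window logic is usually keyed on more than one dimension, such as device fingerprint or account, rather than source address alone.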

Using common sense and due diligence

Your own suspicion and due diligence are your best lines of defense when it comes to preventing these credit card scams from affecting you or your business.

That can include being wary of businesses that don’t require your CVV or address to make a purchase, nonprofits that accept your donation without any other identifying information, and being diligent about checking your bank account balance.

In the case that you find a fraudulent charge on your statement, alert your card issuer right away. Time is of the essence in this scenario, as scammers are often careful about how they spend your money. A few dollars here and there may not seem serious at first. But, even the smallest charge that goes unnoticed can become a big problem—and once that money is gone, there isn’t much businesses can do to get it back to you.

As a business or non-profit owner, be suspicious of spikes in revenue or donations. Accepting only legitimate transactions speaks to the integrity of your business, and your reputation is easily tarnished by a poorly protected payment system.

Using technology to prevent card tumbling

As new methods to reduce fraud are developed, we are confronted with the difficult decision of how to protect our information. In order to make a wise choice, we have to understand how data security software works, and how we should go about using it.

Monitoring and tracking software for businesses

In addition to requiring customers to provide more information to verify their identity, businesses can monitor the transactions made with their payment services. This can include using technology to accurately watch self-service stations, point of sale systems, and the security of mobile apps and websites.

Data security software for businesses can also be a great way to use technology to prevent attempts at theft such as card tumbling. Ideally, this software creates an accurate picture of your company’s average customer and uses your customers’ purchasing information to spot fake customers and fake credit card numbers. Through a combination of machine learning and profiling, security software identifies unusual behavior and notifies you right away, preventing future fake transactions and keeping your customer data safe.

Competent data security software is also both flexible and secure. It protects your consumers’ data while helping them move smoothly through the buying process without jumping through too many hoops.

Learning how to protect customer data is crucial for the success of any business, no matter the size. So do your research on fraud prevention software—it's vitally important in the process of finding the protection that’s right for you and your business.

Monitoring and tracking software for personal use

For consumers who are also serious about preventing scams like credit card tumbling, fraud detection software can be a helpful tool in the fight against hackers and thieves. As elaborate credit card fraud schemes become more common, information security companies are designing more creative ways of keeping consumers informed and prepared for theft and privacy violations.

Similar to the software used for businesses, data security software for individuals creates a financial profile for banking and credit monitoring. It can include details about your credit score and credit report, information about what you buy and where you buy it, and trends in your shopping habits over the course of your life. This software can also aggregate data regarding your debit or credit card account, credit card balance or withdrawal and deposit history.

Tracking software can also include real-time screening and reporting, allowing you to see your purchases as you make them and scan for any strange or unrecognized payments. Using your past buying habits, this software can alert you about unusual purchases, allowing you to make the right decision regarding your account.

Uniquely, data security software can also detect gray areas in your purchasing behavior that certain banking institutions or credit card companies may not catch. By including a combination of historical data and different kinds of credit card transaction details, data security software cuts down on false positives and allows you to shop freely without worrying about embarrassing declined charges.

Depending on the type of software you choose, this information can be accessed through a mobile app, or through a website where you securely enter details about yourself, your credit card company, and your banking institution. By keeping tabs on your data, you can stop a scammer from emptying out your account—while keeping an eye on your spending habits.

What we can learn from card tumbling

Even if we aren’t always aware of it, fraud prevention has become a part of our daily lives.

Early scammers used methods such as pick pocketing, dumpster diving, or simply looking over the shoulders of potential victims to collect and sell stolen information. But, as more ways to share information are invented, more ways to steal that information spring up to meet them.

Now, we’re all required to do our part. We shred all of our paper records, cup our hands over the PIN pad at the grocery store, and avoid sharing our information over the phone. We create passwords the length of football fields, and it feels like we’re taking an exam each time we want to check our account balance.

Still, the emergence of card tumbling tells us that some aspects of protecting our data aren’t within our control. And, no matter how many security measures we create, more scammers will work to find novel ways to steal our information. So, although payment fraud remains rare, it can be a sign of more complex, more intelligent systems used to assume your identity, or in the case of card tumbling, your hard-earned savings.

Despite this, we know that all hope is not lost.

By introducing more robust methods of data security for our businesses, being diligent about our decisions as customers and working together to make financial transactions more secure, we can effectively reduce rates of fraud. In doing so, we build trust between customers and businesses, and set a standard for the future of data security.
