Russian hackers have found a way of exploiting a merchant account security vulnerability using the pre-authorization request to discover the amount of credit available on compromised credit cards. These hackers operate a handful of checker sites to be used by identity thieves as a service which allows these criminals to easily discover the amount of available credit on a card, so they know how large a charge they can place on it. Pre-authorization checks are done frequently, for instance when a credit card is swiped at a restaurant, and unless a consumer monitors activity on their account in real time, an illicit pre-authorization check may go completely undetected.

One thing that consumers can do to counter this kind of attack is to sign up to be alerted by email whenever there is any activity on their account; in fact, this is most often how banks are alerted that a merchant account is being used for card checking. These criminals count on the fact that merchants, issuing banks, and acquiring banks do not share pre-authorization information. If they did, the patterns of illicit activity would be easy to detect. If a bank is informed by a customer that the activity is occurring, most likely originating from another jurisdiction, the bank will do little more than try to sell the customer additional fraud protection services and return any funds that were fraudulently obtained if illicit charges actually cleared.

As a merchant, other than following normally prudent security procedures, the way that you can help with this problem is to notify the bank you have your merchant account with when you are alerted to, or notice yourself, an unusual number of pre-authorizations issued from your account. Currently the only defense against this type of attack is to make sure all the parties involved share information on unusual merchant account activity.