
Splunk Lantern

Credit card fraudulent test purchases

You might need to check for test purchases on credit cards when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

When a credit card is used to make a small purchase, immediately followed by a large purchase, the transaction might be fraudulent. The small transaction can be a test to see whether the card has been deactivated or will be declined.

To optimize the search shown below, specify a time range. You may also need to adjust the field names used here (customer, amount, action) to match what is available in your data source.

  1. Run the following search:

     sourcetype=<customer information data source>
     | eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")
     | sort - _time
     | streamstats earliest(amount) AS first_amount latest(amount) AS last_amount earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions by customer
     | where (((first_amount < 20) AND (last_amount > 3000)) AND (num_transactions >= 2))
     | eval first_amount=tostring(round(first_amount,2),"commas"), last_amount=tostring(round(last_amount,2),"commas"), latest_time=strftime(latest_time,"%Y/%m/%d %H:%M:%S")
     | table customer, _time, latest_time, num_transactions, first_amount, last_amount

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search / Explanation

sourcetype=<customer information data source>
    Search only your business service data for customer information. Replace the placeholder with the sourcetype that holds your card transactions.

| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")
    Parse the time stamp string into a UNIX time value. This step is only needed when _time arrives as a text string (for example, from a lookup or CSV file). For indexed events _time is already a UNIX time value, and applying strptime to it returns null, so omit this line in that case.

| sort - _time
    Sort the results in descending time order, newest first. The streamstats time_window option requires events ordered by _time. Because earliest() and latest() pick values by time stamp rather than by position in the stream, the window logic works with this order.

| streamstats earliest(amount) AS first_amount latest(amount) AS last_amount earliest(_time) AS _time latest(_time) AS latest_time time_window=1m count(action) AS num_transactions by customer
    For each event, look across a sliding one-minute window of that customer's transactions and report the amount of the earliest and of the latest transaction in the window, the earliest time stamp (written back to _time), the latest time stamp, and the number of transactions, renaming the fields as shown.

| where (((first_amount < 20) AND (last_amount > 3000)) AND (num_transactions >= 2))
    Return only events where the earliest transaction in the window is less than 20, the latest is greater than 3,000, and there were at least two transactions in the window. Tune both thresholds to the transaction sizes that are normal for your business.

| eval first_amount=tostring(round(first_amount,2),"commas"), last_amount=tostring(round(last_amount,2),"commas"), latest_time=strftime(latest_time,"%Y/%m/%d %H:%M:%S")
    Convert the monetary values to strings rounded to two decimal places, with commas as thousands separators. Then convert the latest UNIX time value into a human-readable string.

| table customer, _time, latest_time, num_transactions, first_amount, last_amount
    Display the results in a table with columns in the order shown.
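To check the window and threshold semantics before scheduling the search, here is the same detection logic in plain Python. This is an added example, not code from the Splunk Lantern page or from Splunk: it reimplements the streamstats sliding window over a constructed list of transactions that use the field names from the search (customer, amount, action) and the page's time stamp format. The sample events, customer IDs and amounts are invented for illustration.

```python
"""Sliding-window detection for credit card "test purchase" fraud.

Added example, not the Splunk Lantern page's own code: a plain-Python
re-implementation of the page's streamstats logic so the thresholds and
the one-minute window can be checked offline on sample data.
"""
from collections import defaultdict, deque
from datetime import datetime

# Thresholds mirror the page's where clause: first_amount < 20,
# last_amount > 3000, at least 2 transactions within a one-minute window.
SMALL_MAX = 20.0
LARGE_MIN = 3000.0
WINDOW_SECONDS = 60
MIN_TRANSACTIONS = 2
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"   # same format the search's strptime parses

# Constructed sample events (customer, timestamp, action, amount); not real data.
SAMPLE_EVENTS = [
    ("c1001", "2024/03/05 14:02:11", "purchase", 1.50),
    ("c1001", "2024/03/05 14:02:40", "purchase", 3499.00),  # test then big buy: hit
    ("c2002", "2024/03/05 14:05:00", "purchase", 4.25),
    ("c2002", "2024/03/05 14:07:30", "purchase", 5200.00),  # 150 s apart: outside window
    ("c3003", "2024/03/05 14:10:00", "purchase", 12.00),
    ("c3003", "2024/03/05 14:10:20", "purchase", 8.00),
    ("c3003", "2024/03/05 14:10:45", "purchase", 3100.00),  # three in window: hit
    ("c4004", "2024/03/05 14:12:00", "purchase", 45.00),
    ("c4004", "2024/03/05 14:12:30", "purchase", 9000.00),  # first amount not small: no hit
]


def parse_time(ts):
    """Equivalent of strptime('_time', "%Y/%m/%d %H:%M:%S") on a string field."""
    return datetime.strptime(ts, TIME_FORMAT)


def detect_test_purchases(events, window=WINDOW_SECONDS):
    """Return one finding per event whose trailing `window`-second span for the
    same customer starts with a small purchase and ends with a large one.

    Mirrors streamstats earliest(amount), latest(amount), earliest(_time),
    latest(_time) and count(action) with time_window=1m by customer.
    """
    # streamstats time_window needs events ordered by _time. The page sorts
    # newest first; walking oldest first gives the same windows because
    # earliest()/latest() are chosen by time stamp, not stream position.
    ordered = sorted(events, key=lambda e: parse_time(e[1]))
    windows = defaultdict(deque)  # customer -> deque of (datetime, amount)
    findings = []
    for customer, ts, _action, amount in ordered:
        t = parse_time(ts)
        q = windows[customer]
        q.append((t, amount))
        # Evict this customer's events that fall outside the window.
        while q and (t - q[0][0]).total_seconds() > window:
            q.popleft()
        first_time, first_amount = q[0]     # earliest(_time), earliest(amount)
        last_time, last_amount = q[-1]      # latest(_time), latest(amount)
        num_transactions = len(q)           # count(action)
        if (first_amount < SMALL_MAX and last_amount > LARGE_MIN
                and num_transactions >= MIN_TRANSACTIONS):
            findings.append({
                "customer": customer,
                "_time": first_time.strftime(TIME_FORMAT),
                "latest_time": last_time.strftime(TIME_FORMAT),
                "num_transactions": num_transactions,
                # tostring(round(x,2),"commas") equivalent
                "first_amount": f"{first_amount:,.2f}",
                "last_amount": f"{last_amount:,.2f}",
            })
    return findings


if __name__ == "__main__":
    for row in detect_test_purchases(SAMPLE_EVENTS):
        print(row)
```

Running the block reports c1001 and c3003 and leaves c2002 alone, because its two purchases are 150 seconds apart; widening the window (for example, detect_test_purchases(SAMPLE_EVENTS, window=200)) picks that customer up too, which is the trade-off you make when tuning time_window against false positives.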

Result

Schedule this search as a regular report to find customers with a small purchase followed by a large one within a short period. Use the results to look up the customer's contact information and alert them right away. If the card has been stolen, prompt notification may prevent further fraud.