Enumeration attacks are also known as brute force attacks. These attacks attempt to submit payment information through a merchant’s website fraudulently. An enumeration attack basically hacks a website through several techniques. It will try a specific technique over and over until it finds success.

Enumeration attacks come in many different forms, including:

• Card stuffing: Using bots to inject legitimate payment information into a merchant’s checkout page.
• Opening fraudulent merchant accounts: Creating a fraudulent account allows a hacker to log into the merchant’s website.
• Taking over a merchant account: Similar to gaining access to an admin account, the hacker targets weak points in the merchant’s payment software, such as payment gateways, to take over a merchant’s account.
• Cloning merchants: By obtaining fraudulent point of sale (POS) device credentials, fraudsters can connect to a POS device with weak credentials and submit fraudulent transactions.

One example of an enumeration attack is when a fraudster submits payment information on a website’s checkout page. It may fail a few times, but if the shopping cart software cannot prevent these repeated attempts, the fraudster will simply continue submitting bogus or stolen information until it is finally accepted.

One way Visa is combating enumeration attacks is through its generative AI-powered solution. The solution is called the VAAI Score tool and is being rolled out to US merchants. The tool is part of its comprehensive Visa Account Attack Intelligence (VAAI) offering.

In a May 7 press statement, Visa said that enumeration attacks amounted to $1.1 billion in losses for US merchants. Visa’s VAAI Score tool will help reduce these losses by assigning risk scores to card-not-present (CNP) transactions. Clients can customize their responses by setting rules based on risk scores.

Merchants can protect themselves from enumeration attacks using better security across their shopping cart software and gateways. Those using a WordPress website can add plugins specifically designed to combat enumeration attacks. CATPCHAs, passkeys, oAuth, in-device biometrics, and multi-factor authentication also help to reduce enumeration attacks.