Welcome to the Click & Pledge Fundraising Command Center Podcast!
Welcome to the Click & Pledge Fundraising Command Center Podcast – your mission control for mastering modern philanthropy. Every month, we equip you with the insights, tools, and strategies you need to elevate your impact. We believe in understanding the why, mastering the what, and showcasing the how of successful fundraising. Tune in every Monday for a new perspective:
The Why
Start your month with the big picture. "The Why" is our thought-leadership series that dives into the deep, foundational concepts behind our work. Every first Monday, we explore the science, philosophy, and psychology of fundraising, technology, and giving. This show isn't just about what you do; it's about providing a framework for why you do it. Join us as we connect big ideas from neuroscience, behavioral economics, and cognitive science to the future of philanthropy.
The What
Get to know your toolkit. "The What" is our product-focused series where we go "under the hood" of the Click & Pledge platform. Every second Monday, we deconstruct our features, reveal the "story behind the product," and explain what our technology is designed to do. If you want to understand the architecture, the design, and the specific problems our tools solve, this is your guide to the blueprint.
The How
Learn from the leaders. "The How" is our community showcase, where we pass the microphone to the experts: your peers. Every third Monday, we invite nonprofit leaders, fundraisers, and innovators to share how they are using our platform to run successful campaigns, engage donors, and grow their impact. These are their stories, their strategies, and your real-world templates for success.
Welcome to this edition of Click and Pledge's Fundraising Command Center Podcast, where we talk the why, the what, and the how in the Click and Pledge ecosystem.
Speaker 2:It is so great to be here with you today for another deep dive.
Speaker 1:This is the why series.
Speaker 2:And we've got a really, really fascinating one lined up for everyone listening.
Speaker 1:We really do. So, today, we are going to start by painting a picture for you. It's, well, it's basically a true crime scenario.
Speaker 2:Oh, absolutely.
Speaker 1:But it's one that plays out, you know, every single day in high end retail. So just picture this. Picture someone walking into a luxury store. Let's just say it is a Louis Vuitton boutique.
Speaker 2:Right. High end.
Speaker 1:Exactly. Pristine. The air smells like, you know, expensive leather. And this person walks up to the counter to purchase a $2,400 handbag.
Speaker 2:Just a casual Tuesday afternoon purchase.
Speaker 1:Right. Totally normal. So they hand over a credit card. Cashier swipes it, the terminal communicates with the bank, the transaction is approved, the receipt prints out, and that bag just walks right out the glass doors.
Speaker 2:Clean and simple. Yep. And by the time the actual cardholder sees that charge on their statement, you know, maybe days later and disputes it, that bag has already been flipped on the secondary market.
Speaker 1:Yeah. The thief is long gone and the merchandise is completely untraceable at that point.
Speaker 2:Exactly. It functions as the perfect modern heist. I mean, it is quick, clean, and just highly profitable for the organized rings running these operations.
Speaker 1:It really is. But, okay. Let's unpack this.
Speaker 2:Let's do it.
Speaker 1:Because there is a massive, like, a massive logistical missing piece to this crime that a lot of people just gloss over.
Speaker 2:Right. The testing phase.
Speaker 1:Exactly. Yeah. You cannot just walk up to a cashier at a luxury boutique with a stack of 50,000 stolen card numbers in your pocket Right. And just run them one by one until you get a green light.
Speaker 2:Yeah. They'd call the cops on you in two minutes.
Speaker 1:Exactly. Security would literally have you escorted off the premises by, like, the fifth declined attempt. No physical retail environment is going to permit high volume testing like that. So the fraudster had to know with absolute certainty that specific credit card was going to work before they ever stepped foot in the store.
Speaker 2:Right. They require absolute certainty before committing to that in person transaction. Which brings us to the, kind of chilling moment for our industry.
Speaker 1:Yeah. They didn't test that card at the mall?
Speaker 2:No, they didn't. They tested it on your organization's online donation form.
Speaker 1:Wow. And that is the uncomfortable operational truth that we really need to break down in this deep dive today.
Speaker 2:Yeah, because to a fraudster, a nonprofit's donation page is not a charity.
Speaker 1:Right.
Speaker 2:It's, well, it serves as their quality assurance department.
Speaker 1:That is just wild to think about, but it makes so much sense. So our mission for this deep dive is to explore the mechanics of why malicious actors treat nonprofit donation forms this way. Right?
Speaker 2:Exactly. We are gonna look at how this attack actually works at a technical level.
Speaker 1:And the devastating hidden costs it inflicts on organizations. Plus, most importantly, we're going to explain how our platform at Click and Pledge is structurally designed to just completely neutralize this threat.
Speaker 2:Because your organization needs to be focused on changing the world, not, you know, acting as a testing lab for organized retail crime.
Speaker 1:Exactly. So to understand how these automated bot networks target nonprofits, we first need to look at the origin of the card numbers themselves.
Speaker 2:Yeah. Because the common public perception here is just fundamentally flawed.
Speaker 1:It really is. The general assumption I mean, if you ask most people, they think a credit card number is just a randomized string, like a lottery ticket drawn out of a hat.
Speaker 2:Right. Just random numbers.
Speaker 1:Yeah. But it is highly structured. It functions much more like a zip code or maybe a bank routing number.
Speaker 2:Absolutely. Every single credit card number tells a specific highly regulated story. The digits follow a format defined by international standards.
Speaker 1:And fraudsters use those standards, right?
Speaker 2:Oh! They use them as a mathematical roadmap. If you look at the anatomy of the numbers, that very first digit identifies the payment network.
Speaker 1:Oh right, like if it starts with a four it's a Visa.
Speaker 2:Exactly. A four indicates Visa, a five is MasterCard, a three is American Express. So the number reveals its origin immediately.
Speaker 1:Got it. And following that, the next sequence of numbers narrows the target even further.
Speaker 2:Yes. So the first six digits as a whole constitute what we call the bank identification number or the BIN.
Speaker 1:The BIN. Okay.
Speaker 2:Yeah. The BIN tells you exactly which bank issued the card and crucially what specific tier of card it is.
Speaker 1:So it differentiates like a basic debit card from one of those fancy high limit corporate rewards cards.
Speaker 2:Precisely. Meaning if a fraudster wants to target high limit accounts, they don't just guess randomly, they just look up the six digit BIN for a premium travel card.
Speaker 1:Wow! So they already have the first six digits for millions of potential high value targets before they even start.
Speaker 2:Exactly. But the really fascinating vulnerability lies in how they figure out the remaining digits.
Speaker 1:Especially that final one, right?
Speaker 2:Yeah, the final one is the key. The last digit is known as a check digit. It is calculated using the Luhn algorithm, which is just a mathematical formula.
Speaker 1:And the history behind that algorithm is so wild. I mean, it was patented by an IBM engineer named Hans Peter Luhn back in 1960.
Speaker 2:1960.
Speaker 1:Yeah! This was an era of mechanical computing. We're talking way, way before e commerce even existed.
Speaker 2:Right. It had nothing to do with internet security.
Speaker 1:Exactly. The formula was designed solely to validate the physical structure of a number to prevent, like, accidental transcription errors.
Speaker 2:Just basic data entry mistakes.
Speaker 1:Right. If a data entry clerk accidentally transposed two numbers while typing on a keyboard, the formula would just flag it as an invalid sequence.
Speaker 2:Yeah. It is a simple modulus 10 mathematical formula. You run the previous digits through this nineteen sixty equation and it dictates exactly what that final check digit must be for the entire card number to be structurally valid.
Speaker 1:And fraudsters basically take this helpful validation tool and weaponize it. They reverse engineer it.
Speaker 2:Completely. They utilize standard developer tools to generate millions of numerical sequences locally on their own machines.
Speaker 1:Without even being connected to a bank.
Speaker 2:Right. They then run those sequences through the Luhn algorithm to pre filter them, ensuring every single number they generate is structurally flawless.
Speaker 1:So they aren't breaching a bank's mainframe, they aren't stealing some encrypted database out of a server room?
Speaker 2:No, not at all. They are literally just sitting at a laptop running basic open source math scripts to generate millions of valid credit card sequences.
Speaker 1:That is terrifying. And because they are doing this locally, it doesn't cost them a dime, does it?
Speaker 2:Not a single cent. They never touch a financial network during the generation phase. Creating plausible card numbers is computationally trivial for them.
Speaker 1:Right. So what's the holdup for them then?
Speaker 2:Well, the only bottleneck in their supply chain is finding a live payment endpoint. They need to determine which of those millions of generated numbers actually correspond to a real actively funded bank account.
Speaker 1:Okay, wait. If generating these numbers locally costs nothing, it seems like the dark web should just be flooded with them. Why do they even need to involve a nonprofits payment form?
Speaker 2:That's a great question.
Speaker 1:Cause they could just sell the generated list directly, right?
Speaker 2:They could, but the dark web marketplace operates on reliability. A raw unverified card number carries enormous risk for the buyer. So it is practically worthless.
Speaker 1:What are we talking? Like pennies?
Speaker 2:Maybe a dollar or two at most. But the moment a card is validated.
Speaker 1:Meaning proven to have active available credit.
Speaker 2:Exactly. Once it's validated, its market value skyrockets.
Speaker 1:The price jumps from $1 to what? Up to $150 for a single premium card number?
Speaker 2:Yep. That validation step is the entire profit engine for these networks.
Speaker 1:Wow. But that still leaves the question of why nonprofits are the preferred testing ground. I mean, over major online retailers like Amazon or Walmart?
Speaker 2:Well major ecommerce platforms have massive friction points built into their architecture. Think about it, when someone purchases a physical product there is a fulfillment delay.
Speaker 1:Right, they don't ship it instantly.
Speaker 2:And the retailer cross references the shipping address against the billing address. Nonprofits, by their very nature, design their forms to completely remove friction.
Speaker 1:Which makes sense. I mean, we want to facilitate generosity and not conduct a police interrogation when someone tries to give $50.
Speaker 2:Exactly. But that lack of friction makes nonprofits the perfect sandbox. A bot can hit that form thousands of times without a physical shipping address triggering an alarm.
Speaker 1:And nonprofits process donations instantly in real time.
Speaker 2:Yes. There is no physical inventory to hold back while a manual review takes place. Plus historically many organizations just haven't deployed the kind of enterprise grade behavioral analysis that multinational retailers use.
Speaker 1:So the bots simply submit thousands of tiny $1 donations per minute.
Speaker 2:Yep. And they have zero interest in the transaction actually succeeding. They do not want to give you a dollar.
Speaker 1:They only care about the gateway's error response.
Speaker 2:That's the golden ticket. They're literally just reading the decline codes. If the processor returns invalid card, the bot scripts just discard the number.
Speaker 1:But if the message comes back saying insufficient funds
Speaker 2:Oh, that gives them everything they need. Insufficient funds confirms two critical data points. First, the card number mathematically generated by the script corresponds to a real human being.
Speaker 1:Wow, and second?
Speaker 2:Second, the account is active on the banking network. The fact that the card happens to be maxed out at that exact moment is totally irrelevant to the bot operator.
Speaker 1:Right, because it's a real... So they package that validated number, sell it on the dark web for a premium, and someone else uses it for a high dollar fraudulent purchase later.
Speaker 2:Exactly, like the Louis Vuitton bag.
Speaker 1:That is just wow, and the scale of this operation is staggering. We are not talking about like manual entry by some guy in a basement.
Speaker 2:No, no. Automated bot networks are testing cards at a rate of 50,000 attempts per minute.
Speaker 1:50,000 a minute! That moves way beyond a nuisance! That turns your donation form into the target of a distributed denial of service attack.
Speaker 2:A literal DDoS event. It is an absolute bombardment of your infrastructure.
Speaker 1:But while 50,000 attempts per minute is an engineering challenge, the financial reality for the targeted organization is far more destructive, isn't it?
Speaker 2:It is catastrophic.
Speaker 1:Because we all know payment gateway authorization fees are a standard cost of doing business. You run a card, you pay a penny fee.
Speaker 2:Right.
Speaker 1:But when a bot is firing 50,000 attempts a minute, those standard micro fees suddenly turn into a massive financial hemorrhage.
Speaker 2:Because every single time a payment gateway attempts to authorize a card, the banking network charges a fee. And here's the kicker: the network does not care if the transaction ultimately succeeds or fails.
Speaker 1:Wait, really?
Speaker 2:Really, the fee is incurred simply for asking the issuing bank if the card is good.
Speaker 1:Oh man, so a sustained bot attack can rack up thousands of dollars in authorization fees?
Speaker 2:Literally overnight. An organization can wake up to zero actual donations, but a massive invoice from their payment processor just for the privilege of being attacked.
Speaker 1:That is brutal. And the processor doesn't just send an invoice though. Gateways like Stripe, they automatically monitor accounts for velocity and decline ratios.
Speaker 2:They monitor them very aggressively. When their algorithms detect thousands of declined transactions firing off an account per minute, they don't treat the organization like a victim.
Speaker 1:Right, they don't care that you're a charity.
Speaker 2:Not at all. They view your account as a severe liability to the banking network. The processor will automatically flag the account and suspend payment processing entirely.
Speaker 1:So the nonprofit bleeds thousands of dollars in fees and simultaneously loses the ability to accept legitimate donations from real supporters.
Speaker 2:It's a double blow. It shuts you down completely.
Speaker 1:Okay. So with the threat level this high, traditional defenses are clearly falling short. Let's look at why standard security measures fail. Taking IP blocking first.
Speaker 2:Yeah. Let's talk about that.
Speaker 1:Because you would think, okay, I'm getting hit 50,000 times. I'll just identify the source IP of those attempts and block that server. Boom. Done.
Speaker 2:In earlier eras of the internet, sure, an attack might originate from a single centralized server in a known bad location. You drop that IP address at the firewall and the attack stops.
Speaker 1:But not today.
Speaker 2:Not today. Today, sophisticated operators use residential proxy networks.
Speaker 1:Meaning blocking an IP isn't blocking a hacker's server. You're blocking, like, a compromised smart thermostat or a hijacked router in a suburban home.
Speaker 2:Exactly. Which makes the traffic look entirely legitimate to traditional filters. The attacks are routed through millions of compromised Internet of Things devices globally.
Speaker 1:Wow. So when those transaction attempts hit the donation form, they arrive from perfectly legitimate home Internet connections in Ohio, London, Tokyo.
Speaker 2:Exactly. You cannot block them at the IP level without indiscriminately blocking legitimate donors in those exact same neighborhoods.
Speaker 1:Which renders IP blocking useless. So the other common defense everyone uses is the puzzle test, specifically CAPTCHA.
Speaker 2:Ah, yes. The classic CAPTCHA.
Speaker 1:And by the way, did you know CAPTCHA actually stands for Completely Automated Public Turing test to tell Computers and Humans Apart?
Speaker 2:I didn't know that, but it is an excellent piece of technical trivia.
Speaker 1:I just love that acronym. But the completely automated aspect of CAPTCHA has been thoroughly weaponized, hasn't it?
Speaker 2:Oh, completely. Modern attack scripts do not even attempt to solve the puzzles programmatically themselves. They bypass the system entirely using farm solutions.
Speaker 1:Wait, solutions? Like servers?
Speaker 2:No, instead of using server farms, they are utilizing commercial CAPTCHA farms where real human workers are paid fractions of a cent to solve puzzles all day long.
Speaker 1:So a bot hits my donation page, encounters the CAPTCHA, then what?
Speaker 2:It instantly routes that visual puzzle via an API to a human worker halfway across the world. The human selects the crosswalks or the traffic lights or whatever.
Speaker 1:The bicycles.
Speaker 2:Right, the bicycles. And then they route the solved token back to the bot.
Speaker 2:It is a highly efficient, industrialized process.
Speaker 1:That is insane. How much does that even cost the attacker?
Speaker 2:Bypassing 50,000 CAPTCHA prompts this way costs the operator a negligible amount, often less than $50 total.
Speaker 1:Unbelievable.
Speaker 2:And today, AI driven visual recognition solvers can bypass them even faster and cheaper than the human farms.
Speaker 1:So relying on CAPTCHA is basically like putting up a toll booth where the bad guys can just toss in a penny and the gate swings wide open.
Speaker 2:That is a perfect analogy, it does absolutely nothing to stop a determined attack.
Speaker 1:Ultimately, CAPTCHA serves primarily as just a friction tax that annoys your legitimate supporters.
Speaker 2:Yeah, real donors get frustrated trying to decipher blurry images of school buses while the attackers just automate their way past it instantly.
Speaker 1:Okay, so if the old technology is fundamentally broken, I mean if IP blocking targets the wrong devices and CAPTCHA is just a bypassable tollbooth, how do we actually secure these forms?
Speaker 2:This is where we have to shift the paradigm.
Speaker 1:Right. How does the Click and Pledge architecture fundamentally change the game for the organizations listening right now?
Speaker 2:Well, we have to break the underlying mathematical assumption of the fraud model. We change the architecture of how payments are authorized.
Speaker 1:Okay, I'm listening.
Speaker 2:The first line of defense we recommend at Click and Pledge is leaning heavily into digital wallets, such as Apple Pay and Google Pay.
Speaker 1:Oh, digital wallets. Because they utilize tokenization and biometric authentication. And that breaks the model because the actual credit card number isn't even being transmitted, right?
Speaker 2:Correct. The device issues a substitute number, a token, and that token is uniquely bound to that specific smartphone or smartwatch.
Speaker 1:So even if the bot successfully generated your real credit card number using that Luhn algorithm we talked about,
Speaker 2:they cannot use it through a digital wallet gateway because they do not possess your physical device.
Speaker 1:Right. Plus every single transaction requires biometric authentication.
Speaker 2:Yes, it requires a Face ID scan or a fingerprint, and a bot operating from a headless Linux server somewhere cannot spoof a real human face.
Speaker 1:That makes total sense. By prioritizing digital wallets these high volume validation attacks become architecturally impossible to execute.
Speaker 2:They just bounce right off.
Speaker 1:So that secures the mobile, frictionless side of giving. But obviously, you know, many donors still prefer to manually type their standard credit card number on a desktop computer; we can't just eliminate traditional entry.
Speaker 2:No, we certainly can't. And this is where we need to dive deep into the ultimate defense mechanism built into our platform, pre gateway architecture.
Speaker 1:Pre gateway architecture. So let's break down the how of this. Mhmm. If an organization uses a traditional setup, the donation form takes the card data and immediately hands it to Stripe or another processor to see if it works. Right?
Speaker 2:Yes. And that authorization attempt is exactly what triggers the fee and the potential suspension.
Speaker 1:Got it. So our architecture acts like a highly trained bouncer out on the sidewalk. Right?
Speaker 2:Yes. Before they even get to the door.
Speaker 1:But this bouncer isn't just checking the ID, meaning not just checking the IP address or asking for a CAPTCHA. What specific mechanisms are they using to evaluate the traffic?
Speaker 2:Our pre gateway engine utilizes a multi layered analytical approach. First, we deploy behavioral biometrics.
Speaker 1:Behavioral biometrics, what does that actually look like?
Speaker 2:Well, the system analyzes the microinteractions on the form itself. A real human donor typing a credit card number has a distinct rhythm, right? They pause, they look down at their physical card, their mouse movements have slight imperfections.
Speaker 1:Sure, humans are messy.
Speaker 2:Exactly. Yeah. A bot script however, injects the data into the form fields instantaneously and perfectly. Our engine identifies that non human velocity and flags it immediately.
Speaker 1:So the bouncer isn't just looking at the ID, they're analyzing the exact biomechanics of how the person walked up to the door?
Speaker 2:Precisely, it is extremely effective. Second, we utilize advanced device fingerprinting.
Speaker 1:Okay, so going beyond just the IP address?
Speaker 2:Way beyond. As we discussed, a residential proxy might mask the IP address to look like a home computer in Ohio. But our engine looks deeper. It looks at the device's hardware configuration, the browser headers, the screen resolution.
Speaker 1:So if the IP says it is a standard residential connection, but the device fingerprint reveals a headless server environment running automation software,
Speaker 2:the engine blocks the attempt instantly.
Speaker 1:Wow, that completely strips away the disguise of those residential proxy networks.
Speaker 2:It does. And third, we implement sophisticated velocity checking across our entire ecosystem.
Speaker 1:What does that mean across the ecosystem?
Speaker 2:Well, a bot might try to fly under the radar by only hitting one specific nonprofit's form a few times. Trying to look quiet.
Speaker 1:Sneaky.
Speaker 2:But because our pre gateway architecture analyzes traffic across all Click and Pledge clients simultaneously, we can identify distributed attack patterns instantly.
Speaker 1:Oh, I see. So if a specific device fingerprint or behavioral pattern is attempting small transactions across 20 different charities in our network within like a five minute window.
Speaker 2:The engine neutralizes it globally, everywhere at once.
Speaker 1:The result of deploying behavioral biometrics, device fingerprinting, and global velocity checks is that the malicious traffic is intercepted and completely dropped?
Speaker 2:Yes. It never hits the payment processor.
Speaker 1:Stripe never sees the fraudulent attempts, the issuing banks never see them?
Speaker 2:Exactly. And the operational benefits of this pre gateway architecture are massive.
Speaker 1:I mean, it means zero per authorization fees on bot traffic because the gateway was never even queried.
Speaker 2:Right. It means zero risk of automated account suspensions because your processor only sees clean, legitimate donor traffic.
Speaker 1:And it means zero chargebacks stemming from these validation attacks.
Speaker 2:It completely insulates the organization from the financial and operational devastation of a DDoS validation attack. The bots can throw 50,000 attempts a minute at the form, and our proprietary shield simply absorbs and deflects the traffic.
Speaker 1:It provides total peace of mind for the organizations relying on us. And I love this part. At Click and Pledge, we back this pre gateway model with a 100% guarantee.
Speaker 2:Yes, we do.
Speaker 1:If a fraudulent transaction somehow bypasses our proprietary shield, our platform covers the chargeback and the processing costs entirely. We absorb the risks so the organization can focus exclusively on their mission.
Speaker 2:It is a game changer for nonprofits. Right. However, you know the implications of this technology extend beyond just the organizational level.
Speaker 1:What do you mean?
Speaker 2:Well, think about your personal credit card. It does not even need to be stolen in a corporate data breach to be compromised anymore.
Speaker 1:Right, because of what we talked about earlier.
Speaker 2:Exactly. A bot sitting on a server rapidly generating millions of sequences could mathematically generate your exact card number by pure statistical chance.
Speaker 1:So your card never leaves your wallet, you never shop on an unsecured website, but suddenly your number is active in the dark web marketplace.
Speaker 2:Yep. Which leads to my most urgent piece of actionable advice for everyone listening today.
Speaker 1:Oh definitely everyone needs to hear this.
Speaker 2:Log into your personal banking application today, locate your credit card alert settings and configure the transaction alert threshold to the absolute minimum amount permitted by your institution.
Speaker 1:And usually that is 1 single cent, right? $0.01
Speaker 2:Yes. Configure it to alert you for literally every transaction no matter how small.
Speaker 1:Because getting a push notification for every morning coffee is like a minor inconvenience.
Speaker 2:It is. But it is the only reliable method to catch a $1 validation test from an automated script.
Speaker 1:Wow, so if you see a tiny unfamiliar charge from a random merchant or a charity you have never interacted with, you do not dismiss it.
Speaker 2:Never dismiss it. Contact your bank immediately and cancel that card. Because if you fail to catch that invisible $1 test, I guarantee you the $2,400 luxury handbag charge is already processing.
Speaker 1:You have to catch the invisible dollar to stop the visible theft. That is such great advice. Thank you for walking us through the deep mechanics of these attacks and, how pre gateway architecture fundamentally changes the security landscape.
Speaker 2:It was my pleasure.
Speaker 1:For more information about this and all Click and Pledge products, make sure to visit clickandpledge.com and request a one on one training or demo, whether you are a client or curious about our platform. Just ask us, and we will gladly get together with you to chat.
Speaker 2:We really do look forward to connecting with you.
Speaker 1:Don't forget to subscribe to this podcast to stay up to date with all the latest and greatest features of the Click and Pledge Fundraising Command Center.
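The card-number structure discussed in the episode (network prefix, six-digit BIN, Luhn mod-10 check digit), as an added example placed after the transcript; this is editor-written illustration code, not Click and Pledge's platform code or anything the hosts presented. The first-digit network mapping is the simplified one stated in the episode, the BIN `411111` is the well-known Visa test prefix used here as a constructed input, and `luhn_valid_count` exists only to show why pre-filtering is trivial: exactly one in ten sequential candidates passes. Note what the check does not do: a Luhn-valid number says nothing about whether an account exists or is funded, which is exactly why the attacker still needs a live endpoint to ask.

```python
"""Luhn (mod 10) check-digit arithmetic and card-number structure."""

# Simplified network-by-first-digit mapping, as described in the episode.
# Real BIN/IIN tables are far more granular; this is an assumption for illustration.
NETWORK_BY_FIRST_DIGIT = {"3": "American Express", "4": "Visa", "5": "Mastercard"}


def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum over a full digit string, check digit included.

    Walking from the rightmost digit, every second digit is doubled and, if the
    product exceeds 9, reduced by 9 (the same as summing its two digits).
    A structurally valid number has a total divisible by 10.
    """
    if not digits.isdigit():
        raise ValueError("digits only")
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # positions 1, 3, 5, ... from the right are doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the full number (with its check digit) passes the Luhn test."""
    return luhn_checksum(number.replace(" ", "").replace("-", "")) % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """Compute the check digit that makes `partial` + digit Luhn-valid.

    Appending a placeholder 0 puts every existing digit in the position it
    will occupy once the real check digit is present; the check digit is then
    whatever brings the total up to the next multiple of 10.
    """
    return (10 - luhn_checksum(partial + "0") % 10) % 10


def classify(number: str) -> dict:
    """What the number's structure reveals before any bank is ever contacted."""
    return {
        "network": NETWORK_BY_FIRST_DIGIT.get(number[0], "unknown"),
        "bin": number[:6],
        "luhn_valid": luhn_valid(number),
    }


def luhn_valid_count(bin6: str, account_start: int, n: int, length: int = 16) -> int:
    """Count how many of n sequential candidates built from a BIN pass Luhn.

    Every block of ten candidates that differ only in the last digit contains
    exactly one Luhn-valid number, so the filter keeps one in ten. The cost is
    pure local arithmetic: no network request is made here.
    """
    width = length - len(bin6)
    return sum(
        1 for k in range(account_start, account_start + n)
        if luhn_valid(bin6 + str(k).zfill(width))
    )


if __name__ == "__main__":
    print(classify("4111111111111111"))          # constructed Visa test number
    print(luhn_check_digit("7992739871"))          # 3
    print(luhn_valid_count("411111", 0, 1000))     # 100 of 1000
```

A form can cheaply reject Luhn-invalid input before it ever calls the gateway, which saves the authorization fee on honest typos, but as the episode explains it cannot separate a generated number from a real one; that distinction only comes from the behavioral, device and velocity signals applied before the gateway.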
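The cross-client velocity check and decline-ratio monitoring the episode describes, written here as an added detection example placed after the transcript; it is editor-written code, not Click and Pledge's pre gateway engine. The event format, the thresholds (five attempts, 80% declined, three distinct organizations inside a five-minute window) and the sample events are all constructed assumptions. It finds each device fingerprint's busiest five-minute window and flags the card-testing shape: a burst of attempts that are nearly all declines, or one fingerprint touching several organizations at once, while leaving a real donor's single gift or one typo-then-retry alone.

```python
"""Flag card-testing bursts per device fingerprint across many organizations."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of authorization attempts as a pre-gateway layer would see
# them (not real log data). Columns: timestamp  org_id  fingerprint  amount  outcome
SAMPLE_LOG = """\
2024-05-01T10:00:00Z org-a fp-bot1 1.00 invalid_card
2024-05-01T10:00:01Z org-b fp-bot1 1.00 invalid_card
2024-05-01T10:00:02Z org-c fp-bot1 1.00 insufficient_funds
2024-05-01T10:00:03Z org-d fp-bot1 1.00 invalid_card
2024-05-01T10:00:04Z org-a fp-bot1 1.00 invalid_card
2024-05-01T10:00:05Z org-b fp-bot1 1.00 do_not_honor
2024-05-01T10:00:06Z org-c fp-bot1 1.00 invalid_card
2024-05-01T10:00:07Z org-e fp-bot1 1.00 insufficient_funds
2024-05-01T10:03:10Z org-a fp-human1 50.00 approved
2024-05-01T10:04:00Z org-b fp-human2 25.00 invalid_card
2024-05-01T10:04:45Z org-b fp-human2 25.00 approved
"""


@dataclass
class Attempt:
    ts: datetime
    org: str
    fingerprint: str
    amount: float
    outcome: str


def parse_log(text: str) -> list[Attempt]:
    """Parse the whitespace-separated sample format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, org, fp, amount, outcome = line.split()
        # Python 3.7+ fromisoformat does not accept a trailing 'Z'; normalise it.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        attempts.append(Attempt(when, org, fp, float(amount), outcome))
    return attempts


def busiest_window(times: list[datetime], window: timedelta) -> tuple[int, int]:
    """Indices (start, end) of the densest span no longer than `window` in sorted `times`.

    Two-pointer sweep: advance `end`, pull `start` forward once the span exceeds the window.
    """
    best, start = (0, 0), 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start > best[1] - best[0]:
            best = (start, end)
    return best


def score_fingerprints(attempts: list[Attempt], window: timedelta = timedelta(minutes=5),
                       min_attempts: int = 5, min_decline_ratio: float = 0.8,
                       min_distinct_orgs: int = 3) -> dict[str, dict]:
    """Per fingerprint, inspect its busiest window and flag card-testing patterns.

    Two independent signals: a burst that is almost entirely declines (the bot only
    wants the decline code), or one device spread across several organizations in
    the same window (the distributed, fly-under-the-radar variant).
    """
    by_fp: dict[str, list[Attempt]] = defaultdict(list)
    for a in attempts:
        by_fp[a.fingerprint].append(a)
    report = {}
    for fp, rows in by_fp.items():
        rows.sort(key=lambda a: a.ts)
        s, e = busiest_window([a.ts for a in rows], window)
        burst = rows[s:e + 1]
        declines = sum(1 for a in burst if a.outcome != "approved")
        orgs = {a.org for a in burst}
        ratio = declines / len(burst)
        flagged = (len(burst) >= min_attempts and ratio >= min_decline_ratio) \
            or len(orgs) >= min_distinct_orgs
        report[fp] = {"attempts": len(burst), "decline_ratio": round(ratio, 2),
                      "distinct_orgs": len(orgs), "flagged": flagged}
    return report


if __name__ == "__main__":
    for fp, row in score_fingerprints(parse_log(SAMPLE_LOG)).items():
        print(fp, row)
```

Flagged fingerprints are the ones a pre-gateway layer would drop before any authorization request is sent, so the processor never sees the decline storm and no per-attempt fee is incurred; the thresholds are starting points to tune against an organization's real donor traffic, not fixed values from the episode.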