Posts filed under 'Fraud'

Paypal Shopping Cart Makes Spam

PayPal has a built-in shopping cart that lets PayPal sellers add products to their own websites. The seller pastes an HTML form onto a page; when a visitor clicks the form's button, the browser submits the form to PayPal, which adds that product to the visitor's cart as they are redirected. It is a very simple, easy-to-use shopping cart system.


Lack of proper security:
The PayPal shopping cart has a major flaw: the seller's PayPal email address is written in clear text into the product form on the seller's website, so every site that uses the cart exposes its PayPal address in its HTML source. That makes it easy for spammers to search for PayPal product forms and harvest the addresses from them. What makes the problem worse is that the harvested addresses are all but guaranteed to be live, and each one is the login email of an active PayPal account. Sellers are therefore exposed to heavy spam and, more seriously, to phishing aimed squarely at their PayPal accounts.

If you use the paypal cart:
If you use the PayPal shopping cart, set up a separate email address for your product forms. That way you can at least cut down on the spam reaching your general inbox. Otherwise, I would suggest finding a separate shopping cart for your website. It may take a little extra work, but you are the one who will pay for PayPal's lack of security.

Fixing the problem:
It would not take a lot of work for PayPal to fix this. PayPal already knows the seller's address; the form only needs to carry an opaque identifier that PayPal can map back to the seller's account, instead of the address itself. Are they going to implement something like this? Highly unlikely.
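Added example, not code from the original post: the audit a site owner can run against their own pages to find the addresses a harvester would scrape, plus an illustration of the opaque-identifier fix proposed above. The sample page, the form action and the hidden field name 'business' are assumptions made for this example, and the HMAC token is one way to realise the proposal, not PayPal's implementation.

```python
"""Find seller e-mail addresses exposed in payment-button forms on a page,
and show how an opaque, keyed token could take their place.
The page below is constructed for this example; the form action and the
hidden field name 'business' are assumptions about button markup, not
facts taken from the original post."""
import hashlib
import hmac
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class HiddenFieldAuditor(HTMLParser):
    """Collect hidden <input> fields whose value is an e-mail address,
    together with the action URL of the enclosing form."""

    def __init__(self):
        super().__init__()
        self.exposed = []      # (form action, field name, address)
        self._action = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._action = a.get("action", "")
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            if EMAIL_RE.match(a.get("value", "")):
                self.exposed.append((self._action, a.get("name", ""), a["value"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def exposed_addresses(page: str) -> list:
    """Return every (form action, field name, address) a harvester could scrape."""
    auditor = HiddenFieldAuditor()
    auditor.feed(page)
    return auditor.exposed


def seller_token(address: str, secret: bytes) -> str:
    """Opaque identifier for a seller account: an HMAC over the normalised
    address under a secret held only by the payment provider. The page then
    reveals nothing about the address, nobody else can mint a token for the
    seller, and the provider resolves token -> account on its own side."""
    mac = hmac.new(secret, address.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def rewrite_with_tokens(page: str, secret: bytes) -> str:
    """Replace each exposed hidden-field address with its token."""
    for _, _, address in exposed_addresses(page):
        page = page.replace(f'value="{address}"',
                            f'value="{seller_token(address, secret)}"')
    return page


# Constructed sample page: one "add to cart" button form plus an unrelated
# contact form. Only the hidden field is a harvesting target.
SAMPLE_PAGE = """
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="cmd" value="_cart">
  <input type="hidden" name="business" value="sales@example-shop.test">
  <input type="hidden" name="item_name" value="Widget">
  <input type="hidden" name="amount" value="19.95">
  <input type="submit" value="Add to Cart">
</form>
<form action="/contact" method="post">
  <input type="text" name="email" value="you@example.test">
</form>
"""

if __name__ == "__main__":
    for action, field, address in exposed_addresses(SAMPLE_PAGE):
        print(f"exposed: {address} in field {field!r} of form {action}")
    print(rewrite_with_tokens(SAMPLE_PAGE, b"provider-side-secret"))
```

Run it against a saved copy of your own product pages; anything it reports is what a harvester's crawler will pick up as well. The token function lives on the provider's side in the proposed fix; the seller's page would only ever carry the token.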

I wish I could say that PayPal is going to take a proactive approach to resolving this simple problem, but I just can't see them going out of their way for it. Whatever the case, PayPal's system is an example of completely irresponsible programming, and its customers are the ones affected by it.

I completely missed this blatant disregard for customer privacy until a commenter on the blog pointed it out. Here is his original press release: http://www.riverpages.com/paypal-spam-risk.html

1 comment July 19th, 2006

UK Banks Consider Making Customers Liable for Online Fraud

Original Article

Here is a very significant story about banks making consumers liable for fraud when the compromise originated on the consumer's own computer. While businesses would no doubt welcome any shift of liability away from themselves, I think it is presumptuous to assume that the average consumer has the time or resources to keep a computer secure.

“HSBC has already been considering it,” Murtagh said. “There is the potential that the banks will go back to the consumer and say, ‘We’ve offered you good practice guidelines online and 12 months free antivirus. If you don’t [make use of these] we refuse to pay out.’”

If something like this takes hold in the UK, I think it could become the standard elsewhere. Considering that the banks plan to offer free anti-virus and anti-spyware subscriptions, it does seem that these consumers would have no excuse.

2 comments July 17th, 2006

Credit card skimming - too easy to get skimming equipment!

I have stumbled upon several sites that sell equipment and supplies designed, in effect, to steal people's credit card information. These products are normally small, stand-alone, battery-powered magnetic stripe readers that store whatever they read, and some can hold the data from thousands of cards.

A brief overview of skimming:
Credit card skimming is recording the data on a credit or debit card without the owner's knowledge, with the intention of using that data illegally. It most commonly occurs in restaurants, where the cardholder loses sight of the card while a purchase is being made. Swiping a card through a portable reader takes about two seconds, and the reader records everything encoded on the stripe. Portable readers are small enough to conceal in a pocket, a sleeve, or even a hand. Thieves occasionally set up more elaborate skimming devices at ATMs or gas pumps, but restaurants are the most common setting.

What bothers me about these devices is that they have almost no legitimate purpose, yet they are sold as if they do. There is virtually no practical use for a portable card reader that stores the card data it reads. Depending on the model, such readers can read not only payment cards but driver's licenses and any other card with a standard magnetic stripe. Visa and MasterCard rules (CISP / SDP, i.e. the PCI data security requirements) prohibit storing full track data after a transaction is authorized, so a device whose sole function is to capture and store track data has essentially no lawful use in payment acceptance.

What is on your magnetic stripe:
The magnetic stripe on a payment card carries up to three parallel data tracks, which hold everything a business needs to process the card through its merchant account. Payment cards normally use tracks 1 and 2. Track 1 holds the primary account number (PAN), the cardholder's name, the expiration date, a service code and issuer discretionary data; track 2 repeats the PAN, expiration date and service code (without the name) followed by discretionary data. The discretionary data is where the issuer places its card verification value and, for PIN-based cards, a PIN verification value; it is not an encrypted copy of the PIN itself.
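As an added example that is not part of the original post, the following Python parses track 1 and track 2 in the layout just described, runs the Luhn check on the account number, and reduces the record to the fields a merchant may retain after authorization. The sample track strings are constructed around the public test number 4111111111111111; the expiry, service code and discretionary digits in them are made up.

```python
"""Parse ISO/IEC 7813 track 1 (format B) and track 2 data, Luhn-check the PAN,
and reduce the record to the fields a merchant may keep after authorization.
The sample track strings below are constructed around the public test PAN
4111111111111111 and are not real card data."""
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})"
    r"(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check: the last digit of the PAN is a check digit.
    A pass only means the number is well formed, not that it was issued."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style truncation: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(raw: str) -> dict:
    """Return the decoded fields of one track, or raise ValueError."""
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        m = rx.match(raw)
        if m:
            g = m.groupdict()
            return {
                "track": track,
                "pan": g["pan"],
                "name": g.get("name"),                  # track 2 carries no name
                "expiry": g["exp"][2:] + "/" + g["exp"][:2],   # YYMM -> MM/YY
                "service_code": g["svc"],
                "discretionary": g["disc"],             # CVV / PVV live here
                "luhn_ok": luhn_valid(g["pan"]),
            }
    raise ValueError("not a recognised track 1 or track 2 record")


def storable_record(parsed: dict) -> dict:
    """Keep only what PCI DSS permits after authorization: a truncated PAN,
    the name and the expiry. The full track, the service code and the
    discretionary data (card verification value, PIN verification value)
    are dropped rather than written anywhere."""
    return {
        "pan_masked": mask_pan(parsed["pan"]),
        "name": parsed["name"],
        "expiry": parsed["expiry"],
    }


# Constructed samples built on the public Visa test number 4111111111111111.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011234500000?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234500000?"

if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        rec = parse_track(raw)
        print(rec["track"], rec["luhn_ok"], storable_record(rec))
```

The point of `storable_record` is that the discretionary field, which is what a skimmer needs to clone a card, never reaches storage or a log line; anything that persists the raw swipe string is, by definition, storing full track data.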

Skimming control:
The government and the media have been looking closely at credit card fraud, including skimming with portable readers like these, but there has been no significant legislation aimed at devices built only to record magnetic stripes. It is illegal in some states to possess a portable card reader, yet nothing stops the websites from selling to buyers in those states. The sites that sell these devices let anyone order a personal skimmer without any check on intended use. Portable skimmers cost as little as a few hundred dollars, up to about a thousand dollars for a high-end reader. There is also a guide at http://camelspit.org/handyswipe/ that explains how to build a low-cost portable card reader.

Once card data has been obtained, a thief has a few options: make counterfeit cards, sell the numbers, or attempt purchases online. Often the numbers are sold to people with the equipment to make counterfeit cards. That equipment, which is also easily purchased, can produce a believable replica of a real card with the stolen stripe data encoded on it, and the clone can be swiped just like a normal card. Since only a small percentage of businesses check the customer's ID, it is very easy to make purchases with a counterfeit card. Thieves also try online purchases, but the card verification code (CVV2 / CVC2) is printed on the card and not encoded on the stripe, so requiring it greatly reduces the success of purchases made with skimmed data.

Why should business care about this:
Besides the general harm of fraud, it is businesses that lose the most from credit card skimming. A cardholder has no liability for fraudulent purchases made on their card, so the liability falls on the business that accepted the skimmed card. A business almost never wins a chargeback on a fraudulent transaction, even if the card was swiped and the receipt was signed. For this reason, face-to-face businesses need to check the cardholder's ID and compare the signature on the back of the card against it. Online businesses need to require the card verification code and should always use AVS (address verification).

Websites that sell equipment that could be used to steal credit card data:
http://www.tyner.com/magnetic/compare.htm
http://www.incodenet.com/magnetic/miniport-comparison.htm
http://www.hackershomepage.com/
http://bcdata.com/portablemsr.html
http://www.mag-stripe.com/portable.htm

Coincidentally (or conveniently), many of the sites that sell portable card readers also sell the equipment used to make counterfeit credit cards.

Where to report fraud:
If you think your credit card has been stolen, immediately contact your card issuer. They will cancel your current card, send you a new one, and block any further transactions that may be fraudulent. Also check your credit card and bank account statements for signs of unauthorized use.

If you feel your identity may have been stolen, contact the three major credit bureaus and request that a fraud alert be placed on your credit file, which asks creditors to confirm with you by phone before any new account is opened.
Equifax - (800) 525 6285 - http://www.equifax.com
Transunion - (800) 680 7289 - http://www.transunion.com
Experian - (888) 397 3742 - http://www.experian.com/

You can also report credit card fraud to the FTC, but a formal investigation is rare unless your case is part of a larger pattern of similar frauds.
FTC - (877) 438 4338 - http://www.ftc.gov/

If your credit card, wallet, or purse was stolen, file a report with your local police department and cancel your current credit cards.

Additional information related to credit card skimming:
Bankrate - On the dark side of credit card fraud
ICMA - Hypercom Launches Attack on Credit Card Skimming
Microsoft - What to do if you’re a victim of credit card fraud
Transaction World - Credit Card Skimming Growing Trend or Media Hype?

**Disclaimer, there is no implication to any website listed as to whether they do sell equipment to thieves, only that the equipment that they sell could potentially be used for credit card skimming.**

Other blog posts related to skimming:
Fraud Alert: Credit card skimming

6 comments July 13th, 2006

Factoring - Credit Card Laundering

Credit card factoring is a type of merchant fraud that I refer to often on this blog.

What is factoring:
Credit card factoring is processing transactions through a merchant account on behalf of a business or entity other than the one that was screened and approved for that account. Factoring, also called credit card laundering (and in its worst forms simply money laundering), takes many forms. The most basic is one business processing transactions for another. Another common case is a branch, DBA or sub-business of a company running transactions through the parent company's merchant account; this is often seen when a business starts a website and processes its web orders without opening a separate merchant account for the site.

Telemarketing companies and call centers used to solicit factoring arrangements often, but their business practices have come under close scrutiny in recent years due to massive fraud and losses at major financial institutions.

Why exactly is factoring bad?
First, factoring is used to launder money through credit cards: a business processes payments for illegal products or services and ends up with a clean deposit in its bank account a few days later. It is rumored that a great deal of terrorist activity is funded this way.

A less severe consequence of factoring is the loss of accountability for transactions when a business processes for someone else. In the event of fraud or chargebacks, the processing bank has a hard time determining who is responsible, because the transactions could have been run by several businesses. In the end the customer gets their money back, and the processing bank is left to recoup the loss from the merchant of record.

Telemarketing companies have been notorious for paying individuals to open merchant accounts and process transactions for them in exchange for a quick buck. The telemarketer keeps the settlement bank account empty, and when the chargebacks start rolling in the processing bank is stuck with the bill. Millions of dollars have been lost to this type of fraud, which has also led telemarketing companies, legitimate or not, to be labeled high-risk merchants.

What is considered factoring?

  • Processing a transaction for another business or person
  • Processing a payment for an illegal or restricted product or service
  • Processing the merchant account owner's own credit card
  • Processing transactions in a method not allowed by the merchant account type (Ex: ecommerce transactions through a retail merchant account)
  • Processing transactions for a separate division / branch / DBA of a company not approved on the merchant account
  • Unauthorized scanning / reading / decoding of the information on a credit card with or without the intent to process the card
  • Attempt to employ, or solicit another company or person to process a transaction through their merchant account
  • Unauthorized re-charging of a credit card (often seen when a business loses a chargeback)

Repercussions for being caught factoring:
Simply put, Visa and MasterCard will have your merchant account shut down, you can be substantially fined, and you can be placed on the TMF (Terminated Merchant File), which makes it very hard to obtain another merchant account. Depending on the severity and intent of the factoring, there may be legal repercussions as well: deliberate factoring often qualifies as money laundering, which breaks a variety of laws, and where the transactions cross state lines federal penalties apply in addition to state ones. In many states factoring and money laundering are felonies.

Why am I writing about this?
Factoring is something many businesses do without knowing it is wrong. It is a crime and is easily avoidable, but it is most often committed through ignorance or through disregard of established fraud prevention rules.

2 comments June 13th, 2006

Scan Alert PCI / CISP

About a day after I published the article about PCI and CISP compliance, Nigel Ravenhill, the Marketing Director for Scan Alert contacted me about the article.

A Little about Scan Alert:
Scan Alert is by far the leader in PCI / CISP scanning. They offer PCI / CISP scanning for just about every type of online business imaginable, serve 72 countries, and offer packages for everything from non-profits to mega websites. Scan Alert customers also get to display a HACKER SAFE logo on their websites, letting visitors know that the site is scanned daily for known vulnerabilities.

Nigel also sent me last year's Digital Window Shopping Report, a study of shopping cart abandonment on ecommerce websites.

I have personally heard both positives and negatives about using a Scan Alert type of service, but their Digital Window Shopping Report has some great statistics about visitor behavior and website usability.

Download the Digital Window Shopping Report

This is last year's report. This year's is scheduled to be released any day, I have been told.

Add comment May 1st, 2006

Payment processor fears credit card crooks

Several Web hosting companies that use the Authorize.Net service to accept credit cards online saw a sudden spike in transactions over the weekend. The transactions, most for $500 and $700, were billed to Visa, MasterCard and American Express cards that belong to people across the U.S., representatives for three Web hosts told CNET News.com.

The Web hosting companies discovered the unusual charges through e-mail alerts that Authorize.Net sends after each transaction. Close to 3,000 suspicious transactions were pushed through the merchant accounts of three companies with which CNET News.com spoke, and more likely happened at other Web hosts, these three companies said.

On Sunday morning, in about an hour-and-a-half time period, fraudsters ran close to 1,500 transactions through the Authorize.Net account of Defender Technologies Group, a Web host in Ashburn, Va., said Tom Kiblin, the company’s CEO. “It was just under $1 million that got put through on our account,” he said. Kiblin says he has reported the matter to the U.S. Secret Service.

This sounds like a really bad card fraud case, but looking at it positively, the businesses caught the flood of fraudulent charges before it became an even bigger problem. If these card numbers were obtained from a single source, there should be very little trouble finding where the data was lost. Visa and MasterCard run common-point-of-purchase analysis for exactly this: by matching the transaction histories of the compromised cards, they can identify the merchant or processor where all of the cards were used.

Full Article - http://news.zdnet.com/2100-1009_22-6057305.html

Add comment April 5th, 2006

A Guide to Small Business Security, Free PDF Download…

The BBB has co-authored a guide to help small businesses be secure and to help protect user privacy. This is an excellent guide for any small business. It was sponsored by Visa, IBM, Equifax, Verizon, The Wall Street Journal, Ebay, and Paypal. We support and recommend these practices in every way.

Small Business Security

Please click on the link to view the PDF, or download the ZIP version to your computer.
Guide to Small Business Security PDF
Guide to Small Business Security ZIP Download

Add comment April 4th, 2006

CISP, SDP, PCI Compliance required for every business…

SDP, CISP and PCI are the names of the card brands' data security requirements that many businesses must adhere to in order to protect cardholder data. CISP (Cardholder Information Security Program) is Visa's program, designed to protect businesses of all sizes from fraud and loss of data; MasterCard's equivalent is SDP (Site Data Protection). Both point at the same Payment Card Industry (PCI) data security requirements, which are designed to secure sensitive data specifically relating to payment cards. Compliance extends beyond online businesses and applies to retail (brick-and-mortar) and MOTO (mail order / telephone order, keyed entry) merchants in addition to ecommerce. CISP is outlined here rather than SDP because it is more restrictive and better organized.

PCI / CISP is designed to be implemented by any business that accepts or facilitates credit card transactions or handles sensitive card and cardholder information. Businesses that never store, process or handle card data are not subject to it.

Visa: Note that these Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data. Additionally, these security requirements apply to all “system components”, which is defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including internal and external (web) applications.

PCI / CISP Basic Requirements:

  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt transmission of card-holder data and sensitive information across public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to card-holder data.
  10. Track and monitor all access to network resources and card-holder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

If you read the full CISP manual, you will find that each requirement is broken into several sub-requirements. CISP attempts to leave no stone unturned and no margin for error.

How To Implement PCI / CISP:
Most of the CISP requirements are simple common sense. CISP is heavily geared toward websites and other internet-facing systems where there is a huge potential for loss of sensitive data. Many of the technical issues are complex and the requirements are strict. I have helped secure several web servers for CISP compliance, and to say that the requirements are strict is a gross understatement. Beyond the basic firewall and network infrastructure requirements, there are hundreds of software version and patch requirements a web server must meet. A single missing update or patch, or a single exposed vulnerable service, will cause a server to fail its compliance scan.

To start on the road to compliance, read the Visa PCI / CISP PDF linked at the bottom of this post; it lists every requirement. Once you meet them, you need to engage a company approved to certify businesses for CISP compliance. They run a series of checks against your server and report the results. The checks are essentially a controlled attack on your web server: they probe for every known vulnerability and check the software and application versions on the server to make sure they are current. You can also start by running a scan yourself and fixing whatever is not up to standard.

A warning: make sure your web host knows you will be running these scans, or they may mistake them for a real attack.

CISP non-compliance and loss of data penalties:
The fines for not complying with CISP are low until there is an actual loss of data. Visa and MasterCard can shut down or fine non-compliant merchants, but given the current lack of organization and the impossibility of monitoring every business, only the larger companies are actively monitored today. It is each business's responsibility to take the steps to become CISP compliant. If a non-compliant business suffers a loss of data, Visa alone can impose a $500,000 fine for the loss plus an additional $100,000 for not being compliant: $600,000 for failing to become CISP compliant and losing data as a result, and this applies to any business that accepts credit or debit cards. A single card number that is lost and traced back to a business counts as a loss of data.

Apart from the monetary penalties, it never looks good when a business loses data. News agencies jump on these stories and instantly make a business look like a criminal organization. I'm sick of reading about them, and I'm sure you are as well, so protect your data.

Overview:
I personally don't recommend storing card numbers in an online database at all. Not only is CISP compliance very hard to achieve, it just isn't a safe practice. If card data is stored online, it must be encrypted so that if data is lost it is useless to whoever has it. Even with CISP compliance it is still possible for someone to gain access to a server; no matter how secure a system is, there is almost always a way for it to be compromised. For retail businesses, employees are among the largest causes of data loss, so card data should be accessible only to the few people who need it.

PCI / CISP Resources:
Visa CISP / PCI Compliance PDF
ScanAlert - PCI CISP Certification

Related Articles:
Credit Card Truncation

Add comment April 3rd, 2006

Gone Phishing - Protecting yourself and identifying phishing attempts.

PayPal and other financial institution phishing is a major concern for many individuals and businesses. I personally get several hundred phishing emails per day, and a huge percentage of them are eBay and PayPal phishing attempts.

Phishing is a type of fraud in which an email is sent impersonating a major institution, trying to get the recipient to log in to a website. When the recipient clicks the link, what they see is a duplicate of the real website, built by the sender of the email. The duplicate has a form, normally a login box, and when the user enters their information and presses submit, it goes to the phisher, who now has that user's login information and full access to whatever site the username and password belong to. They can empty your bank account, make fake eBay purchases, or do anything else the site allows, and they are doing it as you.

Phishing is normally easy to spot, but recently I have been receiving better planned and better implemented phishing websites and emails.

The sure-fire guide to not getting phished.
First off, you need to know two things. First, reporting phishing attempts does absolutely nothing, so don't waste your time. Phishing sites are almost always hosted on hijacked servers, so reporting them will not lead authorities or anyone else to the responsible party. Second, there is nothing you can do to stop receiving phishing emails, so don't concern yourself with that either.

1. Don’t Click
The most important thing you can do to avoid being phished is never to click a link in an email that asks, requests, begs, prays or otherwise tries to get you to log in to or even visit a website. If you need to access the website, open a new browser window, type the address yourself, and log in from there. Whether or not you think the email is a phishing attempt, this is plain common sense. If you never click a link to a phishing site, you will never be a victim of phishing fraud.

2. Delete any identified phishing emails
Identifying phishing emails can be difficult, but a few simple flags will tell a phishing email from a real one almost every time. One thing you should have is a desktop email program. Webmail like Yahoo or Hotmail is terrible at helping a user identify a phishing email. If you need webmail, I recommend Gmail, which also allows POP3 access from your home computer; use Microsoft Outlook or Outlook Express to read your Gmail, since a desktop client lets you view the full headers sent with each message. Whether you use webmail or Outlook, several flags make phishing emails stand out.

  1. The sender is not who the message claims to be from.
    • The address in the From: or Reply-To: field, or the originating server in the full headers, does not belong to the organization the message appears to come from. This would be like getting an email from Chase Bank in which the From: field, the Reply-To: field or the headers themselves show someone9876@earthlink.com.
  2. The link the email wants you to click is long, fake or obscure.
    • A phishing email will always try to get you to visit the fake website to enter your information. Hover your mouse over the link and look at the URL that appears. In webmail you can also right-click the link, select 'Copy link location' (or similar), and paste it into your browser's address bar to inspect it without loading it. If the email is real, the link goes directly to the organization's own domain. If it is fake, it is normally a long, obscure address, often with the real brand's name buried in the path of a URL on some other host, as in the bad link below.
    • Good Link: http://www.paypal.com/us/
    • Bad Link: http://mabarrackfurniture.com.au/images/www.paypal.com/cgi-bin/webscr.php?cmd=_login-run
  3. The email ends up in your spam folder.
    • As simple as it seems, emails caught by spam filters are caught for a reason. Recently I have seen phishing emails routinely get through even strict filters, but the majority are still caught by webmail and Outlook spam filters. If a message went into your spam folder, it did so for a reason, so be extra careful with it.

3. Use a different email address if you run websites
This is aimed at webmasters and others who manage websites. If your sites display customer service email addresses, never use those addresses for PayPal, eBay, your bank or any other personal, financial or access-related purpose. Keep the addresses on your websites completely separate from the ones you use for PayPal, eBay, etc. Spammers build huge lists by scraping websites for email addresses and send their phishing emails to them. If a "PayPal" email arrives at an address that appears only on your website, you instantly know it is fake.

4. If you click on a link, make sure you are where you should be
If you do click a link in an email, make sure it took you to the organization's real website and not a copy. Look at the address bar. Does it look right?
[Screenshot: a fake PayPal login page with a non-PayPal address in the browser's address bar]
Notice how the address in the address bar is not paypal.com, even though the page looks just like the PayPal login page. This is a phishing page. Never enter your information if the address in the bar does not belong to the organization you are trying to visit.
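Added example, not from the original post: a small Python checker that applies flags 1 and 2 above to a message. It compares the From: and Reply-To: domains against the brand the mail claims to be from, and flags links whose visible text names that brand while the href points at another host or hides the brand name in the URL path, which is exactly the shape of the "bad link" shown earlier. The message and the .example hostnames are constructed for this example; the two-label domain rule is a simplification noted in the code.

```python
"""Check an e-mail for header and link mismatches typical of phishing:
a Reply-To (or From) domain that does not belong to the claimed sender,
and links whose visible text names the brand's domain while the href
points elsewhere or buries the brand in the URL path.
The message below is constructed for this example and is not the mail
from the original post; the .example hostnames are placeholders."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EML = """\
From: "PayPal" <service@paypal.com>
Reply-To: someone9876@earthlink.example
Subject: Receipt for your payment
Content-Type: text/html; charset=utf-8

<html><body>
<p>You sent a payment of $149.00 to an eBay seller. If you did not
authorize this payment, log in here:
<a href="http://hijacked-host.example/images/www.paypal.com/cgi-bin/webscr.php?cmd=_login-run">
https://www.paypal.com/us/</a></p>
<p><a href="https://www.paypal.com/us/">Help Center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host: str) -> str:
    """Registrable domain, approximated as the last two labels. Assumption:
    a production check would consult the public suffix list (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value: str) -> str:
    """Domain part of the address in a From:/Reply-To: header, or ''."""
    _, addr = parseaddr(header_value)
    return base_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def phishing_flags(raw_message: str, claimed_domain: str) -> list:
    """Return human-readable flags. An empty list means no header or link
    mismatch was found, which is not proof that the mail is genuine."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    from_dom = address_domain(str(msg.get("From", "")))
    reply_dom = address_domain(str(msg.get("Reply-To", "")))
    if from_dom != claimed_domain:
        flags.append(f"From: domain {from_dom!r} is not {claimed_domain!r}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To: domain {reply_dom!r} differs from From: {from_dom!r}")

    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        parts = urlsplit(href)
        href_dom = base_domain(parts.hostname or "")
        if href_dom == claimed_domain:
            continue                      # link really goes to the brand
        if claimed_domain in text.lower():
            flags.append(f"link text {text!r} actually points at {href_dom!r}")
        if claimed_domain in parts.path.lower():
            flags.append(f"{claimed_domain!r} appears in the path of a {href_dom!r} URL, not its host")
    return flags


if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE_EML, "paypal.com"):
        print("FLAG:", flag)
```

Feed it the raw source of a suspect message (the "view source" or "show original" option in most mail clients) together with the domain the mail claims to come from. The From: header alone is trivially forged, which is why the Reply-To: comparison and the link checks carry the weight here.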

A good phishing example:
This example is one of the best phishing emails I have ever seen. It instantly made me want to click the link. It passed every spam filter I have, and if I did not know exactly what to look for in a phishing email, I could have been a victim of it.

The email is a simple PayPal payment receipt stating that I paid for some merchandise and that the payment was received. The payment is for something I do not recognize, and it is being shipped to someone else.

[Screenshot of the phishing email described above]

The sender address showed as PayPal. The email referred to a real eBay auction that had ended shortly before the email was sent. The only way I could tell it was fake was that the link sent me to a website that was not actually PayPal.

The bottom line is that it is usually easy to tell a phishing email from a legitimate one, yet phishing continues to be a huge area of internet fraud. If you follow #1 you will never be the victim of phishing.

3 comments March 28th, 2006

What does a fraudulent transaction look like?


Nearly every online business will run into a visitor that is trying to make fraudulent purchases on their website at some point. Hopefully the transaction or situation can be identified and corrected before it ever becomes a real problem.

Unfortunately, fraud has become synonymous with online business. There are many ways fraud can be committed through a website, with several different goals for the fraudster. Not all fraudulent transactions are made to obtain merchandise; card testing is another problem merchants face, where the transaction is not meant to obtain goods at all.

It is important for merchants to be able to identify fraudulent situations and purchases before anything ships. Voiding a transaction is far easier than recovering merchandise lost to a fraudulent order.

Businesses will always suffer more from fraud than consumers!
Let's face it: merchants lose every time they fight a chargeback on a fraudulent order that was successfully processed through their business. Credit card fraud regulations are designed to protect the consumer and only the consumer, and businesses have very little recourse once they have processed a fraudulent order and shipped the product. The best way to fight fraud is to prevent it, which means merchants must take a proactive approach to combating credit card fraud.

The 2 main types of fraud that merchants face while doing business online are card testing and fraudulent orders.

Card Testing (or Carding):
Card testing is a type of fraud that many merchants are not aware of. It can have devastating effects on a business even though the business may never ship out any merchandise due to a fraudulent transaction. Card testing is the systematic testing of credit card numbers, in pursuit of finding a valid credit card number / expiration date combination. Card testing can be spotted by observing a large number of declined transactions through a payment gateway, usually in a sequential and consistent pattern. Many declined transactions followed by an approved transaction for a single user can also be card testing. Card testing is usually done with small amounts. The tester only wants to find valid numbers, and is not after tangible goods, yet.

Card testing can be very costly to a business. Most businesses are charged for every transaction they attempt, declined or approved. Card testers can attempt thousands or even tens of thousands of tests in a day, and at about $.25 / transaction that gets extremely expensive. Visa and MasterCard also monitor gateway addresses that produce huge numbers of declines, for the same reason. Allowing a card tester to continue can ultimately lead to a merchant being shut down, even if the merchant had no idea it was happening.

Card testing has 2 different phases. Phase 1 is trying to find a real card number. Phase 2 is finding an expiration date to match the card number previously found.

By using the Luhn algorithm (the checksum every card number must satisfy), a tester can produce a list of numbers that look like credit card numbers; most of them were never issued to anyone. The next step is to submit these numbers to a payment gateway to find out which ones belong to real cards. Once the tester finds a real card, they submit expiration dates until the card is approved. The tester builds a computer script to place automated queries into a merchant's payment gateway. These scripts can be very complex, and some can foil fraud detection software.

Card testing relies on 2 properties of an online payment gateway, and removing either one defeats it. First, the merchant's website must give different responses for declined cards depending on the decline reason. This is key: the tester needs to know why the card was declined, whether it was a bad number or a bad expiration date. Second, the tester must be able to get an approval without a valid address, that is, without an address verification match being required.

Once the script submits a number and gets a wrong-expiration-date response instead of an invalid-number response, the tester knows the card number is real. The script then cycles through expiration dates until one is accepted, and the tester now has a valid credit card number and expiration date.

Preventing Card Testing:
Preventing card testing is fairly simple. Monitor the declined and approved transactions processed through your gateway daily. Make sure that the decline message shown to the visitor is the same no matter what the reason for the decline is; keep the detailed gateway reason in your own logs only. Finally, make sure that a verified address (an AVS match) is required before a transaction is approved. These three steps will prevent card testing almost entirely.
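The three prevention steps above in working form, as an added example that is not code from the original post: a Luhn pre-check so that checksum-invalid numbers never reach a billable gateway call, the "leaky" per-reason decline message beside a uniform one, and a monitor that runs over a constructed record of checkout attempts and flags the patterns described above (many declines, small amounts, numbers sharing a long prefix, a run of declines ending in an approval). The record format, the reason strings, the source addresses and the thresholds are assumptions; the sample attempts are constructed, not real traffic.

```python
"""Card-testing defences: Luhn pre-check, uniform decline text, attempt monitor.

Added example, not code from the original post. The record format, the reason
strings, the source addresses and the thresholds are assumptions chosen for
illustration; the sample attempts below are constructed, not real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn checksum. Every issued card number passes it, but so does any number a
    tester generates to pass it, so Luhn-valid never means 'real card'. The merchant's
    gain is the converse: a Luhn-invalid number is rejected without a paid gateway call."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CUSTOMER_DECLINE_TEXT = "Your payment could not be processed. Check your details or try another card."


def leaky_message(status: str, reason: str) -> str:
    """The pattern the post warns against: the visitor learns why the card declined,
    which is exactly what a tester needs to tell a bad number from a bad expiry."""
    if status == "APPROVED":
        return "Approved"
    return {"invalid_number": "Invalid card number",
            "bad_expiry": "Incorrect expiration date"}.get(reason, "Declined")


def uniform_message(status: str, reason: str) -> str:
    """Hardened form: one decline text whatever the reason; the reason is logged internally only."""
    return "Approved" if status == "APPROVED" else CUSTOMER_DECLINE_TEXT


@dataclass
class Attempt:
    ts: int            # unix time of the gateway call
    source_ip: str
    pan: str           # full digits kept only so luhn_valid() can run on the sample;
    expiry: str        # a stored log must hold a truncated or hashed number instead
    amount: float
    approved: bool
    reason: str        # assumed internal reason strings, never shown to the visitor


def parse_attempts(text: str) -> list:
    """One record per line: <unix_ts> <source_ip> <pan> <mm/yy> <amount> <APPROVED|DECLINED> <reason>"""
    rows = []
    for line in text.strip().splitlines():
        ts, ip, pan, exp, amount, status, reason = line.split()
        rows.append(Attempt(int(ts), ip, pan, exp, float(amount), status == "APPROVED", reason))
    return rows


def detect_card_testing(attempts, min_attempts=8, max_amount=5.00, max_prefixes=2) -> dict:
    """Map source_ip -> flags for sources that look like card testing: many declines, tiny
    amounts, numbers sharing a long prefix (walking Luhn-valid numbers), declines then approval."""
    by_source = defaultdict(list)
    for a in attempts:
        by_source[a.source_ip].append(a)
    findings = {}
    for source, rows in by_source.items():
        rows.sort(key=lambda a: a.ts)
        declines = [a for a in rows if not a.approved]
        flags = []
        if len(declines) >= min_attempts:
            flags.append("many_declines")
        if len(rows) >= min_attempts and max(a.amount for a in rows) <= max_amount:
            flags.append("small_amounts")
        if len(rows) >= min_attempts and len({a.pan[:12] for a in rows}) <= max_prefixes:
            flags.append("sequential_numbers")
        if len(declines) >= min_attempts and rows[-1].approved and not any(a.approved for a in rows[:-1]):
            flags.append("declines_then_approval")
        if flags:
            findings[source] = flags
    return findings


# Constructed sample: 203.0.113.7 walks Luhn-valid numbers at $1.00 until the gateway reports a
# wrong expiry (phase 1 done), then cycles expiry dates until approved (phase 2). 198.51.100.4
# is an ordinary shopper whose first attempt bounced.
SAMPLE_ATTEMPTS = """
1125561600 203.0.113.7 4111111111111111 01/07 1.00 DECLINED invalid_number
1125561630 203.0.113.7 4111111111111129 01/07 1.00 DECLINED invalid_number
1125561660 203.0.113.7 4111111111111137 01/07 1.00 DECLINED invalid_number
1125561690 203.0.113.7 4111111111111145 01/07 1.00 DECLINED invalid_number
1125561720 203.0.113.7 4111111111111152 01/07 1.00 DECLINED invalid_number
1125561750 203.0.113.7 4111111111111160 01/07 1.00 DECLINED invalid_number
1125561780 203.0.113.7 4111111111111194 01/07 1.00 DECLINED bad_expiry
1125561810 203.0.113.7 4111111111111194 02/07 1.00 DECLINED bad_expiry
1125561840 203.0.113.7 4111111111111194 03/07 1.00 APPROVED ok
1125561615 198.51.100.4 5105105105105100 09/06 84.50 DECLINED insufficient_funds
1125561700 198.51.100.4 5105105105105100 09/06 84.50 APPROVED ok
"""

if __name__ == "__main__":
    for source, flags in detect_card_testing(parse_attempts(SAMPLE_ATTEMPTS)).items():
        print(source, flags)
```

Run as a script it prints the flagged source and its flags. In production, feed the monitor the attempts your checkout code records per source address and alert on any source that collects a flag; keep full card numbers out of stored logs and call `luhn_valid()` before every gateway submission so that malformed numbers cost nothing.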

Fraudulent Orders:
A fraudulent order is when a person illegally orders something on a stolen card in order to actually receive a product. The thief may have drop off addresses where they can pick up a delivery anonymously.

Fraudulent orders can be very costly because a merchant is set up to lose twice: first the shipped goods, and later the chargeback when the real cardholder disputes the purchase. Most fraudulent orders are never recovered once they are shipped.

Preventing Fraudulent Orders:
Fraudulent orders are more difficult to stop than card testing, but through analyzing orders that are processed through a website most can be eliminated. Fraudulent orders have the tendency to look abnormal compared to a normal order. Whether a large amount, requesting expedited shipping, strange shipping addresses, or other factors, most fraudulent orders are different than normal, and thus stand out when compared to regular orders.

Common Fraudulent Order Flags:

  • Abnormally High Ticket Price.
  • Different Shipping and Billing Addresses.
  • Orders from Nigeria, Anywhere in Africa, Indonesia, the Philippines, or foreign orders in general.
  • Requesting Expedited Shipping.
  • Offering More Than the Listed Price for the Product.
  • Unusual Quantity or Type of Product Ordered.
  • Free Email Address (hotmail, gmail, yahoo, etc.)
  • Fake Sounding Name (Ex: Rickey Rickerson).
  • Persons Requesting a List of Products From You First.
  • Incorrect or Fake Phone Number

Always use AVS and CVV/CV2/CVC (Card Verification) on every transaction you process. A CVV match shows that whoever placed the order had the code printed on the card, and an AVS match shows that the billing address given matches what the issuer has on file. Neither is a guarantee on its own (AVS compares only the numeric parts of the street address and ZIP code, and a thief holding the physical card has the CVV too), but together they stop most orders placed on nothing more than a stolen card number.

If possible, check each order that is processed through your website. If you come across a suspicious order, call the customer to verify who they are. If the order is extremely large or the conversation is unconvincing, ask them to fax you a copy of their driver's license and a signed invoice. This may be a small inconvenience to some of your customers, but the cost of fraud to your business is far greater than the cost of the extra steps. Most customers are happy to verify information with you, as preventing fraud is a concern of theirs as well.

Also, if you can, require a signature for every package that you ship. A signature is the only real proof of delivery.
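A screening routine that applies the warning signs and checks above, as an added example rather than the post's own code: each flag from the list becomes a test on an order record, a CVV mismatch or an AVS "no match" is a hard stop, and the number of remaining flags decides whether to ship, look the order over, or phone the customer first. The Order fields, the AVS result letters, the free-mail domain list, the thresholds and the two sample orders are assumptions made for illustration.

```python
"""Fraudulent-order screening built from the warning signs listed in the post.

Added example, not the post's own code. The Order fields, the AVS result letters,
the free-mail domain list, the thresholds and the sample orders are assumptions
made for illustration; tune the thresholds against your own order history.
"""
from dataclasses import dataclass

FREE_MAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com"}   # the post's examples; extend as needed


@dataclass
class Order:
    total: float
    quantity: int
    bill_address: str
    ship_address: str
    ship_country: str
    expedited: bool
    offered_above_list: bool   # buyer volunteered to pay more than the listed price
    email: str
    phone: str
    avs_code: str              # assumed gateway convention: Y=street+ZIP match, A=street only,
    cvv_match: bool            #   Z=ZIP only, N=no match, U=unavailable; cvv_match from CVV/CV2/CVC


def fake_phone(phone: str) -> bool:
    """Assumption: 10-digit North American numbers; a single repeated digit is treated as fake."""
    digits = "".join(c for c in phone if c.isdigit())
    return len(digits) != 10 or len(set(digits)) == 1


def order_flags(order: Order, avg_ticket: float, merchant_country: str = "US") -> list:
    """One flag per warning sign from the post that applies to this order."""
    flags = []
    if order.total >= 3 * avg_ticket:
        flags.append("high_ticket")
    if order.ship_address.strip().lower() != order.bill_address.strip().lower():
        flags.append("ship_bill_mismatch")
    if order.ship_country != merchant_country:
        flags.append("foreign_order")
    if order.expedited:
        flags.append("expedited_shipping")
    if order.offered_above_list:
        flags.append("offered_above_list")
    if order.quantity >= 5:
        flags.append("unusual_quantity")
    if order.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        flags.append("free_email")
    if fake_phone(order.phone):
        flags.append("bad_phone")
    if order.avs_code in ("A", "Z", "U"):       # partial or unavailable address match
        flags.append("avs_partial")
    return flags


def screen_order(order: Order, avg_ticket: float, merchant_country: str = "US"):
    """Return (decision, flags). A CVV mismatch or an AVS 'no match' is a hard stop; otherwise
    the number of flags decides between shipping, a manual look, and a phone call first."""
    if not order.cvv_match or order.avs_code == "N":
        return "decline", ["cvv_or_avs_failed"]
    flags = order_flags(order, avg_ticket, merchant_country)
    if len(flags) >= 3 or ("high_ticket" in flags and len(flags) >= 2):
        return "call_customer", flags
    if flags:
        return "review", flags
    return "ship", flags          # ship with signature required, as the post advises


# Constructed sample orders, not real customers.
NORMAL_ORDER = Order(total=45.00, quantity=1,
                     bill_address="12 Main St, Springfield", ship_address="12 Main St, Springfield",
                     ship_country="US", expedited=False, offered_above_list=False,
                     email="jane@example.com", phone="212-555-0143", avs_code="Y", cvv_match=True)

SUSPICIOUS_ORDER = Order(total=1899.00, quantity=6,
                         bill_address="12 Main St, Springfield", ship_address="Unit 4, 88 Dock Rd, Liverpool",
                         ship_country="GB", expedited=True, offered_above_list=True,
                         email="rickey.rickerson@hotmail.com", phone="555-555-5555", avs_code="Z", cvv_match=True)

if __name__ == "__main__":
    for name, order in (("normal", NORMAL_ORDER), ("suspicious", SUSPICIOUS_ORDER)):
        print(name, *screen_order(order, avg_ticket=60.00))
```

The decision thresholds are deliberately conservative: a single flag only sends the order to a person, and the hard stops are the two checks the post says to run on every transaction. Keep the flag list in one place so that new patterns you see in your own chargebacks can be added without touching the decision logic.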

If a fraudulent order is successfully placed through your website, 'YOU' are the last defense. Remember that an order from what looks like the perfect customer can also fit the profile of a fraudulent one.

Reference Blog Posts:
Credit card verification numbers
Reasons For Credit Card Chargebacks

7 comments September 1st, 2005
