VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Credit card fraud and hackers
 Advice to reduce attempted fraud?
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

lynch
VP-ASP New User

USA
74 Posts

Posted - June 02 2005 :  10:13:10  Show Profile  Reply with Quote
Some fraudsters are using my store as a way to check the validity of credit card numbers. In May 2005, I had over 1700 credit card denials, but less than 200 real orders. I'm using address verification and requiring the card verification number, so all these fraud attempts are unsuccessful.

I'm using VPASP v5.0, and I've just added the IP addresses for the big offenders to my hackers table.

Does anyone have other suggestions for ways to cut down on this? It's inflating our monthly bill with Authorize.Net, and we'd rather not pay to be anyone's credit card validator.

I suppose I'll also call Authorize.Net and see what their fraud detection service costs...

apswater
VP-ASP Super User

317 Posts

Posted - June 02 2005 :  10:17:08  Show Profile  Visit apswater's Homepage  Reply with Quote
Many of our clients are institutional buyers who do not necessarily know the billing address. We have turn on the AVS block but found it was stopping some good orders. I would suspect some of you 1700 are actually good orders. You are better off turning the block off, looking at the AVS response and picking up the phone and talk tot he purchaser. If you cant call them in the USA, it is most likely fraud. We only take credit cards form the US and look very carefully at orders with AVS mismatches. We have had people fax over a copy of the credit card along with a drivers licence before we will process the sale. Hope it helps.

Another alternative that many compnies do is to only ship to the bill to address on first orders.

Edited by - apswater on June 02 2005 10:18:35
Go to Top of Page

greatphoto
VP-ASP Super User

USA
304 Posts

Posted - June 02 2005 :  20:01:15  Show Profile  Reply with Quote
I'd hate to remove the blocks and have fraudulent charges go through....especially when the excessive chargebacks that result cause loss of the merchant account.

How about modifying the gateway add-on so that it doesn't give any feedback regarding card validity to the customer/fraudster? If they don't get instant feedback, they'll probably move on to some other site that will give that to them.

Go to Top of Page

apswater
VP-ASP Super User

317 Posts

Posted - June 02 2005 :  23:21:42  Show Profile  Visit apswater's Homepage  Reply with Quote
The chances are that it is the same person or group doing the fraud. You credit cards should be set to BOOK and not SALE. You switch them to a sale if the info all checks out and you decide to take the risk and ship the product. If you think it is fraud, then you simply cancel the booked order and there is no charge back.

somewhere in your check out you should add a statement that "orders will be shipped upon verification with the card holder." or something like that, if the fraud guysknow you are looking for them they will go off to another site.



Edited by - apswater on June 02 2005 23:23:27
Go to Top of Page

lynch
VP-ASP New User

USA
74 Posts

Posted - June 03 2005 :  08:35:18  Show Profile  Reply with Quote
quote:

Many of our clients are institutional buyers who do not necessarily know the billing address. We have turn on the AVS block but found it was stopping some good orders. I would suspect some of you 1700 are actually good orders.

Another alternative that many compnies do is to only ship to the bill to address on first orders.



apswater:
We currently do not ask for a separate shipping address, and state on our customer info page that we ship only to the billing address for security reasons.

Our retail goods are clothing and accessories, and our customers are individuals. We have a separate department to handle institutional buyers who are buying for groups, and we don't do that through our online store.

The attempted-fraud orders are different from our regular orders -- most of the fraud orders are large (20-25 of the same item, over $1000 total), while real orders tend to be much smaller.

quote:

How about modifying the gateway add-on so that it doesn't give any feedback regarding card validity to the customer/fraudster? If they don't get instant feedback, they'll probably move on to some other site that will give that to them.



greatphoto:
That's what I've been thinking about doing -- if the fraudsters can't get the info they want from our checkout, they should go away, at least.

I'm surprised I'm still getting this kind of stuff, after requiring the CVN. I would have expected the CVN to keep the bad guys away, but I guess they're trying random numbers there too...

Go to Top of Page

rvaga
VP-ASP Super User

USA
254 Posts

Posted - June 03 2005 :  12:04:01  Show Profile  Reply with Quote
Another scam. . .

Someone on Amazon was listing items I sell. He would accept the orders and card numbers (example, from Mrs. Jones), turn around and place the order through my site as if he was Mrs. Jones. I had no idea that "Mrs. Jones" was actually him, using all her shipping/card info. And, Mrs. Jones would receive her merchandise from my site, everything seemed fine, no one the wiser.

The scam? The bad guy had her card numbers. He would not use these, but would sell these valid card numbers to another bad guy. When the card was eventually used fraudulently, maybe months later, it was impossible to trace where the numbers were stolen, because her purchase through Amazon was a legitimate purchase (though customers never realized that the Amazon guy was not me - they ordered via Amazon, and received their merchandise). It fell apart when I changed prices, the bad guy didn't notice, and Mrs. Jones complained that I had changed prices, she used the phone number I have on the packing slip. This is when I found out that her purchase was actually placed at Amazon, and I went to the Amazon site and figured out what was going on. (other people became involved, I'm not that good a detective)

I contacted Amazon, and they did exactly. . . nothing. Except, they emailed me some BS about how secure their site is, and how they are not responsible for actions of merchants using the Amazon site for affiliate type sales. This went back and forth a couple of times, until I told the anonymous "customer service" Amazon person via email that I would place a warning on my web site for people to beware of scams on Amazon, and this would be seen by around 4,000 people per day.

The bad guy's listing disappeared. But like everything else, if there's one guy running such a scam, there must be others.

Go to Top of Page

apswater
VP-ASP Super User

317 Posts

Posted - June 03 2005 :  16:23:57  Show Profile  Visit apswater's Homepage  Reply with Quote
You really need to set your gateway to book the sale. Then you can eyeball the ones you think are bad. If you only ship to the billing address, then you are NOT responsible if it is fraud. You might have to backout the sale when they return it, but you wont get totally burned and it does not count as a chargeback.

Go to Top of Page

lynch
VP-ASP New User

USA
74 Posts

Posted - June 06 2005 :  08:59:20  Show Profile  Reply with Quote
quote:

Someone on Amazon was listing items I sell. He would accept the orders and card numbers (example, from Mrs. Jones), turn around and place the order through my site as if he was Mrs. Jones.



Oh, that's fiendish. And Amazon conveniently holds themselves blameless...

quote:

You really need to set your gateway to book the sale. Then you can eyeball the ones you think are bad. If you only ship to the billing address, then you are NOT responsible if it is fraud.



While I'm responsible for all the implementation and database stuff at my company, I'm not the one processing orders. I'm trying to keep that end as simple as possible. At this point, none of the fraud attempts have been successful -- the AVS and CVN are doing their job. I'm just trying to reduce fraud attempts so Authorize.Net won't send me any more e-mails about suspicious activity.

I have changed the message returned on declined cards so it's always the same, which should make it useless to the fraudsters. I guess I'll see how long it takes for them to learn and move on.

Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000