"The CVV number is not as secure a check now as it used to be and more work on your end is required to deter future fraud orders that are sure to come."
This is really true. In the past month I had to get a new card because my old one had been compromised. I had that card 10 days and used it on two reputable sites and then I saw it being used on a third site to buy five domains WITH the CVV. I don't know how this happened, but it has made me completely distrust the CVV now.
As for the phone number, years ago a professional criminal talked about buying throwaway cell phones to use to commit crimes, so I don't think a phone number someone answers means anything either.
I am lucky that in my niche I don't get much fraud. It was mostly clustered around certain items, all of which I have discontinued precisely for this reason. Outside of that, the biggest flags were overnight, which I also discontinued for that reason, and multiple items.
|fraud orders that are sure to come |
CC companies have claimed online fraud has declined, and I agree. I read several ecommerce newsletters and there's far less talk about security than in the web's early years.
You'd certainly expect online fraud to be increasing with worldwide recession but I see no sign of that. On this group, for example, experienced e-retailers worry about the economy and their revenues, but not about their fraud losses.
I've said this before and I'll say it again: the only way to really combat this problem is to manually check large orders.
You need to verify the name and address info with a 3rd party like Google, or call 411 and ask them to verify the name and street address for the phone number.
Additionally, call them and confirm the order at the phone number listed or a phone number that shows up for their address in 411 or Google.
If you can't confirm the sale within a few days, simply refund it and move on. I've done it many times and never regretted it once.
Protect yourself when sending it.
When you send the order, use USPS if possible and send it REGISTERED MAIL with RESTRICTED DELIVERY which means only the individuals you specify are authorized to receive and sign for the item.
Then defrauding you becomes a federal crime known as POSTAL FRAUD and you have their verified signature of the delivery.
My post office checks your ID at the time of delivery so they know it's you, there's no getting around this if they claim it wasn't delivered.
Besides, USPS is easy to work with, they pick up too!
Worst case you may get a chargeback anyway if it was a fraud sale, but most likely you'll have your merchandise too, which will lessen the blow.
Relying on the phone number to check with is not really functional anymore, because so many people have cell numbers now, and often you cannot get any information about where a cell number is located.
Registered mail is extremely slow and expensive. Besides, many people legitimately do not want to have to sign for a delivery because it means they either have to be home when they're at work or they have to go to a post office after work and wait in a line to pick up a package. One of the attractions of ordering online is the convenience, and this is inconvenient.
So is bankruptcy and "Going Out Of Business" sales.
When the price point gets high enough to make the risk to the vendor painful, then you either suffer a little inconvenience or risk going broke; your choice.
The point about phones is most people still have a regular phone and a cell phone; you can use the normal phone as an additional confirmation. Alternatively there are inexpensive databases you can subscribe to that will allow you to confirm someone lives at the delivery location.
USPS isn't that slow, very comparable to UPS but neither are as fast as FedEx ground.
I've picked up packages at the post office that couldn't be delivered when I wasn't at home. It's not that big a deal, and if it is, inconvenience is the least of the person's issues.
Which industries really suffer from chargebacks? I'm sure electronics and downloads, any others?
For those suffering from a lot of chargebacks, does your system display the result of the credit card transaction right away? If so, you might want to consider keeping the result hidden, and then email the customer automatically 12 or 24 hours later if it was declined. That way, searching through their stack of numbers for a valid one will become much more difficult.
Incredibill, I think you're mixing up Registered Mail with signature confirmation. Registered mail is indeed very slow; it can take literally weeks inside the US. It's also very expensive. A signature confirmation is $2.80 just for the signature. That is supposed to survive a chargeback, but it is adding quite a bit to the shipping, and the person has to either be there or pick up the package at the post office. I don't use it unless the order is over $200 and I feel somewhat suspicious (not so suspicious that I would not ship). I don't blame people for not wanting to have a signature required. I don't like it myself. One of the attractions of buying online is that you don't have to go anywhere to get the thing or be in a particular place at a particular time. It just comes. Requiring a signature defeats that.
It seems to me that trying to circumvent chargebacks depends on what you are selling and how much risk you are willing to take to sell it. If you don't want to take a lot of risk, sell things that have a low chargeback rate. You can even ask your cc processor. Then you hardly have to worry about it at all. If you want to take the risk, then chargebacks are just a cost of doing business.
If the shipping address matches the billing address, ship.
If the shipping address does not match the billing address, overnight a confirmation code to the billing address which the customer must come back to the site and enter before the item will be shipped to the shipping address.
1) Examine the server's IP related variables very carefully (can all be automated).
- Block all of Africa, and the parts of Asia and Europe where a lot of the fraud originates from.
- Look for forwarding / proxy (X_FORWARDED_FOR). That is a good indication that a proxy is being used for that order. Run those addresses through MaxMind's geo databases for city / country info.
- On your backend, show the whois info for that IP address. Does it match the reverse DNS and address fingerprints? (Someone in California is highly unlikely to be coming in from a VPS provider in New York).
- Use a reverse phone lookup API if you need
- If these basic checks do not pass - call the buyer and see if they answer or call back.
There are a few automated steps that can be taken to minimize your risks.... BEFORE the payment is captured.
Also, see if your credit card company can delay capturing the transaction by 3 or 4 days (in case you're capturing before shipping) to give you time to cancel the transaction at no charge if you determine it's fraud.
I've seen some good suggestions here, but one thing to realize is every business is different. If I'm an electronics retailer I can probably get away with shipping only to the cardholder address; if I'm a gift retailer that would kill my business.
Fraud orders are easy to spot in our case. The ones that really annoy are the friendly fraud ones. But we have come up with a solution for that one. Since the person is essentially stealing the product by charging it back and keeping it, when we get their chargeback notice with their signature, we make a copy of the signature and put it on a CC receipt to prove they ordered and signed the receipt. I guess you can call it counter-fraud. It happens like twice a year but well worth being as underhanded as the thief since the banks don't back us at all.
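The automated checks listed in this post, combined into one rule-based scorer that turns each failed check into a reviewer-readable reason and a ship / call-the-buyer / hold decision. This is an added example, not code from any poster; the IP-prefix and area-code tables are constructed stand-ins for the GeoIP and reverse-phone services named in the thread, and the weights are illustrative.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed lookup tables standing in for the GeoIP (MaxMind) and
# reverse-phone / white-pages services mentioned in the thread.
IP_PREFIX_TO_STATE = {"203.0.113.": "CA", "198.51.100.": "MA", "192.0.2.": "NY"}
AREA_CODE_TO_STATE = {"415": "CA", "781": "MA", "212": "NY"}


@dataclass
class Order:
    billing_state: str
    shipping_matches_billing: bool
    avs_match: bool                 # gateway address-verification result
    cvv_match: bool
    client_ip: str
    x_forwarded_for: Optional[str]  # raw header value, None when absent
    phone: Optional[str]            # None when the buyer gave no number
    via_cashback_affiliate: bool    # order arrived through a rebate affiliate


def state_for_ip(ip: str) -> Optional[str]:
    """Region for the connecting IP (constructed table, not real GeoIP)."""
    for prefix, state in IP_PREFIX_TO_STATE.items():
        if ip.startswith(prefix):
            return state
    return None


def state_for_phone(phone: Optional[str]) -> Optional[str]:
    """Map a North American number's area code to a region (constructed table)."""
    digits = "".join(ch for ch in (phone or "") if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]             # strip the country code
    return AREA_CODE_TO_STATE.get(digits[:3]) if len(digits) == 10 else None


def score_order(o: Order) -> Tuple[int, List[str]]:
    """Weighted checks; every failed check is returned as a reason for the reviewer."""
    hits: List[Tuple[int, str]] = []
    if not o.avs_match:
        hits.append((3, "AVS mismatch"))
    if not o.cvv_match:
        hits.append((3, "CVV mismatch"))
    if not o.shipping_matches_billing:
        hits.append((2, "ship-to differs from billing address"))
    if o.x_forwarded_for:
        hits.append((2, "X-Forwarded-For present (proxy/forwarder in path)"))
    ip_state = state_for_ip(o.client_ip)
    if ip_state != o.billing_state:
        hits.append((2, f"IP region {ip_state} != billing region {o.billing_state}"))
    phone_state = state_for_phone(o.phone)
    if phone_state is None:
        hits.append((1, "no usable phone number"))
    elif phone_state != o.billing_state:
        hits.append((1, f"area code region {phone_state} != billing region"))
    if o.via_cashback_affiliate:
        hits.append((1, "cashback affiliate traffic"))
    return sum(w for w, _ in hits), [r for _, r in hits]


def decide(score: int) -> str:
    """Map the score to the thread's outcomes: ship, call the buyer, or hold capture."""
    if score == 0:
        return "ship"
    return "call_buyer" if score < 4 else "hold_and_confirm"
```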
While it's mostly true that the credit card companies don't care about the merchants that much, you can bet that they would definitely take notice of merchants committing fraud like that. All it takes is one customer to deny having signed the CC receipt and most likely you will have your merchant account terminated, find yourself blacklisted from ever obtaining another MA, and possibly facing criminal charges (fraud, forgery, possibly others).
|if I'm a gift retailer that would kill my business. |
Typical gift retailers don't send things so expensive that people try to defraud them.
Who wants to defraud a florist or someone sending chocolate strawberries via the internet?
It's not like you could easily resell them.
|I don't use it unless the order is over $200 and I feel somewhat suspicious |
Exactly - I wouldn't use signature required on every order, just larger orders or those that feel suspicious.
Besides, don't forget that people often have packages that require a signature delivered to their office; my wife and I used to do that all the time, so being home to get the package is just an excuse.
|Typical gift retailers don't send things so expensive that people try to defraud them. |
There must be a report somewhere on market spaces and the level of fraud they experience.
Ah... well it's not exactly what I was looking for but it might be worth a read: 2008 Internet Crime Report [ic3.gov]
Slight OT: Among the Appendices is a section titled "Credit Card Fraud Prevention Tips" worth reading to see what the FBI and the National White Collar Crime Center think consumers should look for.
momotan, I think you shouldn't do that for the reason LifeinAsia says.
|I guess you can call it counter-fraud. |
You could arrange to meet the crook in a hotel and use a gun to take your money back.
Wait. Isn't that what OJ did?
The law, outside of "Dodge City 1870," doesn't permit victims to commit a crime to redress a crime.
Let me explain the type of fraud we get and welcome to my biggest headache. If you know of a solution I would love you forever!
We are getting chargebacks where:
1) The customer's billing and shipping address matches
2) The billing address is approved by authorize.net
3) The CVV code matches
4) The order amount can vary, but is always within the normal range of orders placed via our website, nothing suspicious
5) IP address matches billing address geo-region
6) Customer's browser set to English
7) Phone # area code matches billing address geo-region
8) email address is not a bounce and someone replies to verify the order
9) someone actually picks up the phone and verifies the order, usually without any accent
Ready for the one and only thing in common? They made the order via Ebates.com. We have an affiliate marketing program and one of our affiliates is Ebates - they give a rebate to their users based on a % revenue share that we pay Ebates.
The fraud we're getting hit with is from people who install basically spyware / botnet type software. They use prepaid cell phones or VOIP virtual numbers (I'm assuming) and use that person's real IP (via turning the victim's computer into a proxy) and real mailing address for the order. They must have gotten the credit card # and CVV by sniffing their traffic or logging their keystrokes. So these criminals have offshore accounts where Ebates sends money to if the merchant (us in this case) doesn't catch it in time (within 30 days).
Many people get a package to their house they didn't order and just keep it and don't report it to anyone; those are the fraud orders that sneak through. Some people do call us to tell us they got a package they never ordered.
The credit card company never lets us keep the money for the order as it WAS fraud, but not committed by us, and we lose the product, processing fees, and get hit with chargebacks and associated chargeback fees. Sometimes we end up even paying the commission to Ebates (and the fraudster) if we don't catch it within the 30 days (How can we if nobody alerts us within 30 days?).
So.... does anyone have any solution for this?
|So.... does anyone have any solution for this? |
1) Terminate Ebates as an affiliate due to unacceptable levels of fraud from their traffic.
2) If you do keep them as an affiliate, deduct any charge backs from their commissions (standard industry practice). You could also consider setting a longer period before sending them commissions.
3) Adjust #7 (especially for Ebates orders): do a white pages lookup on customer name and reverse lookup on phone number. If you don't get a match, call the number you find in the white pages lookup, NOT the phone number they provided.
LifeinAsia, it's not just Ebates, a few other partners have this problem as well if they offer cashback. Bing Cashback for example has the same problem.
Regarding your suggestions:
1) The % of overall fraud is low, but the dollar amount is high enough to hurt, and it hurts our standing with our merchant and raises the overall cost of doing business, so we'd like to eliminate the fraud if possible.
2) We do that, and in terms of a longer period I'll have to check to see if I can change terms of individual affiliates as we use Google Affiliate Network (formerly DoubleClick Performics) to run our program.
3) We do look up the name and address, but often there is no phone # provided. For a $40 order, we're starting to get into a lot of overhead, making it not so profitable.
Not bad suggestions as we are already implementing most of what you set forth and it's cut down the bulk of the fraud, but not all.
The thing that pisses me off the most is when I reply to the chargeback and I show proof of billing match / shipping match / CVV match and proof of delivery and they say to me "tough luck" and then we get hit with a $25 chargeback fee in addition to lost processing fees.
What percentage of numbers would you lose if you required a phone number?
Another option for orders from cash back programs- call the credit card bank and verify the phone number on the order with the phone number the bank has. No match=no order.
Yeah, it's more work. But so is dealing with charge backs.
Gomvents, from your post I can't see a way you can stop it without spending huge blocks of time devoted to your affiliate marketing programs.
I would really have to question if the affiliate marketing program is worth the cost you're paying and the possibility of losing your merchant account over.
You also have to consider that with a high percentage of charge backs your fee to do business with the processing company continues to go up and up and up until your cost of doing business makes you raise the prices of the items you sell to offset the processing fees.
I myself would have to cut them loose and forget it, as if I lost my merchant account I would be out of business.
You can't get pissed off when it is fraud and the person that was charged is as much a victim as you are. You also have to consider this. You sent the tracking number to the one that did the crime; he then sends a mule to watch the house, who sees the truck and intercepts the package. Sometimes he can't get the package and you get a call.
Get pissed at the weak link in your business and plug the hole.
bwnbwn, they aren't stealing packages, it's to get the cashback money.
LifeinAsia, great idea - but how can I know which bank they use?
We only have a problem with about 1 out of every 5,000 orders overall, and that's due to about 1 out of every 300 we get from Ebates being fraud. So the fraud is not to the point where it'll put me out, just want to try to stop it in its tracks if possible.
Also we ship via USPS so there is no package redirection scam, and the tracking is only a delivery confirmation: they don't have any idea exactly when the package will be there, and tracking is updated at midnight usually, so the package will likely be there all day before tracking indicates it as delivered.
I feel bad for the people whose cards were stolen / computers were hacked, but there needs to be some higher level of accountability.
I don't even mind refunding the purchase amount and losing out that cost (of shipping and product) for the rare times. I just wish my merchant account provider would eat the related processing and chargeback fees at that point, and not count it against us.
It's based on the first several (6?) numbers of the card. I think you can find a list of telephone numbers if you Google. Alternatively, you can call Visa/MasterCard 1-800-228-1122 with the card number and they can give you the bank's phone number (although that makes it a 2-step process).
If you do a search on "list of bin numbers," you will find the lists that give the bank identified by the first six digits of a credit card.
|does anyone have any solution for this? |
I would do everything LifeInAsia recommends plus one more:
- Sue the CC holder
So what if their computer is hacked, that's their liability, not yours.
Not running AV to keep your computer clean and hacker free is negligence, they should foot the bill, not you, and perhaps a reasonable judge would agree.
If they do run some AV and it's not catching the hackers then maybe they'll sue the AV maker to fix their junk and we'll litigate this problem out of existence.
I would go to small claims court for recovery and see what happens.
It's worth a shot!
incrediBILL, I'm in Woburn, MA - I should sue some poor shmuck in Las Vegas, NV because they didn't update IE? It's certainly way more trouble than it's worth, but I probably should report it to their local ISP and police dept so they know what's going on.
|I should sue some poor shmuck in Las Vegas, NV because they didn't update IE? |
Yep. Unless you just like losing money.
I play to win and I take chargebacks real seriously so I'm the wrong person to be on the short end of that stick and if it's more than $500 then I'll probably try the small claims route.
Worst case I suppose you could always file a police report.
Gomvents, I believe you need to work with your affiliate so they will remove the incentive for scammers to use this process of stealing funds.
One way perhaps is for the affiliate to give some sort of credit towards the products customers buy next time, instead of paying cash. Coupons, vouchers and the like they can use with their next order, resulting in a discount.
Because, if a customer's system is compromised you can assume it all; they can even use the browser, and from the IP there isn't much you can tell (maybe a port scan of the standard ports sometimes will reveal the proxy, but it's a long shot).
Going through the bureaucratic legal avenue is just not viable since you're going to be after the wrong entity most likely.
Gomvents, 1 in 5000 orders is not at all what I thought from your post. I would then myself not cut them loose as that % is by no means out of the norm.
As lifeinasia posted that would be the only sure way of stopping them but as he and I said it would add about 10-15 minutes per order but only on the ones from the affiliate marketing programs would need this extra time.
2nd that as this would then add extra paper work time and expense on your part.
|Going through the bureaucratic legal avenue is just not viable since you're going to be after the wrong entity most likely. |
Gomvents, unless I've misunderstood you think that these orders are being placed with the goods shipping to the registered address of the card holder, the criminals pocket the cashback from your affiliate, and then the cardholder (who has received the goods, even if they didn't order them) does a chargeback down the line when they get their card statement through.
If this is the case, presumably they are just thinking they've got an accidental freebie when they originally got the package, and keep quiet about it.
Could you perhaps mitigate this by the paperwork that you ship with the goods? Instead of just a delivery note, send an itemised receipt which states that payment has been received in full on a card, and provide enough information that a person would realise that it is their own card that has been used. E.g.:
Invoice status: PAID
Payment received in full on Visa card registered to Mr U R A Mug.
For billing enquiries, please call on 0800......
Which would hopefully increase the number of calls you get from people asking what you think you are doing with their card, rather than just thinking they've got a freebie. This would let you get your products back, and stop payment of the commission in time.