|High volume of fraudulent orders|
One of my companies (ecommerce) has been getting hit hard with fraudulent orders for almost a year.
We use all of the popular sophisticated tools and 3rd parties to check the order for flags in real time before it's processed. That stops about 3/4 of the transactions; however, the other 1/4 go through. Some weeks there's only a few dozen while others there are thousands processed.
For those that do get through they use the correct name and address on file, correct cvv code, and oddly enough same shipping address as billing*. Worst of all they go as far as using IP addresses geographically near the home of the person it was stolen from. There's nothing else we can do to stop these orders from going through without causing a problem for legitimate customers. There's too many per day to call and verify.
*We think one reason why they would use the same shipping as billing is that they are placing these somewhat small ticket orders to verify a working card.
Some of the people at my company have tried working with law enforcement including the FBI and government agencies. Maybe they aren't getting through to the right person because these groups have never followed up.
Because of this fraud we've accumulated a large amount of data on these people. Everything is logged and recorded. You would think that some agency out there would be interested in a group that has the true identities and credit cards for tens of thousands of people (likely more). A friend with another ecommerce company has the same issue and they are a little larger ($60M/year). They have taken these same measures and are not sure what else to do. They have had no success with reporting to the government agencies as well.
Anyone out there with unusual and helpful information about this type of problem?
Thanks if you can provide any, PM if necessary.
are you doing the auth and capture together? i do capture on ship, so they're separate. i wonder if the usefulness of your cart (if simultaneous auth + capt) as a test for stolen cards is why they've chosen you...
|*We think one reason why they would use the same shipping as billing is that they are placing these somewhat small ticket orders to verify a working card. |
That would be my guess.
It's a long shot, but if you are capturing the browser's user agent (if not, then start), do some analysis and see if it's the same one (or a group of ones) being used. That might indicate the same person/group doing all of these. If so, maybe you can flag orders with matching user agents for manual follow-up.
Similarly, use some analytics and try to determine how the fraudulent order users are coming to your site. Chances are, they may have bookmarked your site as an easy site to use for testing. So you could flag those orders for manual follow-up. Note: if it's a returning customer who bookmarked your site, then it shouldn't automatically raise a red flag.
We had some fraud orders a few years back that apparently came from a link in a Hotmail account (the referrers for all the orders came from a link used for reading a message in Hotmail). Any orders with similar referrers now go under a microscope before processing.
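An added example, not part of the original posts or any poster's code: one way to run the user-agent and referrer analysis suggested above over past orders and hold matching new orders for manual follow-up. The order fields, thresholds and sample history are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

UA_A = "Mozilla/5.0 (Windows NT 6.1) ExampleBrowser/1.0"   # constructed value
UA_B = "Mozilla/5.0 (Windows NT 10.0) ExampleBrowser/9.0"  # constructed value

def make_order(ua, referrer, fraud=False, returning=False):
    # Hypothetical order record; field names are assumptions for this example.
    return {"user_agent": ua, "referrer": referrer, "fraud": fraud, "returning": returning}

# Constructed history; "fraud" means the order was later confirmed fraudulent.
HISTORY = (
    [make_order(UA_A, "", fraud=True) for _ in range(4)]
    + [make_order(UA_B, "https://mail.example/read?msg=1", fraud=True) for _ in range(3)]
    + [make_order(UA_B, "https://search.example/?q=shop") for _ in range(6)]
    + [make_order(UA_B, "", returning=True)]
)

def referrer_host(referrer):
    """Reduce a referrer URL to its host; an empty referrer is a direct or bookmarked visit."""
    return urlsplit(referrer).hostname or "(direct)"

def risky_values(history, key, min_fraud=3, min_rate=0.75):
    """Attribute values seen on at least min_fraud fraud orders and mostly on fraud."""
    total, fraud = Counter(), Counter()
    for o in history:
        total[key(o)] += 1
        fraud[key(o)] += int(o["fraud"])
    return {v for v in total if fraud[v] >= min_fraud and fraud[v] / total[v] >= min_rate}

RISKY_UAS = risky_values(HISTORY, lambda o: o["user_agent"])
RISKY_REFS = risky_values(HISTORY, lambda o: referrer_host(o["referrer"]))

def review_reasons(o, risky_uas=RISKY_UAS, risky_refs=RISKY_REFS):
    """Reasons to hold a new order for manual follow-up (empty list = no hold)."""
    reasons = []
    if o["user_agent"] in risky_uas:
        reasons.append("user_agent")
    host = referrer_host(o["referrer"])
    # A returning customer arriving from a bookmark is not a red flag by itself.
    if host in risky_refs and not (host == "(direct)" and o["returning"]):
        reasons.append("referrer")
    return reasons

if __name__ == "__main__":
    for new in (make_order(UA_A, "https://search.example/"),
                make_order(UA_B, "", returning=True),
                make_order(UA_B, "https://mail.example/read?msg=9")):
        print(referrer_host(new["referrer"]), review_reasons(new))
```

The rate threshold keeps a widely used browser string (here `UA_B`) from holding every order just because some fraud orders also carried it.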
perhaps your website is listed as a cardable site, check the site referrers
do you provide to the customer a response if the card is declined?
What do you mean by this?
Never mind, I found the answer myself. I suspected that is what you meant but I was not aware of the term.
|Carding is a term used for a process to verify the validity of stolen card data. The thief presents the card information on a website that has real-time transaction processing. If the card is processed successfully, the thief knows that the card is still good. The specific item purchased is immaterial, and the thief does not need to purchase an actual product; a Web site subscription or charitable donation would be sufficient. The purchase is usually for a small monetary amount, both to avoid using the card's credit limit, and also to avoid attracting the card issuer's attention. A website known to be susceptible to carding is known as a cardable website |
|It's a long shot, but if you are capturing the browser's user agent (if not, then start), do some analysis and see if it's the same one (or a group of ones) being used. That might indicate the same person/group doing all of these. If so, maybe you can flag orders with matching user agents for manual follow-up. |
That's an interesting idea - if they are using a limited number of machines you could do some fingerprinting [arstechnica.com] using all the information that the browser will give you.
|they use the correct name and address on file, correct cvv code, and oddly enough same shipping address as billing*. Worst of all they go as far as using IP addresses geographically near the home of the person it was stolen from |
They may have hijacked these systems so you may not be able to distinguish anything. And so they can then test the cards as already mentioned and then find ways of actually converting credit into cash. I don't know what tools you are using but in such cases they won't identify anything. You need to retrieve information from the IP and go from there. Some of these tools correlate the geo-location with the billing/shipping address, which may be inadequate in this case.