| This 34 message thread spans 2 pages: 34 (  2 ) > > || |
|Credit Card Fraud|
Why don't banks and merchant account providers care and what can we do?
We repeatedly get fraudulent orders attempts on our website, and some make it through. Generally, these orders are for several hundred dollars worth of merchandise, often in the low thousands.
When we spot them (we do miss some, but we get most) we generally try to call the issuing bank to report the fraud. We can lookup the bank information on our merchant account website by entering the first six digits of the credit card number at issue.
Generally, when we do this, the company simply tells us that the purchase must be bad. We ask them to notify their security department, and they say that's the customer's responsibility. So then we try to get our merchant bank involved. They tell us to call the police. Of course, the police will take a report, but we have to do it locally, and the fraudster is generally thousands of miles away. So, it's all a big waste of time.
Why isn't there some organization that cares? Why don't customer's banks want this info so that they can mitigate their losses? Easy answer is: they simply charge them back to us, the merchants, so they couldn't really care less. They pull the money back from us, plus a charge for the service, and pop out a new account number and card for the customer.
As merchants, we need a better system. We see the same fraud attempts repeatedly from the same IP address, and to the same shipping address. We need some central location where all merchants can report this information and blacklist these shipping addresses (generally stores like Mailboxes Etc. and other drops). Email addresses are easy to change, but often these orders originate from the same IP address - or overseas IP addresses.
You just have to stay educated. Keep yourself up to date with the latest trends in fraud trends. there was another thread concerning fraud where I posted a lot of common red flags, check that out as it should be some what helpful. I work in the fraud dept for the biggest e-commerce outsource provider out there (our only real competitor is Amazon but we have many more partners) so I see A LOT of stuff. If you have any questions let me know.
Here's the thread:
Not bad. I agree on the major fraud alerts:
-different billing and shipping
-inconsistent name and address formatting
-free email addresses
-wrong/disconnected/out of area phone numbers
and some of my own:
-all lowercase information (not sure why . . .)
-expedited shipping, even to an address in the same city (disguises it to look like it's just going to the office)
-IP address from abroad
-order quantities out of whack
I have to say, while we've had many, many good customers in the urban areas listed in the other thread, both Brooklyn and Chicago are at the top of my list for fraudulent areas of the country.
Oh and another great tool is charge verification through Amex. This is where you open a case with them and they attempt to reach the cardholder at any phone numbers they have on file to validate the charge. There is also a form of this through Discover called CNP Code 10. I also have the phone numbers to Bank of America and MBNA where they will do the same thing. Let me know if you would like any of this info.
I think the point of the original post wasn't so much how to know if a sale is fraud, but how do we stop fraud attempts for good.
I have fraud checks in place that almost completely eliminate fraudulent sales going through (still get occasional people that game the credit card chargeback system - but that is rare for me too), but if I have names, addresses and phone numbers of people trying to rip me off, I would like to see them punished even if they aren't successful. As the original poster mentioned, I have contacted banks and they don't care. I have contacted the police and have basically been told not to bother (not a big enough crime to mess with). The thieves are blatant (and most of them are stupid), but as long as there is no enforcement of law they will continue to grow as a problem.
Once upon a time (about 10 years ago) in the UK, a mail order computer reseller received an obviously fraudlent order for a couple of thousand pounds.
Amazingly, the police took an interest. A couple of days later, two police officers disguised as couriers delivered a dummy parcel. The person who signed for it was arrested and subsequently convicted.
Why this doesn't happen regularly is a complete mystery to me.
"I think the point of the original post wasn't so much how to know if a sale is fraud, but how do we stop fraud attempts for good. "
You will never stop fraud attempts for good. And no ones fraud screening is THAT good. You either
A. Do not have a large amount of order volume
B. Are rejecting legit orders because you are overly thorough.
When it comes to account take overs you are pretty much S.O.L. unless the person who did the take over did something careless to make part of the order stand out. Nothing is full proof and never will be when it comes to this stuff.
Believe it or not, years ago I almost had the FBI ready to deliver packages to a recurrent fraudster. Apparently in major cities they have Fedex and UPS trucks and uniforms, and one of their agents was going to deliver, get a signature, and then arrest. Of course, the resources never came through.
I feel like if some law enforcement just did some of these in high-visibility locations, then we'd at least raise the bar a bit. People would be scared where they are now - to use a term from another reply - blatant.
My latest fraudster is only a few miles from my warehouse. I'd like to deliver it myself and give him a piece of my mind.
I think that law enforcement involvement really needs to come sooner rather than later. I know how annoyed and upset I get when this happens to my office (one box did go to this local guy and is supposed to be delivered today but I'm trying to have it stopped). The last time this happened and we thought the FBI might deliver we sent a box of junk. I can easily see someone sending explosives or something and causing some big issues.
the original question was "why dont backs and merchant account providers care?" (about attempted fraud)
simple answer is because there is little they can do about it
most of the frauds come from nigeria or indonesia or wherever - tracing the fraudster is going to be difficult at best, nigh on impossible most of the time
what do you expect them to do?
I work in the anti-fraud department of an emerging online payment system and as you can imagine we are continually being hit by fraud. I disagree with those of you who say that most fraud comes from outside the US as from experience I can say that the US is our biggest problem – here I’m not saying that the fraud is committed by US nationals but that the fraud originates from US issued cards.
We check most of what has been discussed here – CV2, IP addresses, card bin (check that the IP country matches the bin country…etc), check for proxies, social security numbers…etc.. however this has still not stopped fraud and we are looking into further tightening of our anti-fraud measures.
And that’s why we’ve currently been looking into Verified by VISA. Thing is, does it really give us sufficient protection? Does it really shift liability to the banks? And if it’s not possible for a user to charge back due to ‘non-authorized’ transactions, can a victim chargeback on the basis of say ‘service not received’. Any feedback on this (supported by proof if possible) would be highly appreciated.
Other than this the only other really effective anti-fraud measures are calling clients and asking them for documentation. Technology has helped us reduce fraud but its not a substitute for manual checking, which is unfortunate in a sense as calling clients or asking them for docs is not only expensive but results in a serious drop in client acquisition.
The banks don't care for one simple reason - they make a profit from it by fining the merchant and still charging the transaction fee.
The law should be changed so that the bank cannot take back any more than they paid you in the first place. All the money and charges should be reversed (in full) right back to the customer. As the banks could not make any profit (they would lose money, as merchants do - or at least the goods), then the banks would take a different approach: they would care.
PCInk - that's just silly - banks don't make profits by waiting for a fraud to happen then charging you a small fee for refunding it - they make their money from genuine transactions
the fees you pay for accepting fraudulent transactions are because *you* accepted the fraudulent transaction - maybe you ignored the warning flags (AVS / CVV / VbV / MCSC etc) - maybe you got matches on AVS etc but shipped to an alternate address - or something else
but the bottom line is if you don't accept the fraudulent orders, you won't get chargebacks
and anyway, you're well behind the times - VbV / MCSC mean liability is shifted to the card issuers / banks etc
update, get a new online payment system!
>>>>>and they say that's the customer's responsibility.
How is the customer to know? That is stupid, because the customer does not find out until his card is declined because it reached a limit, or he receives the statement.
I have know idea why the banks don't care, it is puzzling. We don't even tell anybody when we get a fraud order anymore, and have not for a few years. Its a big waste of our time. We are really good at spotting fraud, and it has been a long time since we were stung by a fraudster.
Most of the fraud orders we get now are to be shipped to the USA. They set up some third party (who has no idea what is happening) to accept the incoming packages, then forward them out of the coutry.
The other issue we are constantly seeing, is people testing a credit card to see if it is still active. But, we manually charge credit cards here, so we are screwing over the fraudsters.
yeah vbv5 is great however not everyone is signed up for the verified by visa program.
vbv protects you regardless of enrollment
|the fees you pay for accepting fraudulent transactions are because *you* accepted the fraudulent transaction - maybe you ignored the warning flags (AVS / CVV / VbV / MCSC etc) - maybe you got matches on AVS etc but shipped to an alternate address - or something else |
A live external payment page does not mean I processed the transaction but I get the blame and fines/fees as if it were my fault (e.g. think PayPal/WorldPay payment pages - live contact to the banks - the way many small ecommerce businesses operate).
|The banks don't care for one simple reason - they make a profit from it by fining the merchant and still charging the transaction fee. |
This is correct. Everyone has very simple ideas on how credit cards can be more secure and are puzzled as to why nothing is implemented.
The reason is simple, the banks and credit card companies see chargebacks as a revenue generator. When a customer reverses a charge they say was fraudulent, the merchant eats the loss, not the bank. Plus they make the chargeback fee, usually around $50
It's just like returned checks and over charge fees that banks charge. In fact if you look through the financials of most banks they make over 50% of their profits from fees.
|A live external payment page does not mean I processed the transaction but I get the blame and fines/fees as if it were my fault (e.g. think PayPal/WorldPay payment pages |
so as a responsible merchant, you'll be using worldpay's pre-auth and ignoring anything that looks like a fraud (so the payment expires and can't be charged back), and you'll be checking AVS results and shipping only to the cardholder's address and you'll be covered by VbV and MCSC for a lot of transactions ...........
of course, if you're not doing the above (and taking other anti-fraud measures) then you're not taking responsibility seriously and yes, it is your fault
if you have a shop and someone hands over a dodgy £20 note, do you accept it then blame the banks? no, of course not. so why accept dodgy credit card transactions?
the tools are there to let you identify or prevent most frauds - use them.
|plus they make the chargeback fee, usually around $50 |
Holy cow, you need a new merchant account if you pay $50 for a charge back! Should be around $15 unless you are high risk or something.
|Should be around $15 unless you are high risk or something. |
It actually should be $0, but I believe also my last fee was around $50.
And by the way, you don't have to process a fraudulent order to get hammered with the chargeback fee. I had a customer who returned merchandise to a wrong address (someone completely different), she requested a chargeback because we didn't refund her for the merchandise we never received. The bank took the money back from us and we got the chargeback fee.
Later we got the chargeback reversed, but we could not get the fee refunded.
"so as a responsible merchant, you'll be using worldpay's pre-auth and ignoring anything that looks like a fraud (so the payment expires and can't be charged back), and you'll be checking AVS results and shipping only to the cardholder's address and you'll be covered by VbV and MCSC for a lot of transactions ...........
If your only shipping to the billing address you are way behind. You cannot run a successfull e-commerce sites with restrictions like that. People send gifts, people travel and they're going to want to ship items to other locations.
Customers can call the card bank and have the shipping address added to their info so it can be verified.
I guess you would have to do this by phone though?
over a dodgy £20 note,- But its easier to tell if your standing in front of them.
In 20 years of retailing I took two cheques that bounced on both occassions I knew something was up.
The customers wouldnt make eye contact etc etc when they handed the cheque over.
How do I tell that a transaction is ultimatly fraudulent if I cant have them in teh room with me?
in some parts of inner city London some of the shops have banned our west affircan friends from coming and doing business. Illegal I know but so.
Visa's customer is the cardholder. You are just the dirtbag out there shilling on the Internet. Your job is to give them their "share" of your revenue (and even their "share" of your refunds). Visa couldn't care less about you, your profits, your mother, your hopes and dreams, or anything else. They will, however, do anything and everything to make sure their cardholder is happy and doesn't cancel his card.
I gave up years ago reporting fraud. No one cares, not Visa, not MasterCard, not our acquirer, not our online processor, not the FBI, not local police. The reason why no one cares but you and me is this: you and I pay for fraud, no one else. Merchants carry all the risk and absorb all the cost, then we write Visa a cheque (figuratively, of course, they just net it off your deposit).
It's nice to commiserate and share our misery, but it won't do us any good at all. We need Visa (directly or indirectly) and they will always be in the position to force us to swallow the cost, and the risk for every transaction (including Verified by Visa transactions).
OK - so my favorite fraudster is back. Same IP address, same shipping address, even the same order. The guy isn't very original, or good at disguising his intentions. And why he thinks this one will get through when three previous ones haven't, I can't guess.
So I'd like to go visit him with a crobar - the shipping drop is only a few miles from our office. I'd also like to do one of these:
But instead, the only thing I can really do in these situations is to find the real cardholder and make contact, and to call the issuing bank, and warn them that the card has been compromised.
It's amazing that with all of this info, I'm still essentially powerless.
Should I send him a box of rocks, and photograph him signing for the UPS package?
[edited by: lorax at 12:15 am (utc) on May 31, 2006]
[edit reason] no URLs please [/edit]
I would suggest against retaliation, especially if he's close by. If you can drive there to photograph him, he can drive to your place with a can of gasoline and destroy your business, or just cut your phone and network connections with a pair of bolt cutters. I think he'd gain more satisfaction out of the exchange than you would.
Definitely a good call.
So what do I do, just keep calling issuing banks to get the cards cancelled ASAP in the hopes that he stops before I miss one?
we're fighting fraud by implementing
- verified by visa
- MasterCard securecode
order processing only.
they have to register their card with the bank and buy online using a password. We went from at least 10 fraud trans. a month to ZERO in at least 4 months now. - the downside? a lot of banks don't participate, so we have to turn away customers. also, we do not ship our product but deliver through email, so protection is paramount in our industry - all sites have this protection.
I guess I need to fess up - we don't check CVV2 codes.
We're worried that we'd lose business if we insisted on it. Not fraudulent business, but just consumers who don't understand, or don't have it written down in their Rolodex or Palm Pilot. If they have to wait or delay for any reason, a sale could be lost.
Interestingly, the big boys like Amazon still don't ask for this, as far as I know.
Does anyone have any clue how much business is lost by asking for this information and verifying it? If I can convince my office that it's minimal, we may start requiring it, but at some point, even a little fraud is acceptable in exchange for enough more orders.
Next question is: does requiring it really cut down on fraud at all? Do the scammer who already have the cc number, expiration date, and billing address not also have the code?
We implemented CCV checking and it didn't impact conversions much (maybe a 2 or 3% drop) but it didn't slow down fraudsters, either. They know the CCV code, and will continue to place orders.
We found only one way to get rid of fraudsters: Manually verify all orders that are suspicious (using the lists provided earlier as guidelines). Eventually, when you cancel the fraudster's orders without ever notifying them (because you can't, their contact info is bogus) they'll get bored with you and move on. They appear to be organized, which is why it often seems to come in waves, and they'll stop wasting time on you if your orders never show up.
By the way, if you wonder who's receiving these orders placed from Nigera, Israel, etc. it's the people who have responded to the "Make thousands each month working from home" ads. You, too can earn from being a freight forwarder.
| This 34 message thread spans 2 pages: 34 (  2 ) > > |