Ecommerce scams - the state of the art

Fraud rant. Our ongoing battle with scammers.

         

pinkbiker

6:51 pm on Aug 26, 2004 (gmt 0)

10+ Year Member



I have been running a sport news/retail website for over 5 years. Growth has been pretty good and now I get around 300K uniques a month, 10-20 orders a day.
The widgets/clothes that we sell are pretty specific to our brand, which is nothing mainstream, and in fact would only appeal to die-hard Mountain Bikers.

Why do I get a huge amount of orders from Nigeria and other scammers? I just don’t get it. This is like one making a tshirt with one’s last name on it, and then seeing that the biggest demand for it is from Nigeria. By now I would expect half the Nigerian population wearing one of my tshirts.

Here is my rant and examples of scams, and how sophisticated these scams are getting.

First wave.
Orders with shipping info to Nigeria, Romania, and other select countries are banned. They are all scams.

Second wave.
Scammers are now hiring people in the US or the UK to act as a shipping proxy for them. So the Nigerian scammer places the order with a shipping/billing address in that valid country. Normally we can verify a US and Canadian card billing address but for some foreign cards it’s a little harder. Especially when it’s a UK card and the shipping address is in the UK.
So we ship to the UK address, and then these mules ship to their Nigerian buddies or employers. Sucks to be me.
To combat this, on all orders my custom cart does a whois on the IP, and stores all other ISP origin, language info, etc. Of course all Nigerian, Indonesian, Romanian and a few other countries’ ISPs are punted right away. This filters out a lot of scams.

Third wave
Now the scammers are using AOL or Compuserve. This means that the IP address that AOL is reporting is from the US. Nice. So even if the guy is sitting in his Nigerian house, the IP that I get is from VA, US. Great. Not sure what to do now but I’m leaning to just blocking all orders from AOL. Is there an alternative?

Fourth wave
So I block the AOL access and other proxy servers. Now the mules (the people that are hired to accept orders) are placing them. Better yet, the Nigerians are installing a proxy program on those people’s computers and are ordering themselves. How do I know for sure? The orders are coming in with valid phone numbers for the mules. So I called one and said I was from the “Website fraud investigation agency” and scared this little family in the backwoods of Kentucky. The guy spilled it all. They get contacted via email or IRC for an at-home job. They run a special program on their home computer that installs a proxy that the scammers can then use to order through. All packages get sent to them, their phone number is given on the orders, and they are required to verify all phone calls about any orders, and they send the packages to Nigeria for a fee.

Now how do you combat this…

An order comes in from the UK, the credit card bank is in the UK, the IP resolves to the UK, a trace route of the IP resolves to a city in the UK matching the shipping address. I call the phone number on the order and someone assures me that they placed the order, and EVEN know what the order is because they actually get the email confirming the order (which they did not order but was ordered through a proxy program running on their computer). I can’t easily verify these UK orders, as even when calling the bank, they tell me that they won’t verify the billing info that I have for that card without the cardholder’s approval to verify their billing info. What’s up with that? I get this type of order from the US also.

It’s all getting out of hand. About a month ago I got around 50 orders like this and got hooked on the first few until I realized that the first 6 digits of the Visa were always the same. Some bank got hacked or something. I call the bank and tell them I have 50 of their cardholders’ Visa numbers that were stolen. They basically tell me they don’t care.
I tell them, listen, take these numbers and you can at least cancel these cards so the cardholder and other merchants aren’t screwed over. Of course they don’t want the numbers and tell me to piss off. What do they care, right? It’s the merchants that have to cover the chargebacks. I wonder what Visa’s revenue on chargebacks is these days. It’s criminal.

The amount of stress and extra hoops to run a business in this sea of fraud is insane. Why don’t they set up a global database that you can verify the address info for ALL cards? I know there is one in the US and Canada but for me it’s a manual phone process which sucks. (I’m in Canada and the credit card processing companies here can’t verify the address like in the US because of privacy concerns.) Bull. So it’s a slow manual process.
I have programmed many features into my cart to combat this crap but why do I waste my time. Here is just a taste of it. (Hope not too many scammers are reading this)
- cart cross references all data from past fraud orders, usernames, passwords, address, for all new orders. So if a scammer uses the same password on a new user account, the new account is automatically marked as bad and all the other info in the account as well. This goes for all other order info too.
Works well but even with protection measures like this I still get scammed.

Some days I’m about to lose it.

Any advice? Other options/ideas?

alexcarter

7:35 pm on Aug 26, 2004 (gmt 0)

10+ Year Member



You may want to see if you could get the Verified by Visa program to work for you.

By the way - why Nigeria? Why do these things originate from there?

otc_cmnn

9:31 pm on Aug 26, 2004 (gmt 0)

10+ Year Member



We also get a lot of fraud from Nigeria ( we sell <snip> at <snip> ). We eventually got so sick of it that we instituted an IP detection system that automatically routes all traffic from West Africa to the internet fraud complaints center at:
[ifccfbi.gov...]

We stopped shipping out of the US and are rigorous about addresses matching the AVS system. We try to only ship to the address that matched the credit card statement.

Sounds like you are trying your best to do everything right.

What really ticks me off is that when you do find you have crooks ordering on your site - NO ONE CARES! I report it to the complaint center, forward all of the crooks info to the banks, no one does anything!

The banks and credit cards make it seem like they are the victims, but the reality is that the merchants bear the brunt of this as we are now out the product, shipping costs, time for employees processing, pay a $65 chargeback fee, and what does the CC company lose? Nothing. Squat. In fact they are making money off of this by charging us fees! Who are the worse crooks?

[edited by: engine at 9:57 pm (utc) on Aug. 26, 2004]
[edit reason] No promo, thanks. See TOS [webmasterworld.com] [/edit]

Lord Majestic

10:07 pm on Aug 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> pinkbiker: "This is like one making a tshirt with one’s last name on it, and then seeing that the biggest demand for it is from Nigeria."

I think I know why they want tshirts with "their" name on them - say thanks to the good scammer baiters of 419 eater and others who convince scammers that they will get the money if they do something special (like hold a sign with a stupid name they don't understand) and send the baiters a photo of themselves....

pinkbiker

10:11 pm on Aug 26, 2004 (gmt 0)

10+ Year Member



The Internet Fraud center is a joke. I also have on our site a huge buysell section with 1000s of ads per day, and of course the scammers come on there too.
Lots of the same protection as in the store, but you get some crazy stuff in there too. The most common is the fake escrow service. Totally legit looking sites, fully operational, and the buyers or sellers are getting users to go through it. I probably had $100K of product lost by users from the complaints I received. So I spent a week trying to get this one fake escrow service running on yahoo shut down. GOOD LUCK! No one cares. Not the ISP, not the Internet Fraud center, or FBI. We're talking about HUGE numbers of clients getting scammed for large sums ($3000 a pop). A few months after I gave up on shutting down the fake escrow site, I read that this place pulled in a couple of million dollars. Brutal.

It's good to be a crook these days. With the crap I know I would make a lot of money at it.

I'm sure there are a lot of merchants out there that should be listened to on complaints and taken at face value, but I also wonder how much crap is reported to these agencies.

How does it all affect merchants? Some days I check prices on flights to Nigeria along with prices at the local gun store. :)

upside

2:39 am on Aug 27, 2004 (gmt 0)

10+ Year Member



While I am as furious about fraud as anyone, it's not good to scapegoat Nigeria. Yes, I have my fair share of Nigerian orders but the amount of fraud that I see from the US is far greater than any third world country.

Here is part of the many anti-fraud measures that I take:

Geo-locate the user *before* they checkout and hide credit card payment options from risky countries. I currently define risky countries as: Indonesia, Nigeria, Philippines, Nauru, Myanmar, Cook Islands, Vietnam, Romania.

Also, it is a very good idea to check for anonymous proxies and treat them as you would one of the risky countries. There are several ways to detect an anonymous proxy.

1. Proxy IP RBL's
2. Open proxy databases
3. Directly testing the IP on common proxy ports

If anybody would like to swap anti-fraud tips, I would love to share.

pinkbiker

2:47 am on Aug 27, 2004 (gmt 0)

10+ Year Member



So what is one to do with the biggest open proxy out there - AOL?

upside

2:59 am on Aug 27, 2004 (gmt 0)

10+ Year Member



Well, technically AOL isn't an "open proxy" because it allows access only to its own users. Nevertheless I score AOL users higher on the fraud scale not because of the proxy but because AOL allows its users to set up alias email accounts that are easily abused. That being said, pay attention to all the free email providers.

Essex_boy

5:17 am on Aug 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



lil devils aren't they!

Try building in a self insurance fee of say 3% - 5% on your price.

So when something does go wrong you're covered.

JohnieWalker

5:46 am on Aug 27, 2004 (gmt 0)

10+ Year Member



> pinkbiker: "The Internet Fraud center is a joke."

It's a joke if you think that 12 hours after you report someone will contact you for more information... However, it's useful to report (and keep track of logs) so in the event you're questioned in regards to a fraudulent charge you'll at least have proof that you tried to be careful and you're not part of the gang.

In regards to the question in general: Many companies ship only to the BILLING ADDRESS. If the customer wants it shipped to a different address, HE needs to contact the bank and add this address on file, contact the company after it's done, company calls the bank to verify - and then ships.

It seems you tend to continue shipping internationally, where AVS is still not working well, so why not add a shipping/handling fee for address verification? You'll require all customers to fax/email/upload to secure server copies of their most recent billing statement that includes their name and address and the bank information. Visa/MasterCard can provide you the phone number of the issuing bank. Call and verify and then ship.

derekwong28

4:14 pm on Aug 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I think you have been targeted by one or two fraud rings, like we have been targeted by a ring based in Vietnam. However, their tactics are nothing as sophisticated as those you are experiencing. My guess is that you have shipped a few orders to them before and, knowing that you were an easy target, they have come back for more.

You can consider using VbV and MasterSecure, although some people have complained of a reduction in conversions.

pinkbiker

5:00 pm on Aug 27, 2004 (gmt 0)

10+ Year Member



In an ideal world, the Verified by Visa would be a good way to go. I actually just requested a merchant account with them so I can implement it.

Does anyone have experience with this service and a feel for whether it is accepted by the shoppers?
Are shoppers turned off by having to set up their password? Are there already large numbers of shoppers that use the service?
Do scammers typically have a user's credit card number and billing address, and therefore can set up their own password without the owner ever knowing about it?
I believe you just go on VbV and enter your Visa number and verify your billing info and it allows you to set up a password. So anyone that has a stolen credit card and valid billing info for the card can set up a valid password, if it has not been set up already by the real owner.

Are there ways scammers are getting by the VbV?

otc_cmnn

5:30 pm on Aug 27, 2004 (gmt 0)

10+ Year Member



We got the VbV merchant and began the implementation process. The server communication map had, if I remember right, 14 steps in the client - server - bank communication map. Implementing it was a freaking nightmare, we never did finish.

The documentation they provided was all targeted towards enterprise-level implementations ( Java, .net, NT )

So the typical small business guy running our low budget but stable PHP/mySQL/Linux boxes are left on our own scratching our heads.

I don't think it will help that much, but it is on our list of things to do. If Visa made it a little easier we'd have it up.

Rugles

5:53 pm on Aug 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Great post pinkbiker.

I put out a memo today about fraud detection and I used part of your post. It explained it clearer than I could.

kwasher

6:39 pm on Aug 27, 2004 (gmt 0)

10+ Year Member



RE: 1st 6 cc digits. My wife usually already knows the first 6 digits of her customers at work, because they are issued from the same place. Maybe this is why the bank 'didn't care'.

upside

7:00 pm on Aug 27, 2004 (gmt 0)

10+ Year Member



The first 6 digits of the credit card number identify the issuing bank. This is called the BIN (Bank Identification Number). The BIN is analogous to the Bank Routing Number on checks.

A bank would need the complete card number in order to identify a particular account.
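
A sketch of two checks discussed in this thread, added here as an example and not taken from any poster's cart: cross-referencing new orders against details of earlier fraud orders, and flagging a burst of different cards that share one BIN. The field names, threshold, time window and sample orders are all assumptions made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LINK_FIELDS = ("email", "phone", "ship_to", "username")  # assumed order fields


def norm(value):
    """Case- and whitespace-insensitive form, so trivial edits still match."""
    return " ".join(str(value).lower().split())


class OrderScreen:
    def __init__(self, bin_limit=3, window=timedelta(hours=24)):
        self.bad = defaultdict(set)  # field -> values seen on fraud orders
        self.seen = []               # (time, BIN, last four) of recent orders
        self.bin_limit = bin_limit   # assumed threshold; tune to your volume
        self.window = window

    def mark_fraud(self, order):
        """Remember every linkable attribute of a bad order."""
        for field in LINK_FIELDS:
            if order.get(field):
                self.bad[field].add(norm(order[field]))

    def check(self, order):
        """Return the reasons (possibly none) to hold this order for review."""
        reasons = [f"{f} matches earlier fraud" for f in LINK_FIELDS
                   if order.get(f) and norm(order[f]) in self.bad[f]]
        if reasons:
            # As in the first post: one match taints the order's other details.
            self.mark_fraud(order)
        # Track only BIN + last four digits, never the full card number.
        pan = order["card"].replace(" ", "")
        card_bin, last4, now = pan[:6], pan[-4:], order["time"]
        self.seen = [s for s in self.seen if now - s[0] <= self.window]
        self.seen.append((now, card_bin, last4))
        cards = {l4 for _, b, l4 in self.seen if b == card_bin}
        if len(cards) >= self.bin_limit:
            reasons.append(f"{len(cards)} different cards from BIN {card_bin} in window")
        return reasons


def demo():
    """Run four constructed orders (fake names, made-up card numbers)."""
    t0 = datetime(2004, 8, 26, 12, 0)
    screen = OrderScreen()
    screen.mark_fraud({"email": "buyer1@example.com", "phone": "555-0100"})
    rows = [  # (email, phone, ship_to, username, card)
        ("a@example.org", "555-0111", "2 Hill St", "alpha", "4000 0012 3456 1111"),
        ("b@example.org", "555-0100 ", "9 New Lane", "beta", "4000 0012 3456 2222"),
        ("c@example.org", "555-0133", "9 new  lane", "gamma", "4000 0012 3456 3333"),
        ("d@example.org", "555-0144", "4 Lake Rd", "delta", "5500 0098 7654 4444"),
    ]
    keys = LINK_FIELDS + ("card",)
    return [screen.check({**dict(zip(keys, row)), "time": t0 + timedelta(hours=i)})
            for i, row in enumerate(rows)]


if __name__ == "__main__":
    for reasons in demo():
        print(reasons or "ok")
```

A shared BIN alone is weak evidence, since a shop with mostly local customers will see the same issuer constantly, so the BIN count here only adds a review reason and never marks an order as fraud by itself.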

Miop

10:05 am on Aug 28, 2004 (gmt 0)

10+ Year Member



Nigeria - apparently they use sites with high-cost goods to test dodgy cards to see if they work. They don't actually expect to receive the goods IMHO...they just want to see if it will work. If it does, they can send the cards to whoever to make purchases in real shops or other internet shops.
We get them several times a week. Because of what they do, they always order 10 of one identical item.
How do they get away with it? Well *who* can you tell?
I have one person who always uses the same address, IP number etc. and yet I cannot find a single person who would actually bother to go around to that address and apprehend them. They get credit cards of professionals *and* they have the cardholder details. You'd think there would be someone you could tell.
I'm so angry about it that sometimes I think I should just process the payments and not send the goods! I'd quadruple my business overnight. They are hardly going to complain when they don't receive the goods are they?!

kwngian

4:25 pm on Aug 28, 2004 (gmt 0)

10+ Year Member




Recently, they seem to be coming from IP addresses in UK and US but you can still flag them if you see those free email addresses and also the way they structure their emails if you get to communicate with them.

They don't use all cap-lock anymore. Maybe they frequent here. :)

Joop

8:05 am on Aug 31, 2004 (gmt 0)

10+ Year Member



It really p****es me off that it should be SO easy to check whether a credit card is legitimate. The credit card companies have the correct telephone number for that card, so why can't merchants be given these details on request?

Oh, I remember now, it's cos credit card companies like chargebacks - I wonder how much money they generate from these? It just makes me soo mad that they make money from us in this way.

bcc1234

8:28 am on Aug 31, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Joop: "so why can't merchants be given these details on request"

Huh? You can always call the issuing bank and confirm the info. Some banks might not do that, but they are very few.

They won't tell you the info, but if you read it to them - they can say if it matches or not.

As a matter of fact, you can call the regular customer service line of almost any bank, and when the customer service rep asks you for the name and the card number - just tell them you are not their customer, but with a merchant, and that you need to verify customer info.

As far as getting the phone number of the issuing bank - your bank (where you got the merchant account) will be able to tell you. Some even have that on their websites. I think all banks that use "my merchant view" have that functionality online.

Morocco

1:12 pm on Aug 31, 2004 (gmt 0)

10+ Year Member



I've had excellent success with VbV and all the other 3d secure initiatives. Implementation can be a nightmare if you aren't working with the right vendor. PM (sticky mail) me for contact info. There are so many variables revolving around the programs at this time you need to speak to an expert in order to get the right answers. It can get complicated.

All I can say is that on my Visa's...fraud and fraud screening is no longer an issue I have guaranteed payments, and with the latest developments in the programs conversion rates are no longer affected. PM me and I can put you in touch with the right people.

Joop

11:17 am on Sep 2, 2004 (gmt 0)

10+ Year Member



"Huh? You can always call the issuing bank and confirm the info. Some banks might not do that, but they are very few"

If you are with a company such as Protx, you aren't given the cardholder details - just the name and address, you don't get the card number etc and banks will not carry out a code 10 without these details.

Protx have told me that banks will not carry out code 10's on internet transactions where the customer is not present.

bcc1234

11:29 am on Sep 2, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Joop, you said "so why can't merchants" - I assumed you were talking about having a merchant account.

With third party payment collectors, you are basically screwed.

Joop

11:42 am on Sep 2, 2004 (gmt 0)

10+ Year Member



Hi thanks for that! (sort of... :-) )

Ok, this is a huge question, but how easy is it for me to do it all myself, i.e. as a merchant and not through Protx etc.?

Are there any posts/information that explain what you need to have (security wise) and need to do to do it all yourself?

Not being that technical I'd probably get someone else to do the implementation for me but I'd like to get a feel for what's required.

thanks again

bcc1234

11:45 am on Sep 2, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Having an average credit rating is all you really need.

Joop

12:30 pm on Sep 2, 2004 (gmt 0)

10+ Year Member



And is it easy to implement? Is it easy to keep it secure and is it easier to check for fraudulent transactions?

Rugles

3:03 pm on Sep 2, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I think we have a hot lead for a sale, here is part of the email I just received.

"HELLO SALES,
i am nancy the maneger of nancy company limited, in usa which i will like to tell u that i will like to order for some goods in store.
And i will like too tell u that ,i will to shipp the goods to nigeria to one of my client over which i will like too tell that we give
CREDIT CARD"

I gess she is u-sing the new engrish.