Need help regarding Fraudulant Activities - C.C. Decoder - Ecommerce forum at WebmasterWorld

Forum Moderators: buckworks

Message Too Old, No Replies

Need help regarding Fraudulant Activities - C.C. Decoder

Currently use Miva Merchant as my Shopping Cart

jtmoney77

2:55 pm on Nov 10, 2004 (gmt 0)

Hi,
Around the end of August, our site was hit by someone using a credit card decoder. This person tried making over 30,000 transactions in a matter of a day. One transaction every 5 seconds. According to Wells Fargo, our bank, we owe $10,000 due to all the transactions ($.30 a transaction even if they did not go through)

Anyway, we may now have to go to court regarding this matter. We would like to find the person responsible for this. We looked through our stats but did not see any activity that really seemed to help me figure out where it came from. Has anyone else been through this and could give some ideas on what to do next.

We are not sure what steps to take. We currently use Miva, ValueWeb (host), Authorizenet (processor) and Wells Fargo.

We thank you for your time!

Voxman

3:32 pm on Nov 10, 2004 (gmt 0)

That's one of the reasons we do not use 'live' to the bank processing. We batch overnight then submit which allows for you to 'catch' fraudulent transactions easier (and in your case saving a fortune) Another reason is you are not supposed to really take the money (in the US) before shipment takes place (which using a live system simply doesn't allow for that).

Hope this helps

FraudAdvisor

6:02 pm on Nov 10, 2004 (gmt 0)

jtmoney77

I would be asking your payment processor what in heck it's velocity checking was doing - taking a nap?

Alas you've been stung by an all to familiar activity - merchants have lost their processing accounts due to this kind of activity.

Without knowing the precise details it's difficult to give you any pointers on what to do to prevent this happening - sticky me and we can explore in more detail.

Overnight batching or real time auth isn't really the issue - so long as you don't submit for payment before the goods leave you you are OK with real time auth - although overnight batching may have helped you ID the problem and bin the 30,000 requests.

Get in touch and we'll see what we can do for you.

chodges84

7:06 pm on Nov 10, 2004 (gmt 0)

woah,

that sounds bad. I'm no expert, but shouldn't authorize.net have some way to pick up on this. 1 order every 5 seconds? you may have that many anyway, but from one person?

you must have some kind of case against them surely?

but I'm no expert.

mdean

2:37 am on Nov 11, 2004 (gmt 0)

Wow, that's awful!

We use Miva too and I think I've seen a Miva module at MVCool that prevents a transaction attempt after so many tries. I believe it blocks them by their IP address...so they can't even use different card numbers. So many tries on the same computer and their done....I think.

Rubylily

10:02 am on Nov 11, 2004 (gmt 0)

That's a real nightmare. I don't know how CC processing works in the US but here in the UK I use pre-auth (with WorldPay and my own merchant account) and I don't get charged a penny until I post-authorise the transaction. Huge fraudulent transactions (usually for �K's at a time) were costing me dear before I switched to pre-auth, as I was paying for the authorisation, which I then had to refund etc etc. and if my memory serves me correctly I think I was paying a charge for the refunds too.

Corey Bryant

1:51 pm on Nov 11, 2004 (gmt 0)

Basically since you work with Authorizenet.com (which is the gateway - not the processor) and I am assuming Wells Fargo is the merchant account provider (MAP), both companies are probably dinging you for transaction costs - something like $.10 for authorizenet.com and $.20 maybe from Wells Fargo.

Now are all of these just transaction costs or did you also get hit with a lot of chargebacks?

You should call both companies & speak with them. Since both companies are separate, it might be difficult, but perseverance should pay off.

-Corey

jtmoney77

7:35 pm on Nov 11, 2004 (gmt 0)

This site was built for a client of mine so they have been dealing with the bank (Wells Fargo). Since the bank will not discuss any info with me, I only know what my client tells me what they have to say. It seems they are not being to cooperative. The last thing they said was they will only make him pay for half the charges (that is still $5,000)

I think they should not make him pay for anything. I know some banks would not charge anything if this were to happen.

Anyway, I have emailed Authorizenet regarding issue. They said their engineers are trying to find the source of the activities. To answer the last question, I believe the fees are only for the transactions, not chargebacks.

Ill keep u all updated....

Thanks,
J

lgn1

7:47 pm on Nov 11, 2004 (gmt 0)

Personally, I would not pay Wells-Fargo or Authorize.net a single cent. I would write them a nice little letter, explaining it is the responsibility of Wells-Fargo and authorize.net to spot and shutdown such an obvious security violation. A security flag should have been setoff. Threatening to go to the media, is also a good incentive.

As a precaution, I would also switch to a different bank and processor, so they cannot unilaterially grab your funds.

If these companies don't have security measures to detect this type of thing, you don't want to be dealing with them anyways.

jtmoney77

8:08 pm on Nov 11, 2004 (gmt 0)

Threatening to go to the media, is also a good incentive.

Good idea!

Corey Bryant

8:17 pm on Nov 11, 2004 (gmt 0)

The only problem - not paying the company could possibly put you on the TMF list & then you run the risk of not being able to get another merchant account. Some processors will work with you on opening up a new account if you have kept great records but you have to look into that aspect also.

-Corey

lgn1

12:45 am on Nov 12, 2004 (gmt 0)

Thats why it is important to switch merchant accounts before this gets out of hand 'ie. while you are still negoatiating with Wells-Fargo.

I actually have two merchant accounts. In this business I can't afford to lose my ability to process credit cards. it cost me about $60 more a month, but it is well worth the peace of mind.

Its also a lot cheaper than setting up a new shell company, incase you find yourself on the TMF list.

Corey Bryant

2:09 am on Nov 12, 2004 (gmt 0)

You still run the risk of the processor terminating you when they find oyu on the TMF list. It might not be as bad but there are always some problems. Also make sure that you do not have an exclusivity agreement with your processor. Some processors add this to their contrcts as well.

-Corey