Very true. I was being simplistic for the sake of brevity, so I went for the evil, all encompassing word 'hacked'. :)

By the way, what we do is to run MaxMind and use our own tests (such as the port 80 test) as well. If one of those tests is positive, the maxmind number gets a little (or a lot depending on the severity of the problem) added to it.

Since we work in a high-fraud area (web hosting) where a quick turnover is expected by legitimate clients, the system then decides, based on the revised maxmind number, whether or not the account should be created automatically, or reviewed by an administrator. In the latter case, the card isn't charged until an admin goes over the account and approves the signup.

If I can get called to verify a $25 phone card air time purchase
you certainly have the right to call either the customer or credit card company IMHO.

[edited by: amznVibe at 4:40 am (utc) on Nov. 3, 2007]

> 1. Use GeoIP to confirm the IP address

Any time a GeoIP does not resolve to any specific location should be a big red flag. Either the IP is spoofed or IP is not from a well known country. GeoIP is good, but sometimes you need to dig a little deeper. Anonymous VPN is easily accessible, so even though you appear to be from the USA, you can originate from a different country. Along with GeoIP, I strongly suggest you use tracert. The final IP may not be resolvable, but the route to that IP can be very revealing.

This GeoIP URL is a good one: [turbo.cdv.tul.cz...]

Include this one in your Firefox quick search and replace the IP address as %s. You can also do this in IE if you are using the free tool, QuickSearch.exe, from Microsoft.

If you don't have the card holder's phone number-get it.

How do you do this?

Obviously asking the thief (on your website) for the cardholder's phone number isn't going to work. How else can you get it?

Directory assistance is one way to verify a phone number, Google is another. Unfortunately, with the prevalence of unlisted cell phones these days, that's getting more difficult. That's particularly true for younger buyers.

King Fisher, authorizing the amount of the sale quickly won't help with a fraud. The card may have plenty of credit, and you'll actually get paid, only to have the bank pull the money back out of your account when the real customer reports it.

Get a signature if you possibly can. We learned the hard way that without one, any order can be the victim of a "chargeback," meaning the customer has 4 months to say they never got the item and get their money back from you. Phoning, email documentation, Paypal receipts...none of it matters without their signature. We had $8,000 taken out of our bank account one morning by Visa because the crooked customer said she never ordered the item. She lied, but we had no written signature proving that she'd ordered it, so we lost the money.

Was this a physical shipped product? Did you get a signature when it was delivered?

If so you would not have lost the money, or she would have to return it worse case.

Did you get a signature when it was delivered?

Nobody checks those signatures at delivery with UPS or Fedex and they can sign "Alfred E. Neuman" and you'll have fun collecting.

I have in the past used the USPS Signature Confirmation or Registered Mail and in my experience our local postal employees ask to see photo ID most of the time. The upside to using the USPS is if they sign for it and then do a chargeback claiming they didn't get the package, they've just committed mail fraud and could go to jail.

That's a nice weapon in the arsenal against fraud ;)

I give up. Paul Newman wuz here...

You could have someone hand deliver the item that way you could check if the credit card is legit and get a signature from the customer.

Getting a signature on delivery does nothing. Write up a credit card authorization form that requires a written signature and fax it to the buyer. It will protect you if the buyer decides to say s/he never ordered the product, that the charge is bogus and she wants her money back.

I have never found banks to be particularly bothered with the merchant's interests.

We are UK based and always use "signed for" delivery, both within the UK and worldwide but it hasn't stopped chargebacks.

One customer only requested details of a transaction she didn't recognise (we use one of those on-line credit card transaction services so their name was listed not ours). A chargeback was made even though she confirmed to her bank by phone and written statement that the transaction was legitimate. Luckily she was quite concerned about this and sent a cheque but we still got landed with all the charges.

Another time a US customer emailed to say he'd changed his mind and returned the goods (which he didn't) and we lost out again. Nobody cared about the signature we had or getting proof of posting from him.

Although it doesn't solve the problem, one way to protect against very large losses is to put a maximum limit on credit card purchases. You can always say you need to arrange special shipping (bulk shipping can save them money) and request a direct bank transfer - which probably will save them money too.

The last one worked for us when we kept getting requests for larger than usual quantities from a Nigerian "customer"

Thanks a lot for the great input everyone. I researched the address and it's going to what looks like a reputable business. This looks thoroughly legit.

Now to deal with the fact that 60% of so of this stuff is out of stock. I think I'll split it into 2 orders and ship one immediately. I don't usually do that but this certainly warrants it.

I will keep everyone posted with any developments. Thanks again.

Hmmm, returns just occurred to me. I'm guessing these items are for a corporate party and they could easily be returned after the party. I do have a very generous return policy which no one uses. Anyone encountered anything like that?

Toeman to late for that if your return policy is a problem you need to change it now but for this order your not covered

If you have never had a problem with your return policy since it if generous you will

1-you just haven't been in the business long enough.
2-not as geenerous as you think and your ok

best to look at it hard now change what needs to be changed and move on.

Glad to see the order was a good one.

You have to accept that risk per your return policy. Though, you can communicate to the customer that the out of stock items will need to be special ordered-and as such are non-returnable. Be sure your return policy states this as well. Their reaction to this news will be telling-if indeed they intended to return the items.

Legitimate customers are not bothered by a call.

I'll disagree. It depends on whether it's reasonable or not. If the average item a website has is $10 and you order 100 of them, yes, it's reasonable that the company might call for extra verification. If the average item a website has is $1000, and you're placing a $250 order, then they call for verification, that's annoying.

A phone call is an additional hassle, especially if the order is delayed until the customer can respond. Anytime you make a customer jump through extra hoops to place an order, you're going to lose customers, if not on the current order, then on future orders.

Make sure it's a reasonable risk/reward ratio. Losing a one-time $1500 customer rather than risk getting cheated out of a one-time $1500 worth of merchandise may be a reasonable trade-off. Losing a potential $250 repeat customer rather than risk getting cheated out of a one-time $250 worth of merchandise may not be.

Don't fall into the trap of believing that a "legitimate" customer wouldn't mind this or that. Customers are fickle, quick to drop you like a hot potato and switch to another vendor they view as easier to deal with. Crooks, on the other hand, may be more patient and flexible, if it means getting their hands on $#*$!x worth of stuff for nothing.

If you don't have the card holder's phone number-get it.

How do you do this?

Obviously asking the thief (on your website) for the cardholder's phone number isn't going to work. How else can you get it?

Your payment processor should have a feature to "get issuing bank's phone number". This requires the complete card number.

You call this automated system, enter your Merchant ID, then the card #, and it will tell you the phone # of the bank that issued the card:

"The issuing bank's phone number is, 1-8XX-NXN-NXNX. Please feel free to contact the bank, etc., etc., but remember that they're not obligated to release any personal information (more legal BS follows, feel free to hang up)"

I'm not sure if this is a database lookup, or an algorithm (different banks have sequences/blocks of CC #'s reserved for them?), but either way, this is a verification from VISA/MC/AMEX/DISC directly to you, without the customer (potential fraudster) being in the loop.

(Bit of security-system trivia: Exclusive, compartmentalized systems are inherently more secure than inclusive systems. By dividing access into compartments, requesting clearance at each compartment, verifying clearance via routes that exclude the requestor, and ensuring that a breach of one section does not give the attacker sufficient information to perform a breach of another section, the overall security of the system can be improved tremendously.)

In our line of business, we end up using this system several times/day, and the ONLY way it fails is with the following message: "the issuing bank's phone number is located on the back of the credit card". This can happen with:

CC's issued directly by the CC corp., bypassing banks. This is not indicative of fraud, and can be approved by calling the tel. # for address verification from the CC corp. itself.

Brand-new/special series of CC numbers, that for some reason, have not been added to the lookup table/algorithm. (At least that's what I've been told by AMEX and MC, on two separate occasions). Does not mean it's fraud, but it's the 1% of verification attempts that cannot be handled by an automated system. In this case, we have no choice but to call the customer. :( Does anyone know of an alternative?

Hope this helps...

alexnero wrote:

Your payment processor should have a feature to "get issuing bank's phone number". This requires the complete card number.

You call this automated system, enter your Merchant ID, then the card #, and it will tell you the phone # of the bank that issued the card:

"The issuing bank's phone number is, 1-8XX-NXN-NXNX. Please feel free to contact the bank, etc., etc., but remember that they're not obligated to release any personal information (more legal BS follows, feel free to hang up)"

This is done using the Bank Identification Number (BIN) which is the first 6 digits of the credit card number. The rest of the card number is not necessary.

That's sufficient to pull it out of the relevant database. Should give you the Customer Service Phone for 80% of BIN numbers, and most times will be the correct up to date one.

If you have a direct merchant account with AMEX, for charges $200 or more you can phone in and utilize their Charge Verification Program (CVP) for Card Not Present transactions, i.e. Internet or MO/TO.

They will then try for three business days to call the cardholder for you and call you back and let you know.

(You'll need to give them the American Express card number, approval code and date of authorization.)

1-800-876-9786, Monday-Friday, 8:00 AM-10:00 PM EST.

Does any one have a phone number you can call to report attempted theft? I use paypal to process my credit cards but I have an order that came in by email. The usual crap split the sale on two different cards. They say the don’t use web sites but yet you get all the card information via email. Billing info to one address, send item to another address, and area code for the phone does not match any of the areas. The problem is there seems to be no organization that cares until you do run the card.