Welcome to WebmasterWorld Guest from 184.108.40.206
Forum Moderators: buckworks
I'm sick of just giving into charge backs. If they continue to get worse the could put my quite profitable little website out of business. When we have a chargeback we give them all the info that they want (address verification, tracking info, copy of invoice) and we still lose every time!
What can be done to further combat against chargebacks? What does your website do? What percentage of orders get charge backed for you?
It really <makes me very angry> that everyone gets made whole in these things except for the merchant! While some <expletives deleted> gets a free $600 jacket at my expense! Police, FBI, Secret Service, nobody seems to care unless the fraud goes over $300,000.
[edited by: buckworks at 5:53 pm (utc) on Aug. 5, 2009]
[edit reason] Language [/edit]
This is really true. In the past month I had to get a new card because my old one had been compromised. I had that card 10 days and used it on two reputable sites and then I saw it being used on a third site to buy five domains WITH the CVV. I don't know how this happened, but it has made me completely distrust the CVV now.
As for the phone number, years ago a professional criminal talked about buying throwaway cell phones to use to commit crimes, so I don't think a phone number someone answers means anything either.
I am lucky that in my niche I don't get much fraud. It was mostly clustered around certain items, all of which I have discontinued precisely for this reason. Outside of that, the biggest flags were overnight, which I also discontinued for that reason, and multiple items.
fraud orders that are sure to come
CC companies have claimed online fraud has declined, and I agree. I read several ecommerce newsletters and theres far less talk about security than in the web's early years.
You'd certainly expect online fraud to be increasing with worldwide recession but I see no sign of that. On this group, for example, experienced e-retailers worry about the economy and their revenues, but not about their fraud losses.
You need to verify the name and address info in a 3rd party like Google, or call 411 and ask them the verify the name and street address for the phone number.
Additionally, call them and confirm the order at the phone number listed or a phone number that shows up for their address in 411 or Google.
If you can't confirm the sale within a few days simply refund it and move on, I've done it many times and never regretted it once.
Protect yourself sending it.
When you send the order, use USPS if possible and send it REGISTERED MAIL with RESTRICTED DELIVERY which means only the individuals you specify are authorized to receive and sign for the item.
Then defrauding you becomes a federal crime known as POSTAL FRAUD and you have their verified signature of the delivery.
My post office checks your ID at the time of delivery so they know it's you, there's no getting around this if they claim it wasn't delivered.
Besides, USPS is easy to work with, they pick up too!
Worse case you may get a chargeback anyway if it was a fraud sale but most likely you'll have your merchandise too which will lessen the blow.
Registered mail is extremely slow and expensive. Besides, many people legitimately do not want to have to sign for a delivery because it means they either have to be home when they're at work or they have to go to a post office after work and wait in a line to pick up a package. One of the attractions of ordering online is the convenience, and this is inconvenient.
this is inconvenient
So is bankruptcy and "Going Out Of Business" sales.
When the price point gets high enough to make the risk to the vendor painful then you either suffer a little inconvenience or risk going broke, your choice.
The point about phones is most people still have a regular phone and a cell phone, you can use the normal phone as an additional confirmation. Alternatively there are inexpensive databases you can subscribe to that will allow you to confirm someone lives at the delivery location.
USPS isn't that slow, very comparable to UPS but neither are as fast as FedEx ground.
I've picked up packages at the post office that couldn't be delivered when I wasn't at home. It's not that big a deal and if it is, inconvenience is the least of the persons issues.
For those suffering from a lot of chargebacks, does your system display the result of the credit card transaction right away? If so, you might want to consider keeping the result hidden, and then email the customer automatically 12 or 24 hours later if it was declined. That way, searching through their stack of number for a valid one will become much more difficult.
It seems to me that trying to circumvent chargebacks depends on what you are selling and how much risk you are willing to take to sell it. If you don't want to take a lot of risk, sell things that have a low chargeback rate. You can even ask your cc processor. Then you hardly have to worry about it at all. If you want to take the risk, then chargebacks are just a cost of doing business.
1) Examine the server's IP related variables very carefully (can all be automated).
- Block all of africa, parts of asia and europe where a lot of the fraud originates from.
- Look for forwarding / proxy (X_FORWARDED_FOR). That is a good indication that a proxy is being used for that order. Run those addresses through maxmind's geo databases for city / country info.
- On your backend, show the whois info for that IP address. Does it match the reverse DNS and address fingerprints? (Someone in California is highly unlikely to be coming in from a VPS provider in New York).
- Use a reverse phone lookup API if you need
- If these basic checks do not pass - call the buyer and see if they answer or call back.
There are a few automated steps that can be taken to minimize your risks.... BEFORE the payment is captured.
Also, see if your credit card company can 3 or 4 days delay in capturing the transaction (incase you're capturing before shipping) to give you time to cancel the transaction for no charge if you determine its fraud.
While it's mostly true that the credit card companies don't care about the merchants that much, you can bet that they would definitely take notice of merchants committing fraud like that. All it takes is one customer to deny having signed the CC receipt and most likely you will have your merchant account terminated, find yourself blacklisted from ever obtaining another MA, and possibly facing criminal charges (fraud, forgery, possibly others).
if I'm a gift retailer that would kill my business.
Typical gift retailers don't send things so expensive that people try to defraud them.
Who wants to defraud a florist or someone sending chocolate strawberries via the internet?
It's not like you could easily resell them.
I don't use it unless the order is over $200 and I feel somewhat suspicious
Exactly - I wouldn't use signature required on every order, just larger orders or those that feel suspicious.
Besides, don't forget that people often have packages that require a signature delivered to their office, my wife and I used to do that all the time, so being home to get the package is just an excuse.
Typical gift retailers don't send things so expensive that people try to defraud them.
There must be a report somewhere on market spaces and the level of fraud they experience.
Ah... well it's not exactly what I was looking for but it might be worth a read: 2008 Internet Crime Report [ic3.gov]
Slight OT: Among the Appendices is a section titled "Credit Card Fraud Prevention Tips" worth reading to see what the FBI and the National White Collar Crime Center think consumers should look for.
We are getting chargebacks where:
1) The customer's billing and shipping address matches
2) The billing address is approved by authorize.net
3) The CVV code matches
4)The order amount can vary, but always within the normal range of orders places via our website, nothing suspicious
5) IP address matches billing address geo-region
6) Customer's browser set to English
7) Phone # area code matches billing address geo-region
8) email address is not a bounce and someone replies to verify the order
9) someone actually picks up the phone and verifies the order, usually without any accent
Ready for the one and only thing in common? They made the order via Ebates.com. We have an affiliate marketing program
and one of our affiliates in Ebates - they give a rebate to their users based on a % revenue share that we pay Ebates.
The fraud we getting hit with is from people who install basically spyware / botnet type software. They use prepaid cell phones or VOIP virtual numbers (I'm assuming) and use that person's real IP (via turning the victim's computer into a proxy) and real mailing address for the order. They must have gotten the credit card # and CVV by sniffing their traffic or logging their keystrokes. so these criminals have offshore accounts where Ebates sends money to if the merchant (us in this case) doesn't catch it in time. (within 30 days).
Many people get a package to their house they didn't order and just keep it don't report it to anyone, those are the fraud orders that sneak through. Some people do call us to tell us they got a package they never ordered.
The credit card company never lets us keep the money for the order as it WAS fraud, but not committed by us, and we lose the product, processing fees, and get hit with chargebacks and associated chargeback fees. Sometimes we end up even paying the commision to Ebates (and the fraudster) if we don't catch it within the 30 days (How can we if nobody alerts us within 30 days?).
So.... does anyone have any solution for this?
So.... does anyone have any solution for this?
regarding your suggestions:
1)The % of overall fraud is low, the dollar amount is high enough to hurt though and it hurts our standing with our merchant and raises the overall cost of doing business so we'd like to eliminate the fraud if possible.
2) we do that and in terms of a longer period I'll have to check to see if I can change terms of individual affiliates as we use Google Affiliate Network (formally DoubleClick Performics) to run our program
3)We do look up the name and address but often there is no phone # provided. for a $40 order, we're starting to get into a lot of overhead making it not so profitable.
Not bad suggestions as we are already implementing most of what you set forth and it's cut down the bulk of the fraud, but not all.
The thing that pisses me off the most is when I reply to the chargeback and I show proof of billing match/ shipping match / CCV match and proof of delivery and they say to me "tough luck" and then we get hit with a $25 chargeback fee in addition to lost processing fees.
Another option for orders from cash back programs- call the credit card bank and verify the phone number on the order with the phone number the bank has. No match=no order.
Yeah, it's more work. But so is dealing with charge backs.
I would really have to question if the affiliate marketing program is worth the cost your paying and the possibility of losing your merchant account over.
You also have to consider with a high percnetage of charge backs your fee to do business with the processing company continues to go up and up and up until your cost of doing business makes you raise the prices of the items you sell to offset the processing fees.
I myself would have to cut them lose and forget as if I lost my merchant account I would be out of business.
You can't get pissed off when it is fraud and the person that was charged is as much a victim as you are. You also have to consider this. You sent the tracking number to the one that did the crime he then sends a mule to watch the house sees the truck and intercepts the package and sometimes he can't get the package and you get a call.
Get pissed at the weak link in your business and plug the hole.
LifeinAsia, great idea - but how can I know which bank they use?
We only have a problem with about 1 out of every 5,000 orders overall and that's due to about 1 out of every 300 we get from Ebates being fraud. So the fraud is not to the point where it'll put me out, just want to try to stop it in it's tracks if possible.
Also we ship via USPS do there is no package redirection scam and the tracking is only a delivery confirmation, they don't have any idea exactly when the package will be there and tracking is updated at midnight usually so the package will likely be there all day before tracking indicates as delivered.
I feel bad for the people who's cards were stolen / computers were hacked, but there needs to be some higher level of accountability.
I don't even mind refunding the purchase amount and losing out that cost (of shipping and product) for the rare times. I just wish my merchant account provider would eat the related processing and chargeback fees at that point, and not count it against us.
It's based on the first several (6?) numbers of the card. I think you can find a list of telephone numbers if you Google. Alternatively, you can call Visa/MasterCard 1-800-228-1122 with the card number and they can give you the bank's phone number (although that makes it a 2-step process).
does anyone have any solution for this?
I would do everything LifeInAsia recommends plus one more:
- Sue the CC holder
So what if their computer is hacked, that's their liability, not yours.
Not running AV to keep your computer clean and hacker free is negligence, they should foot the bill, not you, and perhaps a reasonable judge would agree.
If they do run some AV and it's not catching the hackers then maybe they'll sue the AV maker to fix their junk and we'll litigate this problem out of existence.
I would go to small claims court for recovery and see what happens.
It's worth a shot!
I should sue some poor shmuck in Las Vegas, NV because they didn't update IE?
Yep. Unless you just like losing money.
I play to win and I take chargebacks real seriously so I'm the wrong person to be on the short end of that stick and if it's more than $500 then I'll probably try the small claims route.
Worse case I suppose you could always file a police report.
One way perhaps is for the affiliate to give some sort of credit to the products, customers buy next time, instead of paying cash. Coupons, vouchers and the like they can use with their next order, resulting to a discount.
Because, if a customer's system is compromised you can assume it all, they can even use the browser and from the IP there isn't much you can tell. (maybe a port scan of the standard ports sometimes will reveal the proxy but its a long shot).
Going through the bureaucratic legal avenue is just not viable since you going to be after the wrong entity most likely.
As lifeinasia posted that would be the only sure way of stopping them but as he and I said it would add about 10-15 minutes per order but only on the ones from the affiliate marketing programs would need this extra time.
Going through the bureaucratic legal avenue is just not viable since you going to be after the wrong entity most likely.2nd that as this would then add extra paper work time and expense on your part.
[edited by: lorax at 12:41 pm (utc) on Aug. 13, 2009]
[edit reason] typo fix [/edit]
If this is the case, presumably they are just thinking they've got an accidental freebie when they originally got the package, and keep quiet about it.
Could you perhaps mitigate this by the paperwork that you ship with the goods? Instead of just a delivery note, send an itemised receipt which states that payment has been received in full on a card, and provide enough information that a person would realise that it is their own card than has been used. EG:
Invoice status: PAID
Payment received in full on Visa card registered to Mr U R A Mug.
For billing enquires, please call on 0800......
Which would hopefully increase the number of calls you get from people asking what you think you are doing with their card, rather than just thinking they've got a freebie. This would let you get your products back, and stop payment of the commission in time.