That would work if the CC companies cared. Sadly, they couldn't care less how much fraud is piled on the merchants backs.

It's a money issue, it doesn't cost them or their customers a dime and in fact, they make money off of the charge-backs made to us.

The merchants are the ones that foot the bill for CC fraud and that wont change any time soon.

A few years ago, I received a fraudulent order. It was obvious the users card had been lost, stolen or comprimised. The credit card company put me on hold and bounced me around to a few customer service reps and they ended up telling me not to worry about it.

Until Banks have a reason to be concerned about it, they won't be........

Now guess what will have to happen in order for them to be concerned with it.

How would you know the transaction was fraudulent before an order was placed? Did you by chance call the customer because something was not adding up? Then the customer can have the card cancelled. Or, did the chargeback come later? If this is the case shipping to the cardholders registered address with a signature is a successfulm defense against a chargeback.

yea everyone pretty much summed it up. banks do not care since they aren't liable for the chargeback.

but yeah I see that a lot myself. these people test out a bunch of cc's on our sites to see if their valid then go to the smaller sites with less security and fraud screening and put orders through

Banks love fraud - they make huge profits from it - unless the banking industry is suddenly restructured from the ground up, they will never do anything about credit card fraud.

I met a guy out at ETA that is kind of doing what you are looking for. The company is Sellitsafe.com and essentially what they do is database IRC chats w/ compromised Paypal, CC, and other PII of individuals. I'm assuming you could submit it to them. They have a really nice solution for online vendors.

yea everyone pretty much summed it up. banks do not care since they aren't liable for the chargeback.

Banks love fraud

The sentiment of this thread is both inaccurate and unsupported. The fact of the matter is that acquiring banks (the backbone of the processing industry) do not enjoy fraud, nor do they profit from it.

A differentiation must first be made between the different types of fraud to accurately address the catalyst for this thread. Sun818 wrote:

Sometimes fraudsters use my shopping cart to test the validity of the credit card and then possibly use it to shop elsewhere.

What is happening here is just that. Individuals will run countless ill-acquired credit card numbers through any verification system (usually a virtual terminal) that allows unlimited transactions. Each time the information is passed to the processing bank to obtain an authorization (or decline) the merchant is charged an authorization fee. If a fraudster runs 2,000 automated queries through a merchant's virtual terminal this is an expensive prospect.
The bank is not at fault here. The processing bank is simply providing the service that they are contracted by the merchant to provide. The person at fault is the merchant for not implementing the proper (and simple) safeguards to prevent against such attacks.

How to prevent "authorization bombardment attacks":
These attacks are essentially SPAM. They're a repetitious submittal of information from a static source. To combat these attacks simply block the submission of data from a common source after X attempts. This can be done any number of ways by using an identifier like an IP, and HTTP user agent, or better yet through a session variable. Only allow any one customer to make X amount of authorizations in any given day.

Avoid Real-Time Authorization
I've owned and worked with sites that process a significant number of transactions daily that do not employ a real-time system. If this is possible for your organization - it is a great way to combat fraud. Database orders, review order info, and then manually process transactions through a terminal or virtual terminal.

Human Review
Too many businesses, both online and off, process credit card transactions in a careless manor. Each and every transaction should be reviewed by a human prior to processing and it should be screened for key indications that it may be fraudulent. Very specific and thorough lists and tutorials about what to look for can be found at both VISA and MasterCard's websites here:

VISA
[usa.visa.com...]

MasterCard
[mastercard.com...]

Chargebacks
With the exception of American Express (who tends to rule in favor of the customer very often), chargebacks are not the devil that many merchants make them out to be. Most chargebacks are lost by merchant because they (or their software) are ill-prepared to handle them. Again, tons of great information on preventing (and winning) chargebacks can be found at both VISA and MasterCard's websites.
Read all about it here [usa.visa.com]

[edited by: jatar_k at 9:21 pm (utc) on May 10, 2006]
[edit reason] fixed sidescroll [/edit]

AuthorizeNet wants to charge me $99 a month for their "fraud suite". At $0.10 per transaction, a fraudster would have to run up 999 transactions before it made financial sense for me to use their services. I was just looking for a way to report these compromised credit card numbers to a central clearinghouse that could communicate to the respective banks for us.

I think I will investigate this with Discover and American Express since they have their own customer service.

Auth.net has an SIM and AIM integration method. If you're using the SIM then you are at their mercy for the "fraud suite", however, if you are using the AIM you can integrate the safeguards that I've noted above on your own pretty easily.

The reporting of this type of fraud is difficult because it involves so many different numbers. You'd be better off reporting the offending IP to the ISP rather than calling your merchant service provider. The problem here is that the chances are pretty good that this is an overseas IP anyway where no action could be taken.

central clearinghouse that could communicate to the respective banks for us

This is your processing bank.

If it is a specific fraudulent transaction that is in question the procedure is different. Contact the security department at your processor (not necessarily your merchant service provider) and provide them with the offending credit card number. They will in-turn contact the issuing bank of the card to report the problem.

Contacting AMEX and Discover probably won't get you too far since you would need to contact the card organization responsible for the issuer of the card in question. Contacting AMEX to report fraudulent activity involving a VISA card will get you sent to VISA's security department.

"Human Review
Too many businesses, both online and off, process credit card transactions in a careless manor. Each and every transaction should be reviewed by a human prior to processing and it should be screened for key indications that it may be fraudulent. Very specific and thorough lists and tutorials about what to look for can be found at both VISA and MasterCard's websites here:

VISA
http://www.usa.visa.com/business/accepting_visa/ops_risk_management/index.html?it=gb¦/¦Operations%20and%20Security%20Resources

MasterCard
http://www.mastercard.com/us/merchant/security/what_can_do/getting_started.html
"

Good info. Never seen the visa resources page for CNP transactions. It is a good start. Some other good common red flags for online cc fraud

-inconsistent text formatting

Ex:

Billing addy
joe smith
134 first ave
cityname, NY, 4356

Shipping
BOB SMITH
176 WEST AVE
CITYNAME CA, 90235

-apartments in urban high crime areas (miami,nyc, chicago)

-free e-mail accounts w/ popculture references

example: JayZthugx69@hotmail.com

billing phone # is a fax
billing phone # is disconnected
billing phone # is a cell phone from a different state

consistent orders only days apart with an increase in price each time (usually always bad)

And as far as having a human review each transaction I guess thats possible if your a smaller merchant. If your a big merchant you should invest in fraud screening tools like cybersource or retail decisions. They allow you to build your own velocity rules and thresholds to cater to the kinds of orders you see. Retail also has a new neural model that is pretty good called Prism.

Other good basic tools are whitepages.com. Compare address and phone numbers. If you want to get more complex with public record searches invest in accurint which is powered by lexus nexus.

[edited by: lorax at 12:51 pm (utc) on May 11, 2006]
[edit reason] removed 2 URLs, delinked the rest [/edit]

justgowithit - good points to many merchants are quick to place the blame outside of their own organization and not do the due diligence that is necessary, nor take responsibility when a chargeback happens. I just had the conversation with 2 site owners this week and though they were looking for sympathy I pointed out that he must do what he can to confirm an order prior to shipping.

fraud master -

apartments in urban high crime areas (miami,nyc, chicago)

What a crock of …. I have lived in all three of these and you can fool yourself that only certain zip codes are going to commit fraud if you like but fraud knows no bounds it's in the city as well as the suburbs. Wake up, it could be your neighbor, oh no not Mr. Jones he seemed so nice they said as he was led away in handcuffs as the ring leader of an internet fraud scam.

i said it is a RED FLAG. I never said it is always fraud.

Trust me I see this stuff EVERY DAY at work. The company I work for is the outsource provider for 57 big name websites, all of which you have heard of.

Statistically there is a lot of fraud going to apartments in the bronx or in brooklyn. Its just the way it is. Do we cancel every order shipping to an apartment in these cities? No. Are we a bit more thorough with $1000 order shipping over night to an apartment in chicago when the bill to addy is wisconsin? Yep. Fraud is everywhere not just in the urban city's but from a risk management perspective you are factoring in a lot of statistics in which you have to be more thorough in some cases based on these statistics.

You might want to think twice about any potential red flags coming out of Florida also, especially checks.