Forum Moderators: buckworks

Free Emails and Fraud

Should I allow customers to register with yahoo, hotmail emails

jdancing

7:14 pm on Aug 29, 2003 (gmt 0)

I am considering blocking people from using any of the many free anonymous email accounts when registering to pay for an item on a new e-commerce site I am building. I've heard that the savings from CC fraud should make up for lost business.

What's the general consensus here?

Dreamquick

7:32 pm on Aug 29, 2003 (gmt 0)

IMO find a better way, it's a nice idea in theory but you'd be surprised how many professionals consider an AOL (if you have fraudulent CC then you can get AOL addresses just as easily as you can get free webmail) or Hotmail account perfectly adequate for their needs.

Also you'd need to know about every free email provider which in itself is an impossible task - most fraudsters would use a smaller free-email host precisely because the big providers a) aren't all that free really and b) they draw a lot of attention.

Just my 2c...

I guess it really all depends on the sort of segment you are in but for SMEs free accounts are surprisingly common, especially since they normally have to pay extra for email with their website (if they have one).

Personally I've seen impressive results with IP geo-location as most of the time fraudulent users claim to be in one country but are actually connected from another and show as such.

You have to guess they take a shotgun approach and simply hit as many sites as possible in an attempt to use up the card before it gets stopped.

- Tony

WebStart

7:43 pm on Aug 29, 2003 (gmt 0)

Unless you really think you are going to lose a lot of money by allowing free email users to buy from you, I would not do it. Too many people use yahoo and hotmail, and there are also many newbies on the web every day who use those email accounts and no other.

Do you not collect other personal information from them, like phone numbers, address, etc? That information, in turn, can be run through an Automatic Verification System available for a fee, by license, I think.

jdancing

3:38 am on Aug 30, 2003 (gmt 0)

This is my first site where I will actually charge. I'll ask for address phone name etc... but the email is the easiest to verify by making them reply to an email.

WebStart

4:21 am on Aug 30, 2003 (gmt 0)

Hm ... don't know how to respond to that. If email is your only way to 1st contact customers and verify, then yes, you have a potential problem with people using yahoo and hotmail, etc to defraud you. But you will be losing (potentially) a lot of customers if you shut those folks out.

Plus, I would not rely entirely on email in ecommerce as a way to contact customers or have them contact you. The Internet is rife with problems from worms and viruses that cause websites to be closed, bounced emails, emails that never arrive, or do arrive months later. That's not to say you cannot do ecommerce, but you need to collect also the old familiars: tel numbers, US mail addresses (yours and theirs), and have some redundancy in your system.

khuntley

1:22 pm on Aug 30, 2003 (gmt 0)

Interesting, just looked through my last 50 orders and found that 20 (40%) had email addresses from easily obtainable sources.

Kevin

wackal

2:54 pm on Aug 30, 2003 (gmt 0)

I agree with WebStart, you should be using AVS to check if credit cards are valid. You might want to also ask for the 3 digit code on the back of the card as well. I would think that you would lose too many customers and generate a lot of bad word of mouth if you just reject people who use yahoo and hotmail.

jsinger

4:35 pm on Aug 30, 2003 (gmt 0)

Don't know our precise numbers, but MANY of our customers use "hotmail" type email addresses. We have a microscopic amount of fraud: about .05% of all orders and perhaps .1% of "Hotmail" type orders.

What does matter: Orders from Nigeria/Indonesia are 99% fraudulent.

Don't sweat the insignificant stuff.

jdancing

5:51 pm on Aug 30, 2003 (gmt 0)

Ok, I'm convinced, I'll accept all email domains. I am glad I checked here first.

However, is there a way to block Nigeria etc... with IP address blocks? If so, where do I get a list of high CC fraud risk IPs that should be blocked?

Thanks

jdancing

9:55 pm on Aug 31, 2003 (gmt 0)

Ok, I found a way to block specific countries. Now which ones should I add to my "Block List"?

johnafrid

2:56 am on Sep 1, 2003 (gmt 0)

jdancing,
I would appreciate it if you could describe the "how to" or a link for blocking the country specific IP addresses. Thanks in advance.

John

chuladi

8:34 pm on Sep 2, 2003 (gmt 0)

Had a fraudulent order from Nigeria come in over the weekend. Thing is, these guys are so obvious it's funny. The dollar amount is unusually high, they always want expedited shipping and then send an email confirming the order and asking for the tracking/waybill # as soon as possible. Some try to put in another country and then re-route. But here is another: they often use last name first and sign emails with the last name. Like Smith Joan and sign the emails Smith.

So this one keeps throwing card numbers at me. It was unbelievable. USA, Europe, cards issued all over the world.

I called the numbers in because, with the increased use of debit cards, people's bank accounts can get drained over the weekend. But it was a small bank and the fraud department was not open until today. I left a message on the report a lost/stolen card line because I figure it's better for her card to be frozen than to wake up with no money in the bank.

That's the downside of having a card/debit card with a small bank, no 24 hour fraud department. If Visa/MC had a national/international fraud card reporting number, would make things a lot easier.

That's a long story, but I just want to share that most fraud is fairly easy to spot if you implement a few policies. I know all the online ecommerce risk management guides and articles act like free email addresses are like the devil, but really, it's not like that anymore. Block those, and you seriously lose tons of business. One of the reasons most people use it is because they are terrified that vendors will spam the heck out of them and sell their address (despite what the privacy policy may say no one reads it) so they get a throwaway free email address.

AVS is a good tool, but it can be easily fooled by a crook with half an ounce of information. CVV2 really, really helps, problem is, most legitimate card users don't even understand how to locate it (especially if their signature panel is rubbing off) and lots of people memorize their card numbers anyway, and don't memorize that one, so conversion could suffer if it is mandatory. But also there are other things to look for. Phone numbers not matching shipping locations. Ship to and Bill to are way too weird. Drop Boxes (NY, Miami and LA), suite numbers, private mail boxes, apartment numbers disguised as suites, etc...

As far as blocking countries, it is relatively easy to get a list of high fraud countries just by searching in any search engine. I would block all of them.
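
Added example, not part of any post above and not code from any poster: the order-screening signals raised across this thread (IP country vs. billing country, AVS/CVV2 results, high-value expedited orders, repeated card attempts, mail-drop addresses) combined into a score that holds an order for manual review rather than rejecting it. The weights, threshold, field names and sample orders are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Weights and threshold are illustrative assumptions, not values from the thread.
WEIGHTS = {"ip_country_mismatch": 3, "many_cards_tried": 3, "avs_fail": 2,
           "cvv2_fail": 2, "high_value_expedited": 2, "ship_bill_mismatch": 1,
           "mail_drop_address": 1,
           "free_email": 0}  # recorded only: the thread's consensus is not to block on it
REVIEW_THRESHOLD = 4
FREE_MAIL = {"hotmail.com", "yahoo.com", "aol.com"}
MAIL_DROP = re.compile(r"\b(pmb|suite|ste|box)\b\.?\s*#?\s*\d+", re.I)

@dataclass
class Order:
    email: str
    amount: float
    typical_amount: float   # shop's usual order value
    expedited: bool
    bill_country: str
    ship_country: str
    ip_country: str         # assumed already resolved by a geo-IP lookup
    ship_address: str
    avs_match: bool
    cvv2_match: bool
    cards_tried: int        # distinct card numbers submitted in this session

def signals(o: Order) -> list[str]:
    checks = {
        "ip_country_mismatch": o.ip_country != o.bill_country,
        "many_cards_tried": o.cards_tried >= 3,
        "avs_fail": not o.avs_match,
        "cvv2_fail": not o.cvv2_match,
        "high_value_expedited": o.expedited and o.amount >= 3 * o.typical_amount,
        "ship_bill_mismatch": o.ship_country != o.bill_country,
        "mail_drop_address": bool(MAIL_DROP.search(o.ship_address)),
        "free_email": o.email.rsplit("@", 1)[-1].lower() in FREE_MAIL,
    }
    return [name for name, hit in checks.items() if hit]

def score(o: Order) -> int:
    return sum(WEIGHTS[name] for name in signals(o))

def needs_review(o: Order) -> bool:  # hold for a human, do not auto-reject
    return score(o) >= REVIEW_THRESHOLD

# Constructed sample orders (not real data).
ORDINARY = Order("pat@hotmail.com", 40.0, 45.0, False, "US", "US", "US",
                 "12 Elm St, Dayton OH", True, True, 1)
SUSPECT = Order("buyer@example.net", 900.0, 45.0, True, "US", "US", "GB",
                "1200 Main St PMB 212, Miami FL", True, False, 4)
```

The free-email order passes untouched, while the second order is held because several independent signals stack up, none of which is the email domain.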