We've been trading online for just over three years now and never had a problem with online fraud, or chargebacks. We have had the occasional one slip through, but very few, and very far between. But since the New Year this has changed. We've been hit three times in the last couple of months by people using multiple stolen credit cards.
We've contacted the company that processes all of our credit card transactions and after describing what has happened to us they have told us that the way we have been hit is a pretty new scam that a few others have been hit by in the same way recently.
My business partner took the call, and I am summarising what was said on the phone, but basically the scam is this. A certain bank has had its security compromised, and as soon as cc numbers are generated they are being stolen somehow (apparently no one yet knows how) before they even leave the bank (I know it sounds hard to believe, but this is what we were told). These numbers are then used for the transactions. The thing is, it takes ages for them to be flagged up, it may be a week or so before the person gets the card, and another month or three before they find out that it's been used fraudulently, by which time the thief has racked up a fair old bill, and moved on to another card. They also seem to change addresses every few weeks, probably timed with when they think the first fraud will be picked up.
The thing that gets to me is all of the cost of this is being put on to the merchant! How can this be? It's not us that’s messed up with the security (well not as much as other people in the chain), yet it's cost us. The only way to get round this is to code 10 every order you get. Yeah right.
We’re pretty vigilant (at least I thought we were) normally, but these orders were within the UK, and for similar amounts to a lot of our other orders. Several were placed in each case with about a week to two weeks between each one, we didn’t pick up on multiple orders until it was too late, although we do get legitimate multiple orders quite often anyway.
Has anyone else had this? Is there any way to try to get compensation without having to try taking a bank to court? Am I wasting my time and should just shut up and take it? It just seems that the smallest in the chain has to foot the bill.
</rant>
Thanks for any comments,
Paul
Try asking uk online for business, run by our wonderful (maybe) government, and any business groups like them (business gateway and the like)
Find out which bank it was
Find out what your PSP's standpoint is
Leave no stone unturned
Sue the lot of them!
OK, so I may be exaggerating but it's how you feel, right?
And you DO have a right
I might not be the most important person in the world but I will stand in your corner pal
anyone else wanna join in the support?
Morocco - Not sure if I'm allowed to say on here, all the same one though.
Another thing I forgot to mention before is that the main one we got hit with used different cards for each transaction, but the only difference in the card numbers was the last four digits. For example one guy placed several orders with us, and as an example the card numbers were:
1111 2222 3333 4567
1111 2222 3333 5678
1111 2222 3333 6789
1111 2222 3333 7890
Very difficult to spot if you're not expecting it. Kind of backs up what we were told about them being taken directly from the bank.
Thanks for the support delboy1978uk, problem is this all takes time, and I've already wasted more than I can afford on it....
Specifically, look for multiple orders with different credit card numbers but the same billing/shipping/e-mail/IP address or some combination of those. Most customers don't use multiple cards on repeat orders; if you get an order flagged as possible fraud, contact the customer to verify their info.
I used to work for a .com e-commerce company that had (at the time) some fairly advanced fraud detection algorithms. And looking for the same customer to use a different card was a big flag. Used to annoy the heck out of me, because I had to test the system using my own cards and needed to try out different cards from time to time and the doggone fraud filter kept nabbing me...
[edited by: martyt at 4:02 pm (utc) on Mar. 25, 2004]
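An added example, not part of the original posts: one way to automate the check described in the post above (different cards tied to the same e-mail, IP or shipping address) together with the shared-card-block pattern reported earlier in the thread. The order fields, thresholds and function names are assumptions, and the sample orders are constructed.

```python
from collections import defaultdict

# Constructed sample orders (not real data). Card numbers reuse the placeholder
# pattern quoted in the thread; 105 and 106 are an ordinary repeat customer.
ORDERS = [
    {"id": 101, "card": "1111 2222 3333 4567", "email": "a@example.com", "ip": "203.0.113.7", "ship_to": "1 High St, Leeds"},
    {"id": 102, "card": "1111 2222 3333 5678", "email": "a@example.com", "ip": "203.0.113.7", "ship_to": "1 High St, Leeds"},
    {"id": 103, "card": "1111 2222 3333 6789", "email": "b@example.com", "ip": "198.51.100.9", "ship_to": "9 Mill Rd, York"},
    {"id": 104, "card": "1111 2222 3333 7890", "email": "c@example.com", "ip": "198.51.100.23", "ship_to": "9 Mill Rd, York"},
    {"id": 105, "card": "4000 1234 5678 9010", "email": "d@example.com", "ip": "192.0.2.44", "ship_to": "3 Park Ln, Bath"},
    {"id": 106, "card": "4000 1234 5678 9010", "email": "d@example.com", "ip": "192.0.2.44", "ship_to": "3 Park Ln, Bath"},
]

def digits(card):
    """Strip spaces and punctuation so card numbers compare consistently."""
    return "".join(ch for ch in card if ch.isdigit())

def shared_identity_flags(orders, keys=("email", "ip", "ship_to"), max_cards=1):
    """Order ids per e-mail/IP/address value seen with more than max_cards cards."""
    cards, ids = defaultdict(set), defaultdict(list)
    for o in orders:
        for k in keys:
            if o.get(k):
                key = (k, o[k].strip().lower())
                cards[key].add(digits(o["card"]))
                ids[key].append(o["id"])
    return {key: sorted(ids[key]) for key in cards if len(cards[key]) > max_cards}

def card_block_flags(orders, prefix_len=12, min_cards=3):
    """Order ids per card block where min_cards+ distinct cards share a prefix."""
    blocks = defaultdict(lambda: defaultdict(list))
    for o in orders:
        pan = digits(o["card"])
        blocks[pan[:prefix_len]][pan].append(o["id"])
    return {p: sorted(i for lst in c.values() for i in lst)
            for p, c in blocks.items() if len(c) >= min_cards}

def review_queue(orders):
    """Union of both checks: orders to hold for manual verification."""
    flagged = set()
    for hits in (shared_identity_flags(orders), card_block_flags(orders)):
        for order_ids in hits.values():
            flagged.update(order_ids)
    return sorted(flagged)

if __name__ == "__main__":
    print(review_queue(ORDERS))
```

Orders 103 and 104 use new e-mail and IP addresses, so only the shared shipping address and the card-block check tie them to 101 and 102; the repeat customer on a single card is not flagged.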
> Unless they ran it through a card generation program and those cards were successful.
As far as I understood it a card generation program will give you a valid number, but unless it's registered to someone it gets flagged when you put it through the machine. The chance of generating a number that is currently in use is very slim.
> There's a considerable difference between MasterCard, Visa, Disc, Amex, and JCB
Not sure what you mean by this, could you expand on it?
> How about implementing some basic fraud detection of your own?
Well we do try to check for the points mentioned, but an automated system would be a lot better, it's something I'll have to look into, we've just never had to use anything more than common sense in the past...
AVS and CVV data is likely to be incorrect on orders using the above method.
> difference between visa, mastercard....
What do the cards start with (first number)?
3 - American Express
4 - Visa
5 - Mastercard
6 - Switch/Solo/Some others
etc...
You talk about chances being slim. A valid card number is not too difficult to find. The first digit gives the card type, the next three give the subtype and issuing bank. Only 12 to go. The last is the check digit. So there is only 11 to go. Matching this with expiry dates could take some time, but once you have one, working out others near it is not too difficult.
I believe that would be the problem. You are assuming it is the bank at fault. Maybe you should phone the bank and inform them of the card range and see what they say about it.
It would not be difficult for you to stop these - you know the card block that is being used. You could perform a full code 10 on these cards only. Or you could take a risk and just cancel any orders that have credit card numbers beginning with the first 12 numbers.
The whole banks abusing the consumer/small businesses has had quite a bit of air time recently, so he/she will understand your issue easily. If the bank is taking advantage of you then they may well be inclined to help. A letter on House of Commons writing paper can't hurt.
OK, so maybe I got up this morning under the delusion I lived in a functioning democracy, but it's an idea.
Lots of people know how, apparently not that bank though huh?
It's not that the numbers are stolen, it's that the numbers follow an algo. :) The card hackers create programs that generate valid card numbers, so much the better for them if the real cards haven't been released yet. They can also extrapolate good numbers from existing cards. A search will turn up a number of different CC# generators and card verification programs.
So, I have to ask if you're making your verification process more stringent? The banks certainly don't seem to be onboard...
I do realise that, but as I said earlier:
"As far as I understood it a card generation program will give you a valid number, but unless it's registered to someone it gets flagged when you put it through the machine. The chance of generating a number that is currently in use is very slim."
Is this incorrect?
What we were told on the phone was that these guys were somehow getting hold of cc numbers that had only just been activated, giving them a lot longer to use them. Also the person that they belong to has no idea that the number has been stolen.
> So, I have to ask if you're making your verification process more stringent?
We're trying, it's just pretty difficult when you've got a lot of orders to process, spending a while on each one just isn't an option. We're now code 10ing any order that is shipped outside the UK, this in itself takes a loooooong time, but I feel it's either that, or stop shipping outside the UK which we really don't want to do ;)
phpexperts - Have you seen any drop off in purchases since you adopted that strategy?
Cheers,
Paul
You have NO evidence that they are being stolen directly from the bank.
phpexperts is a URL dropper and that site recommended is his own. Self promotion is not permitted on WebmasterWorld. See the TOS.