Forum Moderators: buckworks
[washingtonpost.com...]
With over 7 years of ecommerce experience I completely disagree with these so-called 'experts' as any diligent merchant easily can thwart most fraudulent sales. There have been many attempted fraud transactions on my ecommerce stores in the past but to date not a single fraudulent sale was ever filled and the most we were out was the payment gateway transaction fees.
Consumers are always scared with the myths about online fraud when the stark realities are that the billions lost every year in credit card fraud primarily come out of the pockets of the merchants, not the consumer. In reality you're doing all this for YOUR security as the merchant always gets the chargeback and loses money, not the consumer, and certainly not Visa, Amex, Master Card or the banks.
The main causes of online fraud do not happen because hackers have stolen credit cards as this is another huge myth. The stolen credit card only has value if the merchant that the card is presented to has inadequate transaction validation processes or is just too lazy or too uneducated to properly verify the transaction.
Online credit card validation is theoretically no different than walking into a brick and mortar store with a stolen credit card because if the clerk doesn't bother to verify your identification when processing the transaction the merchant is easily defrauded. A quick visual verification that the drivers license matches the credit card and the picture on the license is actually the person holding the card stops most fraud at the point of purchase. The trick is validating the identification of the person making the online transaction with enough diligence that it's almost as safe for the merchant as a card present transaction.
Slowing down or stopping online fraud
So how do you validate the card holder online when you can't see their ID in person?
First level automated online fraud prevention steps :
1) Block access from anonymous proxy servers as online thieves like to hide their identity. There are lists of known anonymous proxy servers available online you can download and block. This won't eliminate the need for validation of the IP the order originates from, but it will slow down the casual unsophisticated thief.
2) Don't allow separate bill-to and ship-to addresses as most online fraud uses the cardholders billing address but ships it elsewhere. Some businesses that sell a lot of gifts and have to allow a separate ship-to address should be extra vigilant validating the bill-to information.
3) Get ecommerce software that tracks the IP address of the order and reports the country the order originated from. Why this is important is many online fraud sales are attempted via proxy servers in foreign countries so when you file a police report the police can't subpoena the ISP records in a foreign country to trace the identity of the crook. If the bill-to country and the originating IP address country don't match this is a huge fraud alert.
4) Verify the IP address of the email address for the same reasons explained above. If you can't find ecommerce software that does this, hire a consultant to modify your software for you. Manually you can do this yourself by simply pinging the domain name on the email address and then use an IP Address Geography mapping service to get the country.
5) Require full AVS and CVV for all credit card transactions whenever possible as AVS isn't available yet for all countries.
6) Don't allow free email addresses in the order. This is more difficult as services like Yahoo are now offering ISP services and free email, but there are many sources of just free email only that can easily be blocked.
Steps 3 and 4 can easily be automated and your ecommerce software should issue a warning that the countries don't match as this is a huge fraud indicator.
Why is this important?
Many frauds I've encountered had a credit card from one country, an IP address from another country and an email account from yet another country. Some payment gateways are starting to take these issues into account but it's not widespread in the industry yet as far as I know. I prefer to stop the order from even reaching the payment gateway when these issues arise as the processing fees lost are money out of pocket that I'd prefer to keep.
Second level manual validation fraud prevention steps :
Why we do these next validation steps is to eliminate thieves hiding behind cell phones and pay phones in case you happen to call. Just calling the customer first doesn't mean that's the actual customer's phone number, it's just any old number someone happens to be answering.
1) Verify this is a real person at a real address with the phone number posted in the order which can typically be done using online yellow pages or Google.
2) If the information isn't available online, check directory assistance for that area code and ask them for the number and address of the person. This might cost you $0.50 but it could save you a lot more if it's a fake order.
3) Make a quick call to the person that placed the order to verify they made the order and to confirm it before shipping. Most people think that level of customer service is above and beyond and are thrilled although you will get an occasional nutjob, just assure them you're doing it for their security. Not surprisingly some people will respond "what order?" - never ask the customer for their credit card number and never give them the whole number, just tell them an order was placed for a Visa, MC or Amex ending in the last 4 numbers of the card so they have enough to verify the credit card being used and/or contact their credit card company in the event they're being defrauded.
With these simple automated and manual screening processes you can eliminate a large majority of fraud orders, if not all of them.
However, for those companies that sell internationally this problem is a little more complicated and the best you can do is minimize your risk by eliminating certain countries (such as Nigeria, Indonesia, etc.) and requiring a wire transfer for large orders.
Hope this information helps and would be interested in additional procedures others use to stop fraudulent online orders.
Just about anything in the popular press about the web is WRONG. Been true since Day One.
Our own fraud rate is almost zero and we do ship plenty of orders to separate ship/bills and MOST of our customers are now using "disposable" emails.
Our secret: 1) We don't export (from the U.S.); 2) We manually glance at all orders; 3) We thoroughly check very large orders; 4) We don't sell fraud-magnet products, such as Rolex watches.
When was the last time someone on this group said he was being put out of business by fraud? Never!
It is very easy to prevent fraud. The problem is greedy merchants that are afraid to pass up a sell and too lazy to do some reality checks. The scammers prey on this greed and laziness.
Anyone will walk into a store and hand some bozo their credit card, address, phone number and signiture without thinking twice about it. This being the case, it is funny how the card companies, security companies, and related have people all worked up over "identity theft", or how bad things can happen if you order over the Internet.
I have had 2 fraudulent charges on my credit cards. 1 was from someone working at a Denny's in Seattle that I visited and the other must have occured due to my card information being stolen from the card bank's database, because I never used the card and apparently they had my cvv number.
I called up Visa a while back to report a fraudulent order placed with a likely stolen card and they basically blew me off. So I asked them "Who do I call to report this", and they really didn't answer. The credit card company's stance against fraud is basically a dog and pony show, they know the merchant will eat the loss. They don't really care about the "middle man", since they're always going to make their money.
However, there are many things that people like us down in the trenches can do to protect ourselves. Of course always require AVS and CVV2. Then you just use your judgement, high ticket item, multiple items, shipping address not the same as the billing address. You'd be surprised at how much one simple phone call to the "customer" can save you. Many a scammers will wriggle out of the order if you actually get through to them.
