Reporting Suspected Credit Card Fraud

making the internet a safer place to shop

         

dvduval

3:44 pm on Dec 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I just got an order for 10 identical pairs of shoes from Lagos, Nigeria using a yahoo email account.
1) First of all, nobody ever orders 10 pairs of the same size and style.
2) I don't know of too many ballroom dancers in Nigeria.
3) It's pretty tough to trace a Yahoo account.
There are too many red flags here.

Of course, there is no way to be sure this is a fraudulent order, but it doesn't take a Sherlock Holmes to be suspicious.

Is there a good way to report this credit card number as being a potential fraud? I would certainly rest easier knowing that I at least tried to help make the internet a safer place.

jsinger

5:47 am on Dec 29, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Chiyo: You're right, of course. I started to use The Philippines as my example but I wasn't sure about the spelling.

jamesa

9:38 am on Dec 29, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If it's suspicious looking, don't process the order. It's not worth it. We were hit with a large number of fraud orders, first from countries like Nigeria and later from the US. But they all had the same pattern. We started calling the issuing banks who would contact the customer on our behalf to verify the charge. After a while we just cancelled all the suspicious orders without checking. The funny thing is that we sell online services, so I can't imagine what good using a stolen card would do because we just would have cancelled their service as soon as we found out.

So finally we tightened up our AVS checking which helped (effectively blocking foreign orders), but then we got hit with a massive number of declined transactions. So much so that the 25-30 cent transaction charges were adding up to be quite significant. I think they decided to use us as a test bed for randomly generated card numbers or something. I can't think of another reason. It was a major problem for a while.

As I recall we accumulated IP addresses, etc and contacted the police or FBI. They told us that unless the fraud was over X number of dollars (I think $25,000) they won't even touch it.

The credit card companies are little to no help since the orders were "card not present" transactions. You have almost no defense on a chargeback with internet or phone orders judging from my experience.

As merchants, we're left holding the bag so be very discriminating.

gsx

10:27 am on Dec 29, 2002 (gmt 0)

10+ Year Member



Crazy_Fool: you stated: "what you're talking about is full-authorisation (automatically authorised) for most transactions and pre-authorisation (manual authorisation) for anything strange, like from certain countries or over certain values etc. this is very easy and it's done in the shopping cart prior to payment, not from the callback which is following payment. the shopping experience is identical for all shoppers regardless of whether transactions are pre-auth or full-auth."

I am glad that you know the results from WorldPay (including AVS results, whether the card has been authorised, if the user has changed their name, address, phone number, postcode, email address or even country within the WorldPay payment screen). You must have a pre-knowledge system that allows you to know this information before WorldPay do. And when I went to pre-auth, they suspended all the other non-pre auth accounts - they do this by default.

I have had orders with UK credit cards where the AVS results all match, they are using a UK card and they know the address. But when they ask for shipping to Uganda, Nigeria, USA or anywhere else it begins to ring alarm bells - especially when you consider these order amounts. To automate this requires a callback facility where I can decide what to do from there.

The call back is especially important when I get fraud attempts regularly. I could lose 60-100 of one particular item per day from my stock figures if I do not use the callback facility to report if the item has been paid for or not.

A call back can also be used to give the customer a different payment success or failure screen depending on the results. So you could, for example, give a user a special failure message if the countries do not match (even if the payment has been authorised).

gsx

10:34 am on Dec 29, 2002 (gmt 0)

10+ Year Member



Alby, this information is not on the WorldPay site (as far as I know), you will find the information required if you phone support and ask about callbacks and using them to process pre-auth transactions.

Crazy_Fool

11:23 am on Dec 29, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



gsx - don't be sarcastic.
like i said, ask them to unsuspend the non-pre-auth accounts and they will, giving you 2 test and 2 live accounts. determine which to use in your shopping cart prior to payment.

if you want to check whether or not they change the customer details on the order page itself, pass the original details through the system as M_ values. use MD5 encryption if you want to hide this from customers that might look at or modify source code. in your callback you then compare $country (from the worldpay payment page) with M_country (as passed through the system). very simple and it works.

you cannot choose full-auth or pre-auth in your callback following payment. you can pre-auth everything prior to payment and then (apparently) you can set up auto-completion depending on certain conditions being met (ie, not from indonesia etc), but this is not a standard service and you'll need to contact support(?) to get it set up.

jaeden

3:00 pm on Dec 29, 2002 (gmt 0)

10+ Year Member



Here's another story of a busted burglar.

We shipped an order 2nd Day Air to an address in California. This was before we started doing AVS (didn't know how to at first). It had a first initial and last name, and a suite number. Anyway, I got a chargeback notice and was pissed (it was my first).

I got onto the internet and typed the address into MapQuest, and it turns out the office building was across the street from a big hospital. I got the number of the hospital and asked the receptionist the name of the building across the street from them. She gave me the name of an office that was on the floor below them. I called that office and that clerk went upstairs and got the name of the company off the door. I got the phone number off the internet, and called the receptionist. I pretended to do a follow up check to make sure the package was delivered... "We sent a package to M. Agular via 2nd Day Air and wanted to make sure it arrived on time." The receptionist came back and said "Yes, it's here".

I took all the information I gathered and contacted the cardholder. She was extremely grateful, as she was P.O'd too (this perpetrator had bought other things on her card too). About an hour later I got a phone call from someone who wanted to return an item that got shipped to their company by mistake. It was the M. Agular order. Apparently the person didn't work there anymore (wink wink). I said "you'll have to pay the return shipping", and she agreed (very generous of her).

I called the cardholder back to explain how happy I was of the situation. The cardholder, Rhonda, said "I called her". I was like, WHAT? She said, "Yeah, I called her. All I said was, 'I know what you did'. Maria as it turns out (M. Agular) freaked and was like 'who is this, who are you?' Rhonda just kept on saying 'I know who you are, I know what you did'" Musta freaked Maria out enough to send the package back.

Man, was that fun!

Just a little FYI, be very wary about sending to Miami too. I got busted once for over $700 worth of merch, called the police, and they said unless I lose over $50,000 they won't help me.

Jaeden

jsinger

4:08 pm on Dec 29, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Speaking of Miami.

While we don't ship outside the U.S. we've received some orders to addresses in Miami that are bonded warehouses that reship merchandise outside the U.S. Kinda like a mail forwarding company.

(we will ship to separate ship and bills, btw, and usually have few problems)

On one occasion we shipped one of those orders (it came in by phone, was small and looked good in other ways).
That was 8 months ago and still no chargeback.

Bet few e-commerce types know about such forwarders.

jaeden

4:26 pm on Dec 29, 2002 (gmt 0)

10+ Year Member



jsinger,

You know, we have sent many orders to those types of forwarders in Miami, and haven't received a chargeback yet either. Those are the only addresses I feel safe shipping to, which is ironic, because you never know who is on the other end.

Jaeden

BjarneDM

6:38 pm on Dec 29, 2002 (gmt 0)

10+ Year Member



My alarm-bells started ringing:
Crazy_Fool used the words 'form' and 'hidden fields'. Now, I've just read:
[safari.oreilly.com...]
and that combination is dangerous if you don't or can't validate even the hidden fields in forms. The rule of thumb is: *never*ever* trust *anything* that gets returned in a form - not even your own information. It's ok to use client-side javascript to pre-validate the information, but the final validation *must* be on the server-side and all fields - without exception - have to be validated. Reading the book referenced was a bit of an eye-opener, even though I did know or suspect most of the things beforehand.

yours in happy hacking
Bjarne - København ; Danmark ; Europa

EquityMind

7:03 pm on Dec 29, 2002 (gmt 0)



As a former fraud investigator I worked many many cases involving Nigerian fraud and I can say with 100% certainty that NOTHING good ever comes out of Nigeria. Fraud is the country's #1 primary revenue producer. The 'deposed dictator fund transfer' email scam actually started as a conventional mail scam over 20 years ago and has ripped off unwitting consumers of over $5 BILLION since its inception.

Nigerians in this country (USA) are responsible for the largest amount of student aid ripoffs ever. They come here on phony visas, get educated in our finest universities, and then go back to Nigeria to set up schools on how to defraud the US and other rich countries to aid their struggling economy. The Nigerian government is even guilty of providing blank passports to their citizens to enable fraudsters to travel worldwide under many aliases with which to commit more fraud.

NEVER do business with a Nigerian under ANY circumstances.

jsinger

8:44 pm on Dec 29, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've been receiving Nigerian scam letters for years. I once asked a postal inspector why the US Postal Service delivers mail that is obviously criminal. Certainly when a rural route in Nebraska suddenly gets 50 letters from Nigeria the post office here must know the purpose (not seed catalogs!)

No way millions of identical pieces of mail leave a country like Nigeria without the gov't and military there being in on it. True? Isn't that aggression, against us?

What would Teddy Roosevelt have done (or Queen Victoria)? At daybreak a squadron of warships would appear in Lagos harbour. 16" inch guns would all point at one target: the Post Office.

The letters would stop: INSTANTLY. Not a shot would be fired.
----

Isn't it odd how the US Post Office did so little to protect citizens from that scam. We have pictures of hippie radicals from the 70s still on "wanted posters," but I don't recall anything about Nigerian scams.

How about a commemorative stamp showing Nigerian crooks laughing at us?

---

Sorry about getting so far off topic. This is really a hot button with me.

vibgyor79

4:18 am on Dec 30, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I agree that if a large percentage of orders from certain countries are fraudulent, then you should not bother processing them.

However, certain statements made by some forum members are too generalized:

"I have NEVER had a legitimate order from Nigeria. It's almost as if they breed fraudsters!"

"So everyone agrees that about 100% of orders from Nigeria and Indonesia are fraudulent."

"NOTHING good ever comes out of Nigeria. Fraud is the country's #1 primary revenue producer."

Such sweeping statements should not be made in a public forum like WebmasterWorld. Remember that this forum has members from all over the world.

dvduval

4:37 am on Dec 30, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



vibgyor79,

I do agree with you, but let me pose this question:
Would it be prudent to have a "sweeping policy" for certain countries that are infamous for fraud over the internet?

EquityMind,

Believe it or not, there are actually good, honest people from Nigeria. Unfortunately, if you run an ecommerce site or have an email account, you probably haven't met too many of these "good, honest people".

liamgt,

You provided a list of countries where the most online fraud originates:

1. Ukraine
2. Indonesia
3. Yugoslavia
4. Lithuania
5. Egypt
6. Romania
7. Bulgaria
8. Turkey
9. Russia
10. Pakistan
11. Malaysia
12. Israel

Where did you get this?

jsinger

4:50 am on Dec 30, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Okay, let's hear some comments from people who get lots of valid orders from those countries. In fact, I solicited such comments in an earlier post.

Anyone?

EquityMind

7:35 am on Dec 30, 2002 (gmt 0)



I second jsinger's motion. Can anyone please provide ONE example of a positive experience they have had dealing with this country (Nigeria). I for one, after dealing with fraud out of Nigeria for over a DECADE have yet to see ONE positive reference.

fathom

8:59 am on Dec 30, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"The Philippines" 50+ valid orders

"Malaysia" 6 orders - six valid

"Egypt" 2 orders - 2 valid

"Russia" 1 order - 1 valid

I would tend to agree that "scams" are more prevalent in these regions (and others cited) but last year a $160 million CD scam ring in Vancouver was taken down.

A scam is the same in North America, and Europe and just as easy as anywhere else.

A valid sale is a valid sale - but obviously the closer to home it is the better we feel.

Dreamquick

9:33 am on Dec 30, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



BjarneDM,

I assume you are talking about the following from Crazy_Fool;

"if you want to check whether or not they change the customer details on the order page itself, pass the original details through the system as M_ values. use MD5 encryption if you want to hide this from customers that might look at or modify source code. in your callback you then compare $country (from the worldpay payment page) with M_country (as passed through the system). very simple and it works."

Then that is actually a pretty good method as long as you add a little something extra to the MD5 hash that the user has no knowledge of - this way they cannot generate their own (matching) hash since they cannot easily guess the string you put into the hash function.

I was almost right...
I was about to say this method would work as-is but it does need a little extra - a method whereby the processor can inform the client of the details of the transaction directly (ie without the user being able to access them).

I know for a fact that worldpay supports this type of thing - they refer to it as a callback function.

In case you were wondering (or if you are just idly browsing this) most one-way hash functions (such as MD5) take a chunk of data and effectively produce a small semi-unique signature for it. This hash signature is much smaller than the original input and cannot be back-engineered (hence one-way) to extract the original input.

From this position you can generate the hash for one set of data, then when you need to check if that data has changed you generate another hash for the new data and see if they match - if they don't then you know your data has changed somehow.

This might make more sense if I lay it out as a step-by-step approach - since all these scenarios start the same way and to avoid repeating myself I'll describe it just the once;

1) User enters address on your site
2) Your site stores the hash/address (referred to as data from this point onwards) either as a hidden variable or preferably in the session
3) User is taken to processor to pay
4) User changes address on processor site

Basic method (attempt #1)
In theory when you rely on the basic MD5 method without any extras here's how it should work...

5) Processor returns transaction data via the user
6) Your site compares the two sets of data to detect if the address was changed

In this case the changes would be detected since we have been shown both a genuine "before" and "after".

Basic method (attempt #2)
However if the user was out to be malicious then this is how that first method would be open to abuse...

5) Processor returns transaction data via the user
6) User modifies the transaction address in transit
7) Your site compares the two sets of data to detect if the address was changed

However since the user has modified the data they are passing back when we try to compare the two sets of data they should match - even though the reality of the situation is vastly different.

Hybrid method
Finally if we add a callback to the basic method we get something which is much harder to abuse...

5) Processor returns transaction data directly to your site
6) Processor returns transaction data via the user
7) User modifies the transaction address in transit
8) Your site compares the two sets of data to detect if the address was changed

Now even if the user modifies the data they are given we can still check what the processor actually used since they pass it back to us directly - this makes any attempt to abuse the system a whole lot harder.

- Tony
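
The server-side check described in the posts above (a hash with a secret the shopper does not know, compared inside the processor's direct callback), as an added example that is not part of the original thread. It substitutes HMAC-SHA256 for MD5 with an appended secret; the `M_` prefix comes from the thread, while the callback dictionary layout, the `M_tag` field, the key and the sample order are assumptions constructed for illustration and are not WorldPay's actual interface.

```python
import hashlib
import hmac

# Constructed demo key; in practice it lives only on the merchant's server.
SECRET_KEY = b"constructed-demo-key"
FIELDS = ("name", "address", "postcode", "country")


def sign_order(details):
    """Keyed tag over the details the shopper entered on the merchant site."""
    # Length-prefix every value so field boundaries cannot be shifted.
    parts = [details[f].encode("utf-8") for f in FIELDS]
    msg = b"".join(str(len(p)).encode() + b":" + p for p in parts)
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def build_form(details):
    """Hidden M_* pass-through fields sent along to the payment page."""
    form = {"M_" + f: details[f] for f in FIELDS}
    form["M_tag"] = sign_order(details)  # hypothetical field name
    return form


def check_callback(callback):
    """Judge data the processor posted directly to the merchant server."""
    original = {f: str(callback.get("M_" + f, "")) for f in FIELDS}
    expected = sign_order(original).encode()
    supplied = str(callback.get("M_tag", "")).encode("utf-8")
    # 1. Were the pass-through values altered after we signed them?
    if not hmac.compare_digest(expected, supplied):
        return "reject: pass-through fields altered"
    # 2. Did the shopper change details on the processor's payment page?
    changed = [f for f in FIELDS if str(callback.get(f, "")) != original[f]]
    if changed:
        return "review: changed on payment page: " + ", ".join(changed)
    return "accept"


# Constructed sample order and three constructed callbacks.
ORDER = {"name": "A. Shopper", "address": "1 High Street",
         "postcode": "AB1 2CD", "country": "GB"}
FORM = build_form(ORDER)
UNCHANGED = {**ORDER, **FORM}
CHANGED_AT_PROCESSOR = {**ORDER, **FORM, "country": "US"}
# M_country edited to match the new country, but the tag cannot be recomputed.
EDITED_PASS_THROUGH = {**CHANGED_AT_PROCESSOR, "M_country": "US"}

if __name__ == "__main__":
    for cb in (UNCHANGED, CHANGED_AT_PROCESSOR, EDITED_PASS_THROUGH):
        print(check_callback(cb))
```

Keeping the original details in the server-side session, as step 2 of the post prefers, removes the need for the tag entirely; the keyed tag only matters when the values have to travel through the browser.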
