Credit card fraud - how to deal with it?

         

michaelday

10:41 pm on Aug 10, 2001 (gmt 0)

From your experience, what is the percentage of fraudulent credit card purchases and what is the best way to protect yourself if you are selling digital goods?

GWJ

12:15 pm on Aug 14, 2001 (gmt 0)



We used to get hit with cc fraud from outside of the USA a LOT, it has petered out. Not sure why USA had low amounts of attempts VS. "the rest" (yes generalized as I did not want to go into demographics). We actually had to put our CC gateway processor on authorize only. This makes it hard some days as I hate taking time to review orders but when we used to get CC fraud we had the normal 2% or 3% for the transaction which made for a losing equation when items are $100.00 and up. Sorry I do not have "hard % numbers" to quote from. We routinely get one order a week for 2K plus (random people/orders). Just seems to be a rule of thumb on this site.

Brian

P.S. Just an aside, I still remember taking out friends to dinner (around three couples) to celebrate our "first big order" around $2500. Man was I bummed out when three months later I get the bill/dispute notification. Paid back the transaction amount + the initial % taken for the sale + dinner + self embarrassment = one large dinner bill ;).

john316

12:31 pm on Aug 14, 2001 (gmt 0)

That is one of the "red flags" with any cc purchase: Large orders. If someone shows up for the first time and buys 6 microwaves or "one of everything", you should flag it. Most first time customers at your site will start small with an item or two and as trust with you is established will make larger purchases. If someone goes out of the normal range (starting small and incrementally going higher), you may have a problem.

michaelday

9:52 pm on Aug 14, 2001 (gmt 0)

Thanks guys,

I'm selling digital goods and in my case it appears that quite a few people attempt to place fraudulent orders, most of them from the US, usually people using AOL as their Internet provider. How difficult is it to trace an AOL IP address and how easy is it for someone to obtain a valid credit card number to do this?

Marcia

10:14 pm on Aug 14, 2001 (gmt 0)

michaelday, there are people who actually set up phony web sites to fraudulently obtain people's AOL password - possibly their credit card numbers also. Once they have the password and username, they're all set. AOL does have security people to check things like this out, but I imagine something would have to be reported for them to know to investigate. But chances are there's more than one vendor getting hit, so one will be first, the others gaining the benefit of it having been reported.

I would try to contact the security people at AOL directly to see if they can offer some clues to help prevent fraudulent charges. It's unlikely that these are paid AOL subscribers; much more likely fraudulently obtained usernames and passwords, giving the thieves anonymity. AOL operates by proxy, but there must be some way they have to check. It's been going on for quite a while.

michaelday

1:20 am on Aug 15, 2001 (gmt 0)

Marcia,

In my case the thieves don't appear to be very sophisticated. They leave their IP address behind and they also appear to be working from very slow Internet connections (I can see this from their download speeds). I'm assuming that they are using randomly generated credit card numbers. But it is funny that it is always AOL accounts. I guess more and more people realize how easy it is to cheat on the Internet and that usually there are no consequences. That is what is most scary here. I'm lucky because I'm selling digital goods so it doesn't cost me much when someone commits fraud, but it is getting frustrating to always have to check every single order for signs of fraud.
I can just imagine what is happening at some larger online stores that ship more expensive goods. And on top of that, credit card companies take no responsibility for merchants' losses.

David

10:45 pm on Aug 15, 2001 (gmt 0)

That's interesting that you mention slow download speeds. I never noticed that but I was getting hit from IE 4.0 on a Mac and they would hit me in waves of orders.

I started address verification and it has all but stopped the fraud attempts. I went for a period of time where I got a lot of mismatches, I would email them and never hear back.

If they find that you are an easy target they will start coming from everywhere.

arachnid

12:02 am on Aug 16, 2001 (gmt 0)

Hi all,

Just a thought, but I have heard of systems that will flag any order with a hotmail or free internet based email account for further checking and verification. It has happened to me in the past when ordering and using a usa.net account as my email. Some required me to use an ISP based address (not much use with your AOL users I know) and for larger items I have even had to phone the company. Not foolproof but enough to scare off the small time fraud.

Theo_Runia

8:56 am on Aug 25, 2001 (gmt 0)



We sell books from the Netherlands.
The amounts are low so fraud is low too.

But I check each and every address, even most international orders. I use [teldir.com...] to check most.
If I find a problem I e-mail the customer; if it's a fraudulent order then nothing is heard from them in most cases.

Most fraud in the Netherlands is because most websites ship without getting payment, and rely on people paying afterwards (most don't have credit cards here). A lot of people are learning that on small amounts you don't have to pay as the chances of even getting a reminder are small.

So I made a rule: no sale on credit. Only prepayment or credit card.

Gr, Theo

tedster

3:45 pm on Aug 25, 2001 (gmt 0)

This link [builder.cnet.com] on another thread goes to a CNet page about contracts. Toward the bottom there is a sample matrix for assessing the threat of payment fraud.

Looks like a good place to start creating your own rules.

msr986

6:37 pm on Aug 25, 2001 (gmt 0)

On our selling sites we only ship to the credit card's billing address.

It is hard to use a stolen card number when only the card holder will receive the merchandise!

Crazy_Fool

11:56 pm on Aug 26, 2001 (gmt 0)

michaelday
digital downloads are always going to be an easy target for fraudsters as they don't need to give a real address or anything. why not burn the stuff onto CD and post it out to them instead ? that would stop the vast majority of your fraud problems.

goldm

4:32 pm on Aug 27, 2001 (gmt 0)



We use AVS (Address Verification Service) and absolutely will not fill an order if there is a mismatch.

@aol, @hotmail, are good warning signs, but, never underestimate the value of a confirming e-mail before filling the order. Often the AOL user has a different "real name" in their profile that gives them away.

Be alert to mismatches in the offered cardholder name and offered e-mail address; i.e. cardholder is supposedly "John Smith" while the e-mail address is "suziejones@aol.com"

The risk is not limited to the amount of sale for those of us who sell our goods and services over the Internet.

Anyone who makes an online credit card purchase from you may have your merchant ID number which amounts to the same thing as your checking account number. ARMED WITH THAT, THEY CAN INITIATE CREDIT/REFUND TRANSACTIONS. This happened to us to the tune of $10,000 last year before we tracked them down.

crash

7:47 am on Sep 3, 2001 (gmt 0)

Gosh I am glad I found this thread!

We have an occurring problem with credit fraud. (webhosting company) One of our biggest was from Malasya (sp? it's late) We got like 25 orders... worked with Visa's fraud dept.. so that all worked ok.. but we continue to get them here and there - usually for full servers (big $$) yet now they come from NJ (a lot of them) - about the only thing that has really worked is sending an email requesting confirmation (cuz it's such a big order and all) and calling the number supplied, then refusing the order if things don't check out. AVS does not always work (these guys all have the right address) and many times we end up notifying the real card owner that their card is stolen! Amazingly, besides their gratitude, they ask what we do and we have gotten several long term accounts from this practice.

Marcia

7:56 am on Sep 3, 2001 (gmt 0)

I've heard it told by one person who had fraudulent orders from that country that he started to send a "test charge" of a tiny amount to check it out first. I don't know the details, but he reported that it somehow worked for him.

Marshall

6:11 am on Sep 6, 2001 (gmt 0)

How many of you are familiar with the AOL Billing Scam? It's a monthly event and was brought to my attention by a friend of mine from England. She asked me to look into it and this is what I found.

At the beginning of every month, Emails are sent to AOL customers stating that their credit card was denied for their monthly renewal and to "go to their secure site with a new credit card in order to avoid a late charge." The return address on the Email is usually Billing@aol.com. It is signed, Customer Service.

The Email contains a link to a page which is a pirated copy of AOL's home page. In it there is a form created by the thieves which requests the following: Screen Name, Password, Name, Address, Credit Card Number, Expiration Date, CREDIT LIMIT, Social Security Number, Mother Maiden's Name, Bank Name and appropriate account numbers, and the four digit PIN on the back of the credit card. Believe it or not, people do fill this out.

The page was hosted on some island in the Pacific. The form was being processed by an ISP in Houston. The form had an Email redirect to a yahoo account. In my conversations with AOL, they said there's little they can do since the site is hosted in a foreign country. But I do know that the FTC and FBI have an ongoing investigation. Seems the thieves just bulk mail AOL accounts and the scam is nothing more than identity theft. And since the physical card itself is not stolen, most card owners don't know what happened until they get their bill.

Just remember when you get a large order - if it sounds too good to be true, it probably is fake.

boxman

6:06 pm on Sep 14, 2001 (gmt 0)

I sell physical stuff online, and sending items as gifts to an address other than the card billing address is an important part of my business. Managing fraud takes up more time than actually packing and shipping the orders. But you have to be diligent, because fraudsters usually have friends and one defeat often leads to ten more attempts and even more work.

Here is my advice:

-- At the risk of sounding pretentious, every site should have a "risk management policy" in which you identify risk factors from your own experience and published discussions, and decide how you will handle each factor or combination of factors. Once you have a policy, follow it rigidly, no exceptions, ever. On the Internet, no one knows you're a dog. Whatever you think you know about your customer is probably an illusion. If you agonize over every case, you will end up spending even more time, and get scammed more for your efforts. I had a customer turn fairly purple once when I wouldn't fill his order, but too bad. Honest people tend to be more reasonable, and anger is itself a strong risk factor.

-- AVS is only a start. You can also call the bank, contact the card-holder through public directories, and send written verification forms to the billing address. I call the bank on every international order (which only costs a buck or so to most countries nowadays.)
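
Added example, not part of any post in this thread: one way to write down the kind of fixed risk policy described above as code, using red flags raised by posters so far (AVS mismatch, large first order, cardholder name not matching the e-mail address, free e-mail account, shipping to a non-billing address, international order). The weights, thresholds, domain list and field names are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed values: weights, thresholds and the domain list are assumptions
# to be tuned against your own chargeback history, not figures from the thread.
FREE_MAIL = {"aol.com", "hotmail.com", "usa.net", "yahoo.com"}
HOME_COUNTRY = "US"
LARGE_FIRST_ORDER = 250.00
WEIGHTS = {
    "avs_mismatch": 50,
    "large_first_order": 30,
    "name_email_mismatch": 20,
    "ship_to_differs": 20,
    "international": 20,
    "free_email": 10,
}
REVIEW_AT, DECLINE_AT = 20, 50


@dataclass
class Order:
    cardholder: str
    email: str
    amount: float
    prior_orders: int      # completed, undisputed orders from this customer
    avs_match: bool        # result returned by the payment gateway
    billing_country: str
    ship_to_billing: bool


def name_matches_email(cardholder: str, email: str) -> bool:
    """True if any name part of 3+ letters appears in the mailbox name."""
    local = re.sub(r"[^a-z]", "", email.split("@", 1)[0].lower())
    parts = [p for p in re.split(r"[^a-z]+", cardholder.lower()) if len(p) >= 3]
    return any(p in local for p in parts)


def risk_flags(o: Order) -> list:
    checks = {
        "avs_mismatch": not o.avs_match,
        "large_first_order": o.prior_orders == 0 and o.amount >= LARGE_FIRST_ORDER,
        "name_email_mismatch": not name_matches_email(o.cardholder, o.email),
        "ship_to_differs": not o.ship_to_billing,
        "international": o.billing_country != HOME_COUNTRY,
        "free_email": o.email.rsplit("@", 1)[-1].lower() in FREE_MAIL,
    }
    return [name for name, hit in checks.items() if hit]


def assess(o: Order):
    """Return (score, flags, decision); identical inputs always give the same answer."""
    flags = risk_flags(o)
    score = sum(WEIGHTS[f] for f in flags)
    decision = "decline" if score >= DECLINE_AT else "review" if score >= REVIEW_AT else "accept"
    return score, flags, decision


if __name__ == "__main__":
    # Constructed sample: the name/e-mail mismatch case described earlier in the thread.
    print(assess(Order("John Smith", "suziejones@aol.com", 120.00, 0, True, "US", True)))
```

A "review" result is where the manual steps from the thread apply: the confirming e-mail, the phone call, or the call to the issuing bank.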

Marcia

3:39 am on Sep 15, 2001 (gmt 0)

A woman on an email list I participate in, with a lot of online merchants, said that she stopped taking international credit card orders altogether. She has the other party do a bank wire transfer, which she says is very reasonable (I think she said $8.00 USD), and perfectly safe. When she receives the funds she makes the shipment.

volatilegx

10:36 pm on Sep 18, 2001 (gmt 0)

I use Authorize.net for my credit card internet gateway and they have a program called Fraud-Screen.net. It is some kind of neural network system that analyzes spending patterns of credit card owners and assigns a risk score based on the purchase being evaluated and past purchases, etc. You can set your system to reject orders with too high a fraud risk score.

This system is light-years beyond the AVS system, although I recommend using that, too. It's too bad that non-US cards don't use AVS... It would really help.

drbill

8:11 pm on Sep 19, 2001 (gmt 0)

Well, reading all of this I would have to suggest that you get some sort of scrub... Pay someone that has a Neg CC database to scrub your sales and you will cut the fraud down very quickly BUT then again some people have done the ACK thing when they see their CC statement and then chargeback or refund. If you are selling tangibles make sure that you charge a little extra for "Signature Required". I know someone who does this and has been able to fight all chargebacks and refunds even though he does not have a signature at purchase.

goldm

7:22 pm on Sep 20, 2001 (gmt 0)



Got an interesting memo from VISA about increased risk to fraud for Internet merchants. Their CISP (Cardholder Information Security Program) procedures are calling for fines of up to $50,000 for *initial* merchant non-compliance.

The 12 requirements for Internet "pure play" merchants, "brick" merchants with a "click" component, processors, re-billers, hosts, merchant "enablers", "screen scrapers", or website operators are:

>Install and maintain a working network firewall to protect data accessible via the Internet
>Keep security patches up-to-date
>Encrypt stored data
>Encrypt data sent across open networks
>Use and regularly update anti-virus software
>Restrict access to credit card data to "need to know" employees
>Assign a unique ID to each person with computer access to credit card data
>Don't use vendor supplied defaults for system passwords
>Track access to credit card data by unique ID
>Regularly test security systems and processes
>Maintain a policy that addresses credit card information security for employees
>Restrict physical access to credit card holder information

woody

4:49 pm on Sep 21, 2001 (gmt 0)

Hi

My advice: watch for large orders (as said earlier). Also, I have noticed with the type of items that we sell that there is a pattern to buying, whereas a fraudster will just grab anything and everything. Obviously there is always the exception, but it is part of the whole picture to look at.

If you are unsure, try to get extra information: speak to the customer by phone; if no phone no., request a fax/scan of the credit card statement showing the address portion. We have even requested a scan of the front and back of the card before. If the order is fraudulent, watch the responses you get!

Shipping to billing address only does not offer full protection; it is dependent on who is processing your card. Fraudsters sometimes use card number generators and have goods shipped to a physical address connected to them. AVS should pick this up but some systems do not.

I would not ship to Romania or Eastern Bloc countries at all, same with the Far East. Try getting local police to prosecute these criminals; in some countries they don't care/have not got time/do not understand the technology.

There are lists on the web of some email accounts that are well known for fraudulent transactions.

Use this to find out WHO is trying to defraud you [ripe.net...]

Let them know on your site that you are FRAUD AWARE

GOOD LUCK!!

Trafficnapper

6:11 am on Sep 23, 2001 (gmt 0)



Nice thread,

One thing I have not seen mentioned is that if you get a large order .... make the people fax you back a signed contract. If people are buying large ticket items then this is a must and they should not have a problem with you making sure orders are valid. Before you release anything over the value of $250 or more get a signed contract via fax. The phone call and paperwork costs far outweigh the costs of a chargeback.

Still, you can get chargebacks. I am fighting with the card companies over a chargeback with a signed contract as we speak. Service was provided, we have proof, and have relayed this to the cc companies and the only thing that may save us a loss of $850 for services rendered. In this case we were never contacted till the cc company had already taken the money out of our account.

I also at one time owned a subscription based site; we lost a merchant account on that site because of chargebacks. If you don't have a signature or delivery receipt then you're out of luck, we were told. As a result I sold the sites because I was losing money on bandwidth and content I had already purchased. Though the cc companies felt my costs should not matter over a fraudulent consumer's word. All in all the chargebacks will not stop because the credit card companies make too much money off of them and like the power of dictating your business .... So to protect yourself get all the info possible, which can include the last 4 numbers of a social security number. As a last ditch effort the last 4 digits of a social security number can make it much easier if you turn the money owed over to a bill collection service. At the point you turn the bill over you may have to only take 40 to 50% of what the original cost is but heck, it's better than nothing.

Foremost and most important, get a signature; you do not need someone in an office 24 / 7 for this. Just make everything that is of a certain price or more have to be verified by a human and a signature faxed back before the content is shipped or electronically received. If a few people do not like this, well, that is tough because we are here to make money. It can be as simple as an email they must print and fax back in, after clicking on the order button. All in all it is another safeguard on your hard earned cash. If you do not watch your money these cc companies surely are not going to help you because they are making a killing on the systems that tack on all these chargeback fees.

michaelday

4:37 pm on Sep 23, 2001 (gmt 0)

Trafficnapper,

Great post!
What kind of subscription site did you own and where did most of the frauds come from?
I own a site that sells digital goods. The site is only four months old now so I haven't got any chargebacks yet but am expecting to start getting some soon. From your experience, how long does it take from the purchase to the chargeback? One month or more?

Tammy

11:41 pm on Sep 26, 2001 (gmt 0)

People who use AOL service seem to be less skeptical and more likely to be ones who would spend money on the net though.

nbrandon

8:56 pm on Oct 3, 2001 (gmt 0)



I haven't used CC processing on my sites yet because of the fraud problems (like above). However, I have come across a company called PayBox (http://www.paybox.co.uk) that is a German company (I believe it's half-owned by Deutsche Bank) which uses the customer's mobile phone for authorisation. The process is similar to below.

1. Customer enters their mobile number instead of CC number on your website
2. An operator from Paybox phones them and asks for a predetermined PIN number
3. The transaction is authorised and a SMS message is sent to the customer to confirm.

However, one big problem is the customer needs to register with Paybox first (similar to PayPal?) and set up a Direct-Debit.

What do people think of this kind of payment method? Do you think customers would use competitors' websites because of the extra hassle? Your comments would be great.

Thanks - Nick

(PS After reading what I typed, it sounds like I work for them, but I don't - Just trying to save you time viewing their site!)