osCommerce

The e-commerce.

Credit Card Fraud UK


Ian


http://www.early-warning.org.uk

 

Provides a blacklist of names/email addresses and sometimes IPs for people who have attempted/committed fraudulent credit/debit card transactions on any of the members' sites.

 

 

This is probably only of interest to UK users, although looking at the list of names on the blacklist, they seem pretty international.

Trust me, I'm an Accountant.

Link to comment
Share on other sites

I'm not sure how big their database is though, only 25 entries on both the members and non-members page.

 

They've only been up a couple of weeks though.

 

If this seems to take off I might consider contacting their webmaster to see if some kind of interactive service could be built. Then an osc shop could validate someone when they register.

Trust me, I'm an Accountant.

Link to comment
Share on other sites

If this seems to take off I might consider contacting their webmaster to see if some kind of interactive service could be built. Then an osc shop could validate someone when they register.

 

That's a good idea. Like the auto-currency rates you can do from the admin. Click to connect to download the latest fraud list to the shop.... Then have the shop e-mail you a report in case any of those buggers have set an account up with your store...

Link to comment
Share on other sites

This is really what we need! All merchants could use that database to compare with their own customer database....

 

In case of fraud we could add a record in that Early-warning database so that others are up to date immediately!

 

We have to keep this system open source and free of charge... there are systems that provide the same service (Cybersource, fraudscreen.net), but they are very expensive!!

 

Livio

Link to comment
Share on other sites

It's a step in the right direction.

 

We use this service and the more traders that join the better it will be!

Stu

 

There are 2 ways of doing things. . .

The Hard Way & The Easy Way. . .

The Hard Way is Bloody Hard! The Easy Way Doesn't work!

Link to comment
Share on other sites

The best thing to have would be a list of credit card NUMBERS but you cannot share them as it would invite people to go and shop with them.... So I was thinking....

 

We could encrypt the number before sharing it in a way you cannot decrypt it back.

So in your cart you'd have a function that takes the number punched in, one-way-encrypts it and checks it against the list.

 

The list itself isn't public, the interface to check a single cc number is.

 

Stolen numbers would be submitted (already encrypted) through a function in the shop.

 

This way NOBODY has the actual credit card numbers, only the one-way-encrypted outcome.

 

There could be lists of stolen numbers, frequent chargeback nrs etc.

The shopkeeper decides what actions to take.

What do you think?

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment
Share on other sites
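The scheme proposed in the post above, sketched as an added example (not code from the thread or from osCommerce): the shop fingerprints the number locally and only the fingerprint is reported or looked up. It uses a keyed HMAC-SHA256 rather than a bare hash, because card numbers are short enough to be enumerated against an unkeyed digest; `MEMBER_KEY`, `FraudList` and the lookup quota are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: a key distributed only to member shops (constructed value).
MEMBER_KEY = b"constructed-demo-key"


def fingerprint(card_number: str, key: bytes = MEMBER_KEY) -> str:
    """One-way, keyed fingerprint of a card number, computed inside the shop."""
    # Normalise first so "4111 1111..." and "4111-1111..." give the same result.
    digits = "".join(ch for ch in card_number if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("implausible card number length")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


class FraudList:
    """Hypothetical lookup service: stores fingerprints, never card numbers."""

    def __init__(self, max_checks_per_member: int = 1000):
        self._entries = {}  # fingerprint -> set of reasons
        self._checks = {}   # member id -> lookups used so far
        self._max = max_checks_per_member

    def report(self, fp: str, reason: str) -> None:
        """Record an already-fingerprinted card under a list such as 'stolen'."""
        self._entries.setdefault(fp, set()).add(reason)

    def check(self, member: str, fp: str) -> set:
        """Return the reasons recorded for a fingerprint (empty set if none)."""
        # The lookup answers yes/no for any value, so cap it per member
        # to stop it being used to enumerate the list.
        used = self._checks.get(member, 0)
        if used >= self._max:
            raise PermissionError("lookup quota exhausted for " + member)
        self._checks[member] = used + 1
        return set(self._entries.get(fp, ()))


def demo():
    service = FraudList(max_checks_per_member=2)
    # Constructed input: published test card numbers, not real accounts.
    service.report(fingerprint("4111 1111 1111 1111"), "stolen")
    hit = service.check("shop-b", fingerprint("4111-1111-1111-1111"))
    miss = service.check("shop-b", fingerprint("5555 5555 5555 4444"))
    return hit, miss
```

The shopkeeper still decides what to do with a hit, as the post says; the service only returns the list names recorded against that fingerprint.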

What do you think?

 

Err - isn't that what payment gateways are for? They do all of this for you :-)

 

Jan Wildeboer

You can't have everything. That's why trains have difficulty crossing oceans, and hippos did not adapt to fly. -- from the OpenBSD mailinglist.

Link to comment
Share on other sites

I'm a DIY kinda guy ;-)

 

Payment gateways are not always the best option as their rates are usually a lot higher than a contract with the credit card company directly. Furthermore most of them refuse things like alcohol, cigarettes, gambling, firearms and of course porn.

The fun stuff of life shall we say :roll:

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment
Share on other sites

if we say 'high', we mean really HIGH :-)

 

an example :

Cybersource rates (tax not included)

 

screening API = 700 Pounds

login registration = 900 Pounds

Support = 350 Pounds / month

Jump start (5 days support on site) = 10500 pounds !

Monthly fee = 350 pounds....

Fee per transaction = 0,126 pounds

Link to comment
Share on other sites

Whether you're using a direct merchant account or a payment gateway, they should be validating your credit card numbers, not only to prove the details are correct but also that the card number is not on the credit card companies' lost/stolen list.

 

I think the reason the early-warning website uses email addresses is not only to filter credit card fraudsters, but fraudsters in general.

Trust me, I'm an Accountant.

Link to comment
Share on other sites

Whether you're using a direct merchant account or a payment gateway, they should be validating your credit card numbers, not only to prove the details are correct but also that the card number is not on the credit card companies' lost/stolen list.

The credit card companies themselves give AUTHORIZATION on a transaction, they do not guarantee the transaction is genuine. Basically they say "Yeah, there are enough funds on this account". That's all. As for Visa (the biggest in quantity of transactions)... they do not even check the address records of foreign cards on mail-order transactions here in Holland, only domestic cards.

 

But you take the fall if you get ripped off.

Sigh.

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment
Share on other sites

But you take the fall if you get ripped off.

Sigh.

And that is the reason you should review all orders. Don't rely on payment gateways. Always expect the worst. Get paranoid. ;-)

 

If the name on the default address in osCommerce is not the same as the name of the card holder your alarm bell should ring.

 

If the order is to be delivered to a totally different address your alarm bell should ring.

 

The shop owner is responsible for his business. He cannot delegate this responsibility to the payment gateway or anyone else.

 

This is especially dangerous when you sell downloadable goods.

 

Maybe we should generally put all payment transactions on hold and have the shop owner review and approve them before they get sent. Just an idea.

You can't have everything. That's why trains have difficulty crossing oceans, and hippos did not adapt to fly. -- from the OpenBSD mailinglist.

Link to comment
Share on other sites

Just because I'm paranoid doesn't mean they're not after me

 

I agree. We manually process all orders. The process itself is automated as much as possible but no order will be authorized before it is actually reviewed by human eyes. Anything strange and the client will have to fax us a confirmation. Anything above a certain limit and the client will have to fax an actual photocopy of his credit card. I say we rule out 99% of the fraud attempts that way!

The only reason I'd like a database is so we all can benefit from cross-checking. A person that rips you off will go on to the next shop, he will not try it again at your place.... He's got the card number NOW and he knows it's a matter of time before the card gets blocked. So it doesn't make much sense to do all sorts of nice checks on your "own" collected data because it's a one-time try.

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment
Share on other sites

Mattice

 

they do not guarantee the transaction is genuine.

 

As you can guess I am no expert when it comes to Credit Cards clearing/payment gateways.

 

I'm surprised that there is so little checking. What is even more surprising is that if this is the case why are there not more resources out there to 'fill in the gaps'.

Or have I missed them? Are there others offering services like early-warning (whether commercial or non-commercial)?

Trust me, I'm an Accountant.

Link to comment
Share on other sites

I'm surprised that there is so little checking. What is even more surprising is that if this is the case why are there not more resources out there to 'fill in the gaps'.

It's a price thing. You can't expect cheap gateways to offer the full range of possible checking. Authorize.net for example will check the address if you want it to and are willing to pay for that.

 

Other companies offer credibility checks on-the-fly based on socio-demographic data (People living in Beverly Hills 90201 are more credible than folks living in the dot-com area or napster building ;-). But you will also have to pay for that.

 

So you have to make your own decision. Will the possible fraud cause enough damage to justify these extra costs? Or will I be able to cope with a 5% loss?

 

Or have I missed them? Are there others offering services like early-warning (whether commercial or non-commercial)?

The early-warning system sounds interesting, but I am afraid there are a lot of problems attached to it. How about data-protection laws? How about the sources of their information? How do they handle privacy issues? Can I object to being listed there? Can I get full insight in the stored data about me? As long as all of this is not solved I would be very careful.

You can't have everything. That's why trains have difficulty crossing oceans, and hippos did not adapt to fly. -- from the OpenBSD mailinglist.

Link to comment
Share on other sites

So you have to make your own decision. Will the possible fraud cause enough damage to justify these extra costs? Or will I be able to cope with a 5% loss?

 

If you look at it from a regular shop-in-the-real-world angle, the so-called chargebacks are for us e-comm guys what theft is to them. You'll have to live with it. The sport is to keep the percentage as low as possible...

IMHO if you're down 10 to 12% on each transaction already because of processing and checking costs you will eventually find it is a lot cheaper to invest in 'human' checking on your side.

And as for the gateways... If you get scammed a lot you get the same result as from the card companies... you take the fall. Read the small print, I've not seen a single gateway/processing company that doesn't have a clause that says "If your chargebacks exceed so and so much we will do something nasty so it's your wallet that gets robbed".... But if there is one I'd like to hear it!

This is one of the most unfair and frustrating things in e-commerce; you can't get the data so you can't properly check, nor can you ever LEGALLY prove it was the card-owner that shopped with you... BUT if it's smelly you lose, not Visa or their electronic gateway friends.

 

As you can guess I am no expert when it comes to Credit Cards clearing/payment gateways.

 

Fortunately for all of us at least some of your expertise lies in the coding field :)

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Link to comment
Share on other sites

If you do address verifies, and you do the CCV/CID/etc. number, you will eliminate most of the problems. Combine that with only shipping to the billing address (which remember you verified), and you are pretty darn safe if you use a standard shipping company as obviously the item went to the cardholder's address and it was delivered. You might also use Cardcops.com. Also, always report any fraud to www1.ifccfbi.gov here in the states. On foreign orders, we do call the country if the order is worth anything and verify with their bank, or we get Visa or MC to do so in most cases. Finally, on larger foreign orders, we use escrow.com. There are ways if you think about it to allow for shipping to a different address, including having the customer get with their bank and have them put their alternate shipping address on file. But there are other controls you could use.

We have successfully caught and prosecuted our one order that we accepted knowing better not too long ago, after 4 years of having ZERO purchases that we accepted that were fraudulent. The above steps caught all of them, even the one we stupidly shipped (but got back due to some other precautions, yes, we got lax). So, you do not HAVE to lose. But, yes, it takes effort. And no, people who shop are NOT anonymous for the most part, there are ways to track them down. And no, definitely, no automated solution will possibly catch your thieves.

 

Read your agreement carefully with each card company you accept, and feel free to call them and ask all those questions. Here in the US at least, I find them invaluable.

 

But, agreed with all who say it is YOUR responsibility as the merchant. Sometimes, you simply do not accept the order.

Steve

Link to comment
Share on other sites

In a nutshell, under the Terms of the UK Data Protection Act, if you release details of a customer then you are breaking the law.

 

Even if that Customer has defrauded you, there is no excuse for releasing his(her) details except to the relevant legal authorities.

 

If it was found out that you released to this early-warning site, then you could be in massive trouble...

 

Just a thought :?

Link to comment
Share on other sites

What early warning site are you speaking of? If you mean one from my post, FBI IS legal authority, and cardcops is used to get education about fraud, not report anyone. Otherwise, what did you mean?

Steve

Link to comment
Share on other sites

  • 6 months later...

I can attest to this first hand. My father took an 11K order, called in for authorization using the delivery address overseas as the card's billing address and the client's name as that on the card. Neither the address nor the card holder name were close or even on the same continent! So he gets the authorization code and we get stiffed for 11k!

Sons of B&^%@s at processing company and the card company point out that orders into some countries should be suspect, that they have literal industries based on CC fraud! If they are so suspect why aren't they flagged, because, and I quote, "That would be profiling"!!?

Now I need to try and switch processing companies or go out of business, the processing company just took 4k processed from an order and will take the remaining 7k bit by bit as I get orders. :-(

 

Anyone got any suggestions?

 

 

Whether you're using a direct merchant account or a payment gateway, they should be validating your credit card numbers, not only to prove the details are correct but also that the card number is not on the credit card companies' lost/stolen list.

The credit card companies themselves give AUTHORIZATION on a transaction, they do not guarantee the transaction is genuine. Basically they say "Yeah, there are enough funds on this account". That's all. As for Visa (the biggest in quantity of transactions)... they do not even check the address records of foreign cards on mail-order transactions here in Holland, only domestic cards.

 

But you take the fall if you get ripped off.

Sigh.

Link to comment
Share on other sites

Foreign orders are indeed a problem. For 11K, I would definitely call the bank directly, which Visa will give you the bank phone # if the customer does not. At least this is of some worth. Still for 11K, what I do is I insist on Escrow.Com or some similar service. I find them very useful on large overseas orders.

Steve

Link to comment
Share on other sites

As far as the bank and the processing company are concerned it's my problem, pay up. The Jerk even had the balls to try submitting a second and third order. FBI was not interested, foreign ISP was not interested (it was a free email service) and local sheriff is useless. So no more foreign orders and no more orders to users of mail services like Hotmail or Yahoo.

Foreign orders are indeed a problem. For 11K, I would definitely call the bank directly, which Visa will give you the bank phone # if the customer does not. At least this is of some worth. Still for 11K, what I do is I insist on Escrow.Com or some similar service. I find them very useful on large overseas orders.
Link to comment
Share on other sites

One thing I have done before is....

 

Charge a random amount to their card (say between ?0.01 and ?1.00) and then get them to tell me what the amount is. If they can't tell you the correct amount, it isn't their card. If they can, then they have access to the statement, either by mail or phone.

 

I'm not saying this is a cast iron safety measure but I think the card company would have a harder time wriggling out of responsibility if it is a fraudulent transaction.

 

Jon.

Link to comment
Share on other sites
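The random-amount check described in the post above, as an added example (not part of the original post or of osCommerce); the class name, the attempt limit and the expiry period are assumptions. With only 100 possible amounts between 0.01 and 1.00, unlimited guessing would defeat the check, so the helper locks the challenge after a few wrong answers.

```python
import secrets
import time


class MicroChargeChallenge:
    """Hypothetical helper: issue a random small charge and verify the answer."""

    def __init__(self, max_attempts: int = 3, ttl_seconds: int = 14 * 24 * 3600):
        self._pending = {}  # order id -> {"amount", "left", "expires"}
        self._max = max_attempts
        self._ttl = ttl_seconds

    def start(self, order_id: str, now: float = None) -> int:
        """Pick the amount to charge, in minor units: 1..100 means 0.01..1.00."""
        now = time.time() if now is None else now
        # secrets (not random) so the amount cannot be predicted from earlier ones.
        amount = secrets.randbelow(100) + 1
        self._pending[order_id] = {
            "amount": amount,
            "left": self._max,
            "expires": now + self._ttl,
        }
        return amount

    def verify(self, order_id: str, claimed_minor_units: int, now: float = None) -> str:
        """Return 'verified', 'retry', 'locked', 'expired' or 'unknown'."""
        now = time.time() if now is None else now
        entry = self._pending.get(order_id)
        if entry is None:
            return "unknown"
        if now > entry["expires"]:
            del self._pending[order_id]
            return "expired"
        if int(claimed_minor_units) == entry["amount"]:
            del self._pending[order_id]
            return "verified"
        # Wrong answer: count it, and drop the challenge once the limit is hit
        # so the order falls back to manual review instead of more guesses.
        entry["left"] -= 1
        if entry["left"] <= 0:
            del self._pending[order_id]
            return "locked"
        return "retry"
```

With three attempts allowed, a guesser succeeds at most 3 times in 100, which is why the poster's own caveat that this is not a cast iron measure still applies.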
