
Chargebacks - 3D (NOT) secure warning!


18 replies to this topic

#1 khime

  • Community Member
  • 137 posts
  • Real Name:Simon F

Posted 22 December 2007, 13:14

Just a warning to all internet retailers accepting credit cards. We have had cases where, even when the delivery address matches the cardholder's address and even when 3-D secure authenticated, there is just a criminal at the other end waiting to receive the goods.

We have sent 2 items of high value next day to this 3-D secure authenticated customer thinking it would be ok as no chance of fraud if address matches and also 3-D secure authenticated. So the guy gets his order and reorders again, this time using a different card for another item for next day delivery, but the card AVS didn't match. (We spoke to him and he gave an excuse saying it's his girlfriend's card; we didn't deliver this in the end and canceled it.)

He then reorders using the original 3-D authenticated card for another item next day delivery and rings us up on his mobile to confirm this would be done. As it was 3-D authenticated we thought there should be no risk to send, but because of the busy Christmas period we didn't do this. Next day he then reorders another item for next day delivery and our alarm bells start ringing. So we ignored the pending orders.

We then get a call from the Bank of Scotland advising us this customer is a fraud and not to deliver to him! I couldn't believe that this could happen. Obviously I'm worried that even with the 3-D secure authentication the card company will chargeback for the first order delivered. Can anyone confirm if this could happen?

I was thinking how it was possible for card companies to allow criminals to register cards to the correct address and commit fraud, then I thought about this and I think I know the answer but I won't say. If you want to know what I suspect then PM me.

So WORD OF WARNING, even if address matches and 3-D secure authenticated and it is for a high value item for next day delivery then you MUST do additional checks by yourself.

Warning signs
a) only mobile number provided
b) free email address used
c) The person is not registered to that address (in UK you can check BT phonebook and electoral roll)
d) "poorer" area (you can check the financial risk of that area using postcode, e.g. http://www.checkmyfile.com/). If it's a less well-off area then it is unlikely they are able to afford high-value goods

I hope this helps merchants with combatting fraudsters!

#2 Vger

  • Community Member
  • 16,978 posts
  • Real Name:R Anthony
  • Gender:Not Telling

Posted 22 December 2007, 14:19

The thing about 3D Secure is that if the card passes the test okay then the liability is transferred to the bank or card company - so there should not be any chargeback scenario.

Vger

#3 IridiumCorp

  • Community Member
  • 5 posts
  • Real Name:Sean Brietsche

Posted 03 March 2008, 14:29

If you have completed the 3D secure requirements then liability is shifted to the card issuer and they should not start a chargeback.

Did the bank take your money back?

#4 tronix

  • Community Member
  • 8 posts
  • Real Name:Peter Cummings
  • Location:London, UK

Posted 25 March 2009, 01:16

We use 3dsecure with all transactions (visa/mastercard secure) - this basically means no chargebacks and no fraud. Using this method together with our payment gateway which records all ip addresses and then scores each transaction to help minimize any risk. Unfortunately this was not implemented universally or made compulsory by many of the banks and credit card companies (I wonder why?) and has resulted in a situation where many online transactions do not comply - thus lost sales or fraud.

IT GETS WORSE - we spoke to our bank recently and they informed us that as the insurance companies are now withdrawing the guarantees for this scheme which means that the banks are also withdrawing from it. This is bad news as although we have been thankful to have a liability shift from us to the banks - the bottom line is it's still the insurance companies who, in today's current climate of credit crunch, are calling the shots. It seems to me that they know they can prevent online fraud - but to do so would mean they lose more money than they make - It's no wonder we are in recession!!

Edited by Jan Zonjee, 25 March 2009, 16:29.


#5 khime

  • Community Member
  • 137 posts
  • Real Name:Simon F

Posted 11 June 2009, 09:49

In the end I didn't get a chargeback for the fraud with the payment secured by 3D-secure so that was a good thing.

I'm not surprised that the insurance companies are withdrawing from the scheme as the fraudsters seem to have beaten the system already.

What we use is Sagepay Direct and the 3TM fraud rating included is quite accurate in spotting the fraudsters so we always wait for the fraud score before sending goods out.

We are still getting fraudsters ordering off our site and we just delete the orders and restock the items.

The pattern is so familiar

1) High fraud score on 3TM
2) Free email address and the user name bears no relation to the customers name
3) Usually using a card that is from a different country to the delivery country
4) Multiple declines on different cards (our Sagepay system records all failed transactions)
5) The "area" they want it delivered to doesn't match the value of the goods they are ordering
6) They always order "in stock" items to get it quickly before the card is blocked.

I wish there was a way of reporting these sales and get the police involved but I doubt they will do anything. I just feel sorry for the people whose card details they are using and the inconvenience of sorting it all out. In the end though the banks won't care as it's the merchant who gets the chargeback and loses the money.. GRR! :(

I wish there was a courier company that would provide a service that would ask for ID or to see the card they are using and signing a slip that matches the back of the card. I think that would solve a lot of the problems and I would be happy to pay for that service for an order that I wasn't sure about.

#6 toyicebear

  • Community Member
  • 5,474 posts
  • Real Name:Nick
  • Location:World Citizen

Posted 11 June 2009, 13:39

The main problem is that the system is set up with a fixed validation code for the customers.

Card companies should give electronic keycards for internet transactions, this would then be way more secure...since such a code only has about 30 seconds validity...

So even if someone captures and/or stores the security code, they would be unable to use it for making fraudulent transactions.

Edited by toyicebear, 11 June 2009, 13:39.

Basics for osC 2.2 Design - Basics for Design V2.3+ - Seo & Sef Url's - Meta Tags for Your osC Shop - Steps to prevent Fraud... - MS3 and Team News... - SEO, Meta Tags, SEF Urls and osCommerce

Check out my profile [click here] for information on professional services, custom coding, templates, SEO optimization, modifications, commercial support and help.

#7 jhande

  • Community Member
  • 2,013 posts
  • Real Name:Jim Hande
  • Gender:Male
  • Location:White Mountains, NH USA

Posted 23 June 2009, 07:21

Here's something that has me wondering...

I have a charge card which is actually a debit card linked to one of my bank accounts.

I keep a limited amount of money in that account just in case of fraud.

Anyway...

Besides my card number and CVV there is an online SecureCode number.

There have only been a few online shops that implement it, but after filling in my details and clicking on the submit button another window pops up. That window is linked to my credit card and I must fill in my SecureCode before my order will be accepted and processed. As soon as I click on the submit button of the SecureCode window an email is sent to me. The email contains all the details of the order. I'm not sure if this online SecureCode is due to the credit card company or my bank, but it sure seems to make identity theft and fraud more difficult.

I'm wondering why more online shops don't have such a feature implemented. :huh:
- :: Jim :: -
- My Toolbox ~ Adobe Web Bundle & WinMerge | Install ~ osCommerce v2.2 MS2 060817 -
- Not 4 Hire ~ Please DO NOT PM me for help. I really do not have a clue what I am doing! -

#8 toyicebear

  • Community Member
  • 5,474 posts
  • Real Name:Nick
  • Location:World Citizen

Posted 23 June 2009, 09:44

jhande, on Jun 23 2009, 08:21 AM, said:

Here's something that has me wondering...

I have a charge card which is actually a debit card linked to one of my bank accounts.

I keep a limited amount of money in that account just in case of fraud.

Anyway...

Besides my card number and CVV there is an online SecureCode number.

There have only been a few online shops that implement it, but after filling in my details and clicking on the submit button another window pops up. That window is linked to my credit card and I must fill in my SecureCode before my order will be accepted and processed. As soon as I click on the submit button of the SecureCode window an email is sent to me. The email contains all the details of the order. I'm not sure if this online SecureCode is due to the credit card company or my bank, but it sure seems to make identity theft and fraud more difficult.

I'm wondering why more online shops don't have such a feature implemented. :huh:


Many shops and payment processors do have this system implemented.

But it's also dependent on the customer having signed up for Visa 3D secure or Mastercard SecureCode at their bank.

Some shops abuse even this system by storing your card info, cvv info and the SecureCode you give and then process the payment themselves afterwards...

If they then get hacked or just sell off your info then anyone could use your card, cvv and the SecureCode to shop using your card.

Then the whole point of such a system is invalid.

As mentioned in the above post, an electronic key solution with a max. time validity of 30 seconds would make such manual storing and processing impossible and hence the transaction would be actually verified as being from the actual customer.

Or alternatively a one time code per individual transaction is sent by email or sms, which has to be inputted on the payment site within a certain time frame to be active.

Edited by toyicebear, 23 June 2009, 09:47.


#9 jhande

  • Community Member
  • 2,013 posts
  • Real Name:Jim Hande
  • Gender:Male
  • Location:White Mountains, NH USA

Posted 23 June 2009, 20:07

toyicebear, on Jun 23 2009, 05:44 AM, said:

If they then get hacked or just sell off your info then anyone could use your card, cvv and the SecureCode to shop using your card.

Guess it's a good thing my card can only be used for the available funds in the account and I rarely shop online.

#10 matbennett

  • Community Member
  • 125 posts
  • Real Name:Mat Bennett
  • Gender:Male

Posted 24 July 2009, 09:32

We've seen the same, where obviously fraudulent orders have passed 3D secure authentication.

As far as I can tell the problem is that the fraudsters get the details of a card before it has been registered for 3D secure and then register it themselves. They are then free to use it as much as they want and get an authenticated result every time.

This is slightly more limiting to them as, if the original card holder uses the card online they will probably notice a problem (they can't use it themselves!), but it still gives the fraudsters a free run until that happens. If you were forced to register the card when it was issued this would seem to get around the problem, but the card issuers don't seem to be moving towards that situation.

To combat this (and related issues) we've been working on a system for osCommerce to record key details about fraud attempts across merchants and then allow this database to be queried when the order is processed. This then automatically flags up transactions that match those that other merchants have had problems with. Although we've only been running this on a couple of stores as a test it is proving interesting. It's quite amazing how many fraudsters' emails, addresses, IPs etc show up time and time again. It strikes me that a relatively small group are very active so an information sharing system like this could be quite effective as a way of reducing the problem.

We're about to start beta testing this with some other merchants. If anyone here would like to take part let me know. I've put a thread up about this here:
http://forums.oscommerce.com/index.php?showtopic=341345

Hoping to have it released as a full public contribution before xmas, but want to get it tested with some more merchants first.
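The cross-merchant lookup described in post #10, sketched as an added example that is not part of the thread and not the contribution's own code: indicators are normalised and stored as keyed hashes so stores can match on them without exchanging raw customer details. The shared key, the class and function names and the sample values are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: participating merchants hold one shared key, so indicators can be
# compared without passing raw customer details between stores.
SHARED_KEY = b"constructed-demo-key"

def normalise(kind, value):
    """Canonical form, so trivial variations of the same detail still match."""
    v = value.strip().lower()
    if kind == "email":
        local, _, domain = v.partition("@")
        return local.split("+", 1)[0] + "@" + domain   # drop "+tag" suffixes
    if kind == "postcode":
        return v.replace(" ", "")
    return v                                           # ip etc.: trimmed, lower-cased

def fingerprint(kind, value):
    """Keyed hash of one indicator; the kind is included so fields never collide."""
    msg = (kind + ":" + normalise(kind, value)).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()

class SharedFraudList:
    """In-memory stand-in for the shared database (hypothetical interface)."""
    def __init__(self):
        self._reports = {}          # fingerprint -> set of reporting merchants

    def report(self, merchant, indicators):
        for kind, value in indicators.items():
            self._reports.setdefault(fingerprint(kind, value), set()).add(merchant)

    def check(self, order):
        """Return {field: number of distinct merchants that reported it}."""
        hits = {}
        for kind, value in order.items():
            merchants = self._reports.get(fingerprint(kind, value), set())
            if merchants:
                hits[kind] = len(merchants)
        return hits

def demo():
    # Constructed reports and order; addresses use documentation-only ranges.
    shared = SharedFraudList()
    shared.report("shop-a", {"email": "fast.buyer@example.com", "ip": "203.0.113.7"})
    shared.report("shop-b", {"email": "Fast.Buyer+tv@example.com", "postcode": "ZZ1 1ZZ"})
    new_order = {"email": " fast.buyer@EXAMPLE.com", "ip": "198.51.100.20",
                 "postcode": "zz11zz"}
    return shared.check(new_order)
```

A field reported by several independent merchants is a stronger signal than one reported once, which is why `check` returns counts rather than a yes/no flag.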

#11 khime

  • Community Member
  • 137 posts
  • Real Name:Simon F

Posted 12 October 2009, 13:14

Hello All

Just an update to this thread.

We have just been hit with a chargeback confirmation and we need some advice on our next steps to recover the money?

Background

1) Customer ordered a product online in June 2009 and paid through Sagepay
2) Item was in stock
3) CV2 value is passed
4) Address and postcode is green ticked
5) 3D secure was not completed or skipped
6) Ordered off UK IP address and paid using UK card
7) Email was yahoo and mobile phone number provided
8) The 3rd Man fraud checking results as "low risk" transaction
9) We dispatched the item for next day delivery to the cardholder's address with tracking number and got the signature
10) We got a letter in Sept saying customer denies making purchase and the money is taken from our account (as per chargeback rules)
11) We dispute this by providing the transaction details and tracking number as above to the merchant bank to prove we delivered the item to the customer.
12) The merchant bank then replies saying sorry they can't do anything as under the current (UK) rules payment is only guaranteed if the card is swiped and a signature or pin number is provided!

Obviously this isn't possible with online sales and I was wondering if anyone has any experience how to deal with this? I'm thinking to speak to a solicitor soon with regards to maybe suing the customer as they are obviously trying to defraud us.

We have done all we can to minimise risk and yet this kind of thing happens. All I can say is that the banks need to get it together to provide a better way of reducing fraud for online purchases but I suppose they don't care as it's the merchants who ultimately lose the money.

With regards to the 3D secure I know about it but I have seen most customers not use this facility. I.e. they get asked for 3D secure signup when purchasing online but they can skip it and continue the purchase as it's a barrier to purchasing. And only certain card providers do this so I don't think this is a great solution.

Regards

Simon

Edited by khime, 12 October 2009, 13:18.


#12 khime

  • Community Member
  • 137 posts
  • Real Name:Simon F

Posted 13 October 2009, 11:44

Hello Everybody

Just to update things

Just spoke to the merchant bank and they said the only way we are not liable for chargeback is if the transaction is 3D secure authenticated (even if we think likely to be a fraud as per my above posts).

So the rule of thumb is that if the sale is not 3D secure authenticated then you are always at risk of chargeback even if you deliver to the cardholders address!

This poses a problem as:

1) not all card issuers do the 3D secure authentication

2) If the card company does do 3D secure authentication the customer can elect not to enrol in it (i.e. bypass the 3D secure signup when asked)

We were advised by the merchant not to allow card payments that are not 3D secure authenticated but we feel this will lead to lots of valid sales being rejected.

We are developing a company procedure how to deal with sales generated not 3D secure authenticated. You will have to deal with cases like these on a case by case basis for your own webstore.

I hope this helps clear up some questions about chargebacks and maybe help prevent some fraud

Regards

Simon
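A sketch of the kind of order-review procedure posts #5, #11 and #12 point towards, as an added example that is not part of any post: it records who carries chargeback liability (the issuer only when 3D Secure authenticated) separately from the warning signs listed in the thread, because post #1 shows an authenticated order can still be fraud. Field names, thresholds and the sample orders are assumptions, not a gateway's schema.

```python
# The last domain is a constructed one used by the sample orders below.
FREE_MAIL = {"yahoo.com", "hotmail.com", "gmail.com", "freemail.example"}
HIGH_VALUE = 300.00   # assumed threshold (GBP) above which extra checks apply
HIGH_SCORE = 70       # assumed cut-off for a gateway fraud score of 0-100

def warning_signs(order, history):
    """Warning signs from the thread that are present on this order."""
    signs = []
    local, _, domain = order["email"].lower().partition("@")
    if domain in FREE_MAIL:
        signs.append("free_email")
        parts = [p for p in order["name"].lower().split() if len(p) > 2]
        if not any(p in local for p in parts):
            signs.append("email_name_mismatch")
    if order["mobile_only"]:
        signs.append("mobile_only")
    if not order["avs_match"]:
        signs.append("avs_mismatch")
    if order["card_country"] != order["delivery_country"]:
        signs.append("card_country_mismatch")
    declined_cards = {h["card"] for h in history if h["result"] == "declined"}
    if len(declined_cards) >= 2:
        signs.append("declines_on_several_cards")
    recent = [h for h in history if h["days_ago"] <= 2]
    if order["next_day"] and len(recent) >= 2:
        signs.append("rapid_next_day_reorders")
    return signs

def triage(order, history=()):
    """Decide ship / review / hold and record who bears chargeback liability."""
    signs = warning_signs(order, history)
    liability = "issuer" if order["three_ds"] == "authenticated" else "merchant"
    if order["fraud_score"] >= HIGH_SCORE or len(signs) >= 3:
        action = "hold"      # strong evidence, whatever the 3D Secure result
    elif order["total"] >= HIGH_VALUE and (liability == "merchant" or signs):
        action = "review"    # high value and either unprotected or suspicious
    else:
        action = "ship"
    return {"action": action, "liability": liability, "signs": signs}

# Constructed orders for illustration.
BASE = {"name": "Jo Bloggs", "email": "jo@bloggs.example", "mobile_only": False,
        "avs_match": True, "card_country": "GB", "delivery_country": "GB",
        "three_ds": "authenticated", "fraud_score": 5, "total": 40.0,
        "next_day": False}
# Like post #11: every check green, but 3D Secure skipped on a high-value order.
SKIPPED_3DS = dict(BASE, name="Alex Example", email="alex.example@freemail.example",
                   mobile_only=True, three_ds="skipped", fraud_score=15,
                   total=450.0, next_day=True)
# Like post #1: authenticated, but repeated next-day orders and a second card.
REPEAT_BUYER = dict(BASE, name="Sam Sample", email="qwerty99@freemail.example",
                    mobile_only=True, fraud_score=40, total=600.0, next_day=True)
REPEAT_HISTORY = [{"card": "A", "result": "ok", "days_ago": 2},
                  {"card": "B", "result": "cancelled", "days_ago": 1},
                  {"card": "A", "result": "ok", "days_ago": 1}]
```

`triage(SKIPPED_3DS)` comes back as a review with merchant liability, while `triage(REPEAT_BUYER, REPEAT_HISTORY)` is held even though the issuer would carry the chargeback.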

#13 securityshop

  • Community Member
  • 11 posts
  • Real Name:David Morison

Posted 29 December 2009, 23:42

Hi all,

I am new to this oscommerce. I am working for a company and we are looking for 3d secure program for our website. Our company website was built by outsource people and shopping cart used OScommerce. I have worked in another company previously where they had a lot of chargebacks and they didn't have 3D, but when I spoke with the bank they said it reduces the risk if you have the 3D option. I am looking for an oscommerce contribution that offers the 3d secure and which bank offers it. Any help would be helpful.

thank you,

david

#14 ATorres

  • Community Member
  • 3 posts
  • Real Name:Anthony Torres

Posted 15 March 2010, 20:22

A major problem with 3DS is that there is a drop off rate associated with the service. Additionally, there was a recent study completed by the University of Cambridge that ripped 3DS apart. - http://www.v3.co.uk/2256859

Edited by ATorres, 15 March 2010, 20:22.


#15 khime

  • Community Member
  • 137 posts
  • Real Name:Simon F

Posted 28 April 2010, 15:11

ATorres, on 15 March 2010, 20:22, said:

A major problem with 3DS is that there is a drop off rate associated with the service. Additionally, there was a recent study completed by the University of Cambridge that ripped 3DS apart. - http://www.v3.co.uk/2256859

Hi yes, that is one of the reasons we don't have 3D secure enabled as "must have" before authentication as we are aware that this could cost us potential sales due to the poor implementation.

What we have found is to use a courier company that accepts delivery instructions, and for any suspicious orders we ask the customer to show the card paid with to the driver before the goods are released. This has stopped quite a few dodgy orders already and the goods get returned to us. Still it's annoying that we have found that the customer is a crook and there is nothing we can do about it!

Seems like this card-checking before delivery solution is much simpler than using the 3D secure technology.

For an alternative solution to 3D secure; for my Natwest card there is a separate machine that I need to put in my card and type a pin number to generate a 6 digit authorisation code if I want to make a payment via online banking. I don't know why this can't be used for online transactions instead of 3D secure as this cannot be compromised using keylogging devices. Obviously it's annoying to carry this device around so it should be allowed for the merchant to set a "transaction limit" so that any transactions over a certain amount would need this authorisation code, and any under the limit will not need it - so small purchases can be completed efficiently.
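How a short-lived code of the kind proposed in posts #6 and #8, combined with the transaction limit suggested in post #15, could be checked on the issuer side. This is an added example, not part of any post: it uses the standard TOTP algorithm (RFC 6238) as a stand-in, since the thread does not say how any bank's device derives its codes, and the secret shown is the RFC's published test key.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds a code stays valid, the figure suggested in the thread
DIGITS = 6     # length of the code shown on the customer's device

def totp(secret, at, step=STEP, digits=DIGITS):
    """RFC 6238 code for the time window containing Unix time `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class CodeVerifier:
    """Issuer-side check: right code, current window, never accepted twice."""
    def __init__(self, secret):
        self.secret = secret
        self.last_used_step = -1

    def verify(self, code, now):
        step_no = int(now) // STEP
        if step_no <= self.last_used_step:
            return False          # this window already produced an accepted code
        expected = totp(self.secret, now)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return False          # wrong code, or one from another window
        self.last_used_step = step_no
        return True

def needs_code(amount, limit):
    """Transaction limit from post #15: only larger payments need the code."""
    return amount >= limit

def authorise(verifier, amount, limit, code, now):
    """Approve small payments directly, larger ones only with a fresh code."""
    if not needs_code(amount, limit):
        return True
    return code is not None and verifier.verify(code, now)

# Published RFC 6238 test key, used here as sample data.
RFC_SECRET = b"12345678901234567890"
```

A code captured at second 59 is rejected when replayed in the same window and again once the window has rolled over, which is the property the fixed SecureCode password lacks. No clock-drift allowance is included; a deployment would decide how many adjacent windows to tolerate.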

#16 arnoldblack

  • Community Member
  • 3 posts
  • Real Name:Arnold Black

Posted 17 September 2010, 16:33

How do you know it wasn't the actual cardholder making the buy but making it look like fraud so he can get the item for free? How could a fraudster get his 3d code and have access to his home?

#17 dontlike2pay

  • Community Member
  • 188 posts
  • Real Name:Kai
  • Gender:Male
  • Location:United Kingdom

Posted 06 October 2010, 00:46

What is 3D secure? Is it the same as some Cardholder Authentication in RBS WorldPay page? Please see link below with all details.

Royal Bank of Scotland Cardholder Authentication

In that page, It seems Liability Shift is still in place and as long as you are enabled for Authentication during fraud detection process, you are pretty much covered for most payments fraud-wise.

Please correct me if I'm wrong as I am about to integrate RBS Worldpay into my site.

Thanks


#18 porpoise1954

  • Community Member
  • 178 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Jersey

Posted 18 November 2011, 20:45

toyicebear, on 23 June 2009, 09:44, said:

Many shops and payment processors do have this system implemented.

But it's also dependent on the customer having signed up for Visa 3D secure or Mastercard SecureCode at their bank.

Some shops abuse even this system by storing your card info, cvv info and the SecureCode you give and then process the payment themselves afterwards...

If they then get hacked or just sell off your info then anyone could use your card, cvv and the SecureCode to shop using your card.

Then the whole point of such a system is invalid.

As mentioned in the above post, an electronic key solution with a max. time validity of 30 seconds would make such manual storing and processing impossible and hence the transaction would be actually verified as being from the actual customer.

Or alternatively a one time code per individual transaction is sent by email or sms, which has to be inputted on the payment site within a certain time frame to be active.


I have to take you to task here. "Some shops abuse even this system by storing your card info, cvv info and the SecureCode you give and then process the payment themselves afterwards.." is total BS. The store doesn't ever have a way to see the SecureCode, let alone store it - that info is input directly on the VISA or MASTERCARD site (depending on the card type). The amount of mis-information on here is unbelievable!
* * * * * * * * * * * * * * * * * * * * *
Porpoises are most happy when wet!
\ _ \ _ \ _ \ _ \ _ \ _ \ _ \ _ \ _ \ _ \ _ \ _

#19 geoffreywalton

  • Community Sponsor
  • 7,618 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 19 November 2011, 12:31

Unfortunately there are still sites that record the info, store it and then send it to the bank.

There are also stores that just take the card info and process it through a card terminal. I still see sites like this.

Then there are the stores that transfer you to the card processor's site, which works the way you describe.

Just because the bank issues regulations does not mean everyone follows them.

Cheers

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile
