eCommerce Horror Story


fgwhite


In over 5 years being in international e-commerce, we have received countless bogus orders, but only one chargeback and a couple of loss orders.

 

Credit Card fraud could have been minimised many years ago, except that the banks wanted the retailers to cover the cost !!

 

My best advice is do not ship to Asia, Africa or the Former Eastern Europe as they have the highest incidence of fraud, and to trust your instincts. We have had a high percentage of International orders over the years and we have many valued foreign customers, but care needs to be exercised.

 

As already stated bogus orders tend to be 'easily' spotted as they:-

 

- are usually for high numbers of products (including duplicates) or high cash value,

- often have different shipping and billing addresses (often different countries),

- use free email addresses (but then many of us do),

- use the most expensive shipping option.

 

Just because a payment has been authorised does not mean it has been fully checked, in fact most credit card companies only check payments over a set (unknown) amount (say £80.00) due to the costs involved (and maybe, because fraudsters go for the big amounts). We have had payments accepted where the customer was called "hfdalr hfgy" and lived at "hosjfpp ioj" (so obviously bogus) and also received the money into our account !!! in our days of automated card processing.

 

 

Post Authorisation

 

If you use a real-time on-line credit card service, opt for Post-Authorisation, if available, as this will reduce your initial and refund charges (paying a charge for accepting the payment, and a charge for paying back the money when refusing/not filling an order,) which can run into hundreds of pounds, dollars, euros, etc. if you get a run of high value bogus orders. You only accept payment (and incur a charge) when you are satisfied with the order.

 

 

Code 10 checks:

 

Even if the address is validated by AVS, but the order falls into the above criteria, we ask for a Code 10 Check by our on-line credit card service. This is a check by your credit card company, with the card holder's bank, that the card/address are valid and normally takes under 24 hours for domestic banks and a little longer for international banks. Unfortunately, as banks are a law unto themselves it may not protect you against chargebacks, but may clarify a doubtful order for you. Most credit card service providers should provide this service - normally free of charge - but they don't expect you to use it every time.

 

 

Telephone Numbers:

 

A simple address check is to collect and check the customer's home telephone number against name/address. Most countries have at least one on-line telephone directory service, and some countries like the USA have reverse look-up (searching by the telephone number.) Problems are that the number could be in a different name or ex-directory.

 

You can always ring the customer to confirm the number is correct or query any problems with the order.

 

InfoSpace is a good starting point for USA and International numbers (http://www.infospace.com/_1_3FGUDJ04P2CCHY__disney.go/wp/index.htm)

 

Telefonbuch.com (German ?) has an extensive list of International White and Yellow pages, by country.

(http://www.telefonbuch.com/english.htm)

 

 

Anti-Fraud Statement

 

As mentioned already, use an anti-fraud statement, saying where you will accept orders from, what checks you will perform, and that you will report all fraud to the police. It won't put off every fraudster, but may save you from the amateur / stupid fraudsters.

 

Ours (on our first checkout page) tends to cause the fraudsters to try and con us, by pretending their address is in a different country !!, which makes them easier to spot.

 

 

 

Get A Signature/Postal Insurance

 

Again as already mentioned get a signature on delivery, as this is some protection against "goods not received" chargebacks. Our only chargeback was from a customer who stated they had not received any of 3 individual packages sent on 2 different days (hard to believe), and we confirmed their address and even their business website. Although we could prove dispatch, stock purchase etc., the chargeback was taken, because we could not prove delivery by signature, in which case you can only claim from the courier, via insurance. Insurance also protects against the occasional lost in post item and may not cost anything (in the UK we get compensation up to £28 for free, if you obtain proof of posting.)

 

The only problem is you need to weigh up cost against profit. If you sell a low cost item, the relative cost of signed delivery needs offsetting against profit margins and the overall risk of loss. It may be worthwhile to incur the cost for the first order only.

 

 

Don't Ever Think It Won't Happen To You

 

IT WILL .....

 

We were lucky that we requested Post-Authorisation of payments before we had a massive run of bogus card-checking orders, and so our credit card company refunded the £250 payment/refund charges involved.

 

Credit Card fraud should not put you off an e-commerce business, but make sure you account for it in your costings (along with other losses) and put systems in place to prevent becoming a victim of it.

 

If in doubt refuse the order - most of our losses came from doubtful orders we took a risk on.... and regretted it.

Link to comment
Share on other sites
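
An added example, not part of the original post: the four red flags listed in the first post, expressed as an automated check that runs before an authorised payment is captured. The thresholds, the free-mail domain list, the decision names and the sample orders are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed values: the post lists the criteria but gives no thresholds.
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com"}
MAX_TOTAL_QTY = 10         # hypothetical cut-off for "high numbers of products"
MAX_ORDER_VALUE = 500.00   # hypothetical cut-off for "high cash value"


@dataclass
class Order:
    email: str
    billing: tuple          # (address, country)
    shipping: tuple         # (address, country)
    lines: list             # [(sku, quantity, unit_price), ...]
    shipping_option: str
    shipping_prices: dict   # option name -> price offered at checkout


def _norm(text):
    """Case- and whitespace-insensitive form for address comparison."""
    return " ".join(text.lower().split())


def red_flags(order):
    """Return the red flags from the post that this order raises."""
    flags = []
    skus = [sku for sku, _, _ in order.lines]
    if sum(q for _, q, _ in order.lines) > MAX_TOTAL_QTY or len(skus) != len(set(skus)):
        flags.append("high quantity or duplicate products")
    if sum(q * p for _, q, p in order.lines) > MAX_ORDER_VALUE:
        flags.append("high cash value")
    if _norm(order.billing[1]) != _norm(order.shipping[1]):
        flags.append("billing and shipping countries differ")
    elif _norm(order.billing[0]) != _norm(order.shipping[0]):
        flags.append("billing and shipping addresses differ")
    if order.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        flags.append("free email address")
    prices = order.shipping_prices
    if len(prices) > 1 and order.shipping_option == max(prices, key=prices.get):
        flags.append("most expensive shipping option")
    return flags


def triage(order):
    """Decide what happens before an authorised payment is captured."""
    # A free email address alone is weak evidence ("many of us do").
    strong = [f for f in red_flags(order) if f != "free email address"]
    if not strong:
        return "capture"
    if len(strong) == 1:
        return "manual_review"
    return "hold_and_request_code_10"


# Constructed sample orders, not taken from the thread.
PRICES = {"standard": 5.00, "tracked": 9.50, "express": 42.00}
SUSPECT = Order("buyer@hotmail.com", ("1 Example Road", "GB"), ("9 Sample Street", "US"),
                [("KIT-1", 25, 400.00)], "express", PRICES)
ROUTINE = Order("jo@example.org", ("1 Example Road", "GB"), ("1  example road", "GB"),
                [("KIT-1", 1, 40.00)], "standard", PRICES)

if __name__ == "__main__":
    for name, order in (("suspect", SUSPECT), ("routine", ROUTINE)):
        print(name, triage(order), red_flags(order))
```

With Post-Authorisation in place, only orders that return `capture` would be settled automatically; the others wait for a person to look at them.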

  • 2 weeks later...

After looking thru all the charge back topics I was surprised to see no references to the Verified by Visa and MasterCard SecureCode programs.

 

These global programs provide merchants with guaranteed payments on authenticated transactions which eliminate the "I didn't make that purchase" types of charge backs. Once a transaction is authenticated during the checkout process, the liability for the transaction is shifted from the merchant account to the Card Issuer. This means no more charge back fees, no more loss of goods..etc.

 

Like AVS tools, you can automate your order review process, so that you do need to manually review all flagged orders. If the transaction was authenticated then you are guaranteed payment.

 

Visa Program information : http://usa.visa.com/business/accepting_vis...gement/vbv.html

 

JCB has also launched a program (JCB J/Secure) based on the same guidelines, and provides the same types of benefits to merchants

 

Participation in the programs allows merchants to begin to accept international transactions without the fear of fraud. Again, once the transaction is authenticated, then the merchant is guaranteed payment. Your payment is guaranteed on all Visa credit and debit card purchases, regardless of whether your customers are enrolled in Verified by Visa.

 

MasterCard program rules vary slightly, but as long as the transaction is authenticated, the merchant is guaranteed payment.

 

In addition, with Verified by Visa enabled, your merchant status will be upgraded by Visa to "CPS E-commerce Preferred" and you will be eligible to lower your discount rate by 5 basis points (from 1.85 bps down to 1.80 bps).

 

Please feel free to post any questions regarding the programs.

Link to comment
Share on other sites

  • 1 month later...

What annoys me is that when a customer either by their own accord or through fraud asks to chargeback goods, the credit card doesn't get cancelled immediately. They can carry on using it!!

I have found that even a lot of legit customers make orders then charge them back knowing that they will get their money as there is no signature.

If the bank automatically cancelled their card and re-issue a new one which takes 14 days, i.e 2 weeks of inconvenience for the customer and then after x amount of chargebacks on different cards their account gets cancelled as they obviously cannot be careful enough with their credit card details then this would stop pretty much overnight!!

It's not going to stop the illegals, but at least it will stop the home shopper!!

We have new laws coming in in the UK next year where the merchant is responsible for all transactions not the banks so I don't know what's going to happen there.

Link to comment
Share on other sites

Not all fraud is because of lost cards or the customer not maintaining their details. I had to request a chargeback for one company because they wouldn't cancel a subscription after repeated calls and certified letters requesting them to do so. I do think consumers need to be educated to contact the company for resolution before they request a chargeback though.

 

On the other hand, I am not so sure a credit card cancellation is such a hardship anymore. Both Bank of America and CapitalOne reissued me cards in 48 hours when I lost my wallet.

Link to comment
Share on other sites

Ahh, yes but it's the thought of inconvenience. Makes people think twice, and although I hate to admit it, I do know of one person who had practically bought every item in his house over the years and never paid for most of it, just charging it back. It doesn't matter if you can prove postage, if you don't have a credit card signed receipt you're ******

Link to comment
Share on other sites

Merchants participating in the Verified by Visa and MasterCard SecureCode programs receive charge back blocking and are not liable for authenticated transactions. The Card Issuer eats the cost of the charge back if the consumer disputes the order for "I didn't make the purchase" type of reasons. The merchant receives payment, no charge back costs are incurred, and no time lost while trying to win your case.

 

This also protects merchants from "friendly" fraud scenarios where a child makes a purchase with mom's credit card, and then mom disputes the charge..etc. The tools are available from Visa and MasterCard to greatly reduce the number of "I didn't do it" charge backs and protect the merchants.

 

thanks

Link to comment
Share on other sites

It doesn't matter if you can prove postage, if you don't have a credit card signed receipt you're

 

In the online world, the Verified by Visa and MasterCard SecureCode authentication result is your signed receipt. By having this receipt for your online transaction you do get protection.

 

By using these programs your consumers to "sign the receipt" when they make the purchase.

 

thanks

Link to comment
Share on other sites

Well that's good to hear, I wonder if Worldpay will honor that next time I get a chargeback, because in my experience it doesn't matter if you've got anything, they still charge the payment back!

Link to comment
Share on other sites

Worldpay is part of your problem. They don't allow many merchant disputes through the card companies because it would be bad for them. We use them at vBulletin and are in the process of implementing a replacement.

 

Honestly, I never had a problem with chargebacks on my personal site because I work with my customers. However, almost all new customers come from word of mouth. I am looking to implement verified by visa and mastercard securecode on the next upgrade though.

Link to comment
Share on other sites

Hi There,

 

I'm also looking at moving away from Worldpants, erm I mean Worldpay, already been in contact with the bank regarding a merchant account.

Link to comment
Share on other sites

Hi,

 

Is Worldpay UK an acquiring bank of verified by visa, because on the euro site of verified by visa it only shows worldpay.de???

 

Thanks

 

Mark

Lifes a bitch, then you marry one, then you die!

Link to comment
Share on other sites

  • 1 month later...
Merchants participating in the Verified by Visa and MasterCard SecureCode programs receive charge back blocking and are not liable for authenticated transactions. The Card Issuer eats the cost of the charge back if the consumer disputes the order for "I didn't make the purchase" type of reasons. The merchant receives payment, no charge back costs are incurred, and no time lost while trying to win your case.

 

This also protects merchants from "friendly" fraud scenarios where a child makes a purchase with mom's credit card, and then mom disputes the charge..etc. The tools are available from Visa and MasterCard to greatly reduce the number of "I didn't do it" charge backs and protect the merchants.

 

thanks

Can anyone expand on this? I'm getting tired of sweating every credit card transaction that we have. Luckily (or not so Luckily, depending upon how you look at it), our sales are pretty small, so our risk is not huge - on the other hand, since our volume is so small, a several hundred dollar loss is pretty devastating.

 

From what I've read about the Verified By Visa program it sounds like a great solution, however I don't know how to sign up or where to go to ask questions. Is anyone using this system? And will it work for someone like me that does offline processing?

Link to comment
Share on other sites

From what I've read about the Verified By Visa program it sounds like a great solution, however I don't know how to sign up or where to go to ask questions.  Is anyone using this system?  And will it work for someone like me that does offline processing?

 

A contribution http://www.oscommerce.com/community/contributions,2636 is available that performs the Verified by Visa and MasterCard SecureCode authentication during the checkout process. The contribution provides details on the registration process and where to get your questions answered.

 

Since the VbV / MCSC programs generate new data elements that must be passed on the authorization, there may be some incompatibilities with your offline processing product. Each case is often unique, and there are ways to participate in the VbV and MCSC programs and continue to do your offline processing. There are merchants out there who have deployed VbV / MCSC and are manually processing orders offline.

 

 

thanks

Link to comment
Share on other sites

I understand what your goal is,  I am just punching holes in it,  that is the only way to improve it

 

it is better to be PROACTIVE than REACTIVE with fraud........

 

Meaning you should stop "waiting for it to happen" but rather look at all the angles for holes and plug the holes now before the scammer finds it........

 

The way you're doing it is the Microsoft method of security, wait until hole is found and then patch it.... :lol:

the best method, is to Request a Copy of the Card and Drivers Lic to be Faxed to you if you expect fraud, Tell the customer the Reasons the Red Flags Went off in their case, and what they can do to help prevent it in the future,

the Extra Step will more than likely make them feel safer about shopping with you again, consumers are just as Scared as you are, there are Sites out there that sell card numbers to Scammers,

 

 

I think this is great, everyone sharing their experiences; it is really teaching me a lot as I am new to this eCommerce.

 

But, a client of mine with my "regular job", has been into eCommerce for awhile. He had someone actually show the credit card & drivers license, yet it was still fraud and was manipulated to look authentic. Luckily, the transaction would not go through because they were dealing with a major financial institution who is quick and keen when it comes to giving out clients money. Saving him about $30,000 and avoiding the scam altogether. Too bad all banks/financial institutions aren't so strict when it comes to verification. Eventually, they will all head towards those processes (well, at least here in the U.S.A.)

Link to comment
Share on other sites

  • 1 month later...

I just got an order from some Indonesian "electronics" company wanting to buy many products.

 

I'm pretty sure it is the same person. I've also whoised their company's domain and it links to some guy in the United States. Looks like a regular guy too. Their company website had nothing and only had emails of the purchasing department, sales, admin etc. I'm pretty sure this person is doing it to many customers. I for one DO NOT KNOW how someone knows our e-commerce website when we haven't even published anywhere and such. And a google search of my company does not ring any results.

 

Ask yourself this:

 

Why would a company from Indonesia purchase something from another country when they can get it much cheaper without the shipping cost.

 

Think.... No person/company in their right mind will supply credit card info that easy if they are asking for a quote. They should have emailed first instead of going through the cc card transactions.

 

 

What was that person's email u know? Maybe we have a common predator.

 

good. I still get about an email a week. Usually want to buy quantity like 25 turbo kits or 15 lift kits, etc. Almost always over $10,000 in value.

 

Once I decided to play along to see how far it would go. Because of how our processes are setup, I NEVER ship until the money is swept into our account. Even for locals. Anyways, this guy in Indo emailed me his cc # and all. plain text! anyways, I ran the card for grins and of course declined. I sent him an email and told him so sorry. he sent me a reply with 6 different credit cards in one email with the same billing address. I didn't bother running those and told him that I was having computer problems and that he should wire the money into my account.....never heard from him again.... :lol:

Link to comment
Share on other sites

  • 4 weeks later...

hello guys, I just came across this post and after reading your reviews about the Indonesian orders, it really got me worried.

I received an order on 8th of March from Indonesia for $965 and I shipped the order on 18th March after checking up on the guy and calling him a couple of times.

card used: Visa

AVS was ok

CVV was provided

same billing and shipping address

contact number worked (called this person a couple of times to verify the address and card details).

Usually I ship the orders after all this, but for this order I was a bit more worried so I called him again and asked to fax or scan and attach the copy of his Licence or ID/PR card.

well first he said he's really busy and he doesn't feel comfortable sending his personal info, but after telling him that his order won't be processed, he agreed and sent his ID Card in .jpg format.

everything matched the name, address, date of birth, country and also got his pic on it.

what do you guys think about it ?

I hope this guy is not f$%kin me up :((

any info is greatly appreciated

thank you

Link to comment
Share on other sites

what do you guys think about it ?

I hope this guy is not f$%kin me up :((

any info is greatly appreciated

 

I think you've done everything right. I remember running across a database of known stolen cards but couldn't find it - just now. (If anyone knows where it's at please post a link.)

 

In your case, the issuing financial institution should take some responsibility if your transaction goes bad.

Thanks!

 

Frank

 

Ever wish people could recover from a "fatal error?"

Link to comment
Share on other sites

  • 3 weeks later...

hello guys,

well I received an email from that guy and he said he received the order and now he wants to place another order for about $1600

I really don't know if this guy is for real :(

he just sent me his card details through email again and told me to charge it and ship it ASAP

what else can I do to secure myself. I tried calling visa at 1800-847-2750

and entered the account number (card number) but it didn't give any info like issuing bank details and stuff.

any help is greatly appreciated

thank you

Link to comment
Share on other sites

I really don't know if this guy is for real :(

what else can I do to secure myself. I tried calling visa at 1800-847-2750

and entered the account number (card number) but it didn't give any info like issuing bank details and stuff.

 

Your merchant services provider (the bank or company who set up your merchant account) should be able to give you information on the issuing bank. The first six digits of the card number (known as the BIN or ICA number) uniquely identify the issuing bank. Some merchant service providers offer online look up services to their customers.

 

If you call the fraud department of the issuing bank, they can call the customer from the number in their records and verify the specific charge. They might even call or FAX you an approval after they check with the customer. I'm not sure if this gives you any legal leverage but, it shouldn't hurt.

 

It took half a day on the phone with several different entities to uncover the secret of identifying the issuing bank. Now, however, it makes investigating these suspicious orders much easier.

 

Andrew Crawford

Link to comment
Share on other sites
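
An added example, not part of the post above: deriving the six-digit BIN described there from card numbers as a customer might type them, with a checksum test and a masked form for order notes so the full number is not copied around. The function names are hypothetical, and the sample numbers are widely published gateway test numbers plus one deliberately mistyped value, not real accounts.

```python
import re


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:      # every second digit, counting from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def issuer_lookup_key(card_number):
    """Return the BIN to give the merchant services provider, plus a masked
    form of the number that is safe to write into order notes."""
    digits = re.sub(r"[ -]", "", card_number)
    if not re.fullmatch(r"[0-9]{13,19}", digits):
        raise ValueError("not a card number: expected 13 to 19 digits")
    if not luhn_valid(digits):
        raise ValueError("checksum failed: number is mistyped or made up")
    masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return {"bin": digits[:6], "masked": masked}


def issuers_to_contact(card_numbers):
    """Group the cards offered for one order by BIN and collect the rejects."""
    by_bin, rejected = {}, []
    for number in card_numbers:
        try:
            key = issuer_lookup_key(number)
        except ValueError as err:
            rejected.append(str(err))
            continue
        by_bin.setdefault(key["bin"], []).append(key["masked"])
    return by_bin, rejected


# Constructed input: two published test numbers and one with a wrong last digit.
SAMPLE_NUMBERS = ["4111 1111 1111 1111", "5555-5555-5555-4444", "4111111111111112"]

if __name__ == "__main__":
    print(issuers_to_contact(SAMPLE_NUMBERS))
```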

hey thanks for the info, I finally got the issuing bank number

BANK INTERNASIONAL INDONESIA

(62) 21 318 3888

but another problem now, I called the bank and they are speaking Indonesian :(

I pressed a couple of options but no luck.

any help is appreciated

thank you

Link to comment
Share on other sites

but another problem now, I called the bank and they are speaking Indonesian :(

I pressed a couple of options but no luck.

 

You might try calling your local university and checking with the foreign language and anthropology departments. Most major universities will have someone around who speaks Indonesian and would be willing to provide simple translation services like that for a small fee. I have a friend who is an anthro professor and speaks Indonesian and has been known to do that on occasion.

 

Alternately, you could try something like Google Answers or even just look up a translation service on the web.

 

You can probably add the fee to the customers' order as a "verification fee" or something.

 

Andrew Crawford

Link to comment
Share on other sites

thanks guys for all your help :)

I received another order for about $700

the address is in Miami

something like this

3564sw84 ave

miami, Florida, 33155

United States

the AVS And CVD are a match, I called the customer and told him that I need a front and back copy of his card + a valid photo id with the shipping address on it.

well he faxed me the copy of the card and the photo id. Card looks fine but his photo id is from Brazil. He said he got some business in States and is in town for a few weeks, Also wants an express shipping. I even asked him for the issuing bank number so he gave me the HSBC customer service line which was no help. They said they cannot disclose a customer's info :(

what else can I do to find out if this order is for real ?

any help is greatly appreciated

Thank you

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
