Fighting Online Credit Card Fraud

Jim Grill 11/10/2001

Introduction

As an online merchant, making my living on the Internet, I am now more aware of credit card fraud than ever. If you depend on e-commerce to make your living you may find this writing to be of interest to you.

"It only takes a few bad apples to spoil the bunch", I remember my third grade teacher, Mrs. Moon, telling us when we were all complaining about a new rule. The fact is that rules and laws are created because of a situation that calls for them. My class with Mrs. Moon was the last class of the day and she would let us quit our work early and have a "social time" where we could all talk for the last 15 minutes of class every Friday. All we had to do was make sure we finished our homework over the weekend. All it took was for one little loser kid to not do his homework and that was it. This gets better. Keep reading.

The Internet is a lot like third grade class because it is still so new. When I first started surfing the Internet back in late 1994 there were no online stores, there were no stock quotes, and there were NO RULES. That's right... imagine a fresh new world with no limits and no laws. To many of us who remember the old BBS communities before the Internet was available, this was the equivalent of moving to a new planet with no laws or rules where everyone could live in peace and harmony. We shared ideas, knowledge, open source software, and chatted endlessly with all kinds of interesting and intelligent people from all over the world. It was a nerd's bliss. Enough of the history lesson. Let's get to reality.

Today the Internet has evolved and has become the same tainted mess that our physical world is. There are stalkers, liars, thieves, spammers, get rich quick scams, child pornographers, and general scum online today. I wouldn't go into a chat room if my life depended on it.

Credit card processors are aware of this and make it very difficult for a new online company to qualify for a merchant account. Credit card fraud is at an all-time high and most credit card fraud takes place on the Internet. The vast majority of credit card fraud occurs without possession of the card. So where do thieves get credit card information from? The answer is the Internet. Internet fraud is a self-perpetuating problem. Thieves break into e-commerce servers and steal literally hundreds or thousands of credit card numbers with expiration dates and billing addresses. The more people shop online, the more fraud will occur and the less processing banks will want to deal with it.

Fact Vs. Fiction

The card holder is the victim... NOT! The truth is that the online merchant is the REAL victim. Most of the time all the card holder has to do is call the card issuing bank and tell them that they didn't make the charges and they will not have to pay. Processing banks actually turn profit from online fraud. All the card issuing bank has to do is charge back the merchant to get all the money back. Then they charge a $10 - $15 charge back fee to the merchant as a penalty for accepting the transaction. Then to top it off some card issuing banks actually charge the card holder up to $50 depending on their agreement with the bank. In that case the card holder too becomes a victim but not from the thief; from their own bank! The truth is that the banks refuse to take any accountability.

"Why should they" you ask?

First of all, since the inception of e-commerce, processors are making money hand over fist. People use credit cards more than any other payment method. The banks charge interest to customers and they also charge between 1.5% and 2.5% to the merchant as well. In some cases they also charge a flat fee of up to $0.35 or more for each transaction on top of the percentage. With a vested interest in the success of e-commerce you would think they would take some steps toward securing the future of online shopping, fighting fraud, and protecting their merchants.

CVV2/CVC2

The only thing that has really been done to help eliminate non-card-possession fraud is the implementation of the CVV2/CVC2 number, which is a three-digit number on the back of some Visa cards or a four-digit number located on the front of some AMEX cards. The only way to know this number is to actually have the card in your possession. As long as online merchants do not store this information and use it only to validate the charge, it works well, but it is not fully supported by most processors. Hopefully this new security feature will be in use across the board very soon. All MasterCard cards, both credit and debit, were required to contain CVC2 by January 1, 1997; all Visa cards were required to contain CVV2 by January 1, 2001. At the time of this writing neither is fully supported by processing banks.

Address Verification System - AVS

By far, the best tool for online retailers is the Address Verification System, or AVS. AVS allows a merchant to verify a customer's billing address through the card holder's bank. If you sell a tangible product, one of your best defenses is to only ship to the billing address of the card. No thief in their right mind is going to have stolen stuff sent to the card holder's house. Online credit card thieves are gutless weenies who hide behind the protection of their little wanna-be hacker computers. They are not like conventional thieves, who almost deserve a little respect for at least having the balls to commit crime in person. These online thieves are very evasive of any real contact and will almost never return an email and will never use real information. If you are one of the unlucky online merchants who do not sell a tangible product, like me, then you're really in trouble. Because the thief does not care about the billing/shipping address when there will be no deliveries, AVS becomes less reliable in non-tangible sales transactions.

Faxed Signatures

Sometimes AVS alone will not cut it, as in non-tangible/service oriented businesses or with high ticket items where a thief may be ballsy enough to send the package to the billing address where he can intercept it later. In that situation you may wish to require a copy of the credit card and driver's license. Although this is still not considered a card-present sale and will not save you in a charge back situation, this may help eliminate the possibility of a charge-back in the first place. By asking the customer to fax a signed copy of the front and back of his or her credit card along with a copy of a driver's license or another form of official picture ID, you will stop a very high percentage of fraud since most online thieves only have lists of credit card numbers and do not have possession. This will also help stop evil boyfriends, girlfriends, roommates, or step children from using a card that belongs to someone else in the household. Although this is not real common I have had more than one call from someone's mother or ex-girlfriend claiming that they know who made the charge and they were not authorized. This method is considered harsh and has been known to turn away some legitimate sales, which, in my opinion, is not worth it every single time. I will only use this method on larger than usual sales or suspected fraud situations.

Email verification

Another good way to protect yourself is to check email addresses. There are literally hundreds and maybe thousands of free online email services that anyone can use without providing any real information about themselves. Some of these services include Hotmail, Yahoo, and Lycos, which are the more popular ones. Be leery of anyone who will not use their real email address. You can always check the validity of an email address by taking the domain part of the address and typing it into a browser to see where it goes. For example: johndoe@cs.com. Take the cs.com and type it into your browser like so: http://www.cs.com. You will most likely recognize this to be CompuServe, a major ISP. Now try janedoe@mail.com. Here is the URL: http://www.mail.com. That is obviously a free service providing anonymous email for people in exchange for a little advertising exposure. This is not always a good giveaway since many people will use a Hotmail account so they can get email anywhere they go without having to enter any of their personal information into the computer they're using. Many people will use a Hotmail account at work if their company prohibits the use of their email system or computers for personal use. Some people will also actually have their own domain or maybe their friend has one and they use an email address from that domain. In this case you can go to Network Solutions and run a whois query on the domain and see who owns it. This will help shed some light on things if they are the registered owner of the domain, but may not be too helpful otherwise.

Here is a somewhat current list of free email domains that I copied from a web site I found in a search engine using the search term "credit card fraud free email service". There are new email services born every day so this will be something you will need to stay on top of when checking your customers' email addresses.

IP Addresses

IP addresses can be a good giveaway for catching foreign thieves. If you are already using AVS (and I really hope you are) then you already know what city, state, and zip your customer lives in. You can capture the remote IP address of your customer at the time they order or sign up for a service and compare this information against the American Registry for Internet Numbers, or ARIN, by doing a "Whois". If your visitor's IP address is 202.23.104.2 and the address they gave you is somewhere in North Carolina, for example, then we can pretty much guess this is fraud. Unless your customer happens to be vacationing in Japan and ordering web hosting, CDs, or whatever you sell for when they get home. Ha! Yeah right! Whenever you encounter this type of fraud always save the IP address! You can use it later! Keep reading.

If you use the Apache web server you can use one of several different programming languages to retrieve Apache environment variables. Environment variables are elements of data stored by the server to help identify and describe a particular instance of the server. Each visitor to the web server will have their own unique session or instance containing information about them ranging from the operating system they use to the IP of their machine. REMOTE_ADDR is the element we are concerned with. If you use something other than the Apache web server I'm sure there is probably some hope for you, but not much, and you won't find it here.

Foreign Commerce

It is not safe to do e-commerce with foreign countries if your business is in the US. I would even be so bold as to say that it is not safe to do e-commerce with foreign countries if you live in a foreign country. Why do I have it in for foreign countries so bad? The truth is I do not. When I first started my Web Hosting company we were happy to be able to help foreign businesses gain exposure in the US. After all the point of the Internet was that it was world-wide. It didn't take too long before I realized that this was a bad idea.
Of all the fraud I had to deal with as I was learning the ropes of e-commerce over 99% was perpetrated by foreigners. The largest percentage of fraud was from 202.0.0.0 - 203.255.255.255 IP addresses, which is the Asia Pacific region. I will not ever do any business with a foreign country ever again. It is a shame to have to block entire countries but I am not willing to lose my merchant account and pay charge back fees or deal with angry card holders calling and asking why the hell my company charged them $345 last month. Most foreign card issuing banks do not adhere to the same standards as American banks and they do not fully support AVS if at all. Even if you decide to do e-commerce on a world-wide level you will have literally no way to tell if the sale is fraud or not. Plus since the crime they commit is an American crime and they live in a foreign country there is no way to press charges or recover any losses at all.

There was a case I had one time where I caught a thief when he signed up for our hosting service on two separate occasions a few days apart. He used a different name and address each time but he had no choice but to use the same IP address. At the time I was not tracking IPs accurately enough to catch that but the guy used a really interesting password for his account the first time and used it as the username the second time. It seemed like a hacker type nickname to me too, which always raises concern. I decided to email him and ask why he was a thief and what he thought he had to gain. I was very surprised when he emailed me right back and told me that he didn't care what I said and that I was powerless against him. He even gave me his cell phone number and told me to call him if I wanted; he didn't care. I felt as though his phone was probably a clone and he probably didn't plan to pay for it either so I didn't call but emailed back instead. He replied and began to tell me how much his country (Lithuania) hated Americans and that he knew there was nothing I could do and he thinks it's very funny and well worth it to get even with Americans by stealing their money. I realized then that we are from different worlds not just different countries. Americans are typically happy-go-lucky people who show a lot of tolerance and acceptance for others. Our nature is to help and trust others and always give people a chance. What the hell does that have to do with e-commerce? EVERYTHING when you have EVERYTHING to lose by trusting people who hate you for no other reason than plain jealousy! I digress.

Detection

I have managed to stop nearly 100% of all our online fraud using the methods I have described. One thing to take into consideration before taking ALL my advice is that I'm a web hosting company providing a service to computer savvy people. I sell no tangible product and have nothing more than just a charge back to lose; in other words I will not lose any real money since I do not ship any product. What I DO have to lose is my merchant account. Merchant accounts are very hard to come by for Internet companies and are even harder for non-tangible/service oriented businesses. My biggest problem is finding a merchant provider who will not put ridiculous limits on my company. If I plan to grow I do not need a merchant company who is going to shut my business down if I go over my monthly limit. I am very happy to have landed my account and am NOT willing to risk that as it is my life's blood and without it I will have NO business at all.

The first thing I do when an online sale is made is look over the information carefully, looking for signs. I check:

  • The overall sale. Does it seem normal? Big ticket items like my most expensive hosting plan raise a flag.
  • Complete information. If your sign up or check out form doesn't require complete information then look over the order for missing or incomplete information.
  • The addresses. If the home address and the billing address are different it raises a flag.
  • The email address. If the email address is from a free email service or a small homemade looking web site it raises a flag.
  • Check the user's IP address to see what country it comes from. If it's different cancel the order.
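
The checklist above, together with the email-domain and REMOTE_ADDR checks from the earlier sections, written as one screening function. This is an added example, not code from the original article; the field names, flag names, the 300.00 big-ticket threshold, the sample free-mail set and the assumption that the merchant expects US billing addresses are all illustrative.

```python
import ipaddress
import os

# Constructed sample; the page's own list of free-mail domains is not reproduced.
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "lycos.com", "mail.com"}
# The range the page names, 202.0.0.0 - 203.255.255.255, collapses to 202.0.0.0/7.
FLAGGED_NETS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("202.0.0.0"), ipaddress.ip_address("203.255.255.255")))
REQUIRED = ("name", "email", "home_address", "billing_address", "amount")
BIG_TICKET = 300.00  # hypothetical threshold; set it from your own price list

def normalize(text):
    """Lower-case and collapse whitespace so trivial differences do not flag."""
    return " ".join(str(text or "").lower().split())

def screen_order(order, environ=os.environ):
    """Return the flags an order raises; under CGI the default environ is used."""
    flags = []
    if float(order.get("amount") or 0) >= BIG_TICKET:
        flags.append("big_ticket")
    missing = [f for f in REQUIRED if not normalize(order.get(f))]
    if missing:
        flags.append("incomplete:" + ",".join(missing))
    if normalize(order.get("home_address")) != normalize(order.get("billing_address")):
        flags.append("address_mismatch")
    if normalize(order.get("email")).rpartition("@")[2] in FREE_MAIL_DOMAINS:
        flags.append("free_email")
    # REMOTE_ADDR is the TCP peer. Behind a reverse proxy it is the proxy's
    # address, and client-supplied headers are not a trustworthy substitute.
    try:
        ip = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        flags.append("no_client_ip")
    else:
        # Assumption: a US billing address is what this merchant expects.
        if order.get("billing_country") == "US" and any(ip in n for n in FLAGGED_NETS):
            flags.append("ip_region_mismatch")
    return flags

def decide(flags):
    """An IP/country mismatch cancels; any other flag means a manual look."""
    if "ip_region_mismatch" in flags:
        return "cancel"
    return "review" if flags else "accept"

if __name__ == "__main__":
    # Constructed order using the example IP address from the IP section.
    order = {"name": "J. Doe", "email": "janedoe@mail.com", "amount": 345.00,
             "home_address": "1 Main St, Raleigh NC", "billing_country": "US",
             "billing_address": "9 Oak Ave, Cary NC"}
    flags = screen_order(order, {"REMOTE_ADDR": "202.23.104.2"})
    print(flags, decide(flags))
```

A fixed address range is only a coarse stand-in for the whois lookup the article describes, so a flag from it is a reason to look closer at the order rather than proof on its own.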

Prevention

Even though it is against most processing rules SAVE all your data. Especially save your fraudulent sales. You need to compile data. Trust me... no one else is going to do it for you. Save your data in a safe manner so it can't be stolen if you have a break-in. The easiest way to do this if you don't have a team of programmers handy as I do is to use PGP, an encryption program, to encrypt your sales data and save it in alphabetized or dated files on your hard drive. It's up to you how you do it; just try to be responsible and respect the privacy of your customers because they are YOUR customers and you have their best interest at heart... don't you? You should.

If you save everything then when you get a charge back you will be able to look up the customer by the date of the transaction. This will almost always be about three months ago by the time you get the charge back. Since most thieves use fictitious names the only way you will be able to look up the transaction is by the card number or the reference number of the transaction. I find that having the card number is the easiest way to track it down. Now that you've found it you can look more carefully at why this happened.

I'll be willing to bet you will see the problem now that you are looking more carefully. Chances are you will be able to find a pattern over time and you will know what to look for. The most important thing to save is those pesky foreign IP addresses.

Once you have a good list of email addresses and IP addresses you can stop most fraud before it becomes a charge back.
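
One way to keep sales records so that a charge back can be traced by card number and its email and IP address added to a block list. This is an added example, not the author's code: it swaps the PGP-encrypted files described above for a keyed-hash (HMAC) index so the card number itself is never stored, and the class, field names, key and sample records are constructed.

```python
import hashlib
import hmac

# Assumption: demo key only. A real key lives outside the sales data store.
INDEX_KEY = b"constructed-demo-key"


def card_token(card_number):
    """Keyed hash of the digits, so lookups work without storing the number."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    return hmac.new(INDEX_KEY, digits.encode(), hashlib.sha256).hexdigest()


class SalesLog:
    def __init__(self):
        self.by_card = {}        # card token -> list of sale records
        self.bad_emails = set()  # learned from charge backs
        self.bad_ips = set()

    def record(self, card_number, date, email, ip, reference):
        sale = {"date": date, "email": email.strip().lower(), "ip": ip,
                "reference": reference, "fraud": False}
        self.by_card.setdefault(card_token(card_number), []).append(sale)

    def charge_back(self, card_number):
        """Find the sales behind a charge back and learn their email and IP."""
        sales = self.by_card.get(card_token(card_number), [])
        for sale in sales:
            sale["fraud"] = True
            self.bad_emails.add(sale["email"])
            self.bad_ips.add(sale["ip"])
        return sales

    def is_blocked(self, email, ip):
        """True when a new order reuses an email or IP seen in a charge back."""
        return email.strip().lower() in self.bad_emails or ip in self.bad_ips


if __name__ == "__main__":
    # Constructed records; the card numbers are standard test numbers.
    log = SalesLog()
    log.record("4111 1111 1111 1111", "2001-08-02", "janedoe@mail.com",
               "202.23.104.2", "REF-1001")
    log.record("5555 5555 5555 4444", "2001-08-03", "johndoe@cs.com",
               "192.0.2.10", "REF-1002")
    # Months later the charge back notice arrives with only the card number.
    print([s["reference"] for s in log.charge_back("4111-1111-1111-1111")])
    print(log.is_blocked("someone.else@example.com", "202.23.104.2"))
```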

If you use the Apache web server, do real time online processing, and want to block foreign countries CLICK HERE.

© copyright 2001 - 2002 Jim Grill


     
    Copyright © 2003-2004 Jim Grill. All Rights Reserved.