catch credit card fraud Best answer on the web

  • I have a small ecommerce website that sells a downloadable product over the Internet. I accept credit cards online but can only verify the card number and expiration date, not the name, address, or CVV2 code. There is a guy who has been returning almost every day, and uses stolen credit cards to download the product (which changes every day). Whenever I block him he simply switches to another card (he has thousands) and uses a different email address (all free accounts) and screen name. I tried to track his IP address but it is always different (he must be using anonymizer or something similar). I do have a lot of personal information he leaves behind, as well as screen names he used, email addresses he registered with, IP addresses, and lots of stolen credit card numbers. I also have the URL of his personal website, and I even know what he looks like! My question is: is there something that can be done to stop this guy? He returns to my website almost every day for months now, and the FBI won't do a thing about it (I contacted them several times in the past). He caused overall damage of thousands of dollars so far, and it goes on. Thank you.


  • Hello googlefan1-ga

    I have a similar problem but not as severe or persistent as your guy.
    Here are my suggestions:

    1. Only allow purchases to customers who use an ISP email address.
    (supplied by their internet provider)
    - this prevents people hiding behind hotmail or yahoo type free email addresses. (Also reject email addresses from domain names if possible, as I've found some fraudsters register domain names which don't actually point anywhere for an anonymous email... and checking the smartwhois for their domain name reveals just garbage information. However this does cut out business domain names too and this depends on the type market you are in consumer or b2b. If you can't cut out registered domain name email addresses, you can at least check if they are 'fake' or a 'hiding ground for a fraudster, and be extremely suspicious if the whois details reveals registration emails from free Taiwanese, Indonesian or other far eastern email address. 2. By logging their IP address you can track if this is the same ISP as their email address that they have used e.g. using the smartwhois from All Net tools http://www.all-nettools.com/tools1.htm
    Also a non U.S. IP address will normally mean it is a suspicious transaction 3. Do not process the transaction in real time, by all means send email confirmation of order, but manually check out the details above before you debit the card. Some merchant accounts let you defer the transaction so you can verify credentials. 4. Change your credit card merchant account or bureau to one that does support CVV2 - hassle, perhaps time consuming but at least it adds a layer of security. Could be worthwhile switching as the more chargebacks you get, the more likely your card acquirer will revoke your ability to accept card card payment. 5. Add the request for date of birth, so you can use it as security check. Check online at 1800 US Search the supplied person’s age http://www2.1800ussearch.com/search/start.cgi?adID=4010013008
    (the fraudster usually uses the name on the card and will probably not know the age of the person) 6. I find that fraudsters usually order the most expensive products which is a sign of suspicious activity 7. They do not usually supply a full name or is a weird name or handle, - a sign of suspicious activity 8. Request a contact phone number, so you can perform spot checks if needed, a fraudster will be reluctant to give a real number. 9. If you switch your merchant account to Worldpay you could also use their WorldAlert service which is designed to combat fraud by screening purchases WorldPay
    http://www.worldpay.com/usa/index.html
    10. If you believe it is a suspicious transaction you can email them to ask a routine security question as a ‘spot check’ like the name of their issuing card company or to confirm their address, they usually do not bother to reply! 11. Try to track and define the browser they are using from your server logs, or implant more environment data on your order webpage like they do with the anonymizer test: http://www.anonymizer.com/snoop/test_os.shtml
    if your're in luck it 'may' give out a fairly unique identification. If he is using anonymous proxies or anonymizer type services this will be invisible of course.
    Unfortunately it will involve some manual work, but as you said you are a small e-commerce site so this shouldn’t be too excessive. If this guy finds out your site is not an easy target anymore, he will move on. As he seems to be the main root of your problems if he’s gone then you can revert back to automated transactions.
    I’m surprised you have the URL of his personal website and even more surprised you know what he looks like! I suppose you have already have done a smartwhois check on his domain name (that is if he has his own domain name). If he is using his ISP free webspace you might be able to file a complaint to his ISP. If he is using free webspace then that will be tricky.
    I hope that helps in some way,
    if you need any clarification, just ask!
    kind regards
    lot-ga


  • almost forgot, http://www.2checkout.com/index.html also checks cvv2


  • Hi

    If you are selling high value low volume products than it may be wise to do offline processing using something like:
    http://www.ishopbuilder.co.uk


    With this method you can reject an order without incurring any losses.

    I have been able to combat fraud with this method for quite some time.

    Regards
    G,


  • Hi


    Did you try contacting the Secret service? They also handle computer
    crimes.
    Also, have you contacted the credit card companies? They are the ones
    who are also loosing money, they may have more of a pull. You can set
    up a sniffer such as snort and figure out where this guy is coming
    from (since he's using TCP traffic for web traffic) then do a tracert
    to his address, find out who the ISP is and send off an e-mail to
    abuse@ISP.com (where ISP is the ISP's domain).



    Oh,


    One other thing. If he's causing that much trouble, you can hire a
    consulting firm that specializes in security to try and track him
    down. Of course if it's going to cost you more for the consulting firm
    then what he's costing YOU in damages this isn't a good Idea.


  • You may also consider ugrading your credit card processing software/provider. There are 3rd party providers that integrate relatively easily with small ecommerce sites. Validating the credit card number (I assume you actually validate that the number and exp date are valid rather than just use a Mod 10 algorythm that anyone could generate 'valid' credit numbers). One that I have run across is http://www.2checkout.com/index.html via an on line purchase that I made. It appears that they check credit card number, exp date, AVS (billing address verification), and fraud scoring (I am assuming this since they advised to avoid using free email accounts which would raise an orders score). It also appears that 2checkout is very easy to integrate into an existing site.
    If you would like more info or a comparison between 3rd party processors, I am sure a fine Google Answers researcher would be happy to help with a follow-up question.
    Also, as a last resort for enforcement, you could also try the local authorities. Not necessarily what they do but you may find a deputy that would take interest and at least discourage repeat business.


  • Why not ask for the CVV2 number, even if you can't confirm it. It may dissuade crooks from using credit card numbers at your site if they don't have a CVV2 code as well.









    • #If you have any other info about this subject , Please add it free.#
    Your name:
    E-mail:
    Telphone:

    Your comments:


    If you have any other info about catch credit card fraud , Please add it free.
    Posted inhznj.com July 30th, 2010 edit