More suggestions from our readers on how to reduce credit card fraud for online merchant accounts
How to reduce credit card fraud for online merchant accounts, more suggestions from our readers:
There are so many ways for a criminal to get your info and use it against you, or even someone else.
I was convicted 2 years ago of fraud. I embezzled around $12,000 from my employer using other people's credit cards. I was sentenced to a short prison term and then to serve 14 years' probation. I am not writing to you to brag about what I did but to inform your visitors of yet another thing to watch for when shopping with credit cards and even more so with store charge cards. I was a manager of a retail store so had access to thousands of credit card numbers, store charge cards, and even social security numbers.
How I would take money from the company was to make a fictitious purchase using a customer's credit account (credit card or in-store card) and then within minutes I would ring through the cash register a return and return the item and the money onto my own credit cards. Then I received a Visa check card in the mail; it was like a gift for me. Now I could return credit purchases to that card and within 3 days the cash would be in my checking account. Also I didn't have to worry about the credit card companies asking where the refunds were coming from (not that they ever did).
Then I would change the address on the customers' store account so that they would never receive their monthly bill. I could even change the address on their major credit card because I had on file, on their credit application, their SS#, mother's maiden name, everything I could want to prove I was them.
I stole this money over a 6 month period. The largest single amount was around $3000. Another thing to watch out for when filling out in-store credit apps is that the store and the associates have a quota for the amount of apps they get.
We (I taught the associates under me to do this) take credit apps that were turned down the month before and change the date on them and resubmit them. Change the name by 1 letter and the social security number by 1 number and submit it to the credit department. I had several accounts approved and opened in fictitious names. I would then max out the account; the bills would then go to a fictitious address.
How was I caught? An associate working with me turned me in and received a $500 reward and 10% total of all recovered money.
The biggest advice I could give would be "stay away from in-store charge accounts." It's a thief's dream come true. -- Anonymous
I'm reading your e-zine of a couple of days ago with keen interest.
I've been hit a few (about 3 or maybe 4) times by scamsters ordering merchandise. I have implemented all of your suggestions. Most were picked up through experience or from ideas I got at antifraud.com. Here is a new twist I am trying and it seems to help.
I have decided what countries are the most likely to have scamsters in them AND be difficult for me to contact a bank there in English.
On my order form I have a pulldown menu for the "country" field. It defaults to the US and goes on to list Canada, Australia, UK, The Netherlands, and the Scandinavian countries. I figure these are semi-safe countries, since I can reach an English speaker at most any bank if I need to. One of the choices is "Other" and if they choose that, they need to fill in their country's name.
If they choose other, when they send in their order and the credit card information, they get (instead of my usual "Thank You, etc" page) a page that informs them that I cannot process an order for whatever country they typed in (I do name it specifically) until they fax a copy of the credit card billing from the bank. Or, I go on to say, I'll accept a xerox of the actual credit card (I probably wouldn't but I say it anyhow). I even tell them I'll give them $3 off their order for their trouble. What happens then is that I get a bunch of orders to ship to Romania, Pakistan, Egypt, Yugoslavia, Russia, and so on. I NEVER hear from them via fax.
That is, until the other day -- some guy in Slovenia submitted an order. Nothing happened. I had a minute so I wrote him (his email address actually looked OK, but I've been ripped off by Romanians with nice looking email addresses). I ask him to give me JUST ONE good reason why I should ship to him. I didn't swear at him.
Omigod! About an hour later I got an email apologizing for being so slow. That was followed by a fax of his card billing. Obviously computer printed on a bank form. Looked great, so I just sent the 2 shirts. (Another tipoff that it might be legit is that he didn't order 12 shirts...) I just got an email from him today (a week later) telling me he loves the shirts and they got there in fine shape.
Well, that was my ONE case of a legit order from these problem countries that I've had since my new policy.
One other little story: There was one deal where I shipped a box of about 6 or 7 shirts to Russia. Ordered by a guy in "New York". After learning a bunch about how all this works, I figured I would someday get a $200 chargeback and that jerk would have the shirts. Well, I may get charged back as it's only been 2 or 3 months, but 2 weeks ago, the shirts came back!! I had insured them with a signature needed and they were never picked up or maybe refused. Anyhow, if I get the chargeback, at least I have the goods back on the shelf. Signing for the goods doesn't, BTW, stop the Romanians. They don't mind signing at all.
Keep up the good work. Bruce
I work for IBM and we have an excellent on-line Employee Store facility that is protected by a firewall. My wife and I are separated, and she bought a very good second-hand IBM PC for her and my kids. I ordered the Lotus SmartSuite 97 for her to put on her machine for my kids to use. I entered my employee number correctly, my credit card information correctly, etc. When I put a "Ship To:" address which was different from my home address in our corporate employee data base, the software package was automatically shipped to me in Colorado instead of my wife & kids in NY. I then had to send it on to them in a 2-Day USPS mailer. This may be a little extreme, but it *does* prevent the type of fraud you describe in your latest newsletter.
A second instance of e-business (R) verification: We are allowed to offer Employee Sales offerings to friends as well as family members. I gave some information to a friend who then ordered an Aptiva computer, a color printer and a scanner for herself. Before her order was processed, I received an email from Employee Sales saying that <first name> <last name> had used my employee number to order products from Employee Sales. If this was okay, I didn't have to do anything, but if the person named was not a friend of mine who was authorized to use my employee number for Employee Sales, I was to reply immediately and her order would be canceled.
There are many steps that can be taken to prevent Internet fraud, and most of them just require a little programming ingenuity. -- Tom
I appreciated the article this month very much. It is apparent that the merchant is in this alone. The police and the credit card companies show no real concern. Although they are polite and will take a report, they leave me with the impression that they put it in the round file.
More than likely this is because they are not at risk; they charge it back to the vendor, and the police have bigger fish to fry. The Internet has no discernable jurisdiction.
I have been on the Internet three years and we have kept the fraud down. We maintain a file of anyone that is turned down by us for any reason that could be fraudulent. As you explained, the free services are a problem because anyone can get an account under any name.
We have a mail order terminal and we only accept orders with a Y for everything matching. If there is any other code we call the issuing bank.
We send a confirming email to the customer. If it bounces we know it is no good. We call the telephone number if provided. Mostly I want to hear a recording with the person's name. If a business number is given then we call the number and ask for the person. If they work there that is enough.
We expect orders to be a certain amount. If the order is too much then we really check the order. Overnights are suspicious.
Most of the things that you mention are right on regarding the handling of this problem. Particularly of note is that the East European countries and Russia are very high in fraudulent sales.
If you do an international order, most of the foreign banks speak English and have 24 hour service. We request that the customer on foreign sales provide us with the bank name and telephone number.
One of the really sad problems is that if a customer complains to the Bank whether they are right or wrong the bank will debit the merchant's account. You can't even challenge it. They impose a fee of $500 just to look into the matter and it is not refundable.
If you are a mail order merchant without a signed slip you have no recourse with the bank so it is important to be very wary.
The first year we were in business we were getting two or three chargebacks a month. We have since, with extreme caution, reduced that to about 7-8 chargebacks a year.
We do between 15-20k a month in Internet sales and our average sale is $45. The point is, with an eye open to the problem and some extra diligence and without help from the banks, it is possible for the merchant to maybe not eliminate the problem but reduce the impact.
I would like to make the customers wary of another problem -- CODs. We used CODs as a payment method for six months without a problem. Then over a week's period someone put in seven or eight orders with all good information.
None of the orders were ever retrieved from the post office. We didn't lose the product but we lost the time the merchandise sat at the post office. The post office holds items 30 days. We lost the cost of shipping and the COD charges. Needless to say we stopped COD. We felt we were opening ourselves for a lot of problems from some kid thinking it was a fun thing to do.
Thank you for the wonderful service you perform. I have been getting the newsletter for some time and I will be teaching a course soon for the virtual university. I will mention your newsletter in the course.
Best regards, Harv R.
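The manual checks described in Bruce's and Harv's letters above (country chosen as "Other", AVS result, bounced confirmation email, order size, overnight shipping, the file of earlier declines), written as one order-screening function. This is an added example, not code from the newsletter or its readers; the field names, the $150 threshold, the named Scandinavian countries and the sample orders are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed values for illustration; not taken from the letters.
LISTED_COUNTRIES = {"US", "Canada", "Australia", "UK", "The Netherlands",
                    "Norway", "Sweden", "Denmark"}
EXPECTED_MAX_ORDER = 150.00  # assumption: a few times a $45 average sale

@dataclass
class Order:
    email: str
    country: str
    avs_code: str   # address-verification result from the card terminal
    amount: float
    shipping: str   # e.g. "ground" or "overnight"
    email_bounced: bool = False

def screen_order(order, declined_file):
    """Return (decision, reasons): 'accept', 'review' (phone checks) or 'hold'."""
    hold, review = [], []
    if order.email.lower() in declined_file:
        hold.append("customer is in the file of earlier declines")
    if order.email_bounced:
        hold.append("confirmation email bounced")
    if order.country not in LISTED_COUNTRIES:
        hold.append("country entered as Other: wait for faxed card statement")
    if order.avs_code != "Y":
        review.append("AVS code is not Y: call the issuing bank")
    if order.amount > EXPECTED_MAX_ORDER:
        review.append("order larger than expected: verify by phone")
    if order.shipping == "overnight":
        review.append("overnight shipping requested")
    decision = "hold" if hold else "review" if review else "accept"
    return decision, hold + review

# Constructed sample orders.
DECLINED = {"repeat@example.net"}
SAMPLES = [
    Order("pat@example.com", "US", "Y", 45.00, "ground"),
    Order("ana@example.org", "Slovenia", "Y", 60.00, "ground"),
    Order("lee@example.com", "US", "N", 400.00, "overnight"),
    Order("Repeat@example.net", "Canada", "Y", 30.00, "ground"),
]

if __name__ == "__main__":
    for o in SAMPLES:
        print(o.email, *screen_order(o, DECLINED))
```

Returning the reasons with the decision tells whoever handles the order which follow-up to make: the call to the issuing bank, the phone check, or the wait for a faxed statement.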
First -- let me say that I LOVE your newsletter. I work at an educational institution and we see lots of email from people who are trying to be helpful but who are inadvertently passing on time-consuming, bandwidth wasting hoaxes. Your newsletter address and the address for the CIAC are in a standard reply that I have set up on my email program. When I receive a "hoax chain letter" I encourage people to send those two addresses "back up the line" to the person who sent them the hoax (hoping we can create a "backwash" of true information).
Second -- for many, many years my husband (an artist) sold his work at art fairs and by mail without ever receiving a bad check or credit card. However, this past year, we have been hit several times and, like you, had to take the hit directly in our wallets. We received no help from the banks or the authorities. We are in the process of setting up an online storefront for his work and our first concern was verification of checks and credit cards. I was so very pleased to receive your newsletter and the list of resources on this topic.
Thank you! Thank you! Thank you!
Sherry Lynn B.
Your excellent note #23 was posted to AFS list.
If a merchant accepts e-gold (our mechanism enabling the use of gold as fungible, divisible medium of exchange, see
- cost is less, often MUCH less, than accepting credit cards [1%, deducted from payee, in metal, subject to maximum of USD 50 cents worth (equivalent value)]
- payments clear, irrevocably, in about 10 seconds. We're not talking confirmation number indicating guarantee of eventual payment, we mean fully clear, spendable.
- this is only possible because system does not accept spend order which would result in overdraft
There is no application process or initiation fee. We do not distinguish 'merchant' account from 'consumer' account. There is no such thing as a chargeback.
If one implements a simple system, it can be up and running with no programming in as long as it takes to whip out an html page
The definitive implementation, which automates the process and provides server-to-server positive confirmation is
It doesn't require rocket science either, and can be implemented, tested, and deployed entirely on self service basis.
We will be implementing digital certificate based digital signature this summer for improved non-repudiation. Currently we rely on SSL protected Account number and password combo, same as OFX standard for banks.
I've posted a spreadsheet to model various volume assumptions to determine degree of savings relative to credit cards
We are, so far, tiny -- but larger than the entire eCash system developed by Digicash (all issuers combined, in terms of value in electronic circulation). They (eCash) go to great lengths to obscure how dismally they are failing in marketplace.
Thanks for the most recent issue of ScamBusters, it was very informative.
I thought, however, I might share an additional caution with you about what fraudsters can do with stolen or fraudulent credit card numbers. A while ago in news.admin.net-abuse.email, a Usenet newsgroup dedicated to eliminating email spamming, there was a discussion of throw-away accounts at certain ISPs which allow near-instant activation of pay accounts with the use of a credit card. Spammers evidently have a nasty habit of opening accounts fraudulently with fake or stolen numbers.
You correctly suggest being careful with free email accounts, and as a precaution asking for a pay email address. However, one must still beware as the pay email address will not necessarily guarantee legitimacy as they may have gotten the account using the same type of fraud!
Again, thanks for a very enlightening newsletter!
- Alan K.