'Don't Be Victimized by Online Credit Card Fraud -- Prevention Tips' By T.J. Walker
Don't Be Victimized by Online Credit Card Fraud -- Prevention Tips
If you are accepting online orders and would like to greatly reduce your exposure to credit card and check fraud, implementing protective measures can reduce online fraud by approximately 80%. If you would like to have access to more tools and techniques to further reduce and automate this fraud prevention, please consider becoming a member of AntiFraud.Com (http://antifraud.com).
Please note: Some of the techniques contained below require a working knowledge of .cgi scripts and HTML coding. We cannot provide technical support or explanations for non-members. However, most competant webmasters will be able to easily implement these tools and techniques.
This material is adapted from a series of articles written by the founder of AntiFraud.Com that originally appeared in the online newletter The VirtualPromote Gazette.
The Internet is the perfect environment for every crook, thief, and pickpocket to ply their trade with almost complete anonymity. Being in the online software business, I have seen a tremendous increase in fraudulent purchases made with stolen credit card information. In many cases, the thief has more complete and current information about the actual cardholder than the credit card company. In some cases, credit card numbers that receive an approval number turn out to be totally fictitious numbers -- based on the algorithm used to produce authentic numbers.
I recently formed an alliance with a large merchant account provider specializing in providing credit card merchant accounts for Internet and Home-Based businesses. Through working closely with the credit card companies and other online merchants, I know the bottom line is this: You, as a merchant, are the one who is going to get stiffed! The cardholder is not responsible for more than $50 of fraudulent purchases. The issuing bank of a stolen credit card really doesn't care because they will simply charge the merchant back for any fraudulent purchases, plus a $10-$15 charge back fee. In fact, the issuing banks actually make $50 on these situations. They get the $50 from the cardholder (the cardholder's obligation), then they charge back each and every merchant for all the fraudulent charges.
So why is this situation getting so bad? Technology! Yes, the very same technology that allows us to have a profitable online business also allows others to rip us off. The advent of free, web-based, non-ISP e-mail addresses such as @hotmail.com, @usa.net, @juno.com and the hundreds of e-mail forwarding addresses afford a credit card thief a perfect veil to hide behind. The free e-mail addresses can't be traced back to the real owner;it usually takes a court order to get an e-mail forwarding service to disclose customer information. For those of us in the software, subscription or membership business, the e-mail address is the only point of contact we have. That address is where our products are shipped.
To make matters worse, there are now underground software programs available that can generate an unlimited number of mathmaticaly valid, yet fictitious credit card numbers. Combine that with complete anonymity and it spells big trouble for any business conducting online commerce. In addition, there are newsgroups out there that actually post stolen credit card data. So someone picks your pocket now and ten minutes later all your data is available world-wide.
So, what can you, as a merchant, do to protect yourself -- short of not accepting online credit card orders? Over the last few month, my company has had to establish certain procedures for all online orders:
1. No order is accepted unless complete information is provided including full address and phone numbers.
2. We no longer accept any order originating from a free, web-based, or e-mail forwarding address -- the customer must provide an ISP or domain based address: one that can be traced back to a "real" person.
3. Since the list of these types of e-mail addresses is growing daily, we check every e-mail address by going to a browser and putting a www in front of the domain. Try this with firstname.lastname@example.org -- you will see that www.cyberdude.com puts you on I-names' (150+ free e-mail domains) homepage. We don't accept orders unless the e-mail/domain is a legitimate website or ISP -- something that can provide definitive identification of the e-mail address in question. This method is not fool-proof. When in doubt, go to step number 4.
4. If in doubt, we call the phone number listed on the order. We have alerted many cardholders that their card information was being used by making this phone call. On the other hand, the party on the other end may have never heard of the "customer." This results in a call to the issuing bank of the credit card to alert their fraud department.
5. We use the HTTP_USER_AGENT and REMOTE_ADDR code on all our order forms. This line works with most form handlers such as FormMail, cgiemail and others. The exact syntax varies with the form handler, but it provides information about the computer used to send the order, including the IP address. The IP address can then be traced to its owner -- usually an ISP. You can then contact the ISP System Administrator and inform them of the illegal activity. Members of AntiFraud.com are provided an automatied way to do this. Check the documentation for your particular form handler or cgi script for implementation of this input field.
6. Virtual Checks -- we receive a great number of orders via online virtual checks. While this has greatly increased our sales, the same cautions prevail. Having been burnt a few times, we now call the account holder's bank and verify the account number, account holder's name and current funds to clear the check before processing the order.
The Front Line of Defense
Isn't the policy of rejecting orders from free, web-based, or e-mail forwarding services a little severe?
After receiving several dozen credit card charge backs resulting from fraudulent orders placed exclusively through free, web-based, or e-mail forwarding addresses, we established the policy of not accepting orders from any of the over 700 such e-mail domains.
We have NEVER had a fraudulent order placed through a standard, ISP-based e-mail address. Conversely, EVERY fraudulent order has come through the free, web-based, or e-mail forwarding services.
Although adding the HTTP_USER_AGENT, REMOTE_ADDR line to your form handler to capture a "customer's" IP address helps, sometimes this information really isn't very useful. There are several sites that a crook can log onto before proceeding to any of the web-based e-mail services that offer total protection of your identity -- when you log onto one of these sites -- you are reissued a random IP address and they keep absolutely no logs of this. Hence, I can log onto one of these sites, go to the hotmail site and send e-mail, or go to a site to buy something, with absolutely no possibility of being traced.
If someone places an order using a standard, ISP based e-mail address such as email@example.com, it is fairly easy to track this individual. However, it is very difficult to track the identity of someone using one of the free e-mail services -- and if they know what they are doing,it is absolutely impossible.
All we are asking for, as a merchant, is positive identification. Would you accept a check from someone using someone else's ID? Would you accept a credit card purchase if someone signed a different name to a charge slip than was listed on the card? Virtually everyone who has a free, web-based, or e-mail forwarding address also has a tracable ISP or domain based address. That is the address I accept for online orders -- nothing less.
Has the screening of all orders cut into your sales?
No. The vast majority of people using the free e-mail services use an ISP to access the Net. Every ISP I know of issues at least one e-mail address with every account. So firstname.lastname@example.org (which one of my employees, a Mr. John Smith of 111 main street) recently registered in about 30 seconds, also has a legitimate, more easily traceable ISP issued address. We simply inform our customers that we don't accept orders through free e-mail services and ask them to use their standard, ISP issued address. We do this by placing a link on our order forms to the redflag.htm. Members of AntiFraud.Com are provided an automated way to screen against this ever growing list. Granted, there are some honest folks out there who really, truly don't have anything but a Juno.com account -- so guess what - they can call us to place the order (yes, we have caller ID on our phones).
Are there problems with real-time ordering processing?
There are many services out there that offer (for a fee or percentage) to process your orders in real-time, while the customer is logged onto the site. The first question you need to answer is whether you need to use such a service. If you are selling any hard goods that are physically shipped to an address, the answer is no. Legally, you can not even charge the customer's card until the order has been shipped. However, the option of real-time processing is very attractive to software vendors or subscription services. This convenience does have its risk.
Many real-time order processors do absolutely no pre-screening of orders. If the credit card goes through verification, the order is processed and the "customer" is immediately given a serial number or subscription user name. You, as the merchant, won't ever find out about the fraudulent nature of the order until you receive the chargeback. Yes, these services will tell you they use the Address Verification Service to insure the address provided is what the credit card company has on record, but that does not mean that email@example.com is the actual owner of that card. I am currently working with a couple of real-time processing services that are installing the same fraud prevention measures that are available to members of AntiFraud.com
The last area of concern is shipping orders out of your own country. I can sum this up with a few short sentences. Make absolutely, positively sure that you have a legitimate order before shipping anything, including soft goods, across the border. Regardless of the circumstances, regardless of the proof you may have, regardless if you have a signed confession from the crook who stole your goods through a fraudulent order, if that order went across the border, you can basically kiss it good-bye. It's hard enough here in the states to get the proper authorities to do something about credit card fraud. Try getting the authorities in a foreign country to pursue such a matter!
To sum up the situation I believe fraud committed against merchants conducting online transactions is increasing dramatically, and will continue to do so. However, there is no need to panic. While many years ago it was safe in most places to leave your house with the doors unlocked, that is no longer true. While only six months ago is was safe to blindly accept any online order, that is no longer true. But, like locking the doors to your house, protecting yourself from online fraud is really not that big a deal. Some common sense, and a few specialized tools, policies and techniques usually will do the trick.
Thwarting More Advanced Thieves, and Those From Abroad
I have recently seen an increase in the number of fraudulent orders originating from European Educational Institute domains. This is probably being conducted by college student/hackers who gain access to the school's e-mail servers.
On these types of orders, call your credit card processor, give them the first 6 digits of the card number and ask for the name and phone number of the issuing bank. If you receive an order from Romania and the Card is issued by the "First National Bank of Chicago," I would think twice about processing the order.
Unfortunately, this type of fraud is ever-changing, ever-evolving. You circumvent one method and they discover a new one. I will post revelant news to AntiFraud.com as new trends become visible. To be instantly updated with this news, please consider becoming a member of AntiFraud.Com. On one front -- the site we have been working on is up and ready to assist you. But on the other front, it seems certain criminals out there are getting a little smarter when it comes to committing online fraud. If I didn't know better, I would swear these guys must have read my previous articles and have adjusted their methods to compensate.
However, there is no reason to panic. In any criminal activity there are usually three classes of perpetrators. First, you have you rank amateurs who are easily thwarted with simple precautions. Then you have "small-time hoods" who, while a little more proficient than the rank amateurs, are not much more of a threat. Then you have the professionals. These guys do this for a living and have enough smarts to outwit the precautions that deter the others. Fortunately, their numbers are few.
You may recall some of my previous suggestions for preventing the majority of online fraud. We no longer accept any orders from a free, or web-based, or e-mail forwarding address. This list is currently over 1500. Secondly, unless we recognize the e-mail domain as being from one of the large ISP's such as ibm.net, mci2000.com, earthlink.net, etc., we always go to a browser and put a "www." in front of the e-mail domain to look at the website associated with that domain. We make a determination from there where to check further. We also use coding on our order forms that captures the IP address of the sender.
So how has the game changed? We have encountered 3 different cases of this during the last two weeks. I am not making any accusations nor condemnations, nor am I suggesting that you refuse to accept orders from the individual cited in the example below. I am merely stating facts as we discovered them. You will have to draw you own conclusions. OK -- my lawyers say I can continue now:
On February 21, 1998 at 1:53a.m. EST, an individual placed an order for our Web Promotion Spider software using the name of Alex Williams from Nashville, Tennessee. "Alex" placed his order using a Master Card and the e-mail address of firstname.lastname@example.org. Since this is neither a free nor an ISP based e-mail address, I went to http://www.dknight.com. As of Sunday, March 01, 1998, the page had nothing more than an "under construction, come back later" notice.
This made me a little uneasy so I quickly went to http://antifraud.com/ipcheck.htm to do a WhoIs on the domain name of "dknight.com". I quickly found this domain is registered to a Mr. Fahad Al Blehed with both phone and fax numbers of 000-000-0000. This made me even more uneasy so I used the same form to WhoIs the IP address he was using at the time he placed the order. You know, it's funny, the IP address of 126.96.36.199 belongs to the PTTNET Dialup Network -- out of Moscow, Russia.
Now, you can call me paranoid or overly suspicious, but I sort of doubted that Mr. "Alex Williams" of Nashville, TN, was over in Russia placing an order for web promotion software for a site that barely existed. A quick call to VISA/Master Card security confirmed the card number provided belonged to neither "Alex Williams" nor "Fahad Blehed." The card was immediately put on hold while the actually card holder could be contacted and, needless to say, I did not process the order.
Had I processed the order, I would have been out not only the $100 software but also a $15 chargeback fee when the actual card holder disputed all the charges. So, was all the extra effort worth it? It took me less than 3 minutes to complete all the steps above, including the call to VISA. I saved a $115 plus a blemish on my merchant account record. Let's see, $115 for 3 minutes of work, that works out to $2,300 per hour. My corporate attorneys barely make that much 🙂
In another case, we received an order from a email@example.com. This domain belongs to a Mr. Chong Shihwai of Shihwai Networks located in West Caldwell, NJ. Unfortunately, there is no such person. However, the individual that does live at the WhoIs-identified address for this domain has received over a half-dozen invoices from Internic for domains the real culprit has registered and is using as fronts to commit credit card fraud. In our case it was a stolen VISA card from Australia. The poor guy in West Caldwell has received hundreds of phone calls from merchants trying to track down Mr. Shihwai.
As a side note, I went the extra step in all these cases and contacted the System Administrators of both the hosting services and the ISPs to alert them to the illegal activity being conducted by these individuals. Hopefully, I stopped them from victimizing too many other merchants.
Review all the steps we use on our AntiFraud.Com site. Take an extra step or two if you are at all suspicious. You might save yourself and many others from getting burnt by these guys. If you would like additional tools and technology to automate these techniques, please consider becoming an active member of AntiFraud.Com. And, be careful out there.
As originally published in the VirtualPROMOTE Gazette (www.virtualpromote.com). Reprinted with permission.