Credit card fraud warning signs

302 points by hamstercat about 7 years ago

39 comments

rb808 about 7 years ago
CC fraud is such a big problem, it must be a huge advantage for Amazon. Most of their purchases come from repeat customers that they can be confident exist. Smaller shops have to figure that out nearly every purchase.

I never thought of that before. Maybe there should be a shared central repository of who are known good customers/address/cc combinations, or maybe that is what Stripe etc. do already.
ohthanks about 7 years ago
I periodically deal with recurring fraud from what seems to be a pretty organized network.

- Orders are placed with stolen credentials with correct billing info that matches AVS.
- Ship-to addresses are located near billing info, typically in the same state/metro area.
- They are often rural addresses, trailer parks, what appear to be rent houses that may be empty.
- Phone number provided has correct area code and rings a call center that has stolen billing info available and will confirm billing address order details verbally.
- IP is geolocated at/near the billing info area via a proxy.
- Email addresses are often set up on custom domains.

We catch them, but only because they don't vary the pattern much and we know what to look for. I don't know how fraud tools would be able to effectively filter in these cases without a lot of false positives.
dawnerd about 7 years ago
Fraud prevention can also be extremely annoying to customers when not done correctly. I've yet to be able to buy something from Newegg without them cancelling the order saying it's fraudulent. I'm not sure why they still continue to flag my orders considering I've contacted them every time and they've ended up authorizing it. At least now they don't immediately blame my credit card...

If it was a smaller company and more of an impulse buy I could see a bad system definitely hurting sales. I'd probably not order from Newegg again if they weren't one of the few places that ship hard drives correctly and have reasonable prices.
namibj about 7 years ago
In Germany we have a system called 'giropay', which is basically instant wire transfer via your online banking. With this system the merchant gets a guarantee from the consumer's bank (as it seems, but I am not sure who in the pipeline eats the cost, as the contracts are ask-only), so that even if there was fraud, he will not lose the money. This does limit it to 10k EUR per transaction, which should be enough. The merchant receives the money within 2 bank days in his account, and the max fees for the merchant are 0.89% with a minimum of 33ct, but volume discounts seem likely.

What I don't understand is why the US was not able to set such a system up, but I assume it's related to the general distaste for chip+pin, as well as any sensible security mechanisms for online banking. Yes, pushTan and mobileTan are usable, but they only work if you have a phone you trust with the deductible applicable in case of phishing, or, if you have actual reason to not trust it, the daily online banking limit.
mleonhard about 7 years ago
I love the artwork behind the article: https://www.candyjapan.com/static/credit-card-fraud_s.png
illustrioussuit about 7 years ago
I like how the author doesn't immediately reject orders if they have just one sign (IP address country different from shipping country, shipping to a reshipping center, etc.) but looks at all the indicators as a whole to make a decision.

Edit: isn't this how Stripe Radar[1] works?

[1]: https://stripe.com/us/radar
DoubleGlazing about 7 years ago
My old employer, a phone retailer, would check how long the user had been browsing the site and what they looked at.

We noticed that legit customers tended to take their time on our site. They would look at several pages and not immediately add something to the basket and checkout.

Of course, some legit customers would demonstrate the same pattern, particularly when a new phone was launched - but that wasn't too common.

So if the user spent less than five mins on the site before checking out, or if they only looked at one product page, then that order would automatically be flagged for manual review. 60% of those orders were rejected.
Johnny555 about 7 years ago
Overaggressive fraud protection can lose customers as well.

I placed an order to be shipped to my new address from a merchant I'd ordered a dozen times before for home and work. 2 days after the day the order was supposed to ship, they suddenly canceled it due to "security reasons".

I've stopped using that merchant.
madamelic about 7 years ago
Reshipping centers, I don't want to sound weird, are basically hives of scum and villainy in my opinion.

I was selling something on eBay (a phone) and I got a really weird address, it was a shipping center.

I googled around because I got a strange vibe, apparently, this shipping center had this issue all the time and didn't really care to stop it. I got a horrendous review from the person because I canceled the order and refused to ship it.

I am wondering if fraud is honestly the business model of shipping centers. I can't really think of a good use for them nowadays, especially in a consumer context.
4ad about 7 years ago
> Using an inconsistent and unlikely email address [...] By "unlikely" I mean one that no reasonable person would want to have, usually containing a big batch of numbers in it.

This is awful.

I create random e-mail addresses for every online merchant I have to interact with. It's by far the best way to avoid both real spam and "promotional message" spam.

I don't even use my "real" domains, because anybody who knows my name and the domains I use can construct my personal e-mail addresses. I have special domains dedicated to online commerce, and they look pretty random.
reembs about 7 years ago
Some companies today offer a fraud prevention solution which is covered, meaning they will pay the merchant for whatever fraud transaction slips through their systems. These companies employ pretty sophisticated methods as this is their core business. I work at one such company, Forter. We take pride in the fact that we approve more than the others would, and we take complete financial responsibility for our mistakes so merchants just don't have to deal with it...
a-dub about 7 years ago
Now that everyone has smartphones, I wonder if you could do something with the camera... like require a photo or video of the physical card in front of some visual token on the screen for orders that don't ship to the billing address on file...
supernova87a about 7 years ago
You would think with the amount of value / fraud at stake, Visa/MC/AMEX themselves would invest in fraud detection technology and offer that as a service to their participating banks and merchants.

They have so much more volume and cost absorption capability that they could spin up a much more talented / sophisticated detection group than any individual bank or merchant could, you would think? And charge for it accordingly?
jerzyt about 7 years ago
I've had a case of someone walking into a Verizon store, buying 4 new iPhones and charging them to my account. The amazing thing is that between phones, tablets and hot spots, my family has 7 mobile devices. The perpetrator did not upgrade any of the existing phones, but created 4 new phone numbers. This should have been a huge warning sign. I'm 100% convinced that the person at Verizon was in on this. In addition, over the next few days, they made thousands of dollars in international calls. To Verizon's credit, they were great at resolving the mess for me as an individual customer, but in the end they ate the cost, which means that it got diluted to all the customers.
inetknght about 7 years ago
I find it strange that the de-facto thing to do for fraud is to simply not accept the order. Why not report the fraud to authorities instead?
inertial about 7 years ago
The bad part of credit card fraud is that the card network, issuing bank & gateways pass on the liability to the small merchant. There is always a looming risk of losing your account & business due to excessive fraud, something over which you have no control at times. If you become over aggressive with fraud protection, you risk not only losing revenue but pissing off genuine customers.

Your gateway would tell you that as a merchant, it's your job & responsibility to accept a charge & related risk of fraud. Well, if big guys handling billions of payments can't catch fraud, it's quite easy for a small guy to miss it as well.

When you are selling a digital product, it's very difficult to win a chargeback. Some low level bank employee hardly cares about your meticulous documentation & proof that you delivered the product.

3D secure is one way to shift liability to issuing bank but it only works for the first charge (not recurring subscription). There are lots of reasons for getting hit by incorrect chargebacks e.g. mistake on part of a customer because they didn't recognize, customer's card getting stolen midway during a subscription, unhappy customer who wants a refund after using your service for months etc.

I wish the industry would side with the merchant as well at times i.e. maybe a rating system to see how easy is the merchant's cancellation / refund policy etc.
mcherm about 7 years ago
You know... there is one entity that is reasonably well funded, has incredibly strong capabilities for card fraud detection, and is well motivated to identify the fraud: the credit card companies.

(I work for one, which makes me especially interested in this topic. But I don't work in that particular area, nor do I speak for my employer.)

It makes me wonder whether some sort of collaborative fraud detection might be possible. As the merchant, you have access to additional information that the credit card company lacks -- things like the customer's name and the delivery address are (as this article explains) very helpful in detecting fraud, and these are data that the credit card company does not have access to. And of course the credit card company has access to information like the customer's purchase history and their recent transactions, which are useful for identifying fraud from a different direction. If both sources of data were available, it might be possible to detect a higher percentage of fraudulent purchases, and merchants who ship goods could be provided with the information so they could delay or cancel the shipment.

Do you think merchants would be interested in such a program?
47 about 7 years ago
If you really care about your customer you should be worried about false positives. I hope as a business you do not cancel customer orders because your fraud detection system has flagged them.

Depending on your scale you may be using 3rd parties like Sift Science, Stripe Radar or roll your own fraud detection system.

Flagging orders as potential fraud is the easier part these days. The difficult part is how to come up with a process to verify these flagged orders. This process needs to be simple and quick. Because essentially you are saying to your customer we think you are a fraud and can you prove that you're not.

Banks' merchant checks to verify flagged orders are extremely cumbersome. They require you to call a special phone number (which is different for each bank) and provide customer Name, Billing Address, Billing Phone and Credit Information. Then they can only give you a response whether it is a match or not. They can't tell you whether it has been reported stolen or anything else for privacy reasons. At scale this is a very time consuming process. It becomes even more cumbersome if you are a security conscious business and do not store customer credit card information. In that case you have to communicate with the customer asking them to call you to provide your credit card information again.

There are solutions like 3D Secure but they are not widely supported and add their own problems. It is high time credit card companies start providing merchants with a 2nd factor check for transactions. For example maybe once a transaction is placed with a merchant, they can trigger a 2nd factor check whereby the bank automatically sends a code to their email/phone number on file. If the customer is able to provide a correct code the merchant can proceed with the order.

Fraud detection will always remain a point of contention between customers and businesses. I just hope businesses make sensible decisions based on their situation. For example I have seen legitimate customers with all the above cases mentioned in the article.
trumped about 7 years ago
Today my bank detected a fraudulent transaction on my CC. They blocked the transaction right away and cancelled my card after confirming it with me... so they probably can prevent a lot of these cases. Very interesting article nonetheless...
rossdavidh about 7 years ago
My wife had to learn just about every one of these lessons the hard way in the first few years of running her own (small retail) business. In retrospect, we should have posted the hard-learned lessons online. I'm glad this person did.
stronglikedan about 7 years ago
> Later on when the post attempts to deliver it, they will at some point realize that the country is wrong and reroute it to the correct country

Will they? Or will they return it to sender with a bad address note? Would the rates be different by country?
mostlyjason about 7 years ago
If fraud is such a problem for stores, would it make sense to offer a discount for payment methods like bitcoin that don't allow chargebacks? This could reduce the cost of doing business by guaranteeing payment.
tzs about 7 years ago
> Two bonus signs for the end. You can use a Geo IP database to check if the shipping address country differs from the IP address country. That's a weak sign (people do place orders while traveling, or to friends in other countries), but can break the tie if there is another suspicion.

You can add to that using the first few digits of the credit card to look up the card issuer. If the card is from a bank that does not have a presence in either the region the order is coming from or the region it is being shipped to, that order probably merits a closer look.
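Added example (not part of tzs's comment or the article): one way to combine the two signals discussed above, the weak Geo IP versus shipping-country mismatch and the card-issuer region check. The BIN table, card numbers, field names and the `other_suspicion` flag are constructed for illustration, and the IP country is assumed to have been resolved already with a Geo IP database.

```python
from dataclasses import dataclass

# Constructed BIN table: first six card digits -> countries where the issuer
# has a presence. A real deployment would load a licensed BIN database.
BIN_TABLE = {
    "411111": {"US"},
    "522222": {"DE", "AT"},
    "433333": {"JP"},
}


@dataclass
class Order:
    card_number: str
    ip_country: str                # assumed output of a Geo IP lookup
    ship_country: str
    other_suspicion: bool = False  # any other warning sign already noted


def issuer_countries(card_number, table=BIN_TABLE):
    """Return the issuer's countries, or None when the BIN is unknown."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    return table.get(digits[:6])


def signals(order):
    """List the warning signs present on one order."""
    found = []
    if order.ip_country != order.ship_country:
        found.append("ip_ship_mismatch")
    issuers = issuer_countries(order.card_number)
    if issuers is None:
        found.append("unknown_bin")  # informational only
    elif not issuers & {order.ip_country, order.ship_country}:
        found.append("issuer_absent_from_both_regions")
    return found


def needs_review(order):
    """Queue for manual review; never auto-reject on these signs alone."""
    found = signals(order)
    if "issuer_absent_from_both_regions" in found:
        return True
    # The country mismatch is weak: it only breaks a tie when something
    # else already looks wrong (travellers and gift orders trigger it).
    return "ip_ship_mismatch" in found and order.other_suspicion


if __name__ == "__main__":
    for o in (
        Order("4111 1111 1111 1111", "FR", "US"),        # traveller
        Order("4111 1111 1111 1111", "FR", "US", True),  # plus another sign
        Order("4333 3300 0000 0000", "US", "US"),        # issuer elsewhere
    ):
        print(signals(o), "review" if needs_review(o) else "ship")
```
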
dottrap about 7 years ago
So if you see one of these warning signs, what should you do?

What if it is a legitimate order? You don't want to turn down a real customer?

I presume if you try contacting the person and asking them if it is a fraudulent order, they will deny it. (I suppose if you can't reach them, that is good enough indication to cancel the order as fraudulent.)

Can you call the credit card companies or payment processors and ask them to do their own fraud checks to see if it is okay, or are they going to leave you on the hook if it still goes bad? (I suspect the latter.)
djrogers about 7 years ago
I cannot imagine running a business where I ship things to people for money without doing address verification. In the mid 90s one of my first database related jobs was parsing the complete US address list we purchased from the USPS and comparing it to our internal mailing list - the process has gotten much simpler over the years.

This would have prevented 3 of the problems on this list, and would also result in a much lower rate of failed deliveries (expensive)...
TekMol about 7 years ago
When you accept credit cards, how long do you have to wait until you know the payment went through? Could you simply wait that amount of time for every order?
bjacobs about 7 years ago
Run an e-commerce business that sells tires.

It seems that a common pattern that's arising is for a bad actor to use a foreclosed property or rental to ship to, within spitting distance of the billing address, then have the carrier redirect to a pickup store, such as the Fedex store.

They have absolutely no problem walking into the store and signing off, all on camera. Troubling times.
pitahummus about 7 years ago
I work with Signifyd. We are expanding and hiring more Data Scientists and Fraud Analytics ninjas. Apply through the website. We do care about approving good orders while stopping fraudulent ones. In case of a chargeback, we guarantee it.
stef25 about 7 years ago
Doesn't Stripe cover some / most of this?

There are some settings, or at least an overview in the dashboard where you can see if the address was verified and it matched the one on the card. Using billing / shipping address in your order form is obviously for this reason.
rdl about 7 years ago
I’m fine with fraud detection like this, but probably 90% of my ordering is a credit card, through a VPN, or sometimes from a foreign country, shipped to a freight forwarder, with a VOIP PSTN number. There have to be ways to get around this for false positives.
inopinatus about 7 years ago
The payment service I use (Pin Payments) can include a random value in the payment card narrative, allowing you to hold delivery until the cardholder authorises dispatch with the correct code.
petraeus about 7 years ago
A velocity report is the only real way of pro-actively catching fraudsters. Something like IP address by alias or something similar.
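Added example (not part of the comment above): one reading of a velocity report of "IP address by alias", counting how many distinct customer names order from the same IP within a sliding window. The order records, field names, 24-hour window and threshold of 3 are assumptions, and the IPs are documentation-range addresses.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def velocity_report(orders, key="ip", alias="name",
                    window=timedelta(hours=24), threshold=3):
    """Return {key value: peak count of distinct aliases inside any window}."""
    by_key = defaultdict(list)
    for order in orders:
        # Normalise aliases so "Dee Kim" and "dee kim " count once.
        by_key[order[key]].append((order["time"], order[alias].strip().lower()))

    report = {}
    for value, events in by_key.items():
        events.sort()
        in_window = Counter()  # alias -> orders currently inside the window
        start = peak = 0
        for when, name in events:
            in_window[name] += 1
            # Evict orders older than `window` relative to the current one.
            while when - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            report[value] = peak
    return report


# Constructed sample orders (made-up names, documentation-range IPs).
T0 = datetime(2018, 4, 27, 9, 0)
SAMPLE_ORDERS = [
    # Three different names from one IP in two hours.
    {"ip": "203.0.113.7", "name": "Ann Lee", "time": T0},
    {"ip": "203.0.113.7", "name": "Bob Roy", "time": T0 + timedelta(minutes=20)},
    {"ip": "203.0.113.7", "name": "Cy Diaz", "time": T0 + timedelta(hours=2)},
    # Repeat customer, then a second household member days later.
    {"ip": "198.51.100.20", "name": "Dee Kim", "time": T0},
    {"ip": "198.51.100.20", "name": "dee kim ", "time": T0 + timedelta(hours=1)},
    {"ip": "198.51.100.20", "name": "Eli Kim", "time": T0 + timedelta(days=3)},
    # Shared IP with three names, but spread over a week.
    {"ip": "192.0.2.44", "name": "Fay Wu", "time": T0},
    {"ip": "192.0.2.44", "name": "Gus Ito", "time": T0 + timedelta(days=3)},
    {"ip": "192.0.2.44", "name": "Hal Oye", "time": T0 + timedelta(days=6)},
]

if __name__ == "__main__":
    for ip, peak in velocity_report(SAMPLE_ORDERS).items():
        print(f"{ip}: {peak} distinct names within 24h -> manual review")
```

The same function reports other pairings, such as distinct cards per shipping address, by passing different `key` and `alias` field names.
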
sho about 7 years ago
> One time when I tried googling for an address, I found that the person was also active on a forum for trading stolen credit card details. That was a bad sign

Ha. You don't say!
victor106 about 7 years ago
I have a genuine question that is kind of unrelated to this discussion:-

What is special about Japanese candy? Is it the packaging? The ingredients?
sytelus about 7 years ago
Naive question: Why should the merchant be worried about this? Isn't it the responsibility of the CC company to back up the promised credit? If someone unauthorized used someone else's CC then shouldn't the CC company swallow that loss?
TekMol about 7 years ago
Another Problem that goes away with crypto currencies.
jdietrich about 7 years ago
Don't roll your own crypto, don't roll your own fraud prevention.

Stripe include very sophisticated fraud prevention in their standard pricing and charge pennies per transaction if you're on custom pricing. Numerous third-party providers offer excellent fraud detection and prevention tools for CNP transactions. Unless you're big enough to have a dedicated fraud prevention team, just leave it to the professionals.
notafraudster about 7 years ago
A better approach to writing this article would be to gather a wide array of customer features, fit a model using training data from actual fraudulent/non-fraudulent orders, and then interpret the model to explain the features actually connected to fraud.

My guess would be that given there's no reason to believe a particular functional form or additivity of effects, a random forest would likely be the most effective classifier, but ultimately I'd just go with whatever empirically does best on the test set.

As-is the article is basically a pretty naive approach to feature engineering a few features that may or may not ultimately be useful in the real data. It's a cute anecdote, but hire a data scientist.
ehsankia about 7 years ago
Slightly off-topic, but last time CandyJapan made it onto HN, I decided to sign up and give it a try, and was very underwhelmed. I canceled after two boxes. They each contained 3-4 candies, and over half of them were very basic candies such as chocolate. In total I think only a single one was the "cool" kind of candies you associate with Japan. Honestly in the ~8 candies I tried, not a single one was even really edible or interesting.

Also, I'm not sure how much of this is their, but a lot of the candies had also melted and re-solidified into a single chunk.