
Nothing is certain, except death and taxes .. and chargebacks - mahmoudimus
http://blog.balancedpayments.com/death-taxes-chargebacks-balanced/
======
jasonlotito
I'm surprised the part on combatting friendly fraud (4.2) didn't include a
part about contacting the customer directly, most likely via phone. If you are
in an industry where this occurs more often, you might even want to invest in
telephone authentication. While it won't stop the friendly fraud, it will be a
deterrent.

Anyways, contacting the customer can usually get things resolved as well, even
if they went straight for the chargeback.

Never underestimate human contact. You might be surprised why they went with a
chargeback. Some just think it's the way to get a refund for something that
was wrong. Yes, sometimes the person is just being a douche, in which case you
can assure the person that you thank them for reporting the case, and that you
will be following up by filing a police report. When they realize what
information you have available, some are quick to want to work something out;
usually that involves calling the bank in a 3-way conference call and
canceling the chargeback.

It won't always work, but the nature of chargebacks means every little bit
helps.

Again, this also depends on the nature of the industry you are in.

~~~
jacquesm
The best way to combat friendly fraud is extensive logging and 3DS.

~~~
jasonlotito
Yes for logging.

3DS, while effective, is not a bulletproof solution. Requiring 3DS
transactions will impact sales, and can impact them enough that it's better to
not use it. I always recommended a scoring approach (reach a certain
threshold, and we require 3DS).

Even still, 3DS only affects the initial transaction. Any recurring payment
won't benefit from the 3DS transactions. There are ways to encourage 3DS use
(discounted membership fees if one performs a 3DS transaction), but outside of
games like that, 3DS only affects the transaction it's made with.

------
nym
Use digital cash- no chargebacks, no middlemen.

The best option today if you don't want chargebacks is adopting Bitcoin for
payments (like how Reddit did for Reddit Gold with Coinbase).

<http://blog.coinbase.com/post/40131065845/hosted-payment-pages-email-invoices-and-more>

~~~
jareau
What happens if bitcoins are purchased with a credit card? Who will be
responsible for the chargeback in that case? Coinbase?

~~~
JoshTriplett
Yes, if a bitcoin exchange accepted credit cards, they'd be on the hook for
any chargebacks. Hence why most of the existing exchanges want a bank transfer
instead.

In theory, a bitcoin exchange should have a near-perfect defense against
chargebacks for faulty or missing products or similar, by showing via the
public block chain that they delivered the purchased product as requested.
However, there's no defense against chargebacks claiming that the cardholder
didn't make the purchase (stolen card number, etc).

~~~
jareau
What if the buyer does a reversal of the bank transfer -- usually possible up
to 60 days afterward? (I swear I'm not trolling. I'm new to bitcoin exchanges.)

~~~
Judson
ACH transfers are reversible and a few bitcoin exchanges have been bitten by
them since most have/do take Dwolla, which is a nice service for ACH
transfers.

Bank wire transfers, though, are unable to be reversed. It's a pity that most
US banks charge for them.

~~~
jareau
Yeah, the US banking system is pretty pitiful in general. We (Balanced) are
trying to make it a little bit better by making ACH faster and easier to
integrate, but we can't do much about reversals. [shameless plug] For example,
check out our ACH payouts feature:
blog.balancedpayments.com/announcing-balanced-payouts/

------
mrweasel
I would actually be interested in knowing how others deal with a certain type
of fraud.

We currently have an issue where someone is using stolen credit cards to buy
"digital goods".

We're in the UK and Scandinavia, so we started out blocking purchases of digital
goods from the UK. Fraud goes to zero right away.

The fraudsters move to using stolen UK credit cards in Denmark, via a large
number of Danish IPs, fine... We'll just require that the card is issued in
the country where your IP indicates that you're located (not 100% correct,
but close enough).

At this point fraud has been reduced to zero for a few weeks. The next we
really were not expecting. The same pattern of buying starts showing up,
seems like fraud and it turns out it is. We now see stolen Danish credit
cards.

At this point we're more or less reduced to having to approve every purchase
manually. The only real solution currently is 3DSecure for MasterCard or
Verified by VISA. These solutions are very American and not at all what
European customers expect to see. Enabling 3DSecure scares off legitimate
customers, but it's currently the only solution.

The article looks at high velocity; that does nothing in some cases. If people
are out to scam you, they will appear as a new customer from a new IP, with a
new card.

CSC are useless, these are stolen all the time.

AVS is supported by almost no one.

Looking at transaction amount compared to the mean doesn't really work when you
mostly sell one product at a time.

Recently created accounts are actually a good indication of fraud, but mostly
you have false positives.

Blocking high-risk countries doesn't work for digital goods.

Large distance between IP and billing address, doesn't work well in smaller
countries, but worth considering. Somewhat difficult to implement though.

High number of cards from the same person... That never happens. Our legitimate
customers are the only ones that might use different cards. In the case of
fraud, cards and accounts are often used only once.

It's not that the article is a bad write-up, but none of the information will
protect you against someone that wants to scam you. Physical products are
easier to safeguard, because the bad guy will need to pick it up at some
point; digital goods are a lot harder to secure.

~~~
brandonb
My company (Sift Science) uses machine learning to fight fraud, and we work
with customers who sell digital goods. You're right that normal country
blacklisting, IP blocking, AVS, CVV, etc. aren't terribly effective.

I think some effective techniques for digital goods are: 1) behavioral
signals, such as how long the user spent browsing your site before making a
purchase, 2) physical device -- have I seen activity from this particular
machine before, even if they're going through a proxy to use a fresh IP? 3)
e-mail address -- is it a legitimate domain? an obvious throw-away account?,
4) mismatch between IP and billing info (as you noted).

In general, fraudsters switch tactics with surprising frequency, so I'd highly
recommend combining multiple types of data into a machine learning system that
will adapt. Otherwise you're going to spend a lot of time tuning rules.

And if you're looking for help, feel free to send me an e-mail:
brandon@siftscience.com. My company deals with fraud all the time. Even if we
can't help, I'd be happy to point you to others who can.

~~~
whit537
Brandon's a great guy, very proactive and helpful. We didn't have quite enough
volume yet (w/ Gittip) to use his services, but I have a positive opinion of
him.

E.g.: <https://github.com/zetaweb/www.gittip.com/pull/387>

~~~
brandonb
Thanks Chad! It's a pleasure to work with people like you!

------
michaelbuckbee
Balanced is burying the lede on this, the final table of correlations between
payment information signal failures and incidence of fraud is pretty
fascinating.

~~~
jareau
A single user attempting purchases with many different credit cards is
fraudulent 100% of the time!!

~~~
huhtenberg
This probably assumes that all cards are under different names.

~~~
dangrossman
The merchant doesn't know what name is on the cards. It's still virtually
guaranteed fraud when one person presents more than 2 or 3 cards on your site
in a short period.

~~~
Domenic_S
Too bad you can never know what "one person" is.

~~~
dangrossman
In theory, everything can be evaded. In practice, it won't be. If you run your
transactions through something like MaxMind MinFraud with Device ID, you will
know it's the same person, even if they clear cookies, switch proxies and
re-register on your store between every card. It costs half a penny per
transaction; anyone can afford basic risk scoring.

Most of the time that kind of tech isn't even necessary. The types of
criminals most online stores deal with are not sophisticated; they're just
people that paid $1/number for a list of phished credit cards on a black
market forum who are going to enter them one-by-one on a few websites to see
which haven't been reported stolen yet.
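
As an added illustration (not part of the thread and not any poster's or vendor's code), the signal discussed above, one device presenting several distinct cards in a short period, can be checked with a sliding window over payment attempts. The log format, device IDs, card fingerprints, the 30-minute window and the threshold of 3 are constructed assumptions; a real device ID would come from whatever fingerprinting service the merchant uses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp device_id card_fingerprint result"
SAMPLE_LOG = """\
2013-02-21T10:00:05 dev-A card-1111 declined
2013-02-21T10:01:10 dev-A card-2222 declined
2013-02-21T10:02:30 dev-B card-9999 approved
2013-02-21T10:03:00 dev-A card-3333 declined
2013-02-21T10:04:45 dev-A card-4444 approved
2013-02-21T10:05:00 dev-C card-5555 declined
2013-02-21T10:05:20 dev-C card-5555 approved
2013-02-21T18:30:00 dev-C card-6666 approved
2013-02-22T09:00:00 dev-C card-7777 approved
"""


def parse(log):
    """Yield (timestamp, device, card, result) tuples from the sample format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, device, card, result = line.split()
        yield datetime.fromisoformat(ts), device, card, result


def flag_card_velocity(attempts, max_cards=3, window=timedelta(minutes=30)):
    """Map each flagged device to the time it first exceeded max_cards
    distinct cards inside the sliding window."""
    recent = defaultdict(deque)  # device -> (timestamp, card) pairs still in window
    flagged = {}
    for ts, device, card, _result in sorted(attempts):
        q = recent[device]
        q.append((ts, card))
        # Drop attempts that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        # Count distinct cards, so a retry of the same card is not penalised.
        distinct = {c for _, c in q}
        if len(distinct) > max_cards and device not in flagged:
            flagged[device] = ts
    return flagged


if __name__ == "__main__":
    for device, when in flag_card_velocity(parse(SAMPLE_LOG)).items():
        print(f"{device}: more than 3 distinct cards in 30 min at {when}")
```

Here dev-C retries one card and later uses two others over the following day, so it is not flagged; only dev-A, which cycles through four cards in five minutes, is.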

------
robertst
It would be interesting to see how this compares to other merchants and/or
other payment processors. Does anyone have another source?

~~~
npcomplete
(I wrote the post) I am not aware of any. That's actually one of the
motivations to do this. Someone needs to start!

------
thebooktocome
It's a pity they didn't bother to run it through a spellchecker first.

~~~
mahmoudimus
Sorry about that! Just did a proofread for obvious errors and I think I got
them all. I'm omw out now, but I'll take another look when I get back.

It's open source, you're welcome to contribute a fix:
<https://github.com/balanced/balanced.github.com/blob/master/_posts/2013-02-21-death-taxes-chargebacks-balanced.md>

~~~
thebooktocome
You're telling me you've crowdsourced your editing for marketing materials?

Tell me you're not serious.

~~~
mahmoudimus
It's just part of being an open company, read more here:
<http://blog.gittip.com/post/26350459746/the-first-open-company>

We crowdsource feedback for a lot of things we do @ Balanced. For example,
we've openly discussed pricing
(<https://github.com/balanced/balanced-api/issues/48>), etc.

Everything's on <https://github.com/balanced/balanced-api>. We're trying a
different approach to payments, for once. Openness and transparency.

~~~
whit537
:D

------
codenerdz
I wonder how Balanced Payments would deal with 'item not as described' fraud.
Something that happened with me here:

<http://news.ycombinator.com/item?id=4867484>

~~~
mahmoudimus
Hey there, I'll ping npcomplete to answer this one. He has some thoughts on
"item not as described" fraud.

------
josscrowcroft
That's super weird- I had my first chargeback today, from a customer who
didn't even attempt to get in touch and ask for a refund... apparently this is
quite common!

~~~
mrweasel
Not common, standard. Having the customer contact you isn't a frequent
occurrence, depending on where you do business. The British do not wish to
talk to you, they assume that you're the one trying to defraud them by
default. Swedes will pretty much never do charge backs.

~~~
fudged71
It always fascinates me when the global nature of software uncovers quirky
cultural differences.

------
nova
About the first ones: Unless you are a libertarian transhumanist, I guess.

