
Credit card fraud warning signs - hamstercat
http://www.candyjapan.com/fraudulent-transaction-warning-signs
======
rb808
CC fraud is such a big problem, it must be a huge advantage for Amazon. Most
of their purchases come from repeat customers that they can be confident
exist. Smaller shops have to figure that out nearly every purchase.

I never thought of that before. Maybe there should be a central shared
repository of who are known good customers/address/cc combinations, or maybe
that is what Stripe etc do already.

~~~
arbuge
Services such as Stripe and PayPal indeed serve as central repositories for
fraud intelligence. I imagine that other payment gateways also provide a
similar function, though those two are the ones I'm personally familiar with.
We've operated a small ecommerce business for almost 8 years and although
PayPal fees are probably on the high side, fraud has been a non-issue for us.

~~~
wslh
> PayPal fees are probably on the high side, fraud has been a non-issue for
> us.

It should be an issue for you. That is because PayPal is stopping a lot of
payments with false positives. I live outside the US and using PayPal is generally
a pain in the ass.

~~~
arbuge
Hmmm... that does sound interesting. Might you have any hard data to back this
up?

If it's true I'd expect that we'd get a lot more complaints from customers that
their cards are being rejected.

~~~
hrktb
Would a customer complain to you because PayPal doesn’t cater to them?

In particular, credit card settings are multi-step and all done on the PayPal
site, I wouldn’t imagine going back to some merchant site to complain about
that process.

~~~
arbuge
I would imagine that at least some would, given that they're interested enough
in the product to initiate the checkout process.

In the absence of any hard data on this, I'm writing it off as anecdotal.

~~~
wslh
> In the absence of any hard data on this, I'm writing it off as anecdotal.

The Internet is full of these stories from people with good karma. Just look
for it on the Internet. Probably you are from one of the few countries where the
experience is different.

------
ohthanks
I periodically deal with recurring fraud from what seems to be a pretty
organized network.

- Orders are placed with stolen credentials with correct billing info that
matches AVS.

- Ship-to addresses are located near billing info, typically in the same
state/metro area.

- They are often rural addresses, trailer parks, what appear to be rent
houses that may be empty.

- Phone number provided has correct area code and rings a call center that
has stolen billing info available and will confirm billing address order
details verbally.

- IP is geolocated at/near the billing info area via a proxy.

- Email addresses are often set up on custom domains.

We catch them, but only because they don't vary the pattern much and we know
what to look for. I don't know how fraud tools would be able to effectively
filter in these cases without a lot of false positives.

~~~
move-on-by
As someone who uses a custom domain email address, this makes me sad

~~~
ohthanks
I didn't mean that a custom domain is an indicator. Just that they go to the
trouble to register throwaways for this use and it isn't limited to just free
email services.

~~~
greggarious
> I didn't mean that a custom domain is an indicator. Just that they go to the
> trouble to register throwaways for this use and it isn't limited to just free
> email services.

Yeah, I'd assume someone with a firstname@lastname.com email and a web
presence is probably an indicator it's legit rather than fraud :)

------
dawnerd
Fraud prevention can also be extremely annoying to customers when not done
correctly. I've yet to be able to buy something from newegg without them
cancelling the order saying it's fraudulent. I'm not sure why they still
continue to flag my orders considering I've contacted them every time and
they've ended up authorizing it. At least now they don't immediately blame my
credit card...

If it was a smaller company and more of an impulse buy I could see a bad
system definitely hurting sales. I'd probably not order from newegg again if
they weren't one of the few places that ship hard drives correctly and have
reasonable prices.

~~~
auganov
Years ago I used up my free DigitalOcean credits, wanted to start paying.
They asked for more details which I provided, then asked for my Facebook
profile. A pretty unusual request, but I complied. They told me the names
don't match up and just won't deal with me anymore. Literally gave me no
obvious way to proceed. Felt pretty violating to give up personal info just to
get brushed off.

Happily used AWS ever since.

~~~
slivanes
Why didn't your names match?

~~~
auganov
Had it in the diminutive form. As in Deb instead of Deborah, pretty common in
my home language.

Wish I could remember what the first step was, think it was pretty informal
too, but can't be sure. Just remember feeling dumbfounded they wouldn't simply
come back with another option.

------
namibj
In Germany we have a system called 'giropay', which is basically instant wire
transfer via your online banking. With this system the merchant gets a
guarantee from the consumer's bank (as it seems, but I am not sure who in the
pipeline eats the cost, as the contracts are ask-only), so that even if there
was fraud, he will not lose the money. This does limit it to 10k EUR per
transaction, which should be enough. The merchant receives the money within 2
bank days in his account, and the max fees for the merchant are 0.89% with a
minimum of 33ct, but volume discounts seem likely.

What I don't understand, is why the US was not able to set such a system up,
but I assume it's related to the general distaste for chip+pin, as well as any
sensible security mechanisms for online banking. Yes, pushTan and mobileTan
are usable, but they only work if you have a phone you trust with the
deductible applicable in case of phishing, or, if you have actual reason to not
trust it, the daily online banking limit.

~~~
johnymontana
Banks and credit card companies in the US have a vested interest in ensuring
that credit cards are used to purchase goods and services on credit. In 2017
total credit card debt in the US was ~$941 billion.[1] At an average rate of
15%[2] that's $141 billion per year that banks make on credit card debt
interest (not counting interest on interest and fees).

[1] [https://www.nerdwallet.com/blog/average-credit-card-debt-household/](https://www.nerdwallet.com/blog/average-credit-card-debt-household/)

[2] [https://www.creditcards.com/credit-card-news/interest-rate-report-081413-unchanged-2121.php](https://www.creditcards.com/credit-card-news/interest-rate-report-081413-unchanged-2121.php)

~~~
hoschicz
How much of the credit card debt has been paid off within a month?

------
mleonhard
I love the artwork behind the article:
[https://www.candyjapan.com/static/credit-card-fraud_s.png](https://www.candyjapan.com/static/credit-card-fraud_s.png)

------
illustrioussuit
I like how the author doesn't immediately reject orders if they have just one
sign (IP address country different from shipping country, shipping to a
reshipping center, etc.) but looks at all the indicators as a whole to make a
decision.

Edit: isn't this how Stripe Radar[1] works?

[1]: [https://stripe.com/us/radar](https://stripe.com/us/radar)

~~~
Raphmedia
From my experience, nothing drives users away faster than a false positive on
a fraud check. You immediately lose all trust in the eyes of the users.

~~~
bpicolo
Yeah, but that's something you have to accept for the positive benefits. In a
lot of online businesses, credit card fraud is just insanely rampant. You lose
a lot more money by not doing checks with the occasional false positive than
you do by not having it.

The cost of fraud is chargeback fee (usually ~15 bucks) + merchandise. It gets
expensive fast. Every modern e-commerce business has to be fighting it now to
stay alive. For certain SaaS / Software products the cost of failing to fight
it is a tad lower, but for physical products it's killer.

~~~
Raphmedia
Sure, you can't ignore fraud.

We have _a lot_ of those each month.

What is more important is to have a smart way to detect the frauds. Most
clients that had received false positives never came back even with discount
codes and apologies. Nobody likes getting stuck on a checkout page with an
error message telling them they are in the wrong.

~~~
alexbeloi
One way to optimize is to maximize expected revenue - expected cost of false
positives or fraud.

A savvy business will know (or can estimate): customer lifetime value,
false/true positive/negative rates of their fraud detection system, rate of
charge-backs, expected rate of fraudulent purchases, revenue from given
suspected transaction.

If average discounted customer lifetime value is $10k, charge-back rate is 2%,
your fraud detection false positive rate is 0.1% and true negative rate is
99.9%, fraud detection true positive rate is 95% and false negative is 5%,
customer is purchasing a $20 item. Then

* expected revenue if purchase is fraudulent: $0 * (true positive rate) - $20 * (false negative rate) = -$1

* expected revenue if purchase is non-fraudulent: $20 * (true negative rate) - $10k * (false positive rate) = $9.98

* total expected revenue value (with fraud detection enabled): (expected revenue if purchase is fraudulent) * (rate of fraudulent purchases) + (expected revenue if purchase is non-fraudulent) * (1 - rate of fraudulent purchases) = $9.7604

Without fraud detection, your expected revenue is: $20 * 0.98 = $19.6

Simplifying assumptions: false positive results in complete loss of customer
value (realistically, replace this with big drop in customer lifetime value).
Fraud rate is constant (realistically, should be modeled). Fraud rate is
charge-back rate.

In this case, it's easy to see that seemingly low 0.1% false positive rate is
still too high for this small of a purchase and these customer lifetime
values. The 'smart' decision would be to ignore fraudulent purchases of this
size in this case. (for this scenario, you need FPR below 0.004% with all else
same)

Better model still would be a fraud detector that outputs a confidence score
rather than "yes/no", and use the formula above to determine if the predicted
false-positive-rate at this confidence level is sufficiently high to expect a
revenue uplift from enabling the detector.
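
The model in the comment above, as an added example that is not part of the original thread. It goes beyond the single $20 case by also solving for the break-even false positive rate and the break-even order value. The names are hypothetical, and by default the no-detector baseline also subtracts the order value lost on the fraudulent share, which is an assumption of this example (`count_fraud_loss=False` reproduces the $19.6 figure).

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    order_value: float     # revenue from the order being evaluated
    lifetime_value: float  # discounted customer lifetime value lost on a false positive
    fraud_rate: float      # share of orders that are fraudulent (taken as the chargeback rate)
    tpr: float             # true positive rate: fraudulent orders the detector blocks
    fpr: float             # false positive rate: legitimate orders the detector blocks


# Figures quoted in the comment.
COMMENT_SCENARIO = Scenario(order_value=20.0, lifetime_value=10_000.0,
                            fraud_rate=0.02, tpr=0.95, fpr=0.001)


def ev_with_detector(s):
    """Expected revenue per order with the detector enabled."""
    # Fraudulent order: a block costs nothing, a miss costs the order value.
    ev_fraud = -s.order_value * (1 - s.tpr)
    # Legitimate order: accepted earns the order value, blocked loses the customer.
    ev_legit = s.order_value * (1 - s.fpr) - s.lifetime_value * s.fpr
    return ev_fraud * s.fraud_rate + ev_legit * (1 - s.fraud_rate)


def ev_without_detector(s, count_fraud_loss=True):
    """Expected revenue per order when every order is accepted."""
    ev = s.order_value * (1 - s.fraud_rate)
    if count_fraud_loss:
        # Assumption of this example: shipped fraud costs the order value.
        ev -= s.order_value * s.fraud_rate
    return ev


def break_even_fpr(s, count_fraud_loss=True):
    """FPR at which detector and no-detector revenue are equal.

    ev_with_detector is linear in fpr, so the crossing point is exact.
    A negative result means no FPR makes the detector worthwhile.
    """
    at_zero_fpr = ev_with_detector(replace(s, fpr=0.0))
    loss_per_unit_fpr = (1 - s.fraud_rate) * (s.order_value + s.lifetime_value)
    return (at_zero_fpr - ev_without_detector(s, count_fraud_loss)) / loss_per_unit_fpr


def break_even_order_value(s):
    """Order value above which the detector pays off at the given rates.

    Uses the baseline that counts fraud losses. Returns None when the
    detector blocks more legitimate orders than fraudulent ones, in which
    case it never pays off at any order value.
    """
    gain_per_dollar = s.fraud_rate * s.tpr - (1 - s.fraud_rate) * s.fpr
    if gain_per_dollar <= 0:
        return None
    return (1 - s.fraud_rate) * s.lifetime_value * s.fpr / gain_per_dollar


if __name__ == "__main__":
    s = COMMENT_SCENARIO
    print(f"with detector:     ${ev_with_detector(s):.4f}")
    print(f"without detector:  ${ev_without_detector(s):.4f}")
    print(f"break-even FPR:    {break_even_fpr(s) * 100:.4f}%")
    print(f"break-even order:  ${break_even_order_value(s):.2f}")
```

With the comment's rates the break-even order value comes out at roughly $544, so under these assumptions the detector only earns its keep on orders larger than that.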

------
DoubleGlazing
My old employer, a phone retailer, would check how long the user had been
browsing the site and what they looked at.

We noticed that legit customers tended to take their time on our site. They
would look at several pages and not immediately add something to the basket
and checkout.

Of course, some legit customers would demonstrate the same pattern
particularly when a new phone was launched - but that wasn't too common.

So if the user spent less than five mins on the site before checking out, or
if they only looked at one product page then that order would automatically be
flagged for manual review. 60% of those orders were rejected.
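
The rule described in the comment above, as an added example that is not the retailer's code: it groups page views by session and flags an order for manual review when checkout came less than five minutes after the first page view or after only one product page. The event format, the `/product/` and `/checkout` paths and the sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

MIN_BROWSE = timedelta(minutes=5)  # threshold from the comment
PRODUCT_PREFIX = "/product/"       # assumed URL layout
CHECKOUT_PATH = "/checkout"        # assumed URL layout

# Constructed sample clickstream: (session id, ISO timestamp, request path).
SAMPLE_EVENTS = [
    ("s1", "2018-03-01T10:06:00", "/product/205"),   # arrives out of order
    ("s1", "2018-03-01T10:00:00", "/"),
    ("s1", "2018-03-01T10:02:00", "/product/101"),
    ("s1", "2018-03-01T10:13:00", "/checkout"),
    ("s2", "2018-03-01T11:00:00", "/product/330"),
    ("s2", "2018-03-01T11:01:10", "/checkout"),
    ("s3", "2018-03-01T12:00:00", "/product/330"),
    ("s3", "2018-03-01T12:03:00", "/product/330?color=black"),
    ("s3", "2018-03-01T12:08:00", "/checkout"),
    ("s4", "2018-03-01T13:00:00", "/product/1"),
    ("s4", "2018-03-01T13:01:00", "/product/2"),
    ("s4", "2018-03-01T13:02:00", "/checkout"),
    ("s5", "2018-03-01T14:00:00", "/product/9"),     # never checks out
]


def review_flags(events):
    """Return {session_id: [reasons]} for every session that reached checkout.

    An empty list means no rule fired; any reason means manual review,
    not automatic rejection.
    """
    sessions = {}
    for session_id, timestamp, path in events:
        page = path.split("?", 1)[0]  # ignore query strings
        sessions.setdefault(session_id, []).append(
            (datetime.fromisoformat(timestamp), page))

    flags = {}
    for session_id, hits in sessions.items():
        hits.sort()  # logs are not guaranteed to be in time order
        checkout_at = next((t for t, p in hits if p == CHECKOUT_PATH), None)
        if checkout_at is None:
            continue  # no order placed, nothing to review
        before = [(t, p) for t, p in hits if t <= checkout_at]
        browse_time = checkout_at - before[0][0]
        # A set, so repeat views of the same product count once.
        products = {p for _, p in before if p.startswith(PRODUCT_PREFIX)}

        reasons = []
        if browse_time < MIN_BROWSE:
            reasons.append("short_session")
        if len(products) <= 1:
            reasons.append("single_product_page")
        flags[session_id] = reasons
    return flags


if __name__ == "__main__":
    for session_id, reasons in sorted(review_flags(SAMPLE_EVENTS).items()):
        print(session_id, "manual review" if reasons else "ok", reasons)
```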

------
Johnny555
Overaggressive fraud protection can lose customers as well.

I placed an order to be shipped to my new address from a merchant I'd ordered
a dozen times before for home and work. 2 days after the day the order was
supposed to ship, they suddenly canceled it due to "security reasons".

I've stopped using that merchant.

~~~
davidsawyer
Reminds me a lot of massive email validation regex:
[http://www.ex-parrot.com/~pdw/Mail-RFC822-Address.html](http://www.ex-parrot.com/~pdw/Mail-RFC822-Address.html)

~~~
falsedan
Can you explain the relationship?

Also, the regex is longer than the (reasonably clear) code[0] which generates
it…

0: [https://metacpan.org/source/PDWARREN/Mail-RFC822-Address-0.3/Address.pm](https://metacpan.org/source/PDWARREN/Mail-RFC822-Address-0.3/Address.pm)

------
madamelic
Reshipping centers, I don't want to sound weird, are basically hives of scum
and villainy in my opinion.

I was selling something on eBay (a phone) and I got a really weird address, it
was a shipping center.

I googled around because I got a strange vibe, apparently, this shipping
center had this issue all the time and didn't really care to stop it. I got a
horrendous review from the person because I canceled the order and refused to
ship it.

I am wondering if fraud is honestly the business model of shipping centers. I
can't really think of a good use for them nowadays, especially in a consumer
context.

~~~
pmtarantino
I use reshipping centers a lot, even if the store ships internationally. There
are two main reasons:

1 - I may buy a lot of things from Amazon. It's cheaper to pay US shipping for
X times (sometimes they are free) and only one international shipping to my
country.

2 - Customs taxes, etc. The company I use for reshipping takes care of
everything. I pay them and they deliver the items to my house at the time I
ask them to do it. If not, due to the policies of my country's customs, I would
have to attend a customs office for every item I purchased, which is a pain in
the ass.

Don't discriminate against us, please.

~~~
oh_sigh
Do the reshippers actually pay the duties to the countries or do they just
pretend like you don't need to?

~~~
pmtarantino
They pay but it is included in the price I pay to them.

------
4ad
> Using an inconsistent and unlikely email address [...] By "unlikely" I mean
> one that no reasonable person would want to have, usually containing a big
> batch of numbers in it.

This is awful.

I create random e-mail addresses for every online merchant I have to interact
with. It's by far the best way to avoid both real spam and "promotional
message" spam.

I don't even use my "real" domains, because anybody who knows my name and the
domains I use can construct my personal e-mail addresses. I have special
domains dedicated to online commerce, and they look pretty random.

~~~
cortesoft
If you go out of your way to appear fraudulent, you can't be angry when you
get flagged as fraudulent.

What do you want merchants to do? It appears you have gone out of your way to
make sure all your information is completely unconnected to you, which is
exactly the case for someone committing fraud.

~~~
megous
"All of your information" is a bit over the top don't you think? It's just an
e-mail address. It's not relevant to anything. The important info is address
and name.

I have the same system. It achieves 100% reliable spam protection with zero
false positives and zero false negatives. It's a perfect system, if I follow
some basic rules. It also eliminates phishing, except in case of unannounced
data leaks. I mark e-mails received from random e-mail addresses I generated
in the past with green color, so it's immediately obvious what is legitimate
and what is not.

It'd be a bit ironic if someone would think that I'm a fraud, because of this
system that is designed to protect me from fraud. :D

Never had an issue with businesses accepting my addresses, except one person
looking at me strangely, when I was opening a bank account with a random email
address, when I told him that no, I'll not repeat the address to him. :)

All the person on the receiving end has to do, is open the email address
domain in the browser, and there's an explanation what's up right there.

If I were a fraudster I'd make an address that looks perfectly ordinary. It's
so weird for someone to assume that weird looking address indicates fraud.

~~~
cortesoft
> It's so weird for someone to assume that weird looking address indicates
> fraud.

I mean, they aren't assuming that... they are basing it on data. They have
lots of data on fraudulent purchases, and apparently that is one of the
indicators.

------
reembs
Some companies today offer a fraud prevention solution which is covered,
meaning they will pay the merchant for whatever fraud transaction that slips
through their systems. These companies employ pretty sophisticated methods as
this is their core business. I work at one such company, Forter. We take
pride at the fact that we approve more than the others would, and we take
complete financial responsibility for our mistakes so merchants just don't
have to deal with it...

~~~
usr1106
Paying for fraud that slips through should be the easier part.

Do they compensate for lost business because of false positives? The problem
is that even the wannabe seller cannot quantify it.

On several occasions I have not been able to order something online, because
they would not accept my card.

------
a-dub
Now that everyone has smartphones, I wonder if you could do something with the
camera... like require a photo or video of the physical card in front of some
visual token on the screen for orders that don't ship to the billing address
on file...

------
supernova87a
You would think with the amount of value / fraud at stake, Visa/MC/AMEX
themselves would invest in fraud detection technology and offer that as a
service to their participating banks and merchants.

They have so much more volume and cost absorption capability that they could
spin up a much more talented / sophisticated detection group than any
individual bank or merchant could, you would think? And charge for it
accordingly?

~~~
robalfonso
Visa/MC/AMEX make a MASSIVE amount of money on Fraud - it's in their interest
to perpetuate it. I've experienced this myself with > 6 figures in CC fraud in
a month. Here is the financial break down:

Every time a customer gets a charge due to Fraud, they file a chargeback. If
we are able to contest it, all is well, otherwise they hit you with a $25-$35
fee PLUS the charge is reversed so depending on margins you are out your
costs on the transaction as well.

If the # of fraud transactions gets bad enough (even if you are working with
them diligently to get things under control) and not able to stop it, they
will charge you a chargeback penalty fee.

This essentially says you are high risk and so now give us 50,000 or 100,000
dollars or you can't accept credit cards AND you have X days to resolve this
and get your chargeback rate to a reasonable level or we will hit you with
another bigger charge in 30/60/90 days or whatever the risk management
department wants.

They may also come back and say now we've told your processor (stripe,
braintree, etc) that THEY need to charge you more because we are charging them
more to deal with you. So instead of 2.5% of each transaction they are getting
3% for example.

It all adds up to billions across the world economy, it costs them only to
deal with it administratively and they are collecting many many times that in
fees from the merchants. It is very much a scam and the average customer
doesn't realize the massive hit companies can take for the convenience of
Credit Cards.

~~~
lotsofpulp
As far as I know, chargeback is always at least $35, even if merchant wins.
Big retailers might be able to negotiate this.

------
jerzyt
I've had a case of someone walking into a Verizon store and buying 4 new iPhones
and charging it to my account. The amazing thing is that between phones, tablets
and hot spots, my family has 7 mobile devices. The perpetrator did not upgrade
any of the existing phones, but created 4 new phone numbers. This should have
been a huge warning sign. I'm 100% convinced that the person at Verizon was in
on this. In addition, over the next few days, they've made thousands of
dollars in international calls. To Verizon's credit, they were great at
resolving the mess for me as an individual customer, but in the end they ate
the cost, which means that it got diluted to all the customers.

------
inetknght
I find it strange that the de-facto thing to do for fraud is to simply not
accept the order. Why not report the fraud to authorities instead?

~~~
michaelbuckbee
Fraud falls into a weird category of crime where:

- happens globally (far outside of local police jurisdiction)

- per event small monetary value

- widespread but difficult to tell how connected (is it tens of thousands of
fraudulent events from a single actor or tens of thousands of different
actors?)

All of which adds up to there not being a clear cut law enforcement agency to
handle these types of things (aka you can't reasonably ask the local police to
help you track down a scammer in Singapore).

~~~
splonk
Yeah, essentially no local law enforcement is going to care about some guy
successfully scamming you for a $100 chargeback. We were basically told not to
bother for anything under $25k from a single actor, and even for amounts over
that I think we only managed to get law enforcement action through personal
contacts.

I think the one case that law enforcement did act on was a group that was
using a newly built neighborhood as a drop point for stolen goods. It was
complete enough that there were addresses to ship to, but nobody was living
there yet, so it was easy to just pick up packages off the front steps. From
what I heard, the police ended up picking up some guy with a truck full of
iPods who was just going house to house picking up the deliveries.

------
inertial
The bad part of credit card fraud is that the card network, issuing bank &
gateways pass on the liability to the small merchant. There is always a
looming risk of losing your account & business due to excessive fraud,
something over which you have no control at times. If you become over
aggressive with fraud protection, you risk not only losing revenue but pissing
off genuine customers.

Your gateway would tell you that as a merchant, it's your job & responsibility
to accept a charge & related risk of fraud. Well, if big guys handling
billions of payments can't catch fraud, it's quite easy for a small guy to
miss it as well.

When you are selling a digital product, it's very difficult to win a
chargeback. Some low level bank employee hardly cares about your meticulous
documentation & proof that you delivered the product.

3D secure is one way to shift liability to issuing bank but it only works for
the first charge (not recurring subscription). There are lots of reasons for
getting hit by incorrect chargebacks e.g. mistake on part of a customer
because they didn't recognize, customer's card getting stolen midway during a
subscription, unhappy customer who wants a refund after using your service for
months etc.

I wish the industry would side with the merchant as well at times i.e. maybe a
rating system to see how easy is the merchant's cancellation / refund policy
etc.

------
mcherm
You know... there is one entity that is reasonably well funded, has incredibly
strong capabilities for card fraud detection, and is well motivated to
identify the fraud: the credit card companies.

(I work for one, which makes me especially interested in this topic. But I
don't work in that particular area, nor do I speak for my employer.)

It makes me wonder whether some sort of collaborative fraud detection might be
possible. As the merchant, you have access to additional information that the
credit card company lacks -- things like the customer's name and the delivery
address are (as this article explains) very helpful in detecting fraud, and
these are data that the credit card company does not have access to. And of
course the credit card company has access to information like the customer's
purchase history and their recent transactions, which are useful for
identifying fraud from a different direction. If both sources of data were
available, it might be possible to detect a higher percentage of fraudulent
purchases, and merchants who ship goods could be provided with the information
so they could delay or cancel the shipment.

Do you think merchants would be interested in such a program?

~~~
hackbinary
Would merchants be interested in my purchase history? Yes.

Would I want/trust merchants to have this information? No.

~~~
mcherm
Oh, I'm fairly certain that the information sharing would only go one
direction: the merchants would share the data to the credit card companies,
who would run fraud models on it and provide near-real-time feedback to the
merchants.

In terms of user privacy, this gives the credit card information more
information than they already have access to. It is reasonable to worry about
the privacy implications of that sharing. But to be honest, the credit card
company already knows a great deal just from processing the customer's
purchases. Adding in the delivery address (when it differs from the card's
billing address) is a leak of personal data, but not a huge one. Additionally,
we might be able to put in place contractual controls limiting the data to
certain uses. I can assure you (from my own experience), credit card companies
are well experienced at compartmentalizing data and limiting data sharing.

------
47
If you really care about your customer you should be worried about false
positives. I hope as a business you do not cancel customer orders because your
fraud detection system has flagged them.

Depending on your scale you may be using 3rd parties like Sift Science or Stripe
Radar, or rolling your own fraud detection system.

Flagging orders as potential fraud is the easier part these days. The
difficult part is how to come up with a process to verify these flagged
orders. This process needs to be simple and quick. Because essentially you are
saying to your customer we think you are a fraud and can you prove that you're
not.

Banks' merchant checks to verify flagged orders are extremely cumbersome. They
require you to call a special phone number (which is different for each bank)
provide customer Name, Billing Address, Billing Phone and Credit Information.
Then they can only give you a response whether it is a match or not. They
can't tell you whether it has been reported stolen or anything else for
privacy reasons. At scale this is a very time consuming process. It becomes
even more cumbersome if you are a security-conscious business and do not store
customer credit card information. In that case you have to communicate with
the customer asking them to call you to provide your credit card information
again.

There are solutions like 3D Secure but they are not widely supported and add
their own problems. It is high time credit card companies start providing
merchants with a 2nd factor check for transactions. For example maybe once a
transaction is placed with a merchant, they can trigger a 2nd factor check
whereby the bank automatically sends a code to their email/phone number on
file. If the customer is able to provide a correct code the merchant can proceed
with the order.

Fraud detection will always remain a point of contention between customers and
businesses. I just hope businesses make sensible decisions based on their
situation. For example I have seen legitimate customers with all the above
cases mentioned in the article.

~~~
dcbadacd
Reading all of these issues I'm really flabbergasted that you have such
issues. Like, my bank offers me temporary non-physical credit cards with small
limits for 1€/month/piece and that's what I use to do all my online purchases
with, do US banks really not have that option? Second thing that I often use
(where possible) is wire transfer, it requires my ID-card and the payment is done
in seconds.

This thread has honestly made me really appreciate what I have available to me
compared to some countries.

~~~
dylz
Very few banks have that option, and the ones that do are bordering on user
hostile, and the temporary cards don't have usable/tolerable features for
this.

A wire costs $50-100 (or more for international) per transaction, no matter
what the amount.

A bank transfer (ACH) can take several weeks or more depending on how much
both banks trust each other and the type of account you have. Here's a fun
read: [https://engineering.gusto.com/how-ach-works-a-developer-perspective-part-1/](https://engineering.gusto.com/how-ach-works-a-developer-perspective-part-1/)

------
trumped
Today my bank detected a fraudulent transaction on my CC. They blocked the
transaction right away and cancelled my card after confirming it with me... so
they probably can prevent a lot of these cases. Very interesting article
nonetheless...

------
rossdavidh
My wife had to learn just about every one of these lessons the hard way in the
first few years of running her own (small retail) business. In retrospect, we
should have posted the hard-learned lessons online. I'm glad this person did.

------
stronglikedan
> Later on when the post attempts to deliver it, they will at some point
> realize that the country is wrong and reroute it to the correct country

Will they? Or will they return it to sender with a bad address note? Would the
rates be different by country?

~~~
rocqua
I recall we once sent something from the Netherlands to Canada, but didn't
include the country. We later got a surprised email by the recipient that they
received the mail despite it not including the country.

I suppose the post office decided to do some digging and managed to deliver
correctly.

~~~
Scoundreller
I'm pretty sure my domestic package to Newfoundland ended up in your country,
and then back.

My buyer reports it isn't the first time that's happened to him.

------
mostlyjason
If fraud is such a problem for stores would it make sense to offer a discount
for payment methods like bitcoin that don’t allow chargebacks? This could
reduce the cost of doing business by guaranteeing payment.

~~~
asclepi
This is an excellent idea to prevent revenue loss caused by false positives,
which are rampant IMHO.

It's beyond me why so many merchants opt for the revenue-losing and customer-
hostile choice to silently cancel flagged orders and let their competitors run
away with the money, while they could easily get a safe sale by making a non-
negotiable offer to use an irreversible payment method when a credit card gets
flagged.

This reverses the trust issue, it's then up to the customer to determine if he
trusts the merchant enough and is willing to give up the additional protection
that a purchase on a credit card may offer - some of which the merchant may
offer instead - to get the item he wants.

------
tzs
> Two bonus signs for the end. You can use a Geo IP database to check if the
> shipping address country differs from the IP address country. That's a weak
> sign (people do place orders while traveling, or to friends in other
> countries), but can break the tie if there is another suspicion.

You can add to that using the first few digits of the credit card to look up
the card issuer. If the card is from a bank that does not have a presence in
either the region the order is coming from or the region it is being shipped
to, that order probably merits a closer look.

~~~
anonnyj
I kept getting flagged for that kind of thing, had to start using a proxy to
make my actually legitimate purposes.

Though looking at it from the other side, using a proxy should probably count
against you a little.

------
dottrap
So if you see one of these warning signs, what should you do?

What if it is a legitimate order? You don't want to turn down a real customer?

I presume if you try contacting the person and asking them if it is a
fraudulent order, they will deny it. (I suppose if you can't reach them, that
is good enough indication to cancel the order as fraudulent.)

Can you call the credit card companies or payment processors and ask them to
do their own fraud checks to see if it is okay, or are they going to leave you
on the hook if it still goes bad? (I suspect the latter.)

------
djrogers
I cannot imagine running a business where I ship things to people for money
without doing address verification. In the mid 90s one of my first database
related jobs was parsing the complete US address list we purchased from the
USPS and comparing it to our internal mailing list - the process has gotten
much simpler over the years.

This would have prevented 3 of the problems on this list, and would also
result in a much lower rate of failed deliveries (expensive)...

------
TekMol
When you accept credit cards, how long do you have to wait until you know the
payment went through? Could you simply wait that amount of time for every
order?

~~~
driverdan
Typically chargebacks can happen for 90 days. No one is going to wait that
long for you to ship.

~~~
lucb1e
I guess that's exactly why the period is so long: they force the merchant to
ship before and take that risk.

------
bjacobs
Run an e-commerce business that sells tires.

It seems that a common pattern that’s arising is for a bad actor to use a
foreclosed property or rental to ship to, within spitting distance of the
billing address, then have the carrier redirect to a pickup store, such as the
Fedex store.

They have absolutely no problem walking into the store and signing off, all on
camera. Troubling times.

------
pitahummus
I work with Signifyd. We are expanding and hiring more Data Scientists and
Fraud Analytics ninjas. Apply through the website. We do care about approving
good orders while stopping fraudulent ones. In case of a chargeback, we
guarantee it.

------
stef25
Doesn't Stripe cover some / most of this?

There are some settings, or at least an overview in the dashboard where you
can see if the address was verified and it matched the one on the card. Using
billing / shipping address in your order form is obviously for this reason.

------
rdl
I’m fine with fraud detection like this, but probably 90% of my ordering is a
credit card, through a VPN, or sometimes from a foreign country, shipped to a
freight forwarder, with a VOIP PSTN number. There have to be ways to get
around this for false positives.

~~~
digianarchist
There are. Mail your government ID to a small business owner that will probably
leave it on some vulnerable Windows XP machine.

------
inopinatus
The payment service I use (Pin Payments) can include a random value in the
payment card narrative, allowing you to hold delivery until the cardholder
authorises dispatch with the correct code.
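
The merchant side of such a hold, as an added example (not Pin Payments' API and not code from the thread). It assumes the processor puts the code into the statement narrative, that the code is six digits, and that an order locks after three wrong attempts; all three are illustrative choices.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumption: a 6-digit code is guessable, so cap the tries


def new_hold(order_id):
    """Create a delivery hold. Returns (record to store, code for the narrative)."""
    code = "%06d" % secrets.randbelow(10**6)  # CSPRNG, not random.randint
    record = {"order": order_id, "code": code, "attempts": 0, "state": "held"}
    return record, code


def confirm(record, submitted):
    """Check a code typed in by the customer; returns the order's new state."""
    if record["state"] != "held":
        return record["state"]  # released or locked orders never change here
    expected = record["code"].encode()
    given = submitted.strip().encode()
    if hmac.compare_digest(expected, given):  # constant-time comparison
        record["state"] = "released"
    else:
        record["attempts"] += 1
        if record["attempts"] >= MAX_ATTEMPTS:
            record["state"] = "locked"  # needs manual review from here on
    return record["state"]
```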

------
petraeus
A velocity report is the only real way of pro-actively catching fraudsters.
Something like ip address by alias or something similar.
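
One way to build the "ip address by alias" report mentioned above, as an added example (not code from the thread). The orders, field names, 24-hour window and threshold are constructed for illustration; the same function also counts distinct cards per IP, which goes slightly beyond the comment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample orders: documentation IP ranges, made-up names and card tokens.
_ROWS = [
    ("2017-11-01T09:00:00", "198.51.100.7", "Ann Lee", "c1"),
    ("2017-11-01T09:20:00", "198.51.100.7", "Bob Ray", "c2"),
    ("2017-11-01T09:45:00", "198.51.100.7", "Cy Dunn", "c3"),
    ("2017-11-01T10:00:00", "203.0.113.9", "Dee Fox", "c4"),
    ("2017-11-03T10:00:00", "203.0.113.9", "Dee Fox", "c4"),
    ("2017-11-05T10:00:00", "203.0.113.9", "dee fox ", "c5"),
    ("2017-11-01T08:00:00", "192.0.2.4", "Eve Hill", "c6"),
    ("2017-11-02T09:00:00", "192.0.2.4", "Flo Ito", "c7"),
    ("2017-11-03T10:00:00", "192.0.2.4", "Gus Jay", "c8"),
]
ORDERS = [dict(zip(("ts", "ip", "name", "card"), row)) for row in _ROWS]


def velocity_report(orders, by="ip", count="name",
                    window=timedelta(hours=24), max_distinct=2):
    """Map each `by` value to the peak number of distinct `count` values seen
    inside any sliding window, keeping only keys whose peak exceeds max_distinct."""
    recent = defaultdict(deque)  # key -> (timestamp, value) pairs still in the window
    flagged = {}
    for order in sorted(orders, key=lambda o: o["ts"]):
        ts = datetime.fromisoformat(order["ts"])
        queue = recent[order[by]]
        queue.append((ts, order[count].strip().lower()))  # fold trivial variations
        while ts - queue[0][0] > window:  # expire entries older than the window
            queue.popleft()
        distinct = len({value for _, value in queue})
        if distinct > max_distinct:
            flagged[order[by]] = max(flagged.get(order[by], 0), distinct)
    return flagged
```

With the default 24-hour window only the burst from 198.51.100.7 is reported; the three names from 192.0.2.4 arrive 25 hours apart and show up only when the window is widened.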

------
sho
> One time when I tried googling for an address, I found that the person was
> also active on a forum for trading stolen credit card details. That was a
> bad sign

Ha. You don't say!

------
victor106
I have a genuine question that is kind of unrelated to this discussion:-

What is special about Japanese candy? Is it the packaging? The ingredients?

------
sytelus
Naive question: Why should merchant be worried about this? Isn't it
responsibility of CC company to back up the promised credit? If someone
unauthorized used someone else's CC then shouldn't CC company swallow that
loss?

~~~
detaro
No. CC companies protect the customer from fraud, not the vendor. Unless you
have really good proof the customer isn't right, a chargeback means you lose
the money and often pay a fee on top. + if you are the source of too many
chargebacks, they'll drop you entirely.

------
TekMol
Another Problem that goes away with crypto currencies.

~~~
anitil
This seems like a variation on the Zawinski Quote -

Some people, when confronted with a problem, think "I know, I'll use crypto
currencies." Now they have two problems.

------
jdietrich
Don't roll your own crypto, don't roll your own fraud prevention.

Stripe include very sophisticated fraud prevention in their standard pricing
and charge pennies per transaction if you're on custom pricing. Numerous
third-party providers offer excellent fraud detection and prevention tools for
CNP transactions. Unless you're big enough to have a dedicated fraud
prevention team, just leave it to the professionals.

~~~
yani
Stripe fraud prevention is not sophisticated at all. I have been trying
different fraud prevention providers and all of them are lame. They check if
the ip of the buyer matches the billing location of the card and if not they
will not accept the order. So far, the best method I have discovered is to
verify the order by phone. The phone number provides me with extra knowledge
about my customer. I can match their buying ip address with it. I can talk to
the customer in their language to verify they are who they say they are. It is
not bulletproof but I have yet to see a fraudster go to that extent.

When you learn enough about your customers, you should be able to roll out
your own fraud prevention solution because generic ones are broken. Here is a
recent report about what works and what does not in the generic fraud
prevention tools:
[https://www.braintreepayments.com/resources/kounts-mobile-pa...](https://www.braintreepayments.com/resources/kounts-mobile-payments-and-fraud-2017-report)

~~~
bpicolo
Those graphs are entirely survey-based subjective, there's no metrics at all,
and it's also an advertisement for Braintree's fraud service

~~~
yani
Look at the original report that the graphs are based on. I think that's where
the useful data is.

Braintree's fraud prevention is poor and based on generic metrics. One of my
businesses had 32% chargebacks with their service.

~~~
pkaye
Curious what kind of products do you sell?

~~~
yani
Software for backing up sites.

------
notafraudster
A better approach to writing this article would be to gather a wide array of
customer features, fit a model using training data from actual fraudulent/non-
fraudulent orders, and then interpret the model to explain the features
actually connected to fraud.

My guess would be that given there's no reason to believe a particular
functional form or additivity of effects, a random forest would likely be the
most effective classifier, but ultimately I'd just go with whatever
empirically does best on the test set.

As-is the article is basically a pretty naive approach to feature engineering
a few features that may or may not ultimately be useful in the real data. It's
a cute anecdote, but hire a data scientist.

------
ehsankia
Slightly off-topic, but last time CandyJapan made it onto HN, I decided to
sign up and give it a try, and was very underwhelmed. I canceled after two
boxes. They each contained 3-4 candies, and over half of them were very basic
candies such as chocolate. In total I think only a single one was the "cool"
kind of candies you associate with Japan. Honestly in the ~8 candies I tried,
not a single one was even really edible or interesting.

Also, I'm not sure how much of this is their fault, but a lot of the candies had
also melted and re-solidified into a single chunk.

