
Preventing online payment fraud - erangalp
http://binpress.com/blog/2012/07/31/fighting-online-fraud-pitfalls-and-solutions/
======
patio11
This article is _amazingly_ worth your time. Endorsement out of the way I have
one quibble and some elaboration:

I don't exactly love conflating buyer's remorse with payment fraud, since
buyer's remorse is a psychological phenomenon and happens independently of
fraudulent intent. Then again that's a bit hairsplitting.

So, you're a digital goods business. What can you do to reduce the odds that a
customer requests a transaction get reversed, given that the customer
initially did authorize the transaction?

1) _Do nothing._ Treat this as a cost of doing business. This works astoundingly
well for many client populations, which have naturally low refund rates. (I'll
give you a refund for any reason whatsoever, and I give out substantially less
than 2%. Not worth optimizing.)

But maybe you've made the decision to target poor customers, startups,
infovores (they buy more books/videos/etc on X than they can consume or make
effective use of, and have disproportionately high refund rates), or an
audience demographically dissimilar to American housewives. OK, we still have
options:

2) Add value to the one-time download by, e.g., providing a support channel
gated on having an account in good standing. Note that this also lets you do
fantastically lucrative things like e.g. the club model for digital goods
(recurring payment for one-time downloads), which e.g. put WooThemes on the
map.

3) For infovore-heavy niches, many people will suggest forcing delayed
gratification on the customer. For example, let's say you have just sold
someone 5 videos / ebooks / etc with expected consumption time of 2 hours
each. Rather than hitting them with 10 hours of video all at once, you drip
them out to the user at 2 hours per week for 5 weeks. This can be timed such
that they don't get the final video until after your money-back guarantee
expires. That's totally optional, though. The theory is that a) you avoid
overwhelming people and b) getting in their inbox 5 times with announcements
of _even more value they got from you_ helps to prevent a common problem of
"Oh, didn't actually have enough time to read/watch/act on that _because I
totally forgot to make that time_ , guess I should return it."

4) A lot of savvier folks in this space have customer communities where a) the
interaction between customers adds value on top of the product, b) desire to
maintain the interaction incentivizes people to not leave, and c) customers
will (for their own reasons) do significant amounts of boring work for free,
such that you don't have to add a not-so-lucrative "Infinite free support"
sideline to a lucrative digital goods business.

5) Too late for you now, but for the benefit of everyone else, a great way to
avoid getting emails by someone whining about getting a refund for the $8 they
spent on your ebook is to never ever ever ever ever do business with people at
the $8 price point. Search HN [patio11 pathological customers] for more on
this.

~~~
jonnathanson
Fantastic and informative comment, as usual. That said:

 _"a great way to avoid getting emails by someone whining about getting a
refund for the $8 they spent on your ebook is to never ever ever ever ever do
business with people at the $8 price point."_

I have one of those "yes, if," or "no, but" reactions to this statement. If
you're doing business at the $8 price point, you should be doing it in the
volume business. The scale business. A gazillion tiny purchases at $8 apiece,
wherein the userbase is large and fairly undemanding. If the userbase is
demanding about anything in this space, you want it to be demanding about
price alone, and you want your $8 to be an insanely competitive price.

You should NOT do business at $8 per transaction if your good or service
involves a lot of transaction costs -- whether in post-sale servicing, a
salesforce of any kind, high-touch / personal presales, high return rates, or,
generally speaking, any sort of customization that can't be automated to
scale. In very simplistic terms, low prices should not be paired with high
costs -- be they high COGS in the traditional sense, or high intensity of time
and effort. In the case of most ebooks, I would agree with you here: a low
unit cost like $8 [1], positioned to a very demanding niche audience, is a
recipe for nightmares.

[1] Temporarily leaving aside, for the sake of everyone's collective sanity,
any tangential philosophical debate about whether $8 is a "low" price.

~~~
npsimons
_[1] Temporarily leaving aside, for the sake of everyone's collective sanity,
any tangential philosophical debate about whether $8 is a "low" price._

Here's a question: we all know about reducing the price point to garner more
sales, and therefore more profit; has anyone done similar studies on what
price point elicits the _least_ number of refunds (especially due to buyer's
remorse)? $8 seems "low" to me, but only for some items; I suspect that most
eBooks wouldn't meet this criterion (although I have paid an order of
magnitude more for eBooks and still have a minimal Safari subscription). An
eBook at $0.99 I wouldn't see the point in getting a refund, no matter how
easy it would be to get it. If it was a _really_ bad book, I might go after
the refund just to make a point, however.

~~~
adambenayoun
I have no idea how this is working with the app store, but I know that on the
Android Play Store requesting a refund was not simple. Now you'll have to get
out of your comfort zone for, let's say, $0.99-3.99 - something you wouldn't
even consider (your time is more valuable). Disputing that charge is even more
of a time sink than asking for a refund, as you would probably have to sign
several forms and fax them back to your credit card company, and then you
always have the possible cost of the chargeback being denied (I know my CC
imposes a penalty of $10).

I would say anything beyond $10-20 would be worth fighting. Of course it
depends on where you are located (I would imagine someone in a poor country is
more likely to fight for a $5 refund than someone in a rich country), and your
socioeconomic class (as I would imagine that an unemployed 18 year old would be
more likely to ask for a refund than a 45 year old professor at Stanford).

Just my 2 cents.

------
brandonb
This article has great advice. I work on fraud detection, and a lot of
companies start off by building basic checks like AVS, CVV, proxies, IP-
billing location mismatch, etc. What usually happens afterward is that the
fraudsters get more clever. For example, we've seen sites implement SMS
verification, but then the fraudsters will set up Twilio phone numbers to fool
it. The sites block IPs, but then fraudsters go through an internet cafe or
proxy. Sites shut down one account, and the fraudsters rent a bot net and run
scripts to create a thousand more. It's a cat and mouse game.

Companies where payments are central (e.g., PayPal, Square) end up building
some combination of machine learning, investigation tools, a dedicated
operations team to review/verify suspicious transactions, and custom logic to
look at all sorts of signals correlated with fraud. Often they'll have dozens
or hundreds of people working on this.

For everybody else, I'd echo Eran's advice to just outsource this. There are
plenty of vendors out there. Here's one list:
<https://www.merchantriskcouncil.org/index.cfm?pageId=702>

If anybody out there is dealing with fraud or chargebacks, my company (Sift
Science) provides an API to do exactly the checks Eran's article suggests and
a lot more. Even if our technology doesn't apply, I'm happy to just give
advice and point people in the right direction. My e-mail is
brandon@siftscience.com.

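The "basic checks" brandonb lists (AVS, CVV, proxy detection, IP-versus-billing location mismatch, throwaway phone numbers, scripted account creation) are usually wired together as a weighted rule set that routes an order to accept, manual review or decline. The following is an added example of such a rule set written for this thread; it is not code from the article, from Sift Science or from any commenter. The AVS codes follow the common processor convention, the weights and thresholds are invented for illustration, the `ip_is_proxy` and `phone_is_voip` flags are assumed to come from upstream lookups that are not shown, and the sample orders use documentation IP ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Transaction:
    order_id: str
    amount: float
    avs_result: str        # AVS code from the processor: "Y" full match, "A" street only, "Z" ZIP only, "N" no match
    cvv_match: bool        # whether the CVV the buyer typed matched
    ip_country: str        # country geolocated from the buyer's IP
    billing_country: str   # country on the billing address
    ip_is_proxy: bool      # assumption: supplied by an upstream proxy/VPN list lookup
    phone_is_voip: bool    # assumption: supplied by a carrier lookup (flags throwaway VoIP numbers)
    source_ip: str
    created_at: datetime


@dataclass
class Signup:
    source_ip: str
    created_at: datetime


# Illustrative weights; a real deployment tunes these against labelled chargeback history.
WEIGHTS = {
    "avs_no_match": 30,
    "avs_partial_match": 10,
    "cvv_mismatch": 35,
    "ip_billing_country_mismatch": 20,
    "proxy_ip": 15,
    "voip_phone": 15,
    "signup_velocity": 40,
}
REVIEW_THRESHOLD = 30    # at or above: hold the order for manual review
DECLINE_THRESHOLD = 60   # at or above: decline outright
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 5       # signups from one IP inside the window that look like scripted account creation


def signup_velocity(txn: Transaction, signups: List[Signup]) -> int:
    """Number of account creations from the transaction's IP in the window before it."""
    start = txn.created_at - VELOCITY_WINDOW
    return sum(1 for s in signups
               if s.source_ip == txn.source_ip and start <= s.created_at <= txn.created_at)


def score_transaction(txn: Transaction, signups: List[Signup]) -> Tuple[int, List[str]]:
    """Return (risk score, names of the rules that fired)."""
    fired: List[str] = []
    if txn.avs_result == "N":
        fired.append("avs_no_match")
    elif txn.avs_result in ("A", "Z"):
        fired.append("avs_partial_match")
    if not txn.cvv_match:
        fired.append("cvv_mismatch")
    if txn.ip_country != txn.billing_country:
        fired.append("ip_billing_country_mismatch")
    if txn.ip_is_proxy:
        fired.append("proxy_ip")
    if txn.phone_is_voip:
        fired.append("voip_phone")
    if signup_velocity(txn, signups) >= VELOCITY_LIMIT:
        fired.append("signup_velocity")
    return sum(WEIGHTS[r] for r in fired), fired


def decide(score: int) -> str:
    if score >= DECLINE_THRESHOLD:
        return "decline"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "accept"


# Constructed sample data (documentation IP ranges, invented orders), not real traffic.
T0 = datetime(2012, 7, 31, 12, 0)
SAMPLE_SIGNUPS = [Signup("203.0.113.7", T0 - timedelta(minutes=5 * i)) for i in range(6)]
SAMPLE_TRANSACTIONS = [
    Transaction("ord-1", 49.0, "Y", True, "US", "US", False, False, "198.51.100.4", T0),
    Transaction("ord-2", 49.0, "Z", True, "NL", "US", True, False, "198.51.100.9", T0),
    Transaction("ord-3", 49.0, "N", False, "US", "US", False, True, "203.0.113.7", T0),
]


def run_sample() -> Dict[str, str]:
    """Decision per sample order: ord-1 accept, ord-2 review, ord-3 decline."""
    return {t.order_id: decide(score_transaction(t, SAMPLE_SIGNUPS)[0]) for t in SAMPLE_TRANSACTIONS}


if __name__ == "__main__":
    for t in SAMPLE_TRANSACTIONS:
        score, reasons = score_transaction(t, SAMPLE_SIGNUPS)
        print(t.order_id, score, decide(score), reasons)
```

The point of returning the list of fired rules alongside the score is that the manual review queue brandonb describes needs the reasons, not just a number; an analyst looking at `ord-2` sees a partial AVS match plus a geo mismatch plus a proxy and can decide whether that is a travelling customer or a stolen card.
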
------
jacques_chester
Given that my startup is heading towards an area with a historically high rate
of chargebacks and I was facing the nightmare of fraud detection, this
particular article is like a nugget of solid gold that has descended from the
clouds with a heavenly host providing choral music.

Thank you.

------
Cherian_Abraham
Online fraud is expected to grow substantially in the near future, as
e-commerce and CNP (card not present) transactions are expected to grow
exponentially in relation to offline (or Card present).

With card issuers planning to issue Chip cards (to stay in compliance with
Visa's EMV Mandate), fraud will shift from retail to Online (where Chip offers
no additional protection), as has already happened in Europe with the EMV
shift there.

------
jasonlotito
It's a good article. I'd like to add two other things you should consider when
handling credit cards.

The first is 3DSecure (or VbV). They are the most secure ways to accept credit
cards, though they aren't as easy for users to use. However, they do go a long
way to protecting the merchant. If you're handling b2b transactions that are
high risk, you might consider enforcing this. Again, it's not a solution to
wield lightly, but it is a solution.

Also, you can require out-of-band authentication. Generally, this is in the
way of making a telephone call, and requiring the user to input a 4-digit pin.
This, combined with everything else, will help hinder potential fraud. More
importantly, it helps to protect against friendly fraud.

Of the two, telephone authentication is easiest to implement, but do not
discount 3DS for higher priced purchases.

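The telephone out-of-band check jasonlotito describes (call the customer, have them type a 4-digit PIN) is only as strong as the server side that issues and verifies the PIN: a 4-digit space has 10,000 values, so the verifier has to expire the PIN quickly and cap attempts. Below is an added example of that verifier written for this thread; it is not code from the article or from the commenter. Placing the call is assumed to be done by some telephony provider and is not shown; the TTL and attempt limit are illustrative values, and the fixed clock in `demo` is there so the outcomes are reproducible.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

PIN_DIGITS = 4
PIN_TTL = timedelta(minutes=5)   # the spoken PIN stops working after this (illustrative)
MAX_ATTEMPTS = 3                 # a 4-digit space is tiny, so guesses must be capped (illustrative)


@dataclass
class PinChallenge:
    order_id: str
    salt: bytes
    pin_hash: bytes              # only a salted hash is kept server-side, never the PIN
    expires_at: datetime
    attempts_left: int = MAX_ATTEMPTS
    verified: bool = False


def _hash_pin(salt: bytes, pin: str) -> bytes:
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


def issue_pin(order_id: str, now: datetime) -> Tuple[str, PinChallenge]:
    """Create a challenge; the returned PIN is what the automated call reads to the customer.
    Placing the call is left to a telephony provider (assumption) and is not shown."""
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
    salt = secrets.token_bytes(16)
    return pin, PinChallenge(order_id, salt, _hash_pin(salt, pin), now + PIN_TTL)


def verify_pin(challenge: PinChallenge, submitted: str, now: datetime) -> str:
    """Check a PIN typed on the checkout page against the challenge.
    Returns "ok", "mismatch", "locked", "expired" or "already_verified"."""
    if challenge.verified:
        return "already_verified"
    if now > challenge.expires_at:
        return "expired"
    if challenge.attempts_left <= 0:
        return "locked"
    challenge.attempts_left -= 1          # count the attempt before comparing
    if hmac.compare_digest(_hash_pin(challenge.salt, submitted), challenge.pin_hash):
        challenge.verified = True
        return "ok"
    return "locked" if challenge.attempts_left == 0 else "mismatch"


def wrong_pin(pin: str) -> str:
    """Demo helper: any PIN other than the real one."""
    return "0000" if pin != "0000" else "0001"


def demo(now: datetime = datetime(2012, 7, 31, 12, 0)) -> Dict[str, List[str]]:
    """Walk through the three outcomes with a fixed clock; returns each sequence of results."""
    results: Dict[str, List[str]] = {}
    pin, ch = issue_pin("ord-1", now)
    results["happy_path"] = [verify_pin(ch, wrong_pin(pin), now),
                             verify_pin(ch, pin, now),
                             verify_pin(ch, pin, now)]
    pin, ch = issue_pin("ord-2", now)
    results["expired"] = [verify_pin(ch, pin, now + PIN_TTL + timedelta(seconds=1))]
    pin, ch = issue_pin("ord-3", now)
    results["lockout"] = [verify_pin(ch, wrong_pin(pin), now) for _ in range(MAX_ATTEMPTS)]
    results["lockout"].append(verify_pin(ch, pin, now))   # correct PIN after lockout still fails
    return results


if __name__ == "__main__":
    for name, seq in demo().items():
        print(name, seq)
```

Two details matter here: the attempt counter is decremented before the comparison so a client that drops the connection mid-check cannot get a free guess, and the comparison goes through `hmac.compare_digest` so response timing does not leak how many leading bytes of the hash matched.
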
~~~
AkThhhpppt
Counterpoint: the only businesses that force VbV etc. I will deal with are
airlines (because they all do), which meant the last time I flew transatlantic
I took 800 euro out of my bank account and _walked_ to Air France's bank
rather than use it. In _any_ other industry? They've just given my business to
a competitor.

It is not in my interest to use a service _designed_ to lessen my protection
from fraud.

(see <http://www.lightbluetouchpaper.org/2010/01/26/how-online-card-security-fails/>)

~~~
jasonlotito
I know it's been a few days, but, just wanted to add that this is a good
point, and a part of what I meant with not using VbV lightly. There are valid
reasons to use it, but frankly, it should be close to the last thing you
implement.

The only times I've used it were when offering a b2b product/service where
fraud was a real fraud.

------
bdwalter
Take a look at realtime device identification and shared reputation services.
This allows you to uniquely identify the end user devices accessing your site
and assess their reputation and fraud history across a shared network of
intelligence. Services like <http://www.iovation.com> are massively effective
at fighting fraud.

------
tommccabe
Good collection of advice - very helpful.

I use Cybersource for payment processing on an e-commerce site. I've been
really happy with their fraud screening service- automated rules, similar to
the list in this post, flag certain orders for manual review. These automated
rules have been able to catch orders that, otherwise, might have gone
unnoticed and saved a lot of time in the process.

------
teyc
Very relevant. I was listening on Mixergy about how BrandStack shut down
because of credit card fraud. For anyone contemplating building a marketplace,
for heaven's sake, outsource this.

For digital sites like BinPress, an automated capture of a photo via a web cam
might be sufficient to deter fraudsters. Anyone care to build something like
this?

------
adrianwaj
Well, I am thinking of selling goods in the future. It'll be bank transfers or
bitcoins. Simple.

add: if someone worries about whether I have the goods or will ship, I'll offer
to take a photo of me holding them next to that day's newspaper and have some
testimonials up on the site. Simple.

~~~
jacques_chester
Some bank transfers can be reversed.

~~~
adrianwaj
Well, I think having proof of shipping to show bank, customer or police would
help too if one is notified of a dispute - that itself should be a deterrent
for pathological customers.

