
Candy Japan 2015 Year in Review - Xixi
http://www.candyjapan.com/2015-year-in-review
======
natvod
I think someone else mentioned this in another post about this. Thought it was
a great idea so I'll repeat it here:

To prevent fraudsters from using you to authenticate their stolen credit
cards, set it up so that every purchase automatically redirects to an 'order
successful' page. After seeing that a few of their credit card numbers all seem
to work on your site, the fraudster will realize they can't use your site to
test and move on. In the back-end, turn on manual approval of each purchase
and let through the ones you deem legitimate.

Should a legitimate customer mistype their credit card info, send them a
follow up email with a link to the order page briefly explaining to them the
situation and asking them to enter their details again.

(If there's some issue with this method I haven't thought of, let me know.)

~~~
kbenzle
Best reply, but... How often is a typo made (1:1000?), how much support staff
time is needed, and how many orders are lost due to a ~24 hour delay in
some orders being placed? Also, it's easy to flood the system with bad orders that
need to be manually sorted, like a fake order DDoS.

~~~
sitharus
If a typo is made 1:1000 times Candy Japan would have had... 2? At this small
scale it's probably worth it - the loss of a customer isn't as big a problem
as loss of physical goods.

~~~
dmit
Not to mention that you can verify the Luhn checksum on CC numbers and
immediately catch ~90% of all typos (and 100% of single-digit typos). Don't
even need a server call.

------
bemmu
The initial post was just a draft I had neglected to make private, and wasn't
finished (but thank you xixi for posting). I didn't spend the whole year
solely battling CC fraud. I've now written about other things that happened in
2015, so go back and refresh to read that part.

~~~
stordoff
FWIW, I initially found Candy Japan via the HN post discussing the fraudulent
activities [1], and have been a happy subscriber for a few months now.

[1] [https://news.ycombinator.com/item?id=10237697](https://news.ycombinator.com/item?id=10237697)

------
gingerlime
Interesting to read about those fraudsters. Really annoying when you're a
small business. I remember reading something similar from Gittip[0], and also
mentioned on the linked blog post, jsbin[1].

I wonder what other small startups are using to detect / prevent this kind of
fraud?

Are there any good services in this space? and why won't recurly/stripe et al
bundle this in? (or maybe they do, and I just don't know about it...?)

[0] [http://blog.gittip.com/post/35057426257/stolen-money-on-gittip-part-1/](http://blog.gittip.com/post/35057426257/stolen-money-on-gittip-part-1/)

[1] [https://remysharp.com/2015/09/17/jsbin-toxic-part-4](https://remysharp.com/2015/09/17/jsbin-toxic-part-4)

~~~
loopbit
All I can speak from is my personal experience, but as the founder of a startup
that sells physical goods online, we've had no issue with fraudsters. At all.

Granted, we are quite small and our volume of sales is not massive (Hey! Small
startup with very little funding and mostly bootstrapped here), but still, I
was expecting some kind of issue with this by now. Or at least people trying
to get stuff for free.

For the record, we use Stripe and PayPal for payments, don't know if they do
anything on their end.

~~~
bRad389
FYI You're actually more at risk than CandyJapan if you're shipping physical
goods based on successful Auth and/or offer a low pricepoint item. Even
without catching the uptick in orders, CandyJapan likely would be able to see
some chargebacks or fraud advice before the bulk ship date (2x a month I
believe).

One thing I've learned in my short time in the industry: fraudsters are great
at finding weak merchants for card testing and triangulation schemes. What was
4 days' worth of work for this fraudster cost CJ thousands in fees and multiple
days. How many late nights have been devoted to cleanups like this?

Also, a lot of payment processors are offering complex fraud solutions (ipGeo,
proxyPiercing, device fingerprinting, etc) for pennies per Auth. Definitely
worth asking your processor and your processor's processor for more info.
Beats being the lowest common denominator.
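The "uptick in orders" that card testing produces is something a small shop can watch for itself, independent of what the processor offers. The following is an added example, not code from the thread or from Candy Japan: a velocity check that walks an order log in time order and holds an order for the manual-approval queue described earlier in the thread when one client IP has touched too many distinct cards, or produced too many declines, inside a short window. The order log, the IP addresses (documentation ranges) and the card tokens are all constructed sample data; the thresholds are assumptions to tune against your own traffic. A legitimate customer who mistypes once and retries with the same card is deliberately left alone.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample order log (not real data). IPs are from the documentation
# ranges 198.51.100.0/24 and 203.0.113.0/24; card tokens are made up.
# Fields: (order_id, timestamp, client_ip, card_token, auth_result, amount_usd)
SAMPLE_ORDERS = [
    ("o1", "2015-12-01T10:00:00", "198.51.100.5", "tok_legit1", "approved", 25.0),
    # six different cards from one IP inside four minutes: card-testing pattern
    ("o2", "2015-12-01T10:01:00", "203.0.113.7", "tok_x1", "declined", 5.0),
    ("o3", "2015-12-01T10:01:30", "203.0.113.7", "tok_x2", "declined", 5.0),
    ("o4", "2015-12-01T10:02:00", "203.0.113.7", "tok_x3", "approved", 5.0),
    ("o5", "2015-12-01T10:02:40", "203.0.113.7", "tok_x4", "approved", 5.0),
    ("o6", "2015-12-01T10:03:10", "203.0.113.7", "tok_x5", "declined", 5.0),
    # same legitimate customer again, well outside the window
    ("o7", "2015-12-01T11:30:00", "198.51.100.5", "tok_legit1", "approved", 25.0),
    # honest typo followed by a retry on the same card: one decline, one card
    ("o8", "2015-12-01T11:59:00", "198.51.100.9", "tok_legit2", "declined", 30.0),
    ("o9", "2015-12-01T12:00:00", "198.51.100.9", "tok_legit2", "approved", 30.0),
]


def flag_card_testing(orders, window=timedelta(minutes=10),
                      max_cards=3, max_declines=2):
    """Return [(order_id, [reasons])] for orders that should be held for
    manual review. Keys on client IP only (an assumption; a real deployment
    would also key on device fingerprint, email, shipping address, etc.)."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, card, result)
    flagged = []
    for order_id, ts, ip, card, result, _amount in sorted(orders, key=lambda o: o[1]):
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, card, result))
        # drop everything older than the trailing window
        while q and now - q[0][0] > window:
            q.popleft()
        distinct_cards = {c for _, c, _ in q}
        declines = sum(1 for _, _, r in q if r == "declined")
        reasons = []
        if len(distinct_cards) >= max_cards:
            reasons.append(f"{len(distinct_cards)} distinct cards from {ip} "
                           f"within {window}")
        if declines >= max_declines:
            reasons.append(f"{declines} declines from {ip} within {window}")
        if reasons:
            flagged.append((order_id, reasons))
    return flagged


if __name__ == "__main__":
    for order_id, reasons in flag_card_testing(SAMPLE_ORDERS):
        print(order_id, "HOLD:", "; ".join(reasons))
```

With the sample data, o3 is held on the decline count, and o4 through o6 on both the card count and the decline count; the two legitimate customers, including the one who retried after a typo, are never held. Orders that are held can still be shown the normal success page and simply sit in the review queue.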

------
fweespeech
FWIW, as someone who has the same problem with fraud folks at $DayJob you
really do need to go with a service to deal with that sort of thing
unfortunately.

We use an internal tool from our parent company but yeah, you don't really
have a choice but to assume a good chunk of your customer base will try to
cheat you.

Similarly, as long as the checksum is valid you should "complete" the order
and handle follow up with issues [e.g. Card declined] at a later date. This
can just be automated via email, with a 24 hour delay.

Honest typos won't pass the checksum, fraudsters will and the delay in the
"failed authorization" also helps a good deal in discouraging such activity.
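dmit's point above (the Luhn checksum catches every single-digit typo with no server call) and the "honest typos won't pass the checksum" remark in this comment can both be checked directly. The following is an added example, not code from the thread: a Luhn (mod 10) validator plus two small experiments that mutate a number every possible way and count how many mutations the check rejects. The numbers used are the public Luhn example 79927398713 and a test value, not real cards; the function names are my own.

```python
"""Luhn (mod 10) check and an experiment on which typos it catches."""


def _normalize(number: str):
    """Strip spaces and hyphens; return the digit string, or None if anything
    other than digits remains."""
    s = number.replace(" ", "").replace("-", "")
    return s if s.isdigit() else None


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check."""
    digits = _normalize(number)
    if digits is None or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the check digit that makes partial + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("partial must be a digit string")   # unreachable for digits


def single_digit_errors_caught(number: str):
    """Replace each digit with every other digit; return (caught, total)."""
    digits = _normalize(number)
    caught = total = 0
    for i, orig in enumerate(digits):
        for alt in "0123456789":
            if alt == orig:
                continue
            total += 1
            if not luhn_valid(digits[:i] + alt + digits[i + 1:]):
                caught += 1
    return caught, total


def adjacent_transpositions_caught(number: str):
    """Swap each pair of adjacent, differing digits; return (caught, total).
    Luhn misses exactly the 09 <-> 90 swap."""
    digits = _normalize(number)
    caught = total = 0
    for i in range(len(digits) - 1):
        a, b = digits[i], digits[i + 1]
        if a == b:
            continue
        total += 1
        if not luhn_valid(digits[:i] + b + a + digits[i + 2:]):
            caught += 1
    return caught, total


if __name__ == "__main__":
    print(luhn_valid("7992 7398 713"), luhn_valid("79927398710"))
    print(single_digit_errors_caught("79927398713"))
    print(adjacent_transpositions_caught("79927398713"))
    print(adjacent_transpositions_caught("091"))   # 09 swapped to 90 slips through
```

Every single-digit substitution is rejected because the doubling step maps the ten digits onto ten distinct residues, so changing one digit always changes the sum mod 10. Adjacent transpositions are rejected except for a 0 next to a 9, which is why the check is a typo filter and nothing more: a number that passes Luhn says nothing about whether the card exists or is stolen.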

------
technofiend
See the recent article on [hoverboards @ Buzzfeed](http://www.buzzfeed.com/josephbernstein/steal-a-credit-card-buy-a-hoverboard#.cvExv7nxM)
and [responses here @ HN](https://news.ycombinator.com/item?id=10727371)
- I believe they mention options to help with fraud detection but it's not
clear how useful they are. Sorry.

~~~
benlarcey
I'm actually in the same space selling "hoverboards" and have been massively
hit with fraudulent transactions. Luckily we realised fairly quickly and
enforced draconian fraud checks; we're missing out on potential sales, but the
Buzzfeed article is the alternative.

I'm not sure which processor Candy Japan uses, but you can usually request to
implement advanced fraud rules and strict settings that require Zip/postal
code to match exactly.

~~~
bemmu
Thanks, next year I want to get back and try to fix the situation. I fell back
to PayPal only and have been losing customers since.

~~~
benlarcey
I'm not sure how strict you should go, we have gone to the absolute maximum -
and have to deal with customer service issues / abandoned checkouts daily. But
even requiring the ZIP code to be correct made a big difference.

We're also using shopify which has helped quite a bit with their built in
fraud analysis (Not 100% but I think it's either signifyd or kount providing
the data).

Alternatively, you could use Paypal Pro to negate the account requirement?

~~~
bemmu
I'm somewhat considering going to some platform like Shopify, because I'm
writing way more Python doing my own platform anyway. Integrating some solution
would be just a few clicks if I were on some platform that they already
support, instead of another API integration.

------
ripberge
As someone who deals with several hundred thousand dollars a year in online
credit card fraud, I would advise you to check out sift science or Kount. It's
easy to integrate and is vastly superior to the checks you have and the other
suggestions in this thread. We have killed numerous credit card rings with
this. They typically go somewhere else that's an easier target now.

------
gregwtmtno
Before people suggest bitcoin--and I love bitcoin--it probably wouldn't solve
this guy's fraud problem. Yes, it would stop the fraud, but there are simply
too few people willing to pay in bitcoin.

~~~
digikata
Wouldn't bitcoin give rise to the opposite problem: consumers paying bitcoin
now shoulder all the risk of buying from a bad vendor?

~~~
Zikes
I think there are bitcoin escrow payment systems.

~~~
eloisius
The Bitcoin protocol supports multisig transactions. You can use it to
implement escrow by including a third party public key and require 2 of 3
parties to sign the transaction.

~~~
digikata
So the mechanics are somewhat supported directly by bitcoin, but, how does the
bitcoin customer get their money back even if the escrow company agrees that
the terms of the sale weren't met? (added [1])

And then you still have a question of whether the parties agree to a mutually
trusted escrow service to actually administer the signoff. I imagine that
credit cards are somewhat partnered closer to the customer/card holder, but
with bitcoin escrow it could be either the vendor or the customer?

Not meaning to criticise here, just walking through unfamiliar territory.

Edit: Partially answered my own question (example 2 at link [1])

[1] [https://en.bitcoin.it/wiki/Contract#Theory](https://en.bitcoin.it/wiki/Contract#Theory)

------
a_bonobo
>Growth backtracked. We are now instead back to 750 subs and the trend still
hasn't reversed. Very far from the goal of 1500 I had set.

I guess 11 hours on the front-page of HN must work wonders for subscriptions
(I just subscribed, too). Wonder what the actual numbers are.

------
swang
Is this why Amazon waited a day before alerting me that my card was declined
(bad month/year)? Almost missed a shipping window because of it.

------
smegel
What happens with the fraud? Does the charge back affect the seller or the
bank? Sucks if the former. What do other people/companies do about this?
Surely all the CC frauds in the world haven't chosen to gang up on one tiny
seller of niche candy from Japan...

~~~
huac
Beyond the cost of the actual purchase ($5 is pretty insignificant), card
processors charge high fees per chargeback, and too many chargebacks (IIRC >1%
of transactions) can get you kicked off and blacklisted from any reputable
card processor for life.

------
pyrocat
Would Stripe be a way around this problem or do they not take on the risk of
fraudulent cards?

~~~
gambiting
They don't. Even if you use Stripe you are still responsible for spotting fake
transactions, and if you let too many through Stripe can actually ban you.

------
hyperpallium
Probably, one criminal found this site, then told others about it, who adopted
it.

I wonder if the techniques for promoting adoption can be used in reverse, to
deter adoption?

While keeping it familiar and convenient so as not to deter customers.

------
thallium205
You should enable these services for the credit cards:

Verified By Visa -> [https://usa.visa.com/run-your-business/small-business-tools/payment-technology/verified-by-visa.html](https://usa.visa.com/run-your-business/small-business-tools/payment-technology/verified-by-visa.html)

MasterCard SecureCode -> [https://www.mastercard.us/en-us/consumers/features-benefits/securecode.html](https://www.mastercard.us/en-us/consumers/features-benefits/securecode.html)

~~~
gambiting
Not everyone is from US.

------
biturd
I'm curious, why not use Stripe? I have heard nothing but good about them, and
since you are willing to use Pay-Pal, I am assuming you are willing to use
other 3rd party processors.

If you have your own merchant account and have implemented the code by hand or
through a library, you pay all sorts of fees: sign up fee, fraud chargeback
fees, percentage of charge, statement fee, monthly fee, etc. Both Stripe and
Square offer simple integrations, simpler than Pay-Pal IMHO, and I assume they
have the capacity to deal with fraud better.

~~~
ripberge
Been using Stripe for years. There is no more fraud protection there than any
other merchant credit card account.

~~~
someone13
Serious question (I haven't used a merchant credit card account): do regular
accounts come with _any_ fraud protection? The reason I ask is, I was sent a
link to this a while ago, which seems to say that Stripe does do fraud
protection:

[https://stripe.com/docs/fraud](https://stripe.com/docs/fraud)

~~~
ripberge
It's hard to say, Stripe (or any other merchant account) may be blocking some
charges, but you really don't have visibility into why a charge was blocked.

Regardless of whether they are blocking a lot or a little, they all let way too
many fishy charges go through. They are just not incentivized to police fraud
because in e-commerce it's _you_ who are on the hook for the chargeback, not
the bank or credit card company.

You cannot rely on your merchant bank (Stripe or anyone else) to do your fraud
protection. You will get eaten alive.

------
AlexMuir
I think Facebook or Twitter logins would go a long way to solving credit card
issues. A credit card purchase backed by a 10+ friend FB account is unlikely
to be a scammer. Legit Facebook accounts probably sell for more than the cc
being tested.

~~~
bemmu
They would probably just start generating FB accounts, because a similar thing
happened when I started requiring valid email addresses: they just went ahead
and generated a bunch of gmail/hotmail accounts to use.

~~~
AlexMuir
Generating Facebook accounts in bulk is not easy. I'm not suggesting that it's
a panacea, but if you're looking for something to indicate a real purchase
this would be strong. If someone logs in with Facebook and has 10+ friends
then I'm going to say they are 99% legit. Plus you can look at their profile
manually if you're in doubt. Of course you also offer email but those orders
get more scrutiny. HN is an echo-chamber of hate for Facebook login but the
real world (and I suspect your target market) does not share this.

