
How Candy Japan got credit card fraud somewhat under control - NickSharp
https://www.candyjapan.com/how-i-got-credit-card-fraud-somewhat-under-control
======
stcredzero
_If you suspect an order is fraud, don't go out and say to the criminal "hey,
I declined your super suspicious order!". Instead, play dead. Pretend they got
you. Tell them "thank you for your order", behaving exactly the same way as if
it really was a successful order._

The name of the game is to make things cost more for your enemies than they
cost for you. Removing instant feedback is key. Instant feedback is great.
Delayed feedback is costly.

This is in large part why most DRM and anti-cheat failures happened. Companies
and developers need to think about the economics of what's going on. It's not
the side with the trickiest mechanism that wins. It's the team with economics
on their side.

(Amateurs: tactics, pros: logistics)

~~~
lis
Blue Byte did something along the lines of your suggestion with the copyright
protection of Settlers III. When the game detected that the DRM was broken,
iron smelters would only produce pigs instead of iron.

[https://en.wikipedia.org/wiki/The_Settlers_III](https://en.wikipedia.org/wiki/The_Settlers_III)

~~~
stcredzero
Not bad, but even that reads like a bit of an FU from the devs. ("Pig Iron?")
The best thing to do is to make it definitely seem like it was a bug
introduced by the crack. (Maybe James Bond villains giving their secret
projects suggestive code names and telling their entire plan isn't
unrealistic?)

~~~
kderbe
It's important not to disguise any anti-piracy measures as bugs, because
pirates (or even reviewers playing pirated copies) will loudly proclaim that
the game is buggy, and discourage legitimate buyers. This may have contributed
to the closing of at least one development studio (Iron Lore, developer of
Titan Quest)[1].

[1] [http://www.quartertothree.com/game-talk/showthread.php?42663...](http://www.quartertothree.com/game-talk/showthread.php?42663-Venting-my-frustrations-with-PC-game-dev)

~~~
stcredzero
_It's important not to disguise any anti-piracy measures as bugs, because
pirates (or even reviewers playing pirated copies) will loudly proclaim that
the game is buggy, and discourage legitimate buyers._

I'm wondering why there isn't a service that lets you search for people
encountering your crack-penalty. A really sneaky company would disguise itself
as a hacker group, then offer a copy of the game that doesn't have that "bug."
(But has another one.)

~~~
sleepychu
Green Heart Games did basically that.
[http://www.greenheartgames.com/2013/04/29/what-happens-when-...](http://www.greenheartgames.com/2013/04/29/what-happens-when-pirates-play-a-game-development-simulator-and-then-go-bankrupt-because-of-piracy/)

------
aandon
PM from a fraud detection company here. One thing I didn't see mentioned on
this thread is Device ID, which is very common on fraud detection platforms.
When a user comes to your website or mobile app, you have access to hundreds
of signals from their device. Some like IP address are easy to spoof. Others
like whether the user has changed their phone alarm from the default settings
are often ignored by fraudsters but surprisingly telling signals (fraudsters
don't bother to change from default settings). We wrote an article on some
interesting findings recently here: [https://simility.com/device-recon-results/](https://simility.com/device-recon-results/). A good device ID
product can not only tell if the same fraudster is accessing your app
repeatedly while pretending to be different users, it can detect risky user
profiles when they land on your app. Before they even make a payment.

~~~
deusofnull
Just a thought: have you ever considered that by publishing such red flags for
fraud, fraudsters will adopt these "organic" behaviors in order to appear more
legitimate? I understand that the idea is to make illicit transactions more
difficult and that adopting these "organic" behaviors is more difficult, but
automated fraud tools (ie - what most 'script-kiddies' use) also become more
sophisticated over time. Regardless, I bet you don't publish ~all~ your fraud
detection vectors for that exact reason.

~~~
duncan_bayne
I'd be surprised if all of the published vectors are genuine, too, for the
same reason :)

------
mikejarema
So it appears that a combination of (1) removing instant feedback (not
alerting fraudsters as to the success/failure of their charge) and (2) giving
a grace period to review and cancel charges has given Candy Japan some
breathing room.

Though it does seem that this requires a manual step (2) before sending
charges through, does anyone have experience using a fraud detection API, like
Maxmind's minFraud [1] or any other, in an attempt to avoid having to review
each charge?

[1] [https://www.maxmind.com/en/minfraud-services](https://www.maxmind.com/en/minfraud-services)

~~~
mrweasel
>does anyone have experience using a fraud detection API, like Maxmind's
minFraud

We tried MaxMind; for our use case it was pretty useless. The feature that
sort of worked, which we considered using, was the geo-location stuff. Our idea
was to see how close a customer was to where the goods were to be sent. Sadly
the countries we operate in are too small, and IP location is too inaccurate.

As a test we ran a couple of months worth of fraudulent order data through
MaxMind, with a success rate of 100%.

The best solutions we found are:

- Block cards not issued in the country where you operate. This shields us from poor credit card security in countries like the US.
- Enable 3D Secure. This blocks all the amateurs.
- Manually call customers ordering large amounts.

Generally speaking it's very difficult to tell the difference between a
fraudulent order and a first time customer.
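The three rules mrweasel lists, plus the geo-IP distance idea, as an added worked example in Python (not Candy Japan's, MaxMind's or any processor's code). The BIN-to-country table, the geo-IP table and the orders are constructed placeholders using documentation-reserved IP ranges; in a real deployment they would come from your processor, a BIN database and a geo-IP service. Because mrweasel found IP location too inaccurate to act on alone, the distance rule only pushes an order to manual review (the phone call), never to a decline:

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

# Constructed stand-ins for a BIN database and a geo-IP service.
# The first six digits of a card number (the BIN) identify the issuer.
# 411111 and 555555 are the standard Visa/Mastercard test prefixes;
# 457173 is a placeholder that this example treats as a Danish issuer.
BIN_COUNTRY = {"457173": "DK", "411111": "US", "555555": "GB"}
GEOIP = {
    "203.0.113.9": (55.676, 12.568),    # TEST-NET-3 address, placed in Copenhagen
    "198.51.100.4": (40.713, -74.006),  # TEST-NET-2 address, placed in New York
}

@dataclass
class Order:
    card_number: str
    ip: str
    ship_lat: float
    ship_lon: float
    amount: float
    three_ds_passed: bool  # did the issuer's 3D Secure challenge succeed?

@dataclass
class Screen:
    action: str            # "accept", "review" (call the customer) or "decline"
    reasons: list = field(default_factory=list)

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def screen_order(order, home_country="DK", call_threshold=2000.0, max_distance_km=300.0):
    """Cheapest hard rules first; soft rules only escalate to manual review."""
    s = Screen("accept")

    # Rule 1: issuing country. A card from outside the country you operate in
    # is declined outright (this is the rule the next reply in the thread objects to).
    issuer = BIN_COUNTRY.get(order.card_number[:6])
    if issuer is None:
        s.action = "review"
        s.reasons.append("unknown BIN")
    elif issuer != home_country:
        return Screen("decline", [f"card issued in {issuer}, not {home_country}"])

    # Rule 2: 3D Secure. Either the issuer authenticated the cardholder or it did not.
    if not order.three_ds_passed:
        return Screen("decline", ["3D Secure not completed"])

    # Rule 3: geo-IP vs shipping address. Too inaccurate to decline on, so review only.
    loc = GEOIP.get(order.ip)
    if loc is None:
        s.action = "review"
        s.reasons.append("no geo-IP location for address")
    else:
        km = haversine_km(loc, (order.ship_lat, order.ship_lon))
        if km > max_distance_km:
            s.action = "review"
            s.reasons.append(f"IP geolocates {km:.0f} km from the shipping address")

    # Rule 4: large orders get a phone call before anything ships.
    if order.amount >= call_threshold:
        s.action = "review"
        s.reasons.append("large order: phone the customer")
    return s
```

The reasons list is what the person making the phone call sees; the customer sees nothing different for "review" and "accept", which is the point of the article's "play dead" advice.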

~~~
77pt77
> Block cards not issued in the country where you operate

Please, don't do this. It's so annoying.

> Enabled 3D Secure

Yes, this is a really good idea.

------
cheeze
I'm guessing this has been asked before, but why not just use a credit card
processor that handles all of that stuff for you. Seems like they are in the
business of selling Japanese candy, not preventing CC fraud.

Am I being naive here?

~~~
dangrossman
Can you name a credit card processor that handles all of that stuff for you?
Neither the old-school gateways (Authorize.net/etc) nor the new SaaSy stuff
(Stripe/Braintree/etc) offer even risk scoring, let alone a comprehensive
solution to fraud mitigation.

~~~
unfunco
Stripe does offer fraud protection, based on machine learning algorithms using
data from their customers.

[https://stripe.com/docs/fraud](https://stripe.com/docs/fraud)

~~~
joshmn
Stripe's fraud protection is HILARIOUSLY bad. I'm convinced they don't care
about chargebacks; in fact, to get their fee for a chargeback, they need a
$500 order.

They don't eat the loss; the card network does.

------
Osiris
I have a website that processes a fairly small number of monthly credit card
transactions, 1-4 per day. However, it didn't take long for the website to be
used as a place for requests, mostly from Vietnam, to check the validity of CC
numbers. It cost me a lot of money in chargeback fees.

I ended up implementing a system using Braintree to do:

1) Request an AUTHORIZATION for the amount
2) If the AUTHORIZATION fails, return the error (sounds like I need to change this part, but how to do it without hurting legitimate users?)
3) Send information, including IP and email address, to minFraud
4) If the minFraud riskScore is >= 20, request a VOID on the authorization request
4b) If the riskScore is low, submit a REQUEST SETTLEMENT on the AUTHORIZATION

This has worked extremely well, but a few still slip through the minFraud
check.

Even though Braintree offers its own fraud checking, I still feel more
comfortable with minFraud. I really wish that processors like Braintree would
put more effort into fraud detection.

I NEVER have this issue with PayPal transactions. Even if it's fraud, they
just reverse the transaction and there's no chargeback fee.

~~~
TylerE
Why not just refuse to do business with Vietnam, Nigeria, Russia, and other
fraud havens entirely?

~~~
siberianbear
I am a native-born American citizen living in Russia.

The amount of grief that your solution causes me is significant. I'm a
legitimate customer who does nothing fraudulent. However, whole swaths of the
internet treat me as if I have leprosy just because my IP address is in
Russia.

~~~
jackvalentine
I don't know how to say this without coming off harsh, so I'll say it and ask
you to use the principle of charity when reading it.

If the Russian state refuses to stamp out crime that is causing negative
externalities, then people should rightly stop dealing with people inside
Russia as a logical response.

~~~
askldfhjkasfhd
Replace "Russian state" with "African American culture", and I think the
problem with this attitude becomes more obvious.

~~~
jackvalentine
Please point me to the representative "african american culture" government
apparatus and you'll have a point.

~~~
askldfhjkasfhd
Part of the role of a government apparatus is to enforce social norms. Culture
plays a similar role. They aren't the same thing, but they do have similar
attributes.

Please note that I am not criticizing any governments or culture; I merely
wonder why we're OK with nationalism like this, but not racism.

~~~
jackvalentine
> I merely wonder why we're OK with nationalism like this, but not racism.

I'm not appealing to nationalism? "Russia" could be a stand-in for any
controlled territory.

For example many businesses that trade online in the US attempt to exclude
people from the Eastern District of Texas in their terms and conditions. Why?
Because the courts there are very friendly to plaintiffs in patent cases and
they'd prefer not to get sued in that jurisdiction.

That district is causing a negative externality to people outside of it, so
they refuse to do business with it.

------
Bluestrike2
I remember building a subscription system back around 2009-10. Very few of the
tools available now existed back then, and things were much less efficient. Or
at least that's what it seems like looking back. The service targeted
competitive gamers (teenagers, early 20s) and I've always suspected that we
had to deal with a higher incidence of attempted fraud than would be the case
with other audiences.

If I never again have to deal with a situation where some kid 'borrowed' mommy
or daddy's credit card, I'll die happy. No amount of fraud detection can
prevent that situation.

------
j_lev
Thanks for the insights.

I've been fighting this fight for over 17 years now. The landscape has changed
a lot - mostly for the better IMHO. In particular, issuers are taking more
responsibility for checking the validity of the cards but some of them are
hopeless and there is still a way to go.

Criticise me all you like but I still have a blacklist of countries where I
will never send physical goods to (unless they direct deposit the money, for
one of my sites).

Not sure if it's relevant for "subscription" model businesses but Stripe and a
couple of other providers have an option to charge the card immediately or
just get authorisation for the amount. The authorisation is only held for
seven days, but I have found that this has often been enough for the owner of
the card to notice and cancel the authorisation before the charge happens. I
haven't checked but this could also solve the "instant feedback" problem for
providers that give it, as "authorised" is less conclusive than "charged" for
the scammer.
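The authorize-then-decide flow Osiris lists above (authorize, score with minFraud, void at riskScore >= 20, otherwise settle) together with j_lev's variant of leaving the authorization open for a few days before capturing, as one added Python example. This is not either commenter's code and not the Braintree or minFraud SDK: `Gateway` and `RiskScorer` are hypothetical stand-ins with a constructed scoring table, and the `declined` token prefix is a constructed way of simulating an issuer decline. The one behaviour worth copying is that every path returns the same customer-facing message:

```python
import itertools
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthResult:
    ok: bool
    auth_id: Optional[str] = None
    error: Optional[str] = None

class Gateway:
    """Hypothetical processor client (stand-in for Braintree/Stripe): an
    authorization reserves funds; later it is either voided or settled."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.state = {}  # auth_id -> "authorized" | "voided" | "settled"

    def authorize(self, card_token, amount):
        # Constructed convention: tokens starting with "declined" simulate an issuer decline.
        if card_token.startswith("declined"):
            return AuthResult(False, error="card_declined")
        auth_id = f"auth_{next(self._ids)}"
        self.state[auth_id] = "authorized"
        return AuthResult(True, auth_id)

    def void(self, auth_id):
        self.state[auth_id] = "voided"

    def submit_for_settlement(self, auth_id):
        self.state[auth_id] = "settled"

class RiskScorer:
    """Hypothetical minFraud-style scorer: order metadata in, 0-99 risk score out."""
    def __init__(self, scores_by_ip):
        self.scores_by_ip = scores_by_ip  # constructed lookup table

    def score(self, ip, email, amount):
        return self.scores_by_ip.get(ip, 5)

CUSTOMER_MESSAGE = "Thank you for your order."

def process_order(gw, scorer, order, risk_threshold=20, hold_seconds=0, now=None):
    """Osiris's steps 1 to 4b. Returns (customer_message, internal_record).
    The customer-facing message is identical on every path, so neither a
    declined card nor a risk void tells the submitter anything; the internal
    record is what accounting and support act on."""
    now = time.time() if now is None else now
    auth = gw.authorize(order["card_token"], order["amount"])           # step 1
    if not auth.ok:                                                     # step 2
        return CUSTOMER_MESSAGE, {"status": "auth_failed", "error": auth.error}
    risk = scorer.score(order["ip"], order["email"], order["amount"])  # step 3
    if risk >= risk_threshold:                                          # step 4
        gw.void(auth.auth_id)
        return CUSTOMER_MESSAGE, {"status": "voided", "risk": risk, "auth_id": auth.auth_id}
    if hold_seconds == 0:                                               # step 4b
        gw.submit_for_settlement(auth.auth_id)
        return CUSTOMER_MESSAGE, {"status": "settled", "risk": risk, "auth_id": auth.auth_id}
    # j_lev's variant: keep the authorization open for a while so the real
    # cardholder has a window to notice it before any money moves.
    return CUSTOMER_MESSAGE, {"status": "held", "risk": risk, "auth_id": auth.auth_id,
                              "capture_at": now + hold_seconds}

def capture_due(gw, records, now):
    """Settle held authorizations whose window has passed and that are still
    open (one the issuer cancelled meanwhile is no longer 'authorized')."""
    settled = []
    for rec in records:
        if (rec["status"] == "held" and rec["capture_at"] <= now
                and gw.state.get(rec["auth_id"]) == "authorized"):
            gw.submit_for_settlement(rec["auth_id"])
            rec["status"] = "settled"
            settled.append(rec["auth_id"])
    return settled
```

`capture_due` is meant to run from a scheduled job; the hold length has to stay under the processor's own authorization lifetime (j_lev quotes seven days for Stripe). hackuser's objection further down the thread applies to the `auth_failed` path: a legitimate customer with a declined card gets the same "thank you" and has to discover the problem later, so that path is where most shops will want to deviate from the uniform message.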

------
landryraccoon
When I worked on an e-commerce website shipping physical goods we would only
ship to the customer's billing address for credit card payments. Anyone
shipping to a different address needed to call their credit card company to
add the address (every credit card company I've dealt with would allow
customers to have multiple valid addresses on file), or use a different
payment method. We never had big issues with fraud and I don't recall a
customer ever complaining about it. I think in 3 years we had 2 chargebacks
due to fraud.

~~~
Giorgi
You do know that some cards allow any billing address right?

~~~
landryraccoon
If it's a source of fraud we never ran into it.

------
hackuser
Eliminating immediate feedback about failed transactions makes things harder
for everyone the fraud detection system identifies, both fraudsters and the
many false-positives. And the false-positive rates seem very high, IME; it
seems like I and everyone I know has encountered that problem multiple times.

Imagine that you place a legitimate order and they don't tell you it failed;
how do you find out? Days later when the order never arrives? That would
result in very angry customers.

~~~
erikpukinskis
There's nothing inherently bad about very angry customers. It's more about how
you handle them and whether you are continuously looking for ways to decrease
them in number.

In this case, the idea is these are people who tripped red flags for you, and
upon investigation didn't give you any reason to believe they were legitimate
orders.

If you're really worried, you can contact them and ask.

------
xiaoma
I really love how open Candy Japan has been with the business on HN, since the
beginning. Thanks!

------
nowarninglabel
We exclusively use PayPal as they kindly cover all of our transaction fees.
However, we still experience fraud which creates work for accounting and
Customer Service.

A rules-based approach has helped, but we've also been playing around with
SiftScience[1] and I've seen it do wonders for some sites, so we'll likely be
implementing it. The key problem is keeping the false positive rate down, as
we don't want to inadvertently block our legitimate users.

[1] [https://siftscience.com/](https://siftscience.com/)

------
Matt3o12_
In the article, it's often mentioned that PayPal is generally disliked.

As an international customer, I prefer PayPal over giving them my credit card
details. When entering my CC, there is a big risk that my data gets stolen (is
the data truly securely transmitted, stored, and processed?). I know I can
request a refund at any time with my bank, but that is a big hassle. I have
to write them a physical letter and wait for a couple of days. During that
period, my CC is blocked and they will likely issue me a new credit card
(which costs 10€). When paying with PayPal, I can report fraud online or
call them, and they have been really quick in responding (I once did not
receive a product and they were very quick in issuing a refund). Also, I feel
way more comfortable using PayPal because I can see that the site I'm entering
my information into is actually PayPal, and I have two-factor authentication.
Before I had a CC, PayPal was the best solution because they would
just withdraw the money from my bank account and the merchant would get their
money immediately.

I can understand why PayPal is not a good choice for sellers (I've heard
stories where PayPal blocked merchant accounts for a few months without giving
them their money they had on PayPal, and refusing any new transactions). So,
can you explain to me why PayPal is a bad/unpopular choice as a customer.

~~~
eps
Keep in mind that PayPal leaks lots of your personal information to the
sellers, including full street address. Merchants don't even need to opt-in to
get it, it's all provided by default for all purchases, even when there are no
physical goods involved.

~~~
Matt3o12_
And yet 95% of all my purchases require a billing address, even if they will
never ever send me a letter. Even better, some even check if the billing
address is correct (they send it along with my CC# to my bank and my bank will
decide what to do).

~~~
adwf
In Europe it's the law that you need to record the billing address (for 10
years) otherwise you can't obey the VAT laws.

------
robertelder
My understanding is that Stripe is pretty much the de facto solution to get
started with credit card payments on your site, and if you're relatively low
volume you can review for fraud and manually reject it yourself.

I've set up stripe before, so I have a casual understanding of how it works,
but I'm curious what an attacker would be able to do (worst case) if a server
I have Stripe payments on gets rooted. Are they only able to charge legitimate
customers' cards for the period of time that a payment token is active? Or I
suppose they could re-direct the payment page to their own payment page. If
they steal the Stripe secret key is there a way they can steal money using it?
(other than just bulk testing if they can charge cards)

------
3dfan
Is there no service that does CC processing and fraud detection already?

I would think it does not make sense for every ecommerce merchant out there to
build their own solution.

Bemmu, you say you use PayPal - isn't PayPal also accepting Credit Cards?
Don't they do the fraud detection in this case? I would expect them to have a
huge advantage. You only see the IPs and other metadata from a few customers.
They see millions and should be able to do way better fraud protection.

~~~
bemmu
Yep, PayPal is awesome at this. I originally intended to go on a long tirade
about how PayPal had dealt with this, but cut it out as the post was starting
to get a bit long.

---

Peter Thiel on PayPal: _"In mid-2000, we had survived the dot-com crash and
we were growing fast, but we faced one huge problem: we were losing upwards of
$10 million to credit card fraud every month. Since we were processing
hundreds or even thousands of transactions per minute, we couldn't possibly
review each one - no human quality control team could work that fast.

So we did what any group of engineers would do: we tried to automate a
solution. First, Max Levchin assembled an elite team of mathematicians to
study the fraudulent transfers in detail. Then we took what we learned and
wrote software to automatically identify and cancel bogus transactions in real
time. But it quickly became clear that this approach wouldn't work either:
after an hour or two, the thieves would catch on and change their tactics. We
were dealing with an adaptive enemy, and our software couldn't adapt in
response."_

They ended up going with a hybrid approach where their algorithm would flag
suspicious transactions, which would then be manually reviewed.

~~~
michaelbuckbee
I've heard Max Levchin describe Paypal as a "credit card fraud detection
system that also accepts payments".

~~~
jandrese
This is also where the majority of "PayPal sux!" type posts come from. People
who get caught up in the hyper vigilant fraud detection stuff and get their
account locked.

I have occasionally wondered how many of those foaming at the mouth tirades
come from people who were actually scamming people and are angry that their
take was locked away.

~~~
comex
As someone who went through PayPal hell a few years ago, I'd say there is a
_lot_ they could do/have done to improve their customer service without
impacting their fraud protection capability. I experienced issues like being
bounced between different phone representatives offering different
explanations for why my account was locked, a slow and duplicative process of
uploading scans of identification documents, etc. Just saying.

------
thaeli
What's the best way to do "no immediate feedback" when you're selling
something that is instantly delivered? (Site paywalls, for instance.)

~~~
awesomerobot
Do paywalls face as much fraud? My understanding is that industries that
provide digital goods or services see a much lower rate of fraud because
there's little resale value involved (and the cost of stolen/returned goods is
much lower).

~~~
Guvante
It sounds like the biggest problem that OP is talking about is people using
his service to validate credit card numbers. They don't particularly care
about the candy, they just want to know if a number has been cancelled yet.

------
ivthreadp110
I wrote a similar system for an ecommerce site-

attached session data, "remora data", tracked IPs (in fact trace-routed all
IPs looking for suspicious proxy flags like going through Ghana), browser
metadata, etc. I'm proud of how robust it ended up being. Constantly,
recursively crunching shipping addresses, CC numbers, IPs, all that jazz, and
accounts, so if someone tried several different cards their account would be
flagged, which would flag their IP, which would then trickle down the system.

Of course, never letting an attempted scammer know the system was on to them;
in fact, encouraging them to keep using more cards and try different combinations
so the flagging system would grow over time. Sure, we got some false positives,
but we drastically cut down on repeat scammers. :)

In which case we just encouraged a phone call and solid proof of information
for an account override.

It was war! Good article!
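The "flag trickles down" linking ivthreadp110 describes (several cards on one account flags the account, the account flags its IP, the IP flags every other account seen from it) as an added Python example; it is not the commenter's code, the order records are constructed, and the well-known public test card numbers stand in for real ones. Card numbers are never stored: matching is done on a keyed hash, with the key a placeholder here. The customer-facing response is the same whether the order is flagged or not, which is the "never let them know" part:

```python
import hashlib
import hmac
from collections import defaultdict, deque

PEPPER = b"placeholder-server-side-secret"  # hypothetical; keep the real one out of the database

def card_token(pan):
    """Keyed hash of the card number so linked cards can be matched without keeping the PAN."""
    return "card:" + hmac.new(PEPPER, pan.encode(), hashlib.sha256).hexdigest()[:16]

class LinkGraph:
    """Bipartite graph: account nodes <-> attribute nodes (ip:, card:, addr:).
    A flag on any node spreads to everything transitively connected to it."""
    def __init__(self):
        self.adj = defaultdict(set)
        self.flagged = set()
        self.flag_reason = {}
        self.cards_per_account = defaultdict(set)

    def record(self, account, ip, pan, ship_addr):
        """Store one order attempt and apply the two rules from the comment."""
        acct = f"acct:{account}"
        attrs = {f"ip:{ip}", card_token(pan), f"addr:{ship_addr.strip().lower()}"}
        for a in attrs:
            self.adj[acct].add(a)
            self.adj[a].add(acct)
        # Rule A: touching an already-flagged attribute flags this account too.
        for a in attrs:
            if a in self.flagged:
                self.flag(acct, f"linked via {a.split(':', 1)[0]}")
        # Rule B: several different cards on one account is itself a flag.
        self.cards_per_account[acct].add(card_token(pan))
        if len(self.cards_per_account[acct]) >= 3:
            self.flag(acct, "multiple cards on one account")

    def flag(self, node, reason):
        """Breadth-first: flag the node and everything reachable from it. Returns the new flags."""
        queue, newly = deque([node]), []
        while queue:
            n = queue.popleft()
            if n in self.flagged:
                continue
            self.flagged.add(n)
            self.flag_reason[n] = reason
            newly.append(n)
            queue.extend(self.adj[n])
        return newly

    def is_flagged(self, account=None, ip=None, pan=None):
        nodes = []
        if account is not None:
            nodes.append(f"acct:{account}")
        if ip is not None:
            nodes.append(f"ip:{ip}")
        if pan is not None:
            nodes.append(card_token(pan))
        return any(n in self.flagged for n in nodes)

def customer_response(graph, account, ip, pan):
    """Same message either way; only the internal disposition differs
    (the comment's 'phone call and solid proof' path for flagged accounts)."""
    if graph.is_flagged(account=account, ip=ip, pan=pan):
        return "Thank you for your order.", "hold: require phone verification before shipping"
    return "Thank you for your order.", "ship"
```

Shipping-address linking is the rule most likely to produce the false positives the comment admits to (shared flats, mail-forwarding services), so it is the edge to drop first if the review queue gets too long.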

------
peterwwillis
Not sure if the author tried this, but there are many experts on carding
around the internet (the most famous being Brian Krebs) who might give advice
for free on credit card fraud countermeasures. The simplest way to find them
is to google for presentations at hacker conferences about carding, cyber
criminals, credit card theft, etc.

------
ape4
What if a real user mistypes their credit card number... your order was
successful.

~~~
devicenull
You check the card number via the Luhn algorithm, and tell them about it?
That's not giving any data to fraudsters.
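The Luhn check devicenull refers to, as an added Python example (not code from anyone in the thread). It is a checksum over the digits, so it catches the mistyped number ape4 asks about and nothing else: a number that passes Luhn may still be cancelled, stolen or nonexistent, so rejecting on it leaks nothing about what the fraud checks decided. The replies below argue that this check belongs inside the processor's hosted card field rather than in code you handle the number with yourself; the algorithm is the same wherever it runs:

```python
def luhn_valid(number):
    """Luhn checksum (ISO/IEC 7812). Spaces and dashes are allowed as
    separators; any other non-digit makes the input invalid. Detects every
    single-digit typo and most adjacent-digit transpositions."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit() or len(cleaned) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled, and a
    # doubled value above 9 has 9 subtracted (equivalent to summing its digits).
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def typo_message(number):
    """What the form shows: a neutral 'check the digits' hint, never a
    statement about whether the card was accepted."""
    if luhn_valid(number):
        return None
    return "That card number does not look right; please check the digits."
```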

~~~
mrweasel
If you at any point have access to the customer's credit card number, then you're
doing something horribly wrong. Unless you're the payment processor.

~~~
ThrustVectoring
Luhn algorithm can be done client-side - all it needs is the number.

~~~
mrweasel
Letting a customer enter a credit card and then passing it on to the credit
card processor means that you would need to be some level of PCI compliant. You
really, really don't want to be close enough to the credit card numbers to do
something with them, especially client side.

Having the credit card field, where you can access it, means that you become a
target for people wanting to inject javascript into your site. Perhaps you're
safe, but what about all the third party javascript libraries or
tracking/remarketing/tracking script most sites have?

Sorry, it's a really bad idea. Let your credit card processor deal with
that hassle.

------
danbolt
Hey bemmu, your presentation last year at Hacker News Kansai was really
interesting, and I learned a lot. Thanks for putting the time into following
up!

------
Giorgi
This article does not solve anything. Only thing I have found working is 3D
security request for VISA cards.

------
homero
I use chargebee so much better and cheaper than recurly

------
silliconeheart
The problem is credit cards. They should be deprecated.

------
seivan
[http://d.pr/i/x0JD+](http://d.pr/i/x0JD+) vs
[http://d.pr/i/16wJh+](http://d.pr/i/16wJh+)

Not sure what the rules are, but I thought it might help.

