

Ask HN: Help I need advice on fraud - eam

I run a web site (side project) where users can use their credit card to send money to a friend's checking account as a gift. It seems a user created multiple accounts with fake names then proceeded to send money from stolen credit cards. All the charges to the stolen credit cards were then sent to one final destination checking account which I have all the information on. I detected all this activity a bit too late (2 days late) so the money has been transferred from the credit cards to my marketplace to the destination checking account. Overall there were 5 different stolen credit cards used with over $2,000 in charges! As a side project this is a big loss for me. I'm already starting to receive some chargebacks and it's stressing me out. As a result I have permanently shut down my project because this is a major loss, more than I have ever made from the actual side project itself.

I have visited the local police department, but they said since I'm not the victim they can't do anything about it (presumably the owners of the stolen credit cards are the victims here, so they have to file a report). They referred me to the FBI. So I filed a complaint with the IC3.gov. After submitting the form, it said that it may be a while before I hear anything since they have limited resources and they receive thousands of complaints each day.

What's really frustrating is that I have the checking account details where the stolen money was sent to! So it seems it would be an easy case to break. The authorities would have to subpoena the bank account since I have the bank account number and bank name, it's not like they used bitcoins.

Can anyone with experience in this situation before chime in with some advice? What should I do? Please help, any information would be greatly appreciated.
======
callmeed
I have dealt with this exact scenario in our photography ecommerce product
([http://nextproof.com](http://nextproof.com)). Ours just happened to have an
extra 0 on the end. We almost lost our merchant account because of all the
chargebacks. (I'm thinking of writing an ebook on the topic)

Through some social engineering, I was even able to get the name and location
of the checking account owner and _get him on the phone_. I was actually quite
close to visiting and beating the crap out of him. Turns out he was just some
poor rube from Arkansas who answered a craigslist ad. In the end he was
actually more of a victim than me (basically had his identity stolen, credit
ruined).

Law enforcement at all levels were completely unhelpful (I dealt with CA
police, AR police, and feds). Once I located the bank and got them on the
phone, they at least were able to freeze the checking account (I believe they
are required by law to do this once fraud/cybercrime is reported). That's
really only a temporary fix though.

Any time you're doing payment aggregation or money transfers, _you have to do
as much verification as possible_. We learned that the fraudulent charges had
very predictable patterns (international cards, fake websites, very specific
range of charge amounts, etc.). At a small scale, you should just manually
verify all accounts, require phone/address verification, and more. I've seen
some bitcoin startups that even require you to submit a photograph of your
card + ID via WebRTC. This is what you should do right away. Once fraudsters
realize they have to do work, they will move on to the next target. Our
chargeback rate is now near zero and never fraud-related.

At scale, you can have in-house people write code to detect fraud patterns.
There are also startups like Sift Science with APIs.

Hope that helps.

~~~
jasontan
Hey there, I'm the CEO of Sift Science. Unfortunately, callmeed is spot on --
law enforcement typically won't get involved unless it's in the tens of
millions of dollars, at least. Even trickier if it's across international
borders.

This means that you're left to defend yourself. Typically, you'll start
implementing some basic verification and rules in your code base. For example,
"if num_credit_cards_per_destination > 5; flag_as_suspicious()". But, it's
tough to be accurate with this approach, so you'll want to manually review
activity flagged by rules, so that you don't insult your good customers. As
your business grows, it's more challenging to scale these fraud detection
rules and manual review operations. While adding more verification helps, it
does negatively impact the experience for innocent customers. It's a delicate
balance.

I wish I had better news. In some sense, seeing fraud means that you're on the
map. Unfortunately that means you'll only attract more and more attention as
your business grows. I'm happy to be a resource, even if we don't work
together - jason at siftscience dot com.
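
A per-destination velocity rule of the kind described above, applied to the pattern in the original post (several sender accounts and cards funding one checking account within two days). This is an added example, not code from the thread or from Sift Science; the field names, thresholds and sample transfers are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfers, not real data:
# (time, sender_account, card_fingerprint, destination_account, amount_usd)
SAMPLE_TRANSFERS = [
    # Five "different" users, five cards, one destination, all within two days.
    ("2014-03-01T09:10", "user_a", "card_1", "acct_X", 450),
    ("2014-03-01T13:40", "user_b", "card_2", "acct_X", 400),
    ("2014-03-01T22:05", "user_c", "card_3", "acct_X", 380),
    ("2014-03-02T08:30", "user_d", "card_4", "acct_X", 420),
    ("2014-03-02T17:15", "user_e", "card_5", "acct_X", 390),
    # One sender, one card, repeat gifts to the same friend.
    ("2014-03-01T11:00", "user_f", "card_6", "acct_Y", 50),
    ("2014-03-20T11:00", "user_f", "card_6", "acct_Y", 75),
    # Three cards to one destination, but spread over months.
    ("2014-01-05T10:00", "user_g", "card_7", "acct_Z", 100),
    ("2014-02-14T10:00", "user_h", "card_8", "acct_Z", 100),
    ("2014-03-25T10:00", "user_i", "card_9", "acct_Z", 100),
]


def destinations_for_review(transfers, max_cards=2, max_senders=2,
                            window=timedelta(hours=48)):
    """Return {destination: peak counts} for destinations that exceed the
    distinct-card or distinct-sender threshold inside any sliding window."""
    by_dest = defaultdict(list)
    for ts, sender, card, dest, amount in transfers:
        by_dest[dest].append((datetime.fromisoformat(ts), sender, card, amount))

    flagged = {}
    for dest, rows in by_dest.items():
        rows.sort()  # chronological order, needed for the sliding window
        start = 0
        peak = {"cards": 0, "senders": 0, "amount_usd": 0}
        for end in range(len(rows)):
            # Drop transfers that fell out of the window ending at rows[end].
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            peak["cards"] = max(peak["cards"], len({r[2] for r in in_window}))
            peak["senders"] = max(peak["senders"], len({r[1] for r in in_window}))
            peak["amount_usd"] = max(peak["amount_usd"],
                                     sum(r[3] for r in in_window))
        if peak["cards"] > max_cards or peak["senders"] > max_senders:
            flagged[dest] = peak
    return flagged


if __name__ == "__main__":
    for dest, peak in destinations_for_review(SAMPLE_TRANSFERS).items():
        print("hold for manual review:", dest, peak)
```

Flagged destinations are meant to be held for manual review before payout rather than blocked outright. On this constructed sample, raising both thresholds to 5 lets `acct_X` through, since it received exactly five cards.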

------
jmount
Down vote me on this, but here is my honest opinion (that may actually help
others) phrased as a question.

Why would you as a hobby run a payment site linking credit cards and checking
accounts when you appear to not have done any research in to how important
loss prevention is in such an activity? If you were not interested why did you
start? If you were interested how could you not know what steps to take?

~~~
wpietri
Hi, John. I'm not the poster, but the way I look at it, everybody has to learn
caution sometime. If this guy's lesson costs him just $2k and a little
headache, I'd say he got away cheap.

I can think of a number of important business lessons I learned that cost me
more time or money. E.g., "be careful picking business partners", "don't start
work without a signed contract", or "crazy clients don't get saner". All
things I should have known, or could have discovered reading. But had I waited
until I had read and appreciated all business lessons, I never would have
started anything.

And I appreciate him sharing the lesson with Hacker News. It reminds me of the
Despair, Inc poster on mistakes:

[http://www.despair.com/mistakes.html](http://www.despair.com/mistakes.html)

"It could be the purpose of your life is only to serve as a warning to
others."

So thanks, eam, for getting a bunch of young entrepreneurs to say, "Hey, maybe
I should double-check our fraud prevention."

~~~
jmount
Always good to hear good calm advice from somebody I know and respect, Will. I
admit I make tons of mistakes (and also would never start anything if I always
"thought it through"). But I still really don't like what the original poster
presented.

~~~
eam
Hi OP here, thank you for your opinions. I just wanted to say that I thought
that I had "thought it through" but apparently I didn't, it was more
complicated than I thought it was. This is not the first time in my life that
I thought I had thought something through, there have been numerous times
actually in all aspects of my life. A year or so ago, I watched a Malcolm
Gladwell talk on TED
([http://www.ted.com/talks/malcolm_gladwell_on_spaghetti_sauce](http://www.ted.com/talks/malcolm_gladwell_on_spaghetti_sauce))
where spaghetti sauce companies thought they had thought things through, but
really didn't. Of course I could have spent lots of time reading books, but
even then I might have missed this. I just wanted to share my experience and
ask for any advice (not legal) just advice/tips in general from others who had
been in the same boat. So far the comments have been excellent and invaluable.
They have taught me many things I didn't think of before, but more importantly
it will help others who might be looking or are doing that same thing I was
doing already on my side project.

------
mey
I work in fraud management in the payment space for my day job. (Unfortunately
we do not have a publicly available option yet for someone at your scale).

    
    
- You are most likely violating OFAC/KYC regulations in the US (assuming you are in the US, given the references to the FBI)
- It is easy/cheap to buy on the black market complete combinations of credit cards/cvv/social security info
- People who buy/have these stolen cards want a cash exit
- Verification of both sides of the transaction is really needed for what is essentially a money transfer, to keep fraud down (steps beyond CCV to prove someone is in control of a CC)
- You are lucky, that $2000 was probably an initial probe to see what checks you had in place. Shutting down was the right thing to do. If you had left it open, you could've added three zeros to the damages
- CC's are not secure and the "merchant" is always the loser in fraud. Visa/Mastercard will always make their cut. Additionally ACH/echecks don't provide much in the way to claw back funds (any really).
    
    

Edit: Oh some other notes, the local PD are simply not equipped to handle
this, even though you _are_ the victim as you have been defrauded. Chargebacks
can continue to roll in down the line, typically 30-90 days after the
transaction. You may have violated your MCC code on your merchant account by
doing this, as getting an MCC code to do a balance transfer like this is not a
simple thing.

------
noonespecial
Run from this. You've been lucky.

1) You are almost certainly operating a money transmitting service (like
Western Union). If you are an intermediary between people giving each other
money, there are piles of regulations and compliances you _must_ deal with
just to stay out of jail!

2) Anything dealing with money and internet is HARD. This is like complaining
that you tried to be a veterinarian on the side and some animals died. There
is a minimum amount of knowledge you need just to start. You presently don't
know what you don't know in this space. It's dangerous.

Sorry for the downer, but pick a different side project.

------
dminor
You were basically providing a cash advance, which is against the credit card
companies' TOS, so chalk it up as a lesson learned and move on.

I can pretty much guarantee that no one in law enforcement will do anything
about your situation. I work for an online retailer and we've been down that
road. Everyone will mumble something about jurisdiction and hang up on you.

------
eli
If you're looking for legal advice, you absolutely must ask a lawyer. Most
good lawyers will give you an initial consultation for free.

If you're looking for business advice, I don't think there's any practical or
safe way to run a business that allows people to charge a credit card and
return cash to a bank account. If that's necessary for the functioning of your
site, you may need to rethink your site.

------
KhalPanda
What makes you think the bank account's details you have that the (presumably)
stolen funds were sent to are those of the actual criminal? It could very
easily (and extremely likely) be an account opened under a stolen identity.

I'm afraid it's likely you're going to have to put this one down to
experience... You haven't gone into specifics, but your side project sounds
like a money-launderer's dream.

~~~
pbhjpbhj
> _What makes you think the bank account's details you have that the
> (presumably) stolen funds were sent to are those of the actual criminal?_ //

Did he say that? I thought he was just saying as he had the account number
then the bank could easily stop that money; the implication being that someone
trying to retrieve the money could be traced.

~~~
KhalPanda
Maybe you're right (that that is what he meant)... but all it takes is the
criminal to withdraw cash (or have someone do it for him) and that money is
long gone.

I was more getting at the fact that the money is probably not retrievable.

------
bluedino
>> 2000 was basically the year of fraud, where we were just losing more and
more money every month. At one point we were losing over $10 million per month
in fraud. It was crazy.

—Max Levchin, founder of PayPal

~~~
hcentelles
Where did this quote come from?

~~~
maxmcd
[http://www.foundersatwork.com/](http://www.foundersatwork.com/)

~~~
wpietri
A book that any founder should read. It's a great set of interviews with
founders telling relatively unsanitized versions of their startup stories. It
serves as a great antidote to the business press's "all winners are perfect
geniuses" school of reporting.

------
blakerson
You were running a money transmitter, and once you learn the regulations and
liabilities that come attached to that you'll be glad you shut it down before
the gap widened any further.

------
beat
My spouse works as a BA/project manager for a large e-commerce player. The
efforts they go to in order to handle fraud are crazy. Fraud management is an
_entire department_ in any e-commerce organization. They're fighting not
simple scammers, but international organized crime syndicates.

My not-a-lawyer advice? Drop your "side project" as fast as you possibly can,
before it destroys you.

------
eam
I actually even called the destination bank fraud department which is where
the checking account resides. They seem to not care. I called them 2 days
after the transactions happened and asked if they can reverse the transactions
though the agent that I spoke with said he would work on it and call me back.
He never called me back, so I called him back and he said he still has to
get to it and told me to have my payment processing company call him. My
payment processing company has tried to call the bank agent for 2 days with no
avail. I even tried to call him and many times I was sent to voicemail. It has
been 11 days and I haven't heard back.

~~~
mtamizi
> My payment processing company has tried to call the Ally Bank agent for 2
> days with no avail.

Ally isn't going to help you in this case. Ally doesn't know you, and you're
asking them to give you money from one of their customers.

Who is your payment processor? You can issue an ACH reversal. You would get
your money back _if_ the money is still in the recipient's bank account.
It's worth a try since they may not be expecting you to reverse the
transaction and will still have money in the account.

------
scarmig
Someone will say, "use bitcoin instead!" So follow the directions here to help
your situation:

1) Set up an exchange. 2) Wait for people to deposit >$2000 worth of bitcoin.
3) Run away.

Problem solved.

More seriously, I think you're more or less in a very unhappy place without
good options. Chalk it up to experience and consider yourself lucky that you
only lost $2k.

Though, a question for the legally-minded: if this project had been done in a
corporate structure, could the poster just walk away from it and be insulated
from the loss?

~~~
aioprisan
As long as you're incorporated, you're personally shielded from incurring
those losses yourself or anyone going after you for those losses, as long as
you didn't personally guarantee those accounts (i.e. AMEX business cards are
guaranteed with your personal SSN vs company EIN).

~~~
eli
No offense, but that sounds like terrible advice. Please consult a lawyer or
accountant with questions, but corporations do not magically and universally
shield your side business from incurring debts you have to pay. (And your
business credit cards would almost certainly be personally guaranteed -- who
would give a credit card to a business with no credit history?)

~~~
aioprisan
Again, I should have prefaced this with stating that I am not a lawyer and do
not provide legal advice. With a DUNS number, you can open business cards if
you have an established history of paying your suppliers and can show sales to
other companies.

> And your business credit cards would almost certainly be personally
> guaranteed -- who would give a credit card to a business with no credit
> history?

Not true. While it is easier to get a business credit card if you personally
guarantee it from day 1, you can get one using your business identification
information. You can get Citi business cards with a DUNS and EIN number.
[https://www.citicards.com/cards/wv/html/cm/business/know-the...](https://www.citicards.com/cards/wv/html/cm/business/know-the-rules/business-credit.html)
You can also get corporate AMEX cards once your
business has $10M in revenue a year. Employee cards only require a SSN to
verify identity, not to guarantee them (the regular, business amex cards,
however, do).

------
dragonwriter
Credit Card companies basically tell merchants (in their merchant guides) not
to (1) deposit funds from CC transactions in any account but their own, or (2)
allow CC users to extract cash or the equivalent from CCs as by cash refunds,
and highlight that these things are wide open gates for fraud, money
laundering, and high chargeback rates. [1]

This sounds like a grossly irresponsible "side project".

[1] example: See "Laundering" on p. 11, "No Cash Refunds" on p. 13 of
[https://usa.visa.com/download/merchants/card-acceptance-guid...](https://usa.visa.com/download/merchants/card-acceptance-guidelines-for-visa-merchants.pdf)

------
genericresponse
You lost $2000 in stolen goods. Someone defrauded you by knowingly using fake
cards. Your police department should see you as a victim as well. If they
don't you might want to think about talking to a lawyer to get things moving.

Actually- just go talk to a lawyer about getting the wheels of justice moving
for you.

------
daseong
I am not a lawyer, this is no legal advice. You have to be careful. Depending
on your country's laws you might have been running a financial service. These
services usually require you to register, fulfill tons of requirements (at the
least hold enough reserves) etc. Offering a financial service without
registration might get you in a lot of trouble. The only course of action you
have is to try to reverse the transactions to the checking accounts. This will
largely depend on your provider.

Talk to a lawyer. Make sure you haven't been running a financial service.

------
kapnobatairza
I know this is not what you want to hear right now but this is where the
importance of KYC requirements for any company dealing with financial
transactions comes in. I imagine you made a trade-off between providing a
frictionless service and best practice, but that's a trade-off you need to pay
for eventually.

EDIT: I would also like to add that typically those who dabble in credit card
fraud are sophisticated enough NOT to link their own bank details to the
cards. What they will do is either buy some unknowing person's account for a
few hundred dollars or steal details of an otherwise inactive account. Then
all they have to do is use any ATM to withdraw the money, and it can be nearly
impossible to catch the culprit without committing significant police
resources.

------
pktgen
IMO, you would probably be best speaking to an attorney. They may also be able
to get more cooperativeness from the FBI.

~~~
tdicola
Unfortunately at a normal rate of $300/hr or so you're going to rack up well
over $2000 in attorney fees.

~~~
daseong
IMHO he should still talk to an attorney.

If he provided financial services without a proper license, he might be in a
world of hurt.

------
larrydag
Card-Not-Present online commerce draws fraud and that is a reality that you
need to address. There are methods to mitigate the losses from fraud. You
could collect webserver, internet traffic data and credit card data to filter
your signups to prevent this happening in the future. One such company that
could help is siftscience.com.

~~~
larrydag
I'm curious to those that downvote how they would address online fraud. It is
a real problem with online commerce.

~~~
aioprisan
You can request strict full address validation and request that charges fail
on CVC mismatch. On the cashout side, you can use a system like
[http://www.idology.com/](http://www.idology.com/) for identity verification,
which can be either as complete or as superficial as you want it to be (think
credit card application level verification, with questions about past
employers, loans and monthly payment amounts). If this person has all the
information to steal your customer's identity, then you can't really defend
yourself against that scenario and that customer likely has to deal with
larger identity theft issues.

------
LeBlanc
I would highly recommend that you contact the banks for whatever accounts the
money went to. If you are able to prove fraud, you may be able to work with
them to freeze the accounts and then recover enough funds to cover the
chargebacks. You can use the routing numbers to figure out which banks to talk
to.

When I was at WePay, we used this to help recover fraud losses. It's not 100%
effective (because often the account has already been drained/closed), but
it's better than nothing.

In the future, I would also recommend using a PSP like WePay, Stripe, or
PayPal that will handle KYC and fraud detection for you.
[https://www.wepay.com/api/payments-101/preventing-losses-fig...](https://www.wepay.com/api/payments-101/preventing-losses-fighting-fraud)

------
iddav
I've lost 2 merchant accounts in the past due to a high chargeback rate
involved with selling web hosting online.

Most chargebacks are a result of orders from people with stolen credit cards,
usually from international IPs. To mitigate this, I ended up using:

1. A service called MaxMind, which includes automated phone verification
(e.g., ensuring the person owns a phone number in the area code matching the
credit card zip code).

2. Using payment providers like PayPal or 2CO since they have their own
built-in fraud prevention systems.

Of course, this does not prevent chargebacks for non-fraudulent reasons (e.g.,
unsatisfied customers). For large orders, you may need to get the customer's
signature on a credit card authorization form, to enable you to win the
chargebacks if they occur.

------
yardie
1. Consider this a very expensive lesson for you. Loss prevention isn't easy.
It's why I stopped using Ebay and do local direct (CL, gumtree, leboncoin,
etc.) sale.

2. FBI cybercrimes division will eventually want to hear from you but the
fraud was small potatoes compared to what they are up against. Your local PD
is right, this is out of their league. Most likely this is across county,
state, and international borders.

------
raverbashing
And that's why you _don't_ consider money paid with CC an immediate part of
the balance.

Unless you can swallow the loss.

As an example, some airlines require that you present the Credit Card used in
the purchase upon check-in.

------
uptown
Just curious - who'd you take the transaction costs from? The sender?

~~~
eam
Both, from sender and receiver.

