Hacker News new | comments | show | ask | jobs | submit login
Candy Japan hit with credit card fraud (candyjapan.com)
293 points by bemmu on Sept 18, 2015 | hide | past | web | favorite | 204 comments



I commented this on yesterday's jsbin article, and I'll write it again.

Don't implement the payment processing code yourself. (And using Stripe is _still_ implementing it yourself - they supply only one part of the process.)

Writing this code will take time that you are not using to develop and market your product. (cf opportunity cost). Your code will be buggy. Your code will be weak. Your code will not support the various alternative payment options popular in, say, Holland. (Yes, this is a thing, and it is called iDEAL.) Your code will sooner or later be exposed to a campaign of fraudulent transactions.

Use FastSpring, or your alternative of choice. Yes, it costs more, if you don't put value on your weeks of time to create and support an alternative, and if are comfortable having a weak fraud detection, if any.

When your business becomes successful, when the fees to FastSpring start to dwarf the costs of implementing a payment system yourself, then - perhaps - consider re-doing it yourself.

There are indeed weaknesses in using FastSpring, which after seven years are becoming a pain for me. I'll be writing about that soon. But this is not an issue for a one-person endeavor getting started.


Living in Holland, where everyone does online transactions with iDeal, I find it hard to understand why the rest of the world is using credit card payments at all, for anything. It is massively insecure, it's expensive for the merchant, and theft is ignored (when millions of stored creditcard records are stolen, those cards are not invalidated and replaced?). This is all at the cost of customers and other merchants.

I'll keep trying to avoid using a creditcard as much as possible and use other payment methods when I can, both online and offline.

And yes, when implementing payments on a website, use a service that does all of the complex things for you, and never store sensitive data yourself.


There are many reasons to use credit cards, and some of what you said is just not accurate:

- The vast majority (probably 95%+) of cards have rewards built in. Everything from miles to redeem on travel and accommodations to the most common being cash back credited against your account. These can range anywhere from 1% to 5% outside of special promotions where you typically get even more.

- They offer increased consumer protection in the form of warranties on items you buy in addition to the manufacturer's warranty.

- They offer increased consumer protection in the handling of charge backs, fraud prevention and being able to easily dispute charges (typically online).

- Of course if a card is stolen the number is invalidated and the physical card replaced - I don't know where you got the idea that this doesn't happen.

- None of this is at direct cost to the customer - assuming you pay off your statement balance prior to the due date, you are not charged interest and unless you have a card with an annual fee (most do not and if you have even decent credit it's trivial to upgrade to a card without one) all these features are free.


> None of this is at direct cost to the customer

Then who do you think is paying for those rewards/cashbacks? Who is paying for the extra warranty? Who is paying for the costs of the chargebacks and the replacement of cards that get stolen by the millions?

The answer could be you, creditcard users who dont pay off in time, or people who use other payment methods. It certainly isn't the banks or the merchant who's paying all this.


It is the merchants. Credit card fees are paid by merchants. It comes out of profits.


...which leads to higher prices charged to consumers. Credit cards and their benefits exact a roughly 3% surcharge on ecommerce in the aggregate.


Those benefits don't come without a cost though, and not just from cardholders who do carry a balance and pay interest. The merchant fees, chargebacks and other costs get tacked on to their COG.


iDEAL is fine for transactions between a Dutch client and a Dutch merchant. Other countries also have similar, local payment solutions which bypass credit card processors (e.g. POLi in Australia and New Zealand)

But it does nothing for a business like Candy Japan which sells to a global audience. The advantage of credit cards is that they are one payment system that works pretty much everywhere, worldwide.

Also, you should realise that, as a customer, you typically don't have the same chargeback rights when using a banking service like iDEAL compared to what you get with a Credit card. This can be a big deal when, for example, a merchant goes bankrupt before delivering your purchase.


> global audience

That's the reason they recommended to use a payment gateway that implements all those local payment solutions. For example, in Germany you loose a lot of customers if you don't offer direct debit (ELV) as many don't own a credit card (and don't want to).

> you typically don't have the same chargeback rights when using a banking service like iDEAL

This heavily depends on the service. For example, the upcoming German Paydirekt will offer better chargeback service than most German credit cards (where you typically don't enjoy the US-style "anything is reversible" type of protection).


> That's the reason they recommended to use a payment gateway that implements all those local payment solutions. For example, in Germany you loose a lot of customers if you don't offer direct debit (ELV) as many don't own a credit card (and don't want to).

I can't imagine wanting to give out my bank details to allow direct debit of my account to every online retailer I do business with. Weird.


Not too different from giving out your credit card number. I can reverse any direct debit online with two clicks and a second-factor authentication. Disputing a credit card transaction here on the other hand requires filling out a form, signing it on paper, sending it via post, and waiting for the response.


Very different in the US.

US consumer protection laws treat credit and debit cards differently. They favor credit cards. The gap between the two is up to the goodwill of your bank.

I prefer to rely on law than goodwill. I have never had a problem with getting a refund on a credit card charge I claimed was fraud.

I have no idea why people choose to use a debit card over a credit card here.


The thread might be titled "People tend to use the safest (to them) form of payment available". If your credit card laws protect the consumer a lot (like in the US) then you use credit cards. If you have some in-country debit system with better protection you use that instead.

One reason it's so hard to unseat credit cards in the US is because most of the advantages of the alternatives are on the sellers side. The consumer doesn't seen any benefit from switching to Apple Pay or whatever. Most merchant agreements don't even let stores charge less for using non-credit card type payments (although some stores do anyway).

As a US citizen I use my credit cards constantly. It's an instant 1% discount on everything I buy (thanks to the cash back), and its fast and easy. I pay it off every month to avoid paying interest. There's basically no downside to me.

The story would be different if retailers were allowed to directly pass on the service fees however. I would definitely think twice if every time I used it I got surcharged $0.50.


Merchants in the US are now legally allowed to charge a surcharge for credit card transactions, regardless of their merchant agreement.


It doesn't seem like anybody besides gas stations is really doing this, though.


True, I was just pointing out that legally, they can.


Yeah but in the meantime I still have my actual cash.


After I make my two clicks for which you have several months time (only needed to do that once) the actual transaction is reversed immediatly. That means even if I notice it three weeks later, the bank pretends the direct debit never happened and is not included in any interest calculation etc.


Well, that was my experience with American Express. I noticed a fraudulent charge, called them up and was done 5 minutes later. Everything was refunded immediately after I hung up. That was the end of it.

OTOH, my Chase experience was not nearly as smooth.


That's the whole point of the thread: If you cater to a global audience you can't assume that what works for you will work for someone on the other side of the planet. Different markets tend to favor different solutions in customer adoption, law, and regulation.


It is identical to a credit card and cheque. That's exactly what you're doing in both cases.


Others have pointed out the consumer protection on the German system is pretty good. The distinction here is that, in the US context at least, it's somebody else's money that is temporarily inaccessible -- you can still withdraw your cash while a credit dispute is taking place.


Also I need recurring payments. Not sure if those would be possible with ELV / iDEAL.


For ELV sure. That's the German implementation of SEPA direct debit (which should work almost everywhere in Europe). You can even charge different amount each time, provided you inform the customer before you attempt to charge. For example, I pay my electricity and phone bills by this system, just like my purchases on Amazon and almost everything else that is provided by German companies (just like most people).

Don't know about iDEAL, but I think that wouldn't work.

The thing: If you don't implement all of this yourself, you don't need to worry about the details. There are services that happily do this for you.


I have a SaaS app that has only US customers at the moment but I would love to be able to offer this type of support and begin acquiring European customers. Do you have any recommendations of services that handle this ELV/SEPA/iDEAL type of integration?


Having visited NL, my card was practically useless. Any other country no problem, but Netherlands? So I don't understand you really.

That being said, direct payment gateways are common, but they require cooperation with banks. There's probably hundreds of them and only make sense on local market where you can have on or two implemented to satisfy 80%+ of customers (and others will just use regular card).


That's the whole point, in the Netherlands we use debit cards (known as 'PIN cards' to the locals) instead of credit cards. Usually these are Maestro cards. I don't know the exact number, but as a Dutch resident I guess that >99% of all POS transactions are done using such card, not a credit card.

Cashiers in most common shops probably don't even know how to accept a payment by credit card, so the'll just refuse.

Meastro cards are usually protected by a PIN and require a POS system to be used. This was a problem for e-commerce, so the Dutch banks participated in iDEAL. It's basically a redirect from the merchants website to the bank site of the customer, where they use their own cardreader and debit card to validate the transaction before being redirected back to the site of the merchant.


In many countries (such as where I'm from, Sweden, or where I live now, Japan), debit cards and credit cards are interchangeable, and you can't even tell by looking at the card if it's debit or credit. They're both VISA or MasterCard branded, and what's backing it is only the business of the cardholder, not the merchant.

I remember Maestro cards in Sweden as being for under-18's, and then when you become an adult you get a VISA/MasterCard debit card instead, but I don't know if that's true anymore.


In Canada, a distinction is made because the fees on debit are much lower (comparable to cash handling costs) and the banks have put tremendous marketing efforts in pushing for debit cards and branding them "Interac."

That said, the cards themselves use exactly the same technology, look the same and debit cards are usually Maestro/Cirrus or Visa/Plus compatible so we can do debit transactions in europe.

The online version of debit however has yet to catch on.


Canadian here, and I find that most of my peers (30s) use their credit cards for almost everything and their debit cards collect dust. The reasons are several:

1) CCs offer rewards (travel, cash back), usually in the range of 2% of purchases

2) CCs offer insurance and extended warranties on some purchases.

3) CCs help you build a good credit rating, which is important for someone who intends to apply for a mortgage at some point.

4) CC offer superior protection to debit cards. Yes, CC fraud may be easy, but as the card holder you will almost never be on the hook.

I've had my CC compromised, the bank detected it immediately and issued me a new one. Never was there any question who would bear the cost of the 5-figures that the fraudster spent. My brother had his debit card compromised once and the story was completely different. The bank wanted him to prove that the fraudulent transactions were not his and he had to go to great lengths to do so.

My personal preferred order of payment is:

CC

Cash

Debit (last resort)


I do to for similar reasons. But I will use debit if the merchant extends me a discount, one of the gas station here for example gives me 2 cents off per liter which works out as more than the rewards.

However, I never do cash cause I never have cash on me. It's Credit for reward and then debit.

That said, I know a lot of people who don't do the rewards maximizing. Programmer/engineer crowd tends to self-select for people who are logical and number inclined.


On the other side of the fence, also Canadian, my debit card has been compromised many times. Bank always shuts it down immediately and lets me know, then returns the money. I have never been asked to prove anything. Usually they ask me to double check and see if any other charges than the ones they caught were fraudulent.

This has been as simple as someone using a copy of my card to buy candy and video games, something I could have done but didn't in this case.

Really impressed with the services of my banks when it's come to debit fraud.


To be fair, my brother's incident was quite a few years ago by now, so it's quite possible that the response has improved.


Yeah, I have a debit card that works as a Visa card if you choose to use it that way. I never use it though because if someone steals the number it is way harder to deal with fraud on a Debit card than on a Credit card. The consumer protection laws on Debit cards are much weaker than the ones for Credit cards.

We probably have old misbehaving banks to thank for our relatively consumer friendly credit card laws. In countries where the banks weren't quite so abusive the laws could be much weaker and give Debit cards an advantage.


Same is true for Belgium, though the Belgian infrastructure is a little more up to date (most terminals can accept credit cards, if the shop has payed for the quite expensive creditcard processing service with the company issuing the terminals): debit cards are the norm, credit cards are much less common.


Netherlands was also one of the few countries in the world that didn't take union pay (China's atm network), so my debit card was useless. If I didn't have my credit card I would have been totally screwed.


> my card was practically useless

That's because merchants pay 3% or more for a creditcard payment, and something like 0.8% for a local bank card payment (with the online equivalent iDeal). On top of that, there is much more risk accepting the creditcard with chargebacks, while the banks guarantee normal/iDeal payments. So most merchants here really dislike creditcard payments, it "costs them" much more.

Of course I understand that this is not a solution for accepting payments internationally. What I say is that the whole creditcard payment system, as it currently works, should be replaced by something saner, something that looks more like iDeal.


The EU is introducing a cap on credit card interchange fees of 0.3%, and 0.2% for debit cards. This is expected to lead to much lower fees for merchants that accept credit cards (and ultimately, consumers).

The new regulations apply from 09 December 2015:

https://www.gov.uk/government/news/credit-and-debit-card-fee...


What's with the EU and bringing in new financial regulations for Merchants around Christmas time??

Last year it was VATMOSS on 1 January (when lots of people are on leave and lots of purchases are made due to stores running sales, especially online).

ONS retail sales per week in the UK are £9B in December vs. £7B in April or June (last 12 months figures, http://www.ons.gov.uk/ons/rel/rsi/retail-sales/index.html).


You can ask your payment processor and they will say their prices will stay the same.

Check this response from paypal: PayPal told us that the “European Union’s regulation of Multilateral Interchange Fees (MIF) does not apply to PayPal as we are not an inter-bank card scheme and the fees PayPal charges businesses are not interchange fees”. http://tamebay.com/2015/03/new-eu-caps-on-credit-and-debit-c...


Source for the 0.8% for local bank card payment? Last I read it was a fixed 4-6 cents per payment. See [1], for example.

[1] https://www.abnamro.nl/nl/zakelijk/betalen/tarieven/sepa-bet...


Given that a huge number of transactions will be near 1-2 euros, the average cost in terms of percent could really be 0.8%. Not that I've seen the numbers mind you.


iDEAL covers nearly all the dutch banks (10 of them) so no 'per bank' payment systems. Creditcards are not accepted by brick and mortar stores except for some very tourist heavy areas, most people do not have a creditcard here.


Try Japan. Credit cards won't be accepted half the places you go and only a small percentage of ATMs will allow you to withdraw money from a foreign account at all.


Credit should be accepted in stores where you're expected to spend over 10,000JPY/$100, but anywhere small is cash-only. In Tokyo you might be able to NFC pay from your transit card balance, and the taxis take cards.

As for ATMs, go find a 7/11 or a Post Office and those will work.


Well, yes. I didn't want to get into all the minutiae to make a point.


You might find it pretty useless in japan, other than at 7/11 ATMs. They have some kind of weird specific payment system as well.


> Living in Holland, where everyone does online transactions with iDeal, I find it hard to understand why the rest of the world is using credit card payments at all, for anything.

We do have both ideal type payments and credit card payments in Finland (I assume ideal is a direct bank payment to merchants account?)

I still personally always use credit card if possible as it gives the customer extra layer of security. For example in cases where you purchase something quite expensive let's say a holiday package if the company does not deliver the holiday, goes bankrupt etc you will get the money back with CC but NOT if you have paid directly via web bank payment form.

Same thing with online fraud, if you pay to fraudulent website it's going to be extremely hard to get your money back if you have paid it directly to scammers bank account.


This is true but in this case he's not directly integrated (he's using Recurly). Better fraud tools is something we are actively working on.


Would it be possible to give us a better ETA on when something is likely to be implemented?

I was thinking of using recurly and this has put me off somewhat.


I'm an engineer so I can't really give you an ETA in public. You could certainly talk to one of our sales or product people about it.

The thing you need to remember is that you do have options. If you choose a gateway with good fraud tools, or a gateway that integrates with them, we upstream that information to you. Traditionally Recurly has left fraud up to the gateway because they are much better at dealing with it, but we are now seeing the need to offer some more professional fraud tools by default at the Recurly level.

Feel free to email me if you want to have a discussion about it: ben@recurly.com


FYI take a look at SiftScience and ThreatMetrix products. They wont process your transaction, but at least one of them offers a zero chargeback guaruntee, at $0.03 per transaction I believe.


Just for the record, as a Dutch person, Holland refers to the two provinces North and South Holland and there is more to the country than just that. The Netherlands would be more accurate.


Sorry about that. In future I'll be more careful to write The Netherlands.


Don't feel too bad. My sister's husband is Dutch and even he refers to The Netherlands as Holland now and then (as does his family and other Dutch people I have seen). It's not the end of the world.


How is FastSpring different from using Stripe.js or Checkout? Both claim "automatic fraud detection".


How is FastSpring different from Stripe? I can't tell from the website.


Totaly ignorant here:

Why would using FastSpring be safer than using Stripe?


Fastspring has a fraud protection system in place. Strip has not and does not prioritise it according to this quora comment by one of its co-founder. https://www.quora.com/How-will-Stripe-overcome-the-huge-loss...

Fraudulent chargebacks is bad, both economical and psychological. As an online seller it is part of life, but you want to keep it to a minimum, say < 1% of all transactions. I wholeheartedly support the sentiment of the OP, do not use Stripe nor do this in-house. Instead, use a payment provider with a proven fraud protection system, such as PayPal.


Do you have an RSS feed or a link to where that post may show up? Thanks, highly interested!


I'll most likely post it on blog.barbarysoftware.com


Thanks.


We ran an online store selling merchandise for a very large mobile-game vendor, so naturally we experienced these types of fraud attempts.

For us, there's one killer technique. Detect fraud however you want to / can (this can be a mix of heuristic data from your stats, third party, or whatever you want) - but when you detect it - don't decline the user.

Send them to a fake purchase confirmation page.

Suddenly they'll be getting 100% success from your site, and they'll drop you immediately.

On the backend, put the transaction to manual approval, so if it IS a legitimate client, when they email you, you can manually approve the order.

Over the years, as others have pointed out, detection methods change, but using the above technique invalidates their reasons test with your site. (very similar to Mailinator's technique for people scraping their site.. http://mailinator.blogspot.fr/2011/05/how-to-get-gmailcom-ba... )


I think Amazon does this. Regardless of whether the payment goes through or not, you'll always reach an 'order confirmed' page. Looks like they've adopted the same technique for curbing fraudulent purchases.


Interestingly enough I found this subthread from an HN Post earlier today to be very relevant: https://news.ycombinator.com/item?id=10234561

> Regarding his fraud issue, I found that my website was being used in the same way when I added a credit card payment form. I implemented a system that first does an "Auth". If that passes, then I pass details to MaxMind and get back a response with a "riskScore". If the score is too high, I void the auth and decline the transaction. This has saved me a lot of chargeback fees, though it's still not perfect. I prefer PayPal because a "not authorized" just reverses the transaction; there is no chargeback fee.

- Osiris (HN user)

IMO, there's more worth reading in that subthread. It's an interesting topic, at least to me. I feel sympathy for any merchant that has to go through this kind of pain.


This issue is so costly and prevalent that I feel its a huge disservice for companies that offer credit card services to merchants to not either 1) mention this issue and recommend a fraud check service, or 2) include fraud protection in their service.

I actually ran into an issue a little while ago in that I allowed my MaxMind account to run out of queries. Not realizing this, I saw a few days of higher than normal sales but just assumed it was a good day. When the first chargeback came through, I immediately noticed the problem, bought more credits, then began to go through each transaction one and a time and noticed a pattern in the email addresses (all two words followed by 3 numbers @hotmail.com) and individually refunded each and every one of them.

I still got chargebacks but I was able to dispute them by showing that the transaction had already been refunded.

My ideal credit card would be on where the physical card has e-paper on it with a 6-digit PIN that changes periodically, like 2-factor auth, and that PIN could be required for purchases to be authenticated. The new smart-chip cards don't help at all with online purchases, only point of sale.

On a side note, I found that nearly all of my fraudulent purchases came from Vietnam to the point that at one time I put in an IPTABLES rule to block the entire country.


> My ideal credit card would be on where the physical card has e-paper on it with a 6-digit PIN that changes periodically, like 2-factor auth, and that PIN could be required for purchases to be authenticated. The new smart-chip cards don't help at all with online purchases, only point of sale.

The banks and companies like Visa/MasterCard in Turkey use something called 3D Secure [1], in which you are directed to your bank's 3D secure page and enter a code that is sent to you via SMS and your CVC number so they have 2-factor auth. Most of the merchants I used in Turkey supported 3D Secure but I don't know the situation with other countries.

Banks in Turkey still support the processing system that is currently used worldwide however some banks have an option where you can cancel all non-3D-Secure online transactions.

Also the chip-and-PIN standard was conceived in 1990s AFAIK so the smart-chip cards are not new at all, they are just not adopted in some countries like US.

[1]: https://en.wikipedia.org/wiki/3-D_Secure


Nobody seem to know or mention : https://en.wikipedia.org/wiki/3-D_Secure

I have to use it with most online shops here in Switzerland.


3D Secure was mentioned in the other thread. Folks recommended avoiding 3D Secure / Verified By Visa because so many banks implement it insecurely, and the redirect model is easy for phishing scams to imitate:

https://news.ycombinator.com/item?id=10235328

That redirect will kill conversion rates too, being redirected to a site you didn't expect claiming to be your bank but not matching its URL... of course it will freak some people out. Consider that some banks make the Verified By Visa password the customer's birthday (ie something easily researched) and you quickly realize it's a horrible system.


Well, I used to be rather critical of 3D Secure until a few months ago. My wife's card (on our shared account) got compromised and a 300 euros or so payment was made with it. No 3D Secure enabled for her because she had not given her cell phone number to the bank.

Our bank refunded it alright, though it took about a month, but the next week I received an SMS with a 3D Secure confirmation number for a similar payment, in HKD, with my own card (by the way, the only place we used both cards for payments was Taobao). I was able to call my bank which blocked the card and quickly issued me a new one. At least in this case it both saved us, our bank and some unknown online shop, time and money.

Also, I think the smart way to do 3D Secure is what capitainetrain.com does, they use it only for the first payment of a customer (and explain what's going to happen during the payment process) and all subsequent purchases don't go through it (since the customer has already been verified as being legitimate). It only works when you expect customers to come back regularly, though.


These verification mechanisms don't freak people out once people are used to them. Pretty much anyone who uses credit cards to buy anything online in Europe will have encountered this system before and will be more suspicious if they don't see it!

Using customers birthdate is indeed a very poor authentication mechanism, but even that is going to defeat the majority of fraudsters who are simply trying to bulk-authenticate a list of CC numbers. Personally, I don't give my real birthdate to any website unless they have a very good reason for knowing it.

My bank asks for three random characters from my online banking password (the same mechanism used to log in to my online banking) which provides enough security without risk of revealing the full password to key-loggers, etc.

But since the actual authentication mechanism is left up to the card issuer, there's nothing to prevent them using more advanced systems - like 2-factor authentication, hardware tokens, etc.


> My bank asks for three random characters from my online banking password (the same mechanism used to log in to my online banking) which provides enough security without risk of revealing the full password to key-loggers, etc.

How can the bank know what any of the letters in your password are unless they are storing it insecurely?


They could be storing a hash for each trigram in the password (assuming he meant three consecutive characters starting from a random offset). Although it might still leak information that could improve a brute force, I suppose.

It's not a good solution anyway. A phishing page could easily claim the entered password was wrong and ask for another one (starting at another offset). Most passwords are probably <= 9 characters, so you'd have the full password after 3 attempts.


It's not consecutive characters, it's a random set of three. One time it might ask me for the 1st, 6th, and 8th characters. The next time for the 6th, 7th, and 9th. Passwords are required to be at least 8 characters and contain a mix of letters and numbers.

Fishing attacks are difficult because the attacker would have to be able to determine which bank a card was issued by, and present the correct 3D secure interface specific to that issuer. Many issuers also add a customer-personalised image or message to the interface to further reassure customers of authenticity.


This further suggests to me your bank is storing your password in plaintext or reversibly encrypted, which is not secure at all.

The only alternative I can think of is that they'd also create and store a hash of every possible three-letter combination based on your password which does not seem likely.


How do you use the collected birthdate to reduce fraud?


Nobody collects the birthdate. It would be validated by the card issuer against their account records. The merchant doesn't see anything that happens during the 3D-secure part of the transaction.


Here in Belgium 3D-Secure is also commonplace, and the experience provided by my bank has significantly improved throughout the years. I also don't think it hurts the conversion of webshops around here because everybody is used to performing these extra steps.

It works as follows:

- Merchant redirects me to his payment provider

- I enter my debit/credit card number into the payment provider screen

- I am redirected to my bank website, and am able to verify the URL (no iframes anymore!)

- My bank has two methods of verification: scanning a QR-code with the mobile banking app on my phone, or logging into the online banking website (with a Vasco DIGIPASS 836, which requires a debit card+pin to generate a OTP)

- I verify the amount and creditor in the mobile/online banking app, and sign the transaction with my mobile pin/digipass.

- I am redirected back to the merchant.

All in all, I think it costs me 30 seconds to complete the extra 3D-Secure steps when using my mobile banking app.


Re: Conversion rates, as a consumer I have got used to it and it does not affect conversion for me at all.

Everyone uses it now in the UK and you always get redirected to the exact same page. I expect it, it doesn't put me off buying.

So it's a bad objection to the system, because once everyone's using it, it becomes the norm. Yes, there will be a dip in conversions to begin with as consumers are scared by the new page, but it will recover. Some people's implementation sucks, but that's a different matter.


I loathe verified by visa. I'll still buy from that site, but only in unusual circumstances. Verified by visa means I'd rather buy from somewhere else.


I'm in the UK and I'm used to it - used to it being a crock of shit.

It's a complete flip of a coin whether the dodgy collection of forwards and cookies and iframes will go wrong somewhere, and such failures are always handled in the most user-hostile ways. I can completely understand why Amazon and so many other retailers just don't bother with it.


Unfortunately the link I'm sharing here is outdated, but Verified By Visa is absolutely a conversion hit, even in the UK. The conversion rate hit was anywhere from 6% to 60% initially.

https://econsultancy.com/blog/3887-verified-by-visa-a-conver...

Visa's own documents now recommend only using Verified By Visa on transactions that look suspicious after running risk analysis, and cite that using it on all transactions was resulting in a 3 - 5% Abandonment rate in the UK.

"Higher conversion rates – following the implementation, abandonment dropped from over 4% to under 1%"

http://www.visaeurope.com/media/images/44933_visa_vbv_case_s...


Some banks implementing 3D Secure/Verified By Visa/MasterCard do it by asking for a separate password.

Given how few sites actually implement it, it becomes a pain to use if you have to dig out the password or set it up on first use.


Sure, banks can do it really horribly (most of them), but some use it to force proper 2FA. For example, Nordea asks you to open their phone app and confirm the purchase (with a message that includes the total price) on there.


>all of my fraudulent purchases came from Vietnam to the point that at one time I put in an IPTABLES rule to block the entire country.

I can never work this out; it seems that scammers from different countries (or using hacked servers / proxies?) are attracted to different sites or types of ecommerce sites.

For example:

- One of my sites has huge fraud from Ukraine and Russia

- Another from Indonesia

- Another's problem country is Pakistan

I typically use https://siftscience.com to identify fraud, plus country-level blocks where it makes sense.

Damned shame that all the legitimate users from a given country get blocked thanks to the fraudsters!


Thanks for using us! If you need extra help feel free to email me - jason at siftscience dot com


All of mine seemed to come from Mexico. Either IP being in Mexico or the shipping address being there.

Still many orders originating from Mexico seemed like they might be genuine, as the customers had filled in the questionnaire with their favorite animes etc. valid looking answers, so I didn't want to block the entire country.

My theory is that there really was some kind of media mention there, which resulted in some real orders but also some fraudster happened to hear about the service that way as well. it seemed possible that I had been mentioned in some local


> My ideal credit card would be on where the physical card has e-paper on it with a 6-digit PIN that changes periodically, like 2-factor auth, and that PIN could be required for purchases to be authenticated. The new smart-chip cards don't help at all with online purchases, only point of sale.

You may be interested in the system I use with my bank in the Netherlands.

The old system worked like this: The bank gave me a device they called a "Random Reader". To make a payment, I had to insert my card into the device, enter my pin, enter a (random?) number that the payment site gave me, and enter the amount. It then gave me a number back that I had to give the website, which authenticated me.

These days I use a "Rabo Scanner", which works the same except instead of entering a code and the amount it has a camera on there that scans a kind of barcode on the screen that contains that information.

So it does use the smart-chip, and the (8-digit) pin changes every time you make a payment. You do have to take the device with you, but it isn't very big.


   Since pro accounts initially cost £6 for month, it turns 
   out that this is low enough that it won't send red flags 
   to stolen cards
That's interesting (scary). What is the minimum transaction that Visa actually gives a monkeys about? And why, if a card is stolen, does not any activity flag up?

Edit: more importantly I never even thought Inwoukd need to implement fraud detection - is there a primer on "things you never thought of when selling on line - from VATMOSS to Vampires"?


It's not normally a single transaction that triggers the fraud detection, but a small initial transaction (say <$20) then one that's much larger - the first transaction validates the card works, the second one is the money grab.

So if you sell something small, you'll be used to validate newly bought cards before they go off and buy $1000 of something else.


Let me say I vastly appreciate the honesty in your blog series having caught up just now. It's good to hear others have these worries and can learn - if painfully !

Good luck


I was using VeriSign for years. Then my site got hit with a "carding" [1] attack. VeriSign was simply not interested in helping with it, the merchant bank I had coupled it with was not interested either.

So I cancelled VeriSign and the merchant account, and use paypal and Amazon Payments instead.

I did make the rounds of a few banks, all were eager to set me up with a new merchant account. All gave me blank stares when I asked if they had any means of preventing carding attacks or other frauds.

[1] A carding attack is when there's an attempt to buy something for $0.00, just to see if it is rejected or not. I was getting one every minute or so. I got charged for every one of those, and so soon had racked up a grand in charges.


Osiris' info was useful. I really also need to put in some fraud detection like that. But there are so many companies providing that service, I'm not sure which one to go with. How involved is it to integrate these?

It's not my idea of fun to try look at these transactions manually, so until I get a motivation boost to go through with the integration it'll probably be PayPal-only.


>I'm not sure which one to go with. How involved is it to integrate these?

I really like https://siftscience.com.

The important thing is to not over-think things; it's rarely that case that you truly, honestly, really need real-time automated fraud detection.

Start with implementing the absolute bare minimum. You'll then receive emails from e.g. Sift when a bad user is identified, and you can manually refund the transaction, cancel the order, and block the user.


I'm thinking about integrating with siftscience. How trustworthy are they? It looks like you need to send them information about your users and give them script access on your page in order to help identify fraudulent transactions. (which is completely reasonable but still requires a lot of trust on our part)


Hi Ben, CEO of Sift Science here. Happy to share what we do to secure and protect your data - jason at siftscience dot com


Something like a simple proxy / VPN IP detection should be used because I assume most of the "carders" don't use their home IPs. There are decent free solutions online like W I T C H and GetIPIntel.


I also had something like this happen on a site I built for my wife's work's site, a Boys & Girls Club[0]. I had a donation button that let people make an open donation to the club. It's such a tiny site with little traffic, but apparently the SEO must be decent because somehow it got targeted by people appearing to come through Brazil and Poland.

Suddenly one day, hundreds of donation attempts. Checking the failed transactions, the script was trying $1, then $2, etc up to $22 then starting over, each time with a different number. About $200 in successful donations came through before I caught it.

So I just shut it all down for now. I'm not really sure how best to fix it. The club has no money and already complain about the transaction fees they get charged per swipe (and those are all pretty standard rates in the U.S.). Being a non-profit, they expect a lot of stuff for free, and unfortunately won't consider paying for an anti-fraud service. Even PayPal takes too big a cut.

Realizing that this wasn't a helpful comment, just a "me too." It sucks. Oh well.

[0]: https://salembgc.org


I think if you provide an interesting detailed and related anecdote like you did then it's not a "me too" post


Consider adding Bitcoin donations. The fees are very low and the Bitcoin community tends to be generous.


How can they not be willing to pay a transaction fee from even PayPal for donations? Seems their options right now is to take donations via a service like Paypal with a transaction fee, or just take no donation.


You would be surprised at how unreasonable people can be once you start talking about taking a percentage of money they get (be it donations or business revenue or something else).

It's the financial equivalent of having a tumor that will kill you and refusing the surgery because the doctor says you have a chance of dying on the table.


I don't want to speak for them or go into their financials, but in a literal sense, every dollar counts. When we were talking about taking donations and registrations online, they were frazzled about the transaction fees, and I suggested working them into the costs. (It was only, say a $3 increase in membership price.) The truth of the matter is that some people don't have that much to spare.

Of course, that conversation happened way before the site was used as a credit card validator. Trying to explain to them the bad side of charge backs and why this is a big deal is an on-going challenge. The last time I discussed it with them, they kept asking me if they were going to get stuck with all the transaction fees.

And, being a developer, my first gut instinct is stepping back and saying "you're wasting money here and here and here and here, cut down these inefficiencies and it'll all balance out." However, it's not as simple as that. Everyone needs to be on board, and the people in charge of these things are already overworked and not highly paid.

A catch-22, I suppose. I try to stay out of it as best I can. I made them the site for free in exchange for our two kids to use the club's stuff for free, and with those inefficiencies I hinted at, I can't afford to get caught in being the role of business consultant too.


They may actually not have a choice. My wife is a lawyer who does a lot of work with non-profits, and maintaining non-profit status can require jumping through a lot of legal hoops. A quick google suggests GBCA is a 501(c)3 non-profit, so it's very possible that adding a gateway in front of a donation that is tax deductible may create some legal risk (real or perceived), or be outright not allowed by current laws.


What the heck are you talking about? Fundraising expenses and overhead are totally ordinary and expected for non-profits. Obviously if it would be very high, it's problematic (as percentage of donations going to program expenses would low--think hiring a fundraiser, and giving them 50% of every dollar they bring in.), but a ~2% credit card processing is unexceptional.


Wait, why would someone fraudulently donate somewhere? I don't understand the motive.


From what I've read in research, the reason is four-fold-ish.

1: Using the site as a credit card validator. Only the real ones will get through.

2: By making donations to places with a stolen credit card little bits at a time, it establishes a wider pattern of use for that card. Fast forward a couple steps ahead, the purchases are getting a little weirder each time, and before you know it, you're at whatever level people use stolen cards to buy.

3: Tiny non-profits generally do not have a great deal of extra man-power to deal with such things, and there's a better chance that this sort of behavior goes unnoticed.

4: When people see weird charges on their card, some people are more likely to feel bad enough taking away money from a non-profit organization that they won't report the abuse, or they may not question it if the card is joint-used.

I'm sorry that I don't have sources on these, the research was from a couple of months ago. It's pretty frustrating and there seems to be little retribution for things. You have to just change your charge flow and move on. :/


Thanks for that, that's very interesting!


They aren't attempting to donate they are attempting to try credit card numbers to find ones that are valid.


We at Sift Science (http://siftscience.com) might be able to help. Feel free to email me at jason at siftscience dot com

Even if you don't use us, we published some articles to help merchants new to dealing with fraud: * https://siftscience.com/sift-edu/fraud-basics * https://siftscience.com/sift-edu/prevent-fraud


Sift Science is a great service, I would highly recommend testing it out.


Thanks for the kind words.


One other tip: Block all TOR exit node IP's. You'll find mostly fraud and spam coming from them.

Deep down, I would love to support TOR in principle. I know there are people living in oppressive regimes that need access to information. I want to support that side of TOR. In reality it's still the transport tunnel of choice for scammers and criminals. The costs just don't outweigh the benefits. Considering the CDNs that block TOR (Akamai, Cloudflare, Incapsula, etc), you wouldn't be the only one blocking TOR. I'd also throw in EC2, GCE, Azure, and Rackspace IP's too.


Hopefully nobody is living in a regime so strict they can't order candy delivery without fearing for their life.


Never underestimate how far San Francisco will go to impose its will.


Currently we're integrating Sift Science to avoid this otherwise serious and annoying issue. I think it happens to everyone who's directly accepting credit cards online. Does anyone have experience with Sift Science or similar services? (I know MaxMind has one but that, to me, seems inferior to SS's.)


Came here to recommend a sift science type solution. I've previously integrated fraud systems like Cybersource (clunky interface, wouldn't recommend)


Thank you for the recommendation!


Hi Mark, CEO of Sift Science here. Thanks for giving us a shot. Please don't hesitate to ping me if you need any help or we're not delivering to your expectations. jason at siftscience dot com


Second article in one day mentioning how bad credit card fraud can be to handle, especially for smaller sites.

I wonder if there might be an opportunity there? Or if the solutions have to be so custom that it'd be impossible to work out.


There is a huge opportunity there for companies like Stripe to buy eg MaxMind and integrate a quality risk scoring system directly into their payment solution. It's an obvious product expansion for someone like Stripe. Kind of hard to believe they haven't already gone after this.


PayPal does to some extent. And then people complain about how expensive PayPal is. In a commodity, race to the bottom world of cc processing I am not sure it would be a good business practise to bundle fraud prevention and processing. Let people be bitten and then willing to pay to avoid it is probably a better practise than charging for it up front. But they do buy them. ACI bought ReD last year for instance http://www.aciworldwide.com/news-and-events/press-releases/a...


From the article, it sounds like they are working in using an existing fraud detection service, would be interesting to see what goes into that sort of service.


Presumably, it would at least involve implementing "Verified by Visa", which protects online transactions by requiring a password or PIN.

Mastercard and Amex have equivalent services, and these are all widely implemented by websites and card issuers in Europe and other countries.

I suppose they are not so widely deployed in the USA or Japan, but at the very least, you'd protect yourself against fraud involving cards issued in countries that do use it.

http://www.visaeurope.com/making-payments/verified-by-visa/


I'm obviously not an expert, but is there a way to require someone to enter the pin that they use when they buy something in person? (I also found the following FAQ from the link you gave amusing "Why do we need Verified by Visa? Hasn’t Visa been taking my security seriously before?")


One of my banks requires me to enter my card in a physical card reader (and unlock the chip with the PIN) and validate the transaction by signing a nonce https://farm4.staticflickr.com/3237/2486214902_8feafd8200_b....


> is there a way to require someone to enter the pin that they use when they buy something in person

A PIN can be required for "cardholder present" transactions in most of the world. Some combination of card issuer, transaction processor and merchant decide at what value transactions may proceed without a PIN — e.g. a train company's actual loss from a fraudulent ride is very small, so they might not want the delay of asking for a PIN on a ticket machine. Similarly for McDonalds. But if you're buying a TV, you will need to use a PIN.

It's almost 100% of transactions in much of Europe, over 80% in Africa and South America, lower in the old Soviet Union and Asia: https://www.emvco.com/about_emvco.aspx?id=202


That's very interesting, thank you. I've always wondered what the process is for deciding whether to ask for a pin. It's strange to me because I think of someone being there with the card as being more secure than accepting a payment online?


> It's almost 100% of transactions in much of Europe

Unless the customer is using contactless payment card?


There's a (relatively low) transaction limit for contactless payments without additional verification. So, to buy a TV, you still need to enter a PIN.

Newer payment terminals can support device-based customer verification for contactless transactions, called CDCVM. The transaction limit doesn't apply if CDCVM is used. This is the mechanism used by Apple Pay, where you verify your identity using your fingerprint via Touch ID.


The actual authentication mechanism is left up to the card issuer. But using the card's PIN would be considered insecure due to the risk of malware/key-loggers intercepting it.

My bank asks for three random characters from my online banking password (the same mechanism used to log in to my online banking) which provides enough security without risk of revealing the full password to key-loggers.


> My bank asks for three random characters from my online banking password...

That's terrifying, really. They shouldn't have any way of getting that data out of the hashed password.


Well, it's a bank. If a hacker can penetrate to the point that they can read passwords directly out of the bank's account database, then you have far greater things to worry about than just a compromised password.


Unhashed passwords means a SQL injection hole goes from "I can read some interesting transaction histories and balances" to "I can log in and make bank transfers in everyone's account". There's a reason bcrypt one-way hashing is the recommended standard for any web app.


Which may mean that either the bank is storing your password as plaintext (or is hashing every three character combination possible, which would also help a hacker figure out the plaintext).


3D Secure can use 2 factor authentication, using a dongle supplied by your bank. Unfortunately there are so many other problems with 3D Secure that I wouldn't trust it except on high profile websites or for very technically competent users who are able to check the originating site and certificate of the iFrame used (ie. very few people indeed).


I had something similar happen with one of my services. I have an "Update your Payment Details" page for paid subscribers that lets them enter new card details when their old card expires or they just want to switch the card they're using with us. It normally gets used a few times a month, and anywhere from zero to one time over the lifetime of a customer.

But then the bad guys found it. And individual users started updating their card details dozens of times each day.

This went on for several days before I noticed it in the logs. It was easy enough to fix: users now get one update per year, unless they email me and ask what's wrong with that card update page. The bad guys moved on to greener pastures and life went back to normal.


This sucks and can often be a crippling blow for a small business if it's not caught early.

I remember we used to deal with a lot of this at Twilio, except the carders would then also try to cash out the credit card into Twilio credit. The pattern was try to spend $10 on a card, then one minute later try to spend $1000 once the first charge went through.

But it's a lot less costly than toll fraud, which I learned the hard way working on our auth system at https://charge.co.


Did you considered to accept Bitcoin payments? This way you wouldn't have to worry about chargebacks.


Bitcoin is not the best thing for recurring payment. But it would be great to pay a year in advance with Bitcoin - and yes that solves chargebacks or fraud issues.


To avoid the credit card fraud, they'd have to only offer Bitcoin as a payment option. And that would be financial suicide.


Clearly, card companies are going to have to adjust their policies for failed transactions. It's not like it costs real money to decline a fraud attempt; stop punishing merchants.


My experience with card company fraud detection systems is that they were bafflingly useless. Maybe they've gotten better recently. But even Stripe seems to let through things that are obvious fraud, stuff that wouldn't pass a basic spam filter.

It's almost like they want to charge you those fees!


Yeah, I agree. I guess their argument is that it's difficult to catch every single fraud attempt, and in this case the behaviour was just not picked up by the processor's inbuilt fraud detection systems. Still, it should be the processor's responsibility.

GoCardless (Direct Debit, EU only at the moment) is one company that doesn't charge a fee for chargebacks. They take on all the risk themselves.


Alternatively, small companies started by developers should stop thinking they can implement the payment and order handling code themselves, and learn that instead they should use a service that does this for them.


Another interesting problem is that recent breaches have put so many cards in the carding market that clearing them seems to have become a bottleneck. If we could some how work with the banks to perhaps create honeypots for these people it might help us clean up the mess.


As I can see all solutions listed in this thread is to protect yourself better and let fraud happens for less protected merchants. The real solution is to fight back against fraud. All fraud attempts must be recorded in the public space, for example http://fraudrecord.com/ . The best solution is to have something like open blockchain Grossbuch for fraud. What are current best solution for FIGHTING BACK AGAINST FRAUD?


This is something we (www.smyte.com) can help out with -- send me an email at pete at smyte dot com if interested.

Also happy to answer any questions about general mitigation techniques.


I tried to go to your site but am getting a 500 error.

Edit: Interestingly enough, www.smyte.com is fine, but smyte.com yields the 500 error.


Yes, odd issue with our dns, link corrected.


Your site appears to be down right now, otherwise I'd hunt for info there :)

What's the difference between you and Sift, and what advantages do you offer over them?

Edit: your T&Cs and privacy policy pages referring to a different site entirely don't exactly fill me with confidence :-/


All the docs refer to the legal entity, not the brand, which may be causing some confusion. Happy to chat more about specific use cases over a medium that's better suited to it; mind shooting me an email? pete at smyte dot com


Thanks for the clarifications regarding documents. To be precise, my confusion was due to not finding the Smyte brand mentioned anywhere in there, although I did admittedly only skim-read them.

>Happy to chat more about specific use cases over a medium that's better suited to it; mind shooting me an email?

Well, I could do that; I'm just not sure why you'd invite questions on a public forum and then quickly switch to email :-)


The main reason is I'm going to sleep now and want to remember to get back to this thread tomorrow :)


We at Ravelin (https://www.ravelin.com) are building solutions to stop this. Still surprises me how many people think banks/schemes are responsible for CC fraud, when it's actually the merchant that gets punished. And yeah, fraudsters operate like locusts.


I don't understand why does the merchant have to pay the 15 fee. It sounds to me the entity that should handle the loss of fraud is the bank.


Blame the lack of competition in the international payments system I guess.


The one-time card numbers generated by the old AMEX Blue system were great for shopping on sites you didn't trust. Too bad that they dumped that and the card reader system around 2002-2003? I really liked it and felt much more confident using it. Seems like it would have cut down on fraud a lot more than many systems in use.

That said, I really don't know why anyone would want to try and write their own payment integration gateways nowadays. There are so many good alternatives out there. Why not use them? You should focus on what you love, not payment processing. If you're just selling simple goods, you can easily setup a store on Shopify, Weebly, WIX, etc. Let them handle the fraud stuff. Sure, you might be on the hook for a few bad charges here and there, but at least you didn't waste hours writing payment code.


I just started using Blur by Abine, which allows something similar. (Basically, you can fund prepaid cards to use on sites rather than giving out your real card) not an outright endorsement. I haven't used them for long enough to give a definitive answer on if they're good, but it costs $40/year plus $2 for each "masked card".

So far it's worked for me.

I definitely agree no Dev should write their own gateway. There are great ones out there who are developed by people who are paid to do nothing but that.


They still exist, Bank of America has it.

https://en.wikipedia.org/wiki/Controlled_payment_number


I wonder would that still be the case if Candy Japan was using something like Stripe or Balanced, what happens in that situation? Would you be still responsible for 15 EUR chargeback fee? What did Recurly do in this case?


With Stripe you are still responsible for the chargeback fee, but they do not charge you for transactions that don't go through. They also have some fraud protection, but it did pass some obvious fraud in our case.


This depends on the gateway you use. Recurly can't do much but refer you to the gateway in this case.


Shouldn't the credit card companies be the ones to handle the loss?


You would wish so:). But no. Merchants are on the hook for all costs, including penalties for incoveniencing the cc companies (either a set fee per fraudulent transaction, or high fees if exceeding thresholds of fraud if you are a larger guy).


Braintree offers "advanced fraud protection" if you pass device information along with the transaction request [1]. Has anyone tried using this, and if so, is it effective at stopping this problem?

[1] https://articles.braintreepayments.com/guides/fraud-tools/ov...


What about using the Twitter "buy" button now? Is it vulnerable to the same type of fraud? See this example https://twitter.com/mperham/status/643480319870369792


Damn shame to hear about this Bemmu -- would've felt like a massive punch to your guts!

Maybe you should set yourself up some email alerts when things seem 'off'. i.e. no referral, and the user/bot spends no time filling out the form and hitting submit. What's your glue code like?

I'm rootin' for ya. :-)


Hey veb,

This fraud would have been easy to detect if there had been any kind of detection system in place. But I had no fraud checking, captcha or 3-D secure, as I hadn't expected there to such a "fraud wave".

Those payments didn't feel like necessarily coming from a bot, as there were time delays and for many purchases they even filled in the questionnaire. It felt more like someone had a pile of numbers they were entering manually.

My form made that easy to do, as I had tried to eliminate any field which wasn't absolutely necessary.


>...they were entering manually

Definitely wouldn't discount that possibility. Unrelated to CC processing, but we used a service that gave us a device ID on signups to detect people signing up multiple times (a tipoff that fraud was likely to come).

We later found fraudsters were using Amazon's Mechanical Turk to get real people to register manually, thus getting around our device detection.


i simple solution to cut down on this is never allow more than 2 or 3 failed card attempt from a single ip address. You have to link it by ip because they will just make a new account if you do it by account. Carder will move on to another site if running cards is not simple and fast


I don't understand the search conversion statistic. If a guy is testing a bunch of cards, wouldn't he just find your site once and try them all sequentially?

If a bunch of people had bought these packs of stolen cards, wouldn't they be spreading out over a bunch of different sites?


The automated scripts that the criminals use will try to simulate a real customer signup and transaction, otherwise it's too trivial to filter them out.

This is also why fraud detection is a big industry, you basically need full time staff to analyze the current types of fraudulent transactions and update your filters as fast as the criminals update their systems.


Been working in e-commerce fraud for ten years...

The credit card security model is broken as designed with the exception of chip and pin and chip and signature.

Uptake for 3D Secure is uneven around the globe. Some places it is mandatory and others unheard of. For example not using it will negatively impact close rates in India but using it in the U.S. will negatively impact close rates.

With 3D Secure each issuing bank was responsible for how they implemented the process and it varies widely in both ease of use and security between issuing banks. Some banks may use simple passwords that can be fished while others may use one time pins sent by SMS to your mobile.

When a merchant uses 3D Secure fraud liability shifts to the issuing bank and the merchant gets a discount on the interchange. This is also true when the bank hasn't implemented 3D Secure or has done so poorly. Because of this when 3D Secure was launched some banks put out systems that were non-functional simply to avoid the liability shift (i.e. it would prompt for a password but there was no functionality to create one). Issuing banks have gotten their act together in the last decade but it's still uneven.

Even when a merchant implement 3D Secure the merchant still needs to manage fraud levels to card association rules even though the merchant does not have liability for the fraud. This is the "we have to assume the risk but we don't have to do business with you clause." Individual issuing banks may chose to decline all of a merchants transactions if loss rates are unacceptable and the merchant may still lose their merchant account if overall loss rates are too high. However because the charge back shifts to the banks the merchant may not even know which transactions are fraudulent.

Recently rules have been changed so that banks aren't required to prompt for authentication in all cases. This is called risk-based-3D secure. So even if Candy Japan had implemented it he still may have seen the attack because the banks may not prompt for that low of an amount. He wouldn't be out the money but still may be in trouble with the association if he didn't do something to stop the attack.

When looking at automation there are two fundamental risk that any solution needs to address. The first one is class separation which in the industry is known as scoring or out-sorting. In this area machine learning algorithms are well understood and there are a few companies on the market that will rent merchants a model such as Sift Science or MaxMind.

The second one is anomaly detection and in the industry this is know as velocity control. The problem is similar to detecting a hacker once they have penetrated the network, detecting a bio-terror attack based on hospitalization data or detecting insiders who have flipped. These types of things have generated a lot of military interest and a lot of DARPA funding but little of it has made it into the commercial market due to the high rate of false positives.

Card testing is one example of a 'high velocity' attack and are usually the work of professionals. High velocity fraud has been more common with digital goods but more recently we've seen more high velocity attacks where an attacker will upload a merchants products on a site like Amazon or eBay. When the attacker gets a sales they will use stolen credit cards to get the trageted merchant to fulfill the order. Since these are professionals they generally will have tested the merchants fraud systems to understand what is considered low risk by the merchants fraud models and unless the merchant has some monitoring losses can be very high by the time the charge backs start coming in.

Currently there is no automated, fool-proof method for managing these high velocity attacks that I'm aware of. Merchants initially started putting limits around the number of times that a single card could be used and the attackers responded with SQL injection attacks to get card in mass. Merchants responded with limits on email addresses or other data points and the attackers responded by mass registering emails on free email providers and registering their own domains. Merchants responded with limits on IP addresses and used of geo-ip location services and attackers responded with open proxies and VPNs. Merchants responded with limits on orders from co-location facilities and VPN providers and attackers responded by compromising end-user machines en-masse. Merchants responded with proxy detection and device fingerprinting and attackers responded with using RDP to end-user machines to launch attacks. And it continues.


Unjustified credit card fees and the financial/psychological burden of chargebacks (resulting from uncontrollable credit card fraud) are the main reasons why I want the Bitcoin experiment to succeed. Lets give Bitcoin some love where it deserves.


But why? Ordering periodic shipments of candy from Japan? Most credit card fraud involves something that can be resold. This service gets you a small envelope of candy. It's not like getting cases of Pocky.


" The stolen cards originate from credit card security breaches, resulting in a big list of card numbers. These are later sold online in packs filtered to working card numbers only, which can be purchased for about $10 per valid card.

To be able to compile and sell these packs, the carders need to know which ones are valid. To do this, they will use an online store or service to place an order for the sole purpose of seeing if the charge goes through or not.


Test on one site, buy something substantial on another?


TIL Stripe does not come up with built in fraud protection.


I just added in an anecdote that I forgot to mention at first. Encounter with a police officer. Starts from "After starting to deal with this..."


1. How many sales would you lose if you required everyone to use PayPal everytime? 2. (What about Google cash? or Square cash?)


It's difficult to test, because by not having credit cards a lot of fake orders are now excluded, lowering the conversion ratio that way.

So if I did a test of showing only PayPal to half of customers and PayPal + credit cards to half, the one with CC could win just because of the fake sales.


I guess what I mean is, "do people really need the credit card option? If you just demand they use PayPal and they want your unique service, then they'll find a way to pay".


Couldn't you do a preauth on the cards and then completion when you are ready to ship?

At least then you don't get hit with chargebacks.


Last time I talked with a credit card company, they wouldn't even let me file a chargeback until 30 days after the transaction. How would this stop chargebacks?


A preauth on a card reserves the credit without actually completing the transaction. The credit is still there but not available for use.

You can complete the transaction by sending a 'completion' request, at which point the credit is gone.

The preauth also has an expiry. If the preauth expires, the funds are released with no transaction taking place.

So when a user signs up, take a preauth. If you have any reporting on your sales, like this guy, you can check for any anomalies before fulfilling orders. Anything that looks odd, don't complete the order.


From my experience running eCommerce sites, the author is right, beside fraud 'noise', fraud happens in waves.


That was my mistake, assuming that since I was OK with the noise, everything is fine. Didn't know about the fraud tsunamis.


Was stunned two when hit the first time by such a tsunami. Your blog post is great, don't think this is common knowledge.


Even PayPal or Google faced up to fraud. You can try Maxmind or manual check every order. Contact me to more solutions.


What about services like maxmind-fraud and the like that authenticate buyers?

Are they too expensive per purchase?


Unless there's some bug in your transaction processing system causing it to leak excessive amounts of data on why the transaction was denied it makes no sense for checkers to use it over their own merchant accounts.

(And typical checker traffic is more like thousands of transactions rather than tens)

It seems much much more likely that someone was just trying to card some candy.


Would verifying zip codes mitigate this issue, or do the carders have access to that too?


Sometimes they do also have address information, sometimes they don't. As with everything, it will reduce the amount a fraud a bit but not eliminate it.


ZIP codes seem to be a US-specific thing.


ZIP codes are just a funny name for post codes, and most places have postcodes.


While many places have postcodes, most don't have postcode validation for credit card transactions. And it wouldn't really help to combat fraud anyway.


Damn you Ireland and your "no postcodes" hell.


We have postcodes now! Or well, eircodes. Which are totally not postcodes, but rather unique house identifiers that happen to look as postcodes. And that noone will use.

http://www.eircode.ie/


Sorry that you have to deal with fraud and loose money!

Could you start shipping biscuits or chocolate candy again, I am a bit disappointed with the stuff you currently include in your packages :-(


Thanks for the feedback. Chocolates are not so good to send in this weather (melt risk), will start including those again during colder months.


That's why the whole credit card system is insane.

1) It's a pull instead of a push. Anybody with your CC details can attempt to charge it. Bitcoin model is much more sane.

2) There's not even a "approve the charge" option.

3) The cartels controlling the credit card systems charge insane amounts of money for transactions, attempted or real.

I really want Bitcoin or some other alternative to succeed.


Exactly. I hope we will see a world soon, where Bitcoin (or another cryptocurrency) is as ubiquitous as credit cards now.

Transaction fees for a failed credit card payment? Its more than insane.


One thing you can do is make the account creation process more difficult, maybe require phone verification, or social auth. It would tie a fixed value to each bad attempt for the fraudster.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: