Candy Japan 2015 Year in Review (candyjapan.com)
183 points by Xixi on Dec 16, 2015 | 66 comments

I think someone else mentioned this in another post about this. Thought it was a great idea so I'll repeat it here:

To prevent fraudsters from using you to authenticate their stolen credit cards, set it up so that every purchase automatically redirects to an 'order successful' page. After seeing that a few of their credit card numbers all seem to work on your site, the fraudster will realize they can't use your site to test and move on. In the back-end, turn on manual approval of each purchase and let through the ones you deem legitimate.

Should a legitimate customer mistype their credit card info, send them a follow up email with a link to the order page briefly explaining to them the situation and asking them to enter their details again.

(If there's some issue with this method I haven't thought of, let me know.)

There are several stages of CC validation. EX: http://www.experian.com/decision-analytics/credit-card-verif...

  M = Full match
  P = Partial match
  C = Match, but account is closed
  L = Match, but card is lost or stolen
  E = Invalid card number
  X = No record or security alert
  N = No match

IMO, you can display an error page for some types of issues without helping scammers. However, for physical goods it's a good idea to wait 24+ hours to display C or L codes to users. That way it's not useful for CC scammers, and you have minimal impact on users. Partial matches or other stages that fail your security checks are up to you.

Additionally, if a customer is a repeat customer you may want to "whitelist" them, assuming they ever need to update their info (card expiration). Just a small tweak so they get feedback right away if they keep coming back.

Actually, you can just do a Luhn check on the credit card and if it fails show an error message.

Scammer cards will pass the Luhn check, so it won't be helpful for them validating cards. But it will catch many customer typos, thus giving them immediate feedback.

Best reply, but... How often is a typo made (1:1000?), how much time for support staff is needed and how many lost orders due to a ~24 hour delay in some orders being placed. Also, easy to flood the system with bad orders that need to be manually sorted, like a fake order DDoS.

If a typo is made 1:1000 times Candy Japan would have had.. 2? At this small scale it's probably worth it - the loss of a customer isn't as big a problem as loss of physical goods.

Not to mention that you can verify the Luhn checksum on CC numbers and immediately catch ~90% of all typos (and 100% of single-digit typos). Don't even need a server call.

Honest people don't make typos that pass the checksum based on my experience at $DayJob.

Would a simple delay in confirmation be enough to dissuade them? e.g. 10 mins? an hour? There's probably some critical threshold where it's not worth it for the criminal/s.

Since the candy can't be dispatched instantly anyway, you could arrange it to not affect delivery times.

Though of course, delayed confirmation would also put off genuine customers. So you could faux-confirm it instantly, and follow-up later if there's a problem. i.e. same as parent, but fully automated.

I discussed this with Bemmu & wrote up the idea (in the context of Laravel coding, but the idea is the same) here: http://codebyjeff.com/blog/2015/10/cut-credit-card-thief-cha...

He was doing things a little differently than my idea, so not sure what success he had in blocking them.

That doesn't seem like a big enough hurdle. Card testing is already automated with bots, and this method can be easily defeated with a simple tweak (e.g. use a catch-all address and then automate the link clicking).

I know you wrote that it's just "out-running you, not the bear," but you probably won't be outrunning others for very long.

Edit: I have no problem with measures that could help protect against fraud even just a little, but this one also introduces friction for legitimate customers, so it needs to be sufficiently effective to be worth it.

How does one deem a purchase as legitimate or not?

And how would you differentiate between a legit customer who mistyped their info versus a fraudulent attempt?

Some low hanging fruit: orders where the billing address is an exact match and it also matches the shipping address are probably the most likely to be legit.

There are many more factors to consider though.

usually, sure - this case is interesting b/c the fraudsters don't care about receiving the actual product

this is a really big field - most large companies that have to process tons of transactions will implement a big data approach - put together as much demographic and behavioral info about customer as possible and analyze risk. this is really impossible for small vendors

AVS which checks the billing address only really works in US. It's pretty much useless in any other countries in the world (it's partially supported by some banks in Canada and UK but that's it)

The initial post was just a draft I had neglected to make private, and wasn't finished (but thank you xixi for posting). I didn't spend the whole year solely battling CC fraud. I have now written about other things that happened in 2015, so go back and refresh to read that part.

FWIW, I initially found Candy Japan via the HN post discussing the fraudulent activities [1], and have been a happy subscriber for a few months now.

[1] https://news.ycombinator.com/item?id=10237697

Sorry for publishing it too quickly!

Note that it was already very much indexed by Google: I was worried I was suffering from CC fraud on my Japanese tea subscription service [1], and so I was looking for the blog post that you published on the subject previously [2]. Instead I found this new blog post, so I thought it was ready for publishing.

[1] https://tomotcha.com/

[2] http://www.candyjapan.com/candy-japan-hit-with-credit-card-f...

I was wondering what was causing me to get a lot of checks from my credit union on what they suspected was fraudulent activity... I still am a happy subscriber, but it was a bit annoying that they kept thinking this was fraud despite me having subscribed for over a year (I think).

Thank you for your insights! Have you thought about a cheaper once-a-month option instead? Say $15 for 1 delivery per month? Might help to get some people on board who have a mental limit that's right below $25.

Interesting to read about those fraudsters. Really annoying when you're a small business. I remember reading something similar from Gittip[0], and also mentioned on the linked blog post, jsbin[1].

I wonder what other small startups are using to detect / prevent this kind of fraud?

Are there any good services in this space? and why won't recurly/stripe et al bundle this in? (or maybe they do, and I just don't know about it...?)

[0] http://blog.gittip.com/post/35057426257/stolen-money-on-gitt...

[1] https://remysharp.com/2015/09/17/jsbin-toxic-part-4

All I can speak from is my personal experience, but as the founder of a startup that sells physical goods online, we've had no issue with fraudsters. At all.

Granted, we are quite small and our volume of sales is not massive (Hey! Small startup with very little funding and mostly bootstrapped here), but still, I was expecting some kind of issue with this by now. Or at least people trying to get stuff for free.

For the record, we use Stripe and PayPal for payments, don't know if they do anything on their end.

FYI, you're actually more at risk than CandyJapan if you're shipping physical goods based on a successful Auth and/or offer a low price point item. Even without catching the uptick in orders, CandyJapan likely would be able to see some chargebacks or fraud advice before the bulk ship date (2x a month I believe).

One thing I've learned in my short time in the industry is that fraudsters are great at finding weak merchants for card testing and triangulation schemes. What was 4 days' worth of work for this fraudster cost CJ thousands in fees and multiple days. How many late nights have been devoted to cleanups like this?

Also, a lot of payment processors are offering complex fraud solutions (ipGeo, proxyPiercing, device fingerprinting, etc) for pennies per Auth. Definitely worth asking your processor and your processor's processor for more info. Beats being the lowest common denominator.

Sift Science is in this space and I've heard good vibes, but no hard numbers.

perhaps stripe/etc doesn't invest in this space for risk or compliance reasons - when chargebacks slip past their filter (and they will), the merchant could claim that responsibility falls with stripe. right now, merchants are (almost?) always responsible for the chargebacks, which is fine for square/etc.

FWIW, as someone who has the same problem with fraud folks at $DayJob you really do need to go with a service to deal with that sort of thing unfortunately.

We use an internal tool from our parent company but yeah, you don't really have a choice but to assume a good chunk of your customer base will try to cheat you.

Similarly, as long as the checksum is valid you should "complete" the order and handle follow up with issues [e.g. Card declined] at a later date. This can just be automated via email, with a 24 hour delay.

Honest typos won't pass the checksum, fraudsters will and the delay in the "failed authorization" also helps a good deal in discouraging such activity.
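As an added example (my code, not Candy Japan's; Python because Bemmu mentions his platform is written in Python), this shows the two points made in the Luhn comments above and in this one: the Luhn check catches every single-digit typo without any call to the processor, and anything that passes Luhn gets the same generic success page while the real authorization result is held back for the review delay. The card payload is constructed and the function names are mine.

```python
def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check. Spaces are tolerated; any other non-digit fails."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2 or len(digits) != len(number.replace(" ", "")):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2  # "double, subtract 9 if > 9"
        total += d
    return total % 10 == 0


def with_check_digit(payload: str) -> str:
    """Append the unique digit that makes `payload` Luhn-valid (for constructed samples)."""
    return next(payload + str(c) for c in range(10) if luhn_valid(payload + str(c)))


def single_digit_typos(number: str):
    """Yield every variant of `number` with exactly one digit replaced."""
    for i, c in enumerate(number):
        for r in "0123456789":
            if r != c:
                yield number[:i] + r + number[i + 1:]


def typo_detection_rate(number: str) -> float:
    """Fraction of single-digit typos of a valid number that fail Luhn (always 1.0)."""
    variants = list(single_digit_typos(number))
    return sum(not luhn_valid(v) for v in variants) / len(variants)


def checkout_response(number: str) -> str:
    """What the checkout page shows immediately after submission.

    A Luhn failure is reported at once: it is certainly a typo, and saying so
    reveals nothing about issuer approval, since stolen numbers pass Luhn
    anyway. A Luhn pass always gets the generic success page; the real
    authorization result is held in a review queue and the customer is only
    emailed about a decline after the hold period (the thread's 24 hours).
    """
    if not luhn_valid(number):
        return "show_typo_error"
    return "show_success_page_and_queue_for_review"


if __name__ == "__main__":
    sample = with_check_digit("453957876362148")  # constructed payload, not a real card
    print(sample, luhn_valid(sample), typo_detection_rate(sample))
    print(checkout_response(sample), checkout_response(next(single_digit_typos(sample))))
```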

See the recent article on [hoverboards @ Buzzfeed](http://www.buzzfeed.com/josephbernstein/steal-a-credit-card-...) and [responses here @ HN](https://news.ycombinator.com/item?id=10727371) - I believe they mention options to help with fraud detection but it's not clear how useful they are. Sorry.

I'm actually in the same space selling "hoverboards" and have been massively hit with fraudulent transactions. Luckily we realised fairly quickly and enforced draconian fraud checks; we're missing out on potential sales, but the Buzzfeed article is the alternative.

I'm not sure which processor Candy Japan uses, but you can usually request to implement advanced fraud rules and strict settings that require Zip/postal code to match exactly.

Thanks, next year I want to get back and try to fix the situation. I fell back to PayPal only and have been losing customers since.

I'm not sure how strict you should go, we have gone to the absolute maximum - and have to deal with customer service issues / abandoned checkouts daily. But even requiring the ZIP code to be correct made a big difference.

We're also using Shopify, which has helped quite a bit with their built-in fraud analysis (not 100%, but I think it's either Signifyd or Kount providing the data).

Alternatively, you could use Paypal Pro to negate the account requirement?

I'm somewhat considering moving to a platform like Shopify, because I'm writing way more Python doing my own platform anyway. Integrating some solution would be just a few clicks if I were on a platform that they already support, instead of another API integration.

The company I work at uses Shopify with Sift and it seems to work well. You can have different levels of automation as far as autocharging high-legitimacy transactions, flagging suspicious customers, etc.

As someone who deals with several hundred thousand dollars a year in online credit card fraud, I would advise you to check out sift science or Kount. It's easy to integrate and is vastly superior to the checks you have and the other suggestions in this thread. We have killed numerous credit card rings with this. They typically go somewhere else that's an easier target now.

Before people suggest bitcoin--and I love bitcoin--it probably wouldn't solve this guy's fraud problem. Yes, it would stop the fraud, but there are simply too few people willing to pay in bitcoin.

For what it's worth, I'm a long time Candy Japan subscriber and I would be willing to pay in BTC. Hell, I'd pay more just to be supportive of businesses willing to accept BTC.

Wouldn't bitcoin give rise to the opposite problem? Consumers paying in bitcoin now shoulder all the risk of buying from a bad vendor.

I think there are bitcoin escrow payment systems.

The Bitcoin protocol supports multisig transactions. You can use it to implement escrow by including a third party public key and require 2 of 3 parties to sign the transaction.

So the mechanics are somewhat supported directly by bitcoin, but, how does the bitcoin customer get their money back even if the escrow company agrees that the terms of the sale weren't met? (added [1])

And then you still have a question of whether the parties agree to a mutually trusted escrow service to actually administer the signoff. I imagine that credit cards are somewhat partnered closer to the customer/card holder, but with bitcoin escrow it could be either the vendor or the customer?

Not meaning to criticise here, just walking through unfamiliar territory.

Edit: Partially answered my own question (example 2 at link [1])

[1] https://en.bitcoin.it/wiki/Contract#Theory

Yes, there are some ways to prevent that, but that basic technology leans towards that.

How is it even possible to have a subscription service with Bitcoin? I haven't seen such a thing.

Who the truck would suggest bitcoin? Most people would suggest the services he is already using like PayPal.

What about accepting PayPal, with a 10% discount for bitcoin?

>Growth backtracked. We are now instead back to 750 subs and the trend still hasn't reversed. Very far from the goal of 1500 I had set.

I guess 11 hours on the front page of HN must work wonders for subscriptions (I just subscribed, too). Wonder what the actual numbers are.

Is this why Amazon waited a day before alerting me that my card was declined (bad month/year)? Almost missed a shipping window because of it.

What happens with the fraud? Does the charge back affect the seller or the bank? Sucks if the former. What do other people/companies do about this? Surely all the CC frauds in the world haven't chosen to gang up on one tiny seller of niche candy from Japan...

Beyond the cost of the actual purchase ($5 is pretty insignificant), card processors charge high fees per chargeback, and too many chargebacks (IIRC >1% of transactions) can get you kicked off and blacklisted from any reputable card processor for life.

They aren't doing it to take money from them, they are using Candy Japan to test their cards out before using them for more expensive items that can be liquidated.

I believe the seller, unless I just happen to have a particularly bad deal with my gateway.

Would Stripe be a way around this problem or do they not take on the risk of fraudulent cards?

They don't. Even if you use Stripe you are still responsible for spotting fake transactions, and if you let too many through Stripe can actually ban you.

Probably, one criminal found this site, then told others about it, who adopted it.

I wonder if the techniques for promoting adoption can be used in reverse, to deter adoption?

While keeping it familiar and convenient so as not to deter customers.

You should enable these services for the credit cards:

Verified By Visa -> https://usa.visa.com/run-your-business/small-business-tools/...

MasterCard SecureCode -> https://www.mastercard.us/en-us/consumers/features-benefits/...

Not everyone is from US.

I'm curious, why not use Stripe? I have heard nothing but good about them, and since you are willing to use Pay-Pal, I am assuming you are willing to use other 3rd party processors.

If you have your own merchant account and have implemented the code by hand or through a library, you pay all sorts of fees: sign-up fee, fraud chargeback fees, percentage of charge, statement fee, monthly fee, etc. Both Stripe and Square offer simple integrations, simpler than Pay-Pal IMHO, and I assume they have the capacity to deal with fraud better.

Been using Stripe for years. There is no more fraud protection there than any other merchant credit card account.

Serious question (I haven't used a merchant credit card account): do regular accounts come with any fraud protection? The reason I ask is, I was sent a link to this a while ago, which seems to say that Stripe does do fraud protection:


It's hard to say, Stripe (or any other merchant account) may be blocking some charges, but you really don't have visibility into why a charge was blocked.

Regardless of whether they are blocking a lot or a little, they all let way too many fishy charges go through. They are just not incentivized to police fraud because in e-commerce it's you who is on the hook for the chargeback, not the bank or credit card company.

You cannot rely on your merchant bank (Stripe or anyone else) to do your fraud protection. You will get eaten alive.

It's PayPal, not Pay-Pal

It's technologist, not teknologist

I think Facebook or Twitter logins would go a long way to solving credit card issues. A credit card purchase backed by a 10+ friend FB account is unlikely to be a scammer. Legit Facebook accounts probably sell for more than the cc being tested.

Trustev was a startup that did this. Indeed trivial to spoof though unless you do complex behaviour analysis of the account which seems hard to handle in the edge cases of mainstream users who aren't active in social media.

They would probably just start generating FB accounts, because a similar thing happened when I started requiring valid email addresses: they just went ahead and generated a bunch of gmail/hotmail accounts to use.

Generating Facebook accounts in bulk is not easy. I'm not suggesting that it's a panacea, but if you're looking for something to indicate a real purchase this would be strong. If someone logs in with Facebook and has 10+ friends then I'm going to say they are 99% legit. Plus you can look at their profile manually if you're in doubt. Of course you also offer email but those orders get more scrutiny. HN is an echo-chamber of hate for Facebook login but the real world (and I suspect your target market) does not share this.

That would disenfranchise people without such accounts. It would also be trivial to game by scammers and thieves to the point of being useless.

A company demanding that I provide a Facebook or Twitter login to sell me goods or services would lose my business immediately and permanently.

How would you price 'legit' facebook accounts?
