To prevent fraudsters from using you to authenticate their stolen credit cards, set it up so that every purchase automatically redirects to an 'order successful' page. After seeing that a few of their credit card numbers all seem to work on your site, the fraudster will realize they can't use your site to test and move on. In the back-end, turn on manual approval of each purchase and let through the ones you deem legitimate.
Should a legitimate customer mistype their credit card info, send them a follow-up email with a link to the order page, briefly explaining the situation to them and asking them to enter their details again.
(If there's some issue with this method I haven't thought of, let me know.)
M = Full match
P = Partial match
C = Match, but account is closed
L = Match, but card is lost or stolen
E = Invalid card number
X = No record or security alert
N = No match
Scammer cards will pass the Luhn check, so it won't be helpful for them validating cards. But it will catch many customer typos, thus giving them immediate feedback.
Since the candy can't be dispatched instantly anyway, you could arrange it to not affect delivery times.
Though of course, delayed confirmation would also put off genuine customers. So you could faux-confirm it instantly, and follow up later if there's a problem, i.e. same as parent, but fully automated.
He was doing things a little differently than my idea, so not sure what success he had in blocking them.
I know you wrote that it's just "out-running you, not the bear," but you probably won't be outrunning others for very long.
Edit: I have no problem with measures that could help protect against fraud even just a little, but this one also introduces friction for legitimate customers, so it needs to be sufficiently effective to be worth it.
And how would you differentiate between a legit customer who mistyped their info versus a fraudulent attempt?
There are many more factors to consider though.
This is a really big field. Most large companies that have to process tons of transactions will implement a big data approach: put together as much demographic and behavioral info about the customer as possible and analyze risk. This is really impossible for small vendors.
Note that it was already very much indexed by Google: I was worried I was suffering from CC fraud on my Japanese tea subscription service, and so I was looking for the blog post that you published on the subject previously. Instead I found this new blog post, so I thought it was ready for publishing.
I wonder what other small startups are using to detect / prevent this kind of fraud?
Are there any good services in this space? And why won't Recurly/Stripe et al. bundle this in? (Or maybe they do, and I just don't know about it...?)
Granted, we are quite small and our volume of sales is not massive (Hey! Small startup with very little funding and mostly bootstrapped here), but still, I was expecting some kind of issue with this by now. Or at least people trying to get stuff for free.
For the record, we use Stripe and PayPal for payments, don't know if they do anything on their end.
One thing I've learned in my short time in the industry: fraudsters are great at finding weak merchants for card testing and triangulation schemes. What was 4 days' worth of work for this fraudster, cost CJ thousands in fees, multiple days. How many late nights have been devoted to cleanups like this?
Also, a lot of payment processors are offering complex fraud solutions (ipGeo, proxyPiercing, device fingerprinting, etc.) for pennies per auth. Definitely worth asking your processor and your processor's processor for more info. Beats being the lowest common denominator.
Perhaps Stripe/etc. doesn't invest in this space for risk or compliance reasons: when chargebacks slip past their filter (and they will), the merchant could claim that responsibility falls with Stripe. Right now, merchants are (almost?) always responsible for the chargebacks, which is fine for Square/etc.
We use an internal tool from our parent company but yeah, you don't really have a choice but to assume a good chunk of your customer base will try to cheat you.
Similarly, as long as the checksum is valid you should "complete" the order and handle follow up with issues [e.g. Card declined] at a later date. This can just be automated via email, with a 24 hour delay.
Honest typos won't pass the checksum, fraudsters will and the delay in the "failed authorization" also helps a good deal in discouraging such activity.
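A sketch of the flow described in the comment above, added here as an example and not code from the thread or from any merchant or processor mentioned in it. The names `handle_checkout`, `pending` and the return strings are hypothetical and the card numbers are constructed test values; the last pair shows that the Luhn checksum catches every single-digit typo but not an adjacent 09/90 swap.

```python
from datetime import datetime, timedelta, timezone

FOLLOW_UP_DELAY = timedelta(hours=24)  # the 24-hour delay suggested in the comment


def luhn_valid(card_number: str) -> bool:
    """Return True if the number passes the Luhn (mod 10) checksum."""
    cleaned = card_number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit() or not 12 <= len(cleaned) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9        # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def handle_checkout(card_number: str, pending: list, now: datetime) -> str:
    """Hypothetical handler: instant typo feedback, deferred authorization."""
    if not luhn_valid(card_number):
        # Honest typo: tell the customer immediately. This leaks nothing,
        # because anyone can compute the checksum offline.
        return "check_card_number"
    # Checksum passed: everyone sees the same "order received" page and the
    # real authorization result is handled out of band after the delay.
    # Assumption: a real system queues the processor's token, not the number.
    last4 = card_number.replace(" ", "").replace("-", "")[-4:]
    pending.append({"last4": last4, "follow_up_after": now + FOLLOW_UP_DELAY})
    return "order_received"


# Constructed sample inputs (test-style numbers, not real cards).
GOOD = "4111 1111 1111 1111"
ONE_DIGIT_TYPO = "4111 1111 1111 1112"
SWAP_09 = ("4000000000000903", "4000000000009003")  # differ only by 09 <-> 90

if __name__ == "__main__":
    queue = []
    t0 = datetime.now(timezone.utc)
    for number in (GOOD, ONE_DIGIT_TYPO, *SWAP_09):
        print(number, "->", handle_checkout(number, queue, t0))
```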
I'm not sure which processor Candy Japan uses, but you can usually request to implement advanced fraud rules and strict settings that require Zip/postal code to match exactly.
We're also using Shopify, which has helped quite a bit with their built-in fraud analysis (not 100% but I think it's either Signifyd or Kount providing the data).
Alternatively, you could use PayPal Pro to negate the account requirement?
And then you still have a question of whether the parties agree to a mutually trusted escrow service to actually administer the signoff. I imagine that credit cards are somewhat partnered closer to the customer/card holder, but with bitcoin escrow it could be either the vendor or the customer?
Not meaning to criticise here, just walking through unfamiliar territory.
Edit: Partially answered my own question (example 2 at link)
I guess 11 hours on the front-page of HN must work wonders for subscriptions (I just subscribed, too), wonder what the actual numbers are
I wonder if the techniques for promoting adoption can be used in reverse, to deter adoption?
While keeping it familiar and convenient so as not to deter customers.
Verified By Visa -> https://usa.visa.com/run-your-business/small-business-tools/...
MasterCard SecureCode -> https://www.mastercard.us/en-us/consumers/features-benefits/...
If you have your own merchant account and have implemented the code by hand or through a library, you pay all sorts of fees: sign-up fee, fraud chargeback fees, percentage of charge, statement fee, monthly fee, etc. Both Stripe and Square offer simple integrations, simpler than PayPal IMHO, and I assume they have the capacity to deal with fraud better.
Regardless if they are blocking a lot or a little, they all let way too many fishy charges go through. They are just not incentivized to police fraud because in e-commerce it's you who are on the hook for the chargeback, not the bank or credit card company.
You cannot rely on your merchant bank (Stripe or anyone else) to do your fraud protection. You will get eaten alive.