Credit card fraud warning signs (candyjapan.com)
302 points by hamstercat on Apr 27, 2018 | 230 comments

CC fraud is such a big problem, it must be a huge advantage for Amazon. Most of their purchases come from repeat customers that they can be confident exist. Smaller shops have to figure that out nearly every purchase.

I never thought of that before. Maybe there should be a central shared central repository of who are known good customers/address/cc combinations, or maybe that is what stripe etc do already.

There are services that do this. Several retail stores I consult for have transaction filtering through an independent fraud detection service which has its own blacklists of hashed CC numbers, emails, and street addresses. They also evaluate the IP address, distance from billing and shipping addresses and a slew of other factors.

Criminals have many tools that can circumvent these systems though and many are very hard to defeat while still providing a smooth customer experience. There are entire web browsers developed by Russian groups that exist solely to clone the entire fingerprint of the victim, complete with session cookies. A lot of bank fraud happens this way...a hidden RDP service is installed on victims' machines and then sold online so you can just remote into their computer, login to their bank and nobody is the wiser. There are services to conduct COBs (change of billing) so you can get new credit cards shipped to fake addresses under the attacker's control. And nearly all online bank account/CC sellers usually include cookies with the stolen cards now. Criminals have quickly figured out that a VPN in the general location of the victim is no longer good enough and they've adapted much faster than security systems can keep up with. There's also still a very big and unfounded trust system between certain merchants and certain banks. For example, AMEX cards sell for much more on the markets because many merchants (including Amazon) will usually assume trust in those cards even if other factors seem a bit off and will often ship products before fully confirming the transaction, so even if the card is flagged, it's likely a criminal could still steal a product or two. This is nonsense and despite being well known information to anyone that's spent even a little time researching fraud networks, it remains an exploitable loophole.

I don't doubt that your statements are true. However, services like this do stop a lot of fraud. If you do not have some basic filtering in place, it is that much easier for the less sophisticated fraudster. The particulars of your business will definitely affect the ability to stop some types of fraud. However if you are shipping a product to your customer you can make fraud pretty hard. It will depend largely on the product you are selling. You have to increase the effort required to successfully get a product shipped so that it exceeds the profit that can be made from it.

In our case we often do something similar to this:


No order is rejected outright - but various combinations of criteria cause a manual review of the order. This prevents customers getting error messages and also avoids having fraudsters receive quick feedback.

Shipping addresses known to be forwarding mail centers or mailboxes are flagged.

If the billing address does not match the shipping address, and the IP is flagged as proxy/vpn/datacenter, etc. or is too far from the billing/shipping address, it is flagged. This allows most people to ship to their office even though the credit card is at their home address, etc.

If the billing address is too far from the shipping address it is flagged. Fraudsters are limited to using cards that have billing addresses in a close range to where they can receive goods.

The machine learning system gives a score and various thresholds of that score are used to trigger in combination with other factors.

Flagged items are manually reviewed. Sometimes customers are called to do human verification.


Some still get through, but I just implemented one a few weeks ago and saw a 99% reduction in fraud orders, and a 90% reduction in man-hours for reviewing orders. In most cases, the fraudsters will just see that it is no longer worth their time and move on to easier targets. Obviously this particular store had a serious problem due to a high level of automation and an easily resalable product. The margin of the product and relatively low shipping costs allowed the fraud to get to pretty high levels before they really focused on it.
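One way to encode the review rules in the comment above, as an added example (not the commenter's system): each order is checked against the forwarder, address-distance, IP and model-score rules described, and anything that trips a rule is queued for a human rather than rejected. The coordinates, thresholds, sample orders and the haversine distance helper are assumptions for illustration.

```python
"""Manual-review flagging rules, modelled on the comment above (added example).

Nothing is rejected outright: an order that trips a rule is queued for a
human, so legitimate customers see no error and fraudsters get no feedback.
Coordinates, thresholds and orders below are constructed for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

LatLon = Tuple[float, float]


@dataclass(frozen=True)
class Order:
    billing: LatLon          # geocoded billing address
    shipping: LatLon         # geocoded shipping address
    ip_location: LatLon      # IP geolocation of the checkout session
    ip_is_proxy: bool        # proxy/VPN/datacenter verdict from an IP-intelligence lookup
    ship_to_forwarder: bool  # shipping address is a known mail-forwarding centre or mailbox
    ml_score: float          # 0..1 risk score from a model; higher means riskier


# Assumed thresholds; a real shop tunes these against its own review outcomes.
IP_FAR_KM = 300.0            # IP counts as "too far" when beyond this from both addresses
BILL_SHIP_FAR_KM = 500.0     # billing/shipping separation that is flagged on its own
ML_REVIEW = 0.8              # score that triggers review by itself
ML_COMBINE = 0.5             # score that triggers review only alongside a weak signal


def km_between(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in kilometres (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def review_reasons(o: Order) -> List[str]:
    """Return the reasons an order needs manual review; an empty list means ship it."""
    strong: List[str] = []   # any one of these alone queues the order
    weak: List[str] = []     # only matter together with a moderate model score

    if o.ship_to_forwarder:
        strong.append("ship-to is a forwarder/mailbox")

    addresses_differ = o.billing != o.shipping
    ip_far = (km_between(o.ip_location, o.billing) > IP_FAR_KM
              and km_between(o.ip_location, o.shipping) > IP_FAR_KM)
    if addresses_differ and (o.ip_is_proxy or ip_far):
        strong.append("billing != shipping and IP is proxy/VPN or far from both")
    elif addresses_differ:
        weak.append("billing != shipping")      # shipping to the office is allowed
    elif ip_far:
        weak.append("IP far from address")      # could just be a travelling customer

    if km_between(o.billing, o.shipping) > BILL_SHIP_FAR_KM:
        strong.append("billing too far from shipping")

    if o.ml_score >= ML_REVIEW:
        strong.append("high model score")
    elif o.ml_score >= ML_COMBINE and weak:
        strong.append("moderate model score combined with: " + ", ".join(weak))
    return strong


def needs_manual_review(o: Order) -> bool:
    return bool(review_reasons(o))


# Constructed sample coordinates (approximate city centres).
NYC, NEWARK, CHICAGO = (40.71, -74.01), (40.74, -74.17), (41.88, -87.63)

if __name__ == "__main__":
    office = Order(NYC, NEWARK, NYC, False, False, 0.1)   # card at home, ship to office
    print(review_reasons(office))                          # [] -> ships without review
    proxy = Order(NYC, NEWARK, NYC, True, False, 0.1)
    print(review_reasons(proxy))                           # flagged: proxy + differing addresses
```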

Wow, so I guess you could say that you don't have to be 100% effective, just better than the other potential victims.

It's not just that there are other victims. Let's say you are selling a widget for $50. The fraudster can order some of these and put them up on Amazon for $45. They have costs associated with this, including the cost of acquiring usable CC numbers, the cost of running their store, the cost of placing the fraudulent orders. I can increase the cost of the first and third in that by filtering a large number of their orders. Many of their CCs aren't going to pass the filter and much of the time they spend making the orders is wasted. Even if they have bots making the orders, there is a cost associated with it. Increase it enough and they don't really make enough for it to be worth their while.

Makes sense though. If your herd is being attacked by a pack of wolves, as long as there is someone slower/weaker/dumber than you, they’ll become the target and your likelihood of staying alive goes up.

TLDR: don’t be last, second to last is still OK. I guess.

Which do you recommend? I work with custom solutions for banks which a lot of times include fraud prevention services from third parties, so I'm consistently benchmarking for better alternatives.

What services do this & are they expensive to implement? Are you just unloading CC data & other hashed values for matches like Maxmind?

Yes - you send a hashed cc number along with client ip and most of the order/payment info. I wrote another response to a sibling post with it but I must have never submitted it because I don't see it there. FraudLabsPro and Subuno are entry/mid level products. Others like Sift Science, Riskified and Simility only have very high volume options or don't advertise any entry-level pricing.

I once bought a 2k item online from a well known camera store in the US. I called and asked for a competitor price adjustment. I did end up purchasing it over the phone. A day later I noticed that a fraud specialist from that company looked at my LinkedIn profile. So, yeah, I guess that they do have to figure it out on almost every transaction/customer.

The camera stores have it down pretty well. I remember trying to ship a camera lens to my father's place (he's retired and can sign for it) as opposed to my usual address. Long story short (and a phone call), I did get it sorted. But part of that was I was a customer for a few years and was able to prove that it was ok. I was glad they were vigilant.

They have databases of "known addresses" so if your order doesn't match, it can be hard.

(They keep the old addresses too, as an attempt to get the UPS automated phone center to hold for pickup one time ended up with them shipping the clothes to an 8-year-old address of mine in an adjacent state.)

I just bought an expensive bed yesterday and got a fraud alert text within 5 seconds of the transaction going out and my card was shut off today temporarily until I confirmed the purchase again. Some banks are fairly on the ball when it comes to detecting irregular purchase patterns.

Services such as Stripe and PayPal indeed serve as central repositories for fraud intelligence. I imagine that other payment gateways also provide a similar function, though those two are the ones I'm personally familiar with. We've operated a small ecommerce business for almost 8 years and although PayPal fees are probably on the high side, fraud has been a non-issue for us.

> PayPal fees are probably on the high side, fraud has been a non-issue for us.

It should be an issue for you. That is because PayPal is stopping a lot of payments with false positives. I live outside the US and using PayPal is generally a pain in the ass.

I also live outside the US and every legit transfer larger than 100 USD or EUR from my account got blocked. Every time it happened, I had to send photocopied ID, bills, and other requested documents. I got a verified business account with lifted limits and still the same pattern continued. And every time I had to call support, otherwise it took about a month for them to review the documents and unlock the account. At the end I was able to get the money out by small transfers. Now I just require a SWIFT transfer from all my US customers.

Hmmm... that does sound interesting. Might you have any hard data to back this up?

If it's true I'd expect that we'd get a lot more complaints from customers that their cards are being rejected.

Would a customer complain to you because PayPal doesn't cater to them?

In particular, credit card settings are multi-step and all done on the PayPal site; I wouldn't imagine going back to some merchant site to complain about that process.

I would imagine that at least some would, given that they're interested enough in the product to initiate the checkout process.

In the absence of any hard data on this, I'm writing it off as anecdotal.

> In the absence of any hard data on this, I'm writing it off as anecdotal.

The Internet is full of these stories from people with good karma. Just look for it on the Internet. Probably you are from one of the few countries where the experience is different.

The Internet is full of facts about PayPal issues.

We had massive fraud issues with PayPal. Got blasted with stolen credit cards with completely fake addresses (123 Main street Zip code 12345) from Chinese IPs. It seemed like they weren't even doing address verification...

They should, but as far as I can tell, they don't.

Obvious freight forwarder + foreign IP + local US credit card with the wrong billing address...doesn't raise any suspicions from them.

Companies like Accertify are more typical for stores that want a more standard non-PayPal type interface; the purchases go through them following the transaction.

On this note, does anyone know how Stripe Radar stacks up against other fraud protection?

Yep, Stripe handles that via "Radar": https://stripe.com/us/radar

Whenever I travel, I learned the hard way to put a "travel alert" on the credit cards. Otherwise, they may shut them off if suddenly charges start appearing from a foreign country!

Even that isn't a guarantee. I'm traveling in Japan right now and everyone I'm traveling with except myself has had issues, despite filing travel notices well in advance.

What kind of issues? It could be some sort of communication problems, rather than rejections by your bank. Or, maybe, a local bank rejecting your card for their own reasons (I don't really know how this works).

I was visiting Philippines recently, and wasn't able to withdraw cash - the ATMs (I've tried different banks' ones) were rejecting me with a generic error message. So I've contacted my bank to check what's wrong and if they're blocking me for any reason. Turned out that they haven't seen any transaction attempts at all - like something along the path wasn't working (no clue, really). The suggested method of trying an ATM in a different part of the city worked.

I've also had issues with some payments via PoS terminals. Normally, when payment fails I get a push notification about the failure - but none happened at those times. So, I guess, this could be similar.

Nope, actual rejections that had to be called in and confirmed.

I've never had problems not posting notice on my trips to Canada but I didn't feel brave enough to try transacting in Japan without notifying first... Still, I wonder with the prevalence of chip readers, isn't the "card is present" signal much stronger? So unless they think I've had my card stolen and haven't bothered to report it yet they probably shouldn't stop any card-present transactions.

(Having had an EMV chip card for about 15 years.)

The banks still advise customers to inform them when travelling, but I've not found that to be necessary when in countries with chip and PIN. (If I'm going outside Europe I will inform the bank of my main card, but in South America, Asia, Africa there will be some point where it isn't accepted, and I use a backup card -- that bank doesn't know I'm travelling.)

The USA used to be the problem -- about once a year, someone in the office would get a robot phone call from the bank saying their card had just been blocked due to suspect activity in the USA. That should be becoming a lot less common.

Chip transactions are indeed a huge signal - a chip transaction can't be faked due to strong cryptography. Granted, the card can still be stolen, but it's rare enough that most banks let it through.

I feel like if my card gets stolen and I don't notice before it gets to Japan and starts spending money, I have bigger issues.

Magstripe cards can be cloned very easily. You might still have your card, but maybe someone copied the data off it last week. The chip is a different story.

> a chip transaction can’t be faked due to strong cryptography.

There is always a defcon pwn


I don't know why but I kind of expected with all the hubbub from Europeans about how chips rule they would have some sort of anti-tampering / tamper-evident features to them... Next thing you're going to tell me you can extract the private key from one without much effort...?

Of course you can, but I wasn't writing about that.

The idea behind the chip is that the transaction result is written back to your card, something a mag stripe cannot do. I had a family related fraud where my son used my card in a store to buy a few video games. Over the phone Amex told me to go to the bank, which was able to show me this card had been swiped physically in the store because confirmation hashes were written on the chip of my card.

It was explained to me that up to 16777264 transaction hashes can be written on one chip before the overwrite process starts.

So at this point you won't get your money back if you have your card present but claim someone made a copy, because they will simply pull data off the card.

Side issue: Europe switched to contactless credit cards some 3 years ago. It's insanely fast; you don't even touch the reader, you just wave your card and the transaction is approved. You will need to wait another 5-8 years for that in the USA though.

Yes. There are significant beneficial network effects in payment processing.

Back in the day, eBay had ludicrously good fraud rates (and hundreds of engineers working on models, from what I heard). We hired a few people from them and were quite proud to achieve rates in the same ballpark with orders of magnitude less traffic.

eBay also had and still has a reputation for outright letting fraudsters operate easily as buyers. I would never trust eBay to sell anything there anymore.

Same for sellers. It's really sucky to get a bunch of broken laptop keyboards from a seller, then get replacements that are also liquid damaged or physically damaged.

Buyers automatically win all disputes though. And even though PayPal thankfully split from eBay, the buyer wins there too.

Living abroad and using a forwarder ... I buy almost exclusively from Amazon just because I know it'll be easy. Pretty much anywhere else, it seems to be a 50/50 chance that they'll just cancel the order, half the time without so much as a notification.

Equifax. But we know how that worked out.

Could a Blockchain/DHT solution work for this? Normalize and hash the data and send it to the network to check its karma. If there's no karma then it's a new customer, otherwise the karma tells if it's a good/bad customer. Then after they buy you add or reduce a karma point.

Would there be a way for someone to reverse/bruteforce the hashes to figure out people's information?

MD5 Hash of concatenated CC# & street address for all orders. Post to a database 90 days after the order shows no signs of fraud.

Use existence in the DB (weighted by number of instances) as a probability of not-fraud.

My guess is Shopify, Stripe, etc are doing something like that when they send "this might be fraud, you should review" alerts.

I periodically deal with recurring fraud from what seems to be a pretty organized network.

- Orders are placed with stolen credentials with correct billing info that matches AVS.

- Ship-to addresses are located near billing info, typically in the same state/metro area.

- They are often rural addresses, trailer parks, what appear to be rent houses that may be empty.

- Phone number provided has correct area code and rings a call center that has stolen billing info available and will confirm billing address order details verbally.

- IP is geolocated at/near the billing info area via a proxy.

- Email addresses are often set up on custom domains.

We catch them, but only because they don't vary the pattern much and we know what to look for. I don't know how fraud tools would be able to effectively filter in these cases without a lot of false positives.

As someone who uses a custom domain email address, this makes me sad.

I didn't mean that a custom domain is an indicator. Just that they go to the trouble to register throwaways for this use and it isn't limited to just free email services.

>I didn't mean that a custom domain is an indicator. Just that they go to the trouble to register throwaways for this use and it isn't limited to just free email services.

Yeah, I'd assume someone with a firstname@lastname.com email and a web presence is probably an indicator it's legit rather than fraud :)

Nothing says you can't have more than one email address. Set up another one on a non-custom domain, and use that for the CC.

Another easy & free thing you can use is proxy detection; sites like https://getipintel.net would be beneficial in preventing fraud.

FWIW this website is 82% certain that my IP (university) is a VPN/Proxy/Bad IP.

The website says to only look at really high values ( more than 0.99 ) and everything below 0.90 is "low risk".

It's 94% certain the VPN endpoint IP of my work VPN (only 25 people, university IP) is a VPN/proxy/bad.

That's correct, but not at all correlated with us being likely to commit fraud.

It's 79% certain the office LAN NAT gateway IP is a VPN/proxy/bad.

My work desktop's static IP gets 23%, so that's something.

My home IP gets 60%.

(Is this thing just connected to a random number generator?)

A lot of students have buyer remorse when they realize the money they just spent online could have been used more wisely. Unfortunately, when a network has a small percent of bad actors, the network as a whole is punished.

I'm guessing it's more so that there's a lot of traffic coming from that IP that it was flagged as a proxy.

I wonder what you have to do to become a target for such a network? I have not seen such behaviour online myself, in fact scam problems have been minimal and only once have I seen a gross picture in the customer service tickets. This was probably deserved though...

At order time I create a Google Map of the delivery address and this shows on checkout success. It also shows in the admin side with a live Google Map. If Google can get the address right then the postman probably can is the thinking.

This reduces delivery problems immensely as anything that cannot be shown on a map goes on automatic hold.

Money wasted on delivering the wrong products to people, e.g. after they have managed to cancel their order, plus the costs of back room accounting/customer service is a far bigger cost than fraud.

In your experience did you have savings to be made in your operation in shipping/customer service, to optimise that before tightening up on fraud prevention?

Or do you sell expensive items in a low-ish volume where a single fraud wipes out all of your profits rather than just cost $20 or so?

The credit card payment gateway we use has an AVS that proved to miss a sizable amount of fraud, and also identify some legitimate transactions as fraudulent.

We ended up disabling the AVS system and implementing our own internal system which has been nearly perfect - but we still lose a number of legitimate customers who are unable to pass the automated verification.

AVS was never meant to be an end-all-be-all for fraud. Also, if you don't send address data you're getting worse rates.

Do you report these to the police? It seems as if the "rent houses" could provide a pretty easy connection back to the criminals.

You could use https://ip-api.io to detect proxies/tor/etc

You could use a service that detects if a phone number is prepaid or voip.

I've been bitten by this before as a customer. I tried signing up for FastMail and was unable to create an account because their signup page required I supply a non-voip phone number. My phone carrier - Republic Wireless - is a voip-only carrier. Google Voice is also voip-only. At least, that's how their phone number check reported my phone numbers.

Unfortunately those carriers are also heavily used by fraudsters.

Which is hilarious because fraudsters can trivially acquire many "legitimate" mobile phone numbers by acquiring prepaid phones and there are entire forums (two on Reddit I know of off the top of my head) where people make a few pennies receiving and then sending the verification codes back to the scammer. I actually do a variant of this and keep a couple of crappy Android phones activated on two Sprint MVNOs that I can use as "throwaway" numbers for a service that demands a "real" mobile number for SMS. I have zero desire to give my actual mobile phone number to anyone except friends and family.

Meanwhile, people who are simply trying to get flexible--or, in the case of someone using a Google Voice number on a Google account with 2FA and a strong password, a more secure phone number than T-Mobile could provide--communications are needlessly punished.

Google Fi is not heavily used by fraudsters, but can't be differentiated against GV.

Only in combination with other negative signals. Plenty of honest people use those. For example, I use a prepaid phone and a VOIP number. I have no other phone numbers.

Fraud prevention can also be extremely annoying to customers when not done correctly. I've yet to be able to buy something from Newegg without them cancelling the order saying it's fraudulent. I'm not sure why they still continue to flag my orders considering I've contacted them every time and they've ended up authorizing it. At least now they don't immediately blame my credit card...

If it was a smaller company and more of an impulse buy I could see a bad system definitely hurting sales. I'd probably not order from Newegg again if they weren't one of the few places that ship hard drives correctly and have reasonable prices.

Years ago I used up my free digital ocean credits, wanted to start paying. They asked for more details which I provided, then asked for my facebook profile. A pretty unusual request, but I complied. They told me the names don't match up and just won't deal with me anymore. Literally gave me no obvious way to proceed. Felt pretty violating to give up personal info just to get brushed off.

Happily used AWS ever since.

Why didn't your names match?

Had it in the diminutive form. As in Deb instead of Deborah, pretty common in my home language.

Wish I could remember what the first step was, think it was pretty informal too, but can't be sure. Just remember feeling dumbfounded they wouldn't simply come back with another option.

Why should they?

I've had issues mainly with manufacturers web stores.

Fender apologized and gave me the part number for the exact model I wanted and suggested I try third party stores.

EVGA was annoying. They called me at 10 am to confirm details, put me on a three way call with my bank and I thought that was it. For whatever reason they tried to call me again the following day but I couldn't answer, when I called them back they told me they cancelled my order. They said my billing details didn't match (simply not true, I've used that address countless time and checked my order confirmation), and that my phone area code didn't match where I lived (no shit, people move...). I decided to just never buy from them again, since there are plenty of other GPU manufacturers.

At least EVGA tried to resolve it.

I tried to order from a computer component retailer here in Canada. They specifically called out that my information needed to match, so I went and logged into my credit card's online portal and copy and pasted my information directly.

However what I didn't think to copy and paste was my own fucking name.

After charging my card and taking my money automatically, they then seemingly manually went to review the transaction and found that something didn't match, though were apparently unsure as to what that might be. When I sent them a screenshot of my online banking portal showing all my information with a "Wtf?" their response was "Oh, it's probably your missing middle initial. Also we've already refunded your order so there's nothing we can do. You should have your money back in a week."

When I asked them why the hell on top of a completely user-hostile validation process they then make it worse by cancelling and processing the refund before even calling me or emailing to give me a chance to correct the information, their response was basically that that's how they have to do it and it's outside their control and shrug.

Needless to say when I finally got my money back a week later I spent it elsewhere.

They didn't actually try to resolve it after they said it was cancelled. They said they couldn't do anything about it and to get back in the waiting list (it was a GTX 1080 right after release), and maybe it'd work.

Nowadays I go out of my way to buy from big stores like Amazon that already have this figured out, rather than buying directly from the manufacturer.

Yep, I've spent a lot of money at NewEgg and the tricks I have to employ to get a legitimate order through are constantly changing. It let me use a PayPal account for a while (then said it was fraudulent), then a CC with a US address (then that was fraudulent because it was a Canadian card), then Bitcoin only. I'm guessing the last one should work for a while.

I have the same problem with IKEA, except their customer service reps lie and tell me it's my bank that blocked the transaction.

This ended up costing me a lot of time as I called my bank, tried the order again, called the bank again, tried different credit cards... eventually I figured out the IKEA reps were just lying, and they had flagged all orders under my name and address without telling me. Infuriating.

I bought a laptop from HP about a year ago, and they canceled my order after shipping it, having FedEx return it to them. I'm still mad about it.

In Germany we have a system called 'giropay', which is basically instant wire transfer via your online banking. With this system the merchant gets a guarantee from the consumer's bank (as it seems, but I am not sure who in the pipeline eats the cost, as the contracts are ask-only), so that even if there was fraud, he will not lose the money. This does limit it to 10k EUR per transaction, which should be enough. The merchant receives the money within 2 bank days in his account, and the max fees for the merchant are 0.89% with a minimum of 33ct, but volume discounts seem likely.

What I don't understand is why the US was not able to set such a system up, but I assume it's related to the general distaste for chip+pin, as well as any sensible security mechanisms for online banking. Yes, pushTAN and mobileTAN are usable, but they only work if you have a phone you trust with the deductible applicable in case of phishing, or, if you have actual reason to not trust it, the daily online banking limit.

Banks and credit card companies in the US have a vested interest in ensuring that credit cards are used to purchase goods and services on credit. In 2017 total credit card debt in the US was ~$941 billion.[1] At an average rate of 15%[2] that's $141 billion per year that banks make on credit card debt interest (not counting interest on interest and fees).

[1] https://www.nerdwallet.com/blog/average-credit-card-debt-hou...

[2] https://www.creditcards.com/credit-card-news/interest-rate-r...

How much of the credit card debt has been paid off within a month?

How much of the credit card debt is eventually written off as bad debt?

> In Germany we have a system called 'giropay', which is basically instant wire transfer via your online banking

I never saw a shop accept these. Most of the times it is a regular wire transfer, sometimes PayPal with fees or via invoice. Nowadays many shops also do credit card.

I know steam accepts it.

If you scroll down here (https://www.giropay.de/haendler/) you can see that several more big shops (albeit not many) accept giropay.

I love the artwork behind the article: https://www.candyjapan.com/static/credit-card-fraud_s.png

I like how the author doesn't immediately reject orders if they have just one sign (IP address country different from shipping country, shipping to a reshipping center, etc.) but looks at all the indicators as a whole to make a decision.

Edit: isn't this how Stripe Radar[1] works?

[1]: https://stripe.com/us/radar

From my experience, nothing drives users away faster than a false positive on a fraud check. You immediately lose all trust in the eyes of the users.

Yeah, but that's something you have to accept for the positive benefits. In a lot of online businesses, credit card fraud is just insanely rampant. You lose a lot more money by not doing checks with the occasional false positive than you do by not having it.

The cost of fraud is chargeback fee (usually ~15 bucks) + merchandise. It gets expensive fast. Every modern e-commerce business has to be fighting it now to stay alive. For certain SaaS / Software products the cost of failing to fight it is a tad lower, but for physical products it's killer.

>The cost of fraud is chargeback fee (usually ~15 bucks) + merchandise.

that's the least of the cost. the real cost of chargebacks is in the processing rate increases.

Sure, you can't ignore fraud.

We have a lot of those each month.

What is more important is to have a smart way to detect the frauds. Most clients that had received false positives never came back even with discount codes and apologies. Nobody likes getting stuck on a checkout page with an error message telling them they are in the wrong.

One way to optimize is to maximize expected revenue - expected cost of false positives or fraud.

A savvy business will know (or can estimate): customer lifetime value, false/true positive/negative rates of their fraud detection system, rate of charge-backs, expected rate of fraudulent purchases, revenue from given suspected transaction.

If average discounted customer lifetime value is $10k, charge-back rate is 2%, your fraud detection false positive rate is 0.1% and true negative rate is 99.9%, fraud detection true positive rate is 95% and false negative is 5%, customer is purchasing a $20 item. Then

* expected revenue if purchase is fraudulent: $0 * (true positive rate) - $20 * (false negative rate) = -$1

* expected revenue if purchase is non-fraudulent: $20 * (true negative rate) - $10k * (false positive rate) = $9.98

* total expected revenue value (with fraud detection enabled): (expected revenue if purchase is fraudulent) * (rate of fraudulent purchases) + (expected revenue if purchase is non-fraudulent) * (1 - rate of fraudulent purchases) = $9.7604

Without fraud detection, your expected revenue is: $20 * 0.98 = $19.6

Simplifying assumptions: false positive results in complete loss of customer value (realistically, replace this with big drop in customer lifetime value). Fraud rate is constant (realistically, should be modeled). Fraud rate is charge-back rate.

In this case, it's easy to see that seemingly low 0.1% false positive rate is still too high for this small of a purchase and these customer lifetime values. The 'smart' decision would be to ignore fraudulent purchases of this size in this case. (for this scenario, you need FPR below 0.004% with all else same)

Better model still would be a fraud detector that outputs a confidence score rather than "yes/no", and use the formula above to determine if the predicted false-positive-rate at this confidence level is sufficiently high to expect a revenue uplift from enabling the detector.
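The expected-value model worked through above, written out as an added example (not code from the commenter or from Candy Japan). Parameter values are the comment's; the `Scenario` fields, the helper names and the two break-even solvers are this example's own. One modelling choice differs from the numbers shown: the no-detector baseline here charges the lost merchandise on every fraudulent order, the same way the detector branch does, so it comes out at $19.20 rather than $19.60. That consistent baseline is the one that reproduces the comment's break-even false-positive rate of about 0.004%, and it also lets you solve the question the comment raises the other way round: above what order value is the detector worth switching on at all?

```python
"""Expected revenue per screened order, with and without a fraud detector.

Added illustration of the model in the comment above; all names are
assumptions of this example, all numbers come from the comment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    clv: float          # discounted customer lifetime value lost on a false positive
    fraud_rate: float   # share of orders that are fraudulent (comment equates it with chargeback rate)
    fpr: float          # false positive rate: legitimate orders wrongly blocked
    fnr: float          # false negative rate: fraudulent orders let through
    order_value: float  # value of the order being screened


def ev_with_detector(s: Scenario) -> float:
    """Expected revenue of one order when the detector is on."""
    tnr = 1.0 - s.fpr
    tpr = 1.0 - s.fnr
    ev_fraud = 0.0 * tpr - s.order_value * s.fnr      # blocked fraud earns nothing, missed fraud loses the goods
    ev_legit = s.order_value * tnr - s.clv * s.fpr    # approved legit order pays, blocked one loses the customer
    return ev_fraud * s.fraud_rate + ev_legit * (1.0 - s.fraud_rate)


def ev_without_detector(s: Scenario) -> float:
    """Expected revenue with no screening: every legit order pays, every
    fraudulent order is a chargeback that also costs the merchandise
    (this example's assumption, applied consistently with the branch above)."""
    return s.order_value * (1.0 - s.fraud_rate) - s.order_value * s.fraud_rate


def breakeven_fpr(s: Scenario) -> float:
    """Largest false positive rate at which enabling the detector still breaks
    even, holding everything else fixed.  ev_with_detector is linear in fpr
    (tnr = 1 - fpr), so this is a direct solve, not a search."""
    legit = 1.0 - s.fraud_rate
    target = (ev_without_detector(s) + s.fraud_rate * s.order_value * s.fnr) / legit
    return (s.order_value - target) / (s.order_value + s.clv)


def breakeven_order_value(s: Scenario) -> float:
    """Smallest order value for which the detector (at its current fpr/fnr)
    adds expected revenue.  Below it, the comment's 'ignore fraud of this
    size' is the better policy.  Returns inf if no order size is large enough."""
    legit = 1.0 - s.fraud_rate
    # ev_with - ev_without  =  V * slope  -  legit * clv * fpr
    slope = -s.fraud_rate * s.fnr + legit * (1.0 - s.fpr) - (1.0 - 2.0 * s.fraud_rate)
    if slope <= 0.0:
        return float("inf")
    return legit * s.clv * s.fpr / slope


COMMENT_SCENARIO = Scenario(clv=10_000.0, fraud_rate=0.02, fpr=0.001, fnr=0.05, order_value=20.0)

if __name__ == "__main__":
    s = COMMENT_SCENARIO
    print(f"with detector:    ${ev_with_detector(s):.4f}")
    print(f"without detector: ${ev_without_detector(s):.4f}")
    print(f"break-even FPR:   {breakeven_fpr(s):.6%}")
    print(f"detector pays off above order value ${breakeven_order_value(s):.2f}")
```

With the comment's figures the detector only pays for itself on orders above roughly $544, which is the same conclusion the comment reaches from the other direction. The next step the comment suggests, a score-producing detector, drops straight in: run `breakeven_fpr` once per score threshold against that threshold's measured false positive rate and enable the block only where the measured rate is below it.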

Or even better, one retailer I dealt with that did all their fraud checking manually after charging you.

So they took my money, decided they wouldn't sell to me, then I had to wait a week to get my money back.

At no point did they so much as call or email me to try and see if we could correct any issues with the information before initiating the refund.

I've spent more on identical products from other retailers just to avoid them.

I see it differently. A merchant who takes fraud seriously is someone I would trust more.

I had NewEgg flag a transaction of mine as fraudulent in 2009, they just silently cancelled it then gave me strange errors on the order status page. When contacted they said the transaction was flagged and there was nothing they could do.

I didn't use NewEgg again until 2017 as a direct result. That one bounced transaction (and frankly how they handled it) cost them six years worth of business that Amazon got (talking easily $3K+).

I think you're the edge case. Most customers will be somewhere between put out and outright angry.

The problem I see is NewEgg handled it poorly, it doesn't sound right that there wasn't anything they could do. That's NewEgg's problem and nothing wrong with actually flagging a transaction that requires a manual investigation.

Not even angry or slighted. People will just assume that Merchant X doesn’t ship to their area and they never go back because they never receive any information to the contrary.

I’ve only been flagged once, and that was when I was a new B&H customer. A quick phone call fixed the problem and in spite of changing addresses at least ten times since then, haven’t had a problem since.

However, it is occasionally a problem that B&H won’t ship to hotels.

NewEgg’s operating margin is probably between 3 and 10%, so that bounced transaction cost them ~$250 in profit. Would they have lost more than that by fulfilling your order size in 2009 if it had been fraud?

On the other hand I've shopped with NewEgg since 2005. I've had orders flagged as fraud once in a while both from NewEgg and also (more often, actually) from the bank when they receive the charge from NewEgg. While quite annoying, it is one of the many reasons I continue to order from them.

The more false positives they have, the more false negatives they're going to have and that's where it becomes an issue.

Fully agree. It multiplies the anxiety for a novice online shopper.

Yes, Stripe Radar will automate most of these checks. They also have the benefit of being able to see other merchants' transactions within their network, which helps when someone tries test transactions across a bunch of different merchants all at the same time from the same IP.

It seems to me like the author doesn't actually do anything programmatically, and instead has few enough orders that they eyeball it and do additional human steps. A good start but not scalable.

My old employer, a phone retailer, would check how long the user had been browsing the site and what they looked at.

We noticed that legit customers tended to take their time on our site. They would look at several pages and not immediately add something to the basket and checkout.

Of course, some legit customers would demonstrate the same pattern particularly when a new phone was launched - but that wasn't too common.

So if the user spent less than five mins on the site before checking out, or if they only looked at one product page, then that order would automatically be flagged for manual review. 60% of those orders were rejected.
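The two browsing heuristics described above, as an added example that is not the retailer's code. The session log format, the `/phones/` URL prefix and the sample sessions are all constructed for the illustration. The function returns the reasons an order should go to manual review rather than a reject decision, which matches how the comment says the rules were used, and the launch-day pattern the comment warns about (legitimate customers going straight to one product) is exactly why the output is a review queue and not an auto-decline.

```python
"""Flag a checkout for manual review from its pre-checkout browsing session.

Added illustration of the two rules in the comment above.  Log format,
paths and thresholds are assumptions of this example.
"""
from datetime import datetime

PRODUCT_PREFIX = "/phones/"     # assumed URL layout: product pages live under this prefix
CHECKOUT_PATH = "/checkout"
MIN_DWELL_SECONDS = 5 * 60      # "less than five mins on the site"
MIN_PRODUCT_PAGES = 2           # "only looked at one product page"


def parse_session(lines):
    """Each line is '<ISO timestamp> <path>' (constructed format); returns sorted (time, path)."""
    events = []
    for line in lines:
        stamp, path = line.strip().split(" ", 1)
        events.append((datetime.fromisoformat(stamp), path.strip()))
    return sorted(events)


def review_reasons(session_lines):
    """Return the list of rules tripped; an empty list means no review needed."""
    events = parse_session(session_lines)
    checkouts = [t for t, p in events if p == CHECKOUT_PATH]
    if not events or not checkouts:
        return ["no browsing history before checkout"]

    reasons = []
    first_seen = events[0][0]
    dwell = (checkouts[-1] - first_seen).total_seconds()
    if dwell < MIN_DWELL_SECONDS:
        reasons.append(f"checkout after {dwell:.0f}s on site")

    # Distinct product pages, so reloading one page does not count as browsing.
    products = {p for _, p in events if p.startswith(PRODUCT_PREFIX)}
    if len(products) < MIN_PRODUCT_PAGES:
        reasons.append(f"only {len(products)} product page(s) viewed")
    return reasons


# Constructed sample sessions, not real traffic.
SUSPICIOUS_SESSION = [
    "2018-04-27T10:00:00 /phones/galaxy-s9",
    "2018-04-27T10:00:40 /cart",
    "2018-04-27T10:01:30 /checkout",
]
LEGIT_SESSION = [
    "2018-04-27T09:40:00 /",
    "2018-04-27T09:43:10 /phones/galaxy-s9",
    "2018-04-27T09:47:55 /phones/iphone-8",
    "2018-04-27T09:52:00 /phones/galaxy-s9",
    "2018-04-27T09:55:30 /cart",
    "2018-04-27T09:58:20 /checkout",
]

if __name__ == "__main__":
    for name, session in (("suspicious", SUSPICIOUS_SESSION), ("legit", LEGIT_SESSION)):
        print(name, "->", review_reasons(session) or "ok")
```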

Overaggressive fraud protection can lose customers as well.

I placed an order to be shipped to my new address from a merchant I'd ordered a dozen times before for home and work. 2 days after the day the order was supposed to ship, they suddenly canceled it due to "security reasons".

I've stopped using that merchant.

Reminds me a lot of massive email validation regex: http://www.ex-parrot.com/~pdw/Mail-RFC822-Address.html

Can you explain the relationship?

Also, the regex is longer than the (reasonably clear) code[0] which generates it…

0: https://metacpan.org/source/PDWARREN/Mail-RFC822-Address-0.3...

Reshipping centers, I don't want to sound weird, are basically hives of scum and villainy in my opinion.

I was selling something on eBay (a phone) and I got a really weird address; it was a shipping center.

I googled around because I got a strange vibe, apparently, this shipping center had this issue all the time and didn't really care to stop it. I got a horrendous review from the person because I canceled the order and refused to ship it.

I am wondering if fraud is honestly the business model of shipping centers. I can't really think of a good use for them nowadays, especially in a consumer context.

I use reshipping centers a lot, even if the store ships internationally. There are two main reasons:

1 - I may buy a lot of things from Amazon. It's cheaper to pay US shipping for X times (sometimes they are free) and only one international shipping to my country.

2 - Customs taxes, etc. The company I use for reshipping takes care of everything. I pay them and they deliver the items to my house at the time I ask them to do it. If not, due to the policies of my country customs, I would have to attend a custom office for every item I purchased, which is a pain in the ass.

Don't discriminate us, please.

Do the reshippers actually pay the duties to the countries or do they just pretend like you don't need to?

They pay but it is included in the price I pay to them.

Full time RVers and digital nomads in general use reshipping centers too. In like South Dakota, Nevada, Florida, Texas - they let you use mail forwarders (not a PO Box) on your driver's license and registration.

So say you order something and are not sure when it will ship out; they'll ship it to their mail forwarder, which then overnight ships all their packages and box of mail to them when they know they'll be in an area where they'll use general delivery to a post office, or a campground if they allow receiving mail on your behalf there.

If you stayed in an area for a week or two you can have everything sent there, or if you know you'll be passing through X town in a week you can go ahead and 2 or 3 day ship something there to be ready to pick up once you get into town. Basically they hold everything until you tell them to send it to you.

Some will even list your envelopes and, if you want, you can request that they open and scan them. So if you get an important letter and you are RVing in Utah or all the way in London you can still read your mail.

Reshipping centers are used heavily by people outside the US to get access to goods sold online. Tons of stores (especially on Amazon) don't ship outside a few select countries, so customers pay a small fee to these reshipping centers to have packages forwarded to them.

Do they do the opposite too? I feel like there have been frequent times I've bought Chinese components (like bulk LEDs or something) on eBay from a seller that has an address in the US but it still took a long time (about on par with shipping from China) to get to me. Could that have been a person living in China selling stuff on ebay and having an address listed in the US to trick me?

the other reply says it's a "dropshipper" without explaining it. for anybody who doesn't know, drop shipping is the practice of ordering a product from your supplier to be directly shipped to your customer's address.

In the case of ebay sellers with american addresses, it's not a chinese seller pretending to be american, it's an american seller pretending to have stock. they just place the order on a chinese site with your address as the shipping address. You're still doing business with an american, which is presumably what you wanted when you chose a seller with a US address.

It's actually the shipping time I'm looking for. If a Chinese seller could get me an item in 2-3 days I'd buy from them no problem. It's the fact that it can take 2-4+ weeks to receive something that makes it a problem. I hate that they started doing this though. Why can't interactions just be reasonable and honest? Why does everyone have to try to trick you in to things?

I would guess the main reason to have a preference for US-based would be due to shipping time.

Both Amazon and eBay display the estimated shipping time much more prominently than the seller's address.

I don't do a lot of shopping on eBay anymore but this was a bigger problem back when I did for sure. I haven't been around since they started doing this accurately but it used to just be "Ships from US" so then you'd just "Oh ok so it shouldn't be more than a week"

Those are dropshippers, many of those items you can order from Alibaba / Aliexpress and skip a layer of reseller.

definitely check the "ships from" to make sure it's not a dropshipper.

On the flip side, some countries really need these places - Australia being a key example.

The Australian Postal Service even runs their own in the US, in order to allow Australians to order from the likes of Amazon:


New Zealand Post runs one as well: https://www.nzpost.co.nz/tools/youshop

I want to buy something that doesn't ship to my country, I use a shipping center.

Relevant Reply-All story about a reshipping center used for fraud: https://www.gimletmedia.com/reply-all/99-black-hole-new-jers...

> Using an inconsistent and unlikely email address [...] By "unlikely" I mean one that no reasonable person would want to have, usually containing a big batch of numbers in it.

This is awful.

I create random e-mail addresses for every online merchant I have to interact with. It's by far the best way to avoid both real spam and "promotional message" spam.

I don't even use my "real" domains, because anybody who knows my name and the domains I use can construct my personal e-mail addresses. I have special domains dedicated to online commerce, and they look pretty random.

If you go out of your way to appear fraudulent, you can't be angry when you get flagged as fraudulent.

What do you want merchants to do? It appears you have gone out of your way to make sure all your information is completely unconnected to you, which is exactly the case for someone committing fraud.

"All of your information" is a bit over the top don't you think? It's just an e-mail address. It's not relevant to anything. The important info is address and name.

I have the same system. It achieves 100% reliable spam protection with zero false positives and zero false negatives. It's a perfect system, if I follow some basic rules. It also eliminates phishing, except in case of unannounced data leaks. I mark e-mails received from random e-mail addresses I generated in the past with green color, so it's immediately obvious what is legitimate and what is not.

It'd be a bit ironic if someone would think that I'm a fraud, because of this system that is designed to protect me from fraud. :D

Never had an issue with businesses accepting my addresses, except one person looking at me strangely, when I was opening a bank account with a random email address, when I told him that no, I'll not repeat the address to him. :)

All the person on the receiving end has to do, is open the email address domain in the browser, and there's an explanation what's up right there.

If I were a fraudster I'd make an address that looks perfectly ordinary. It's so weird for someone to assume that weird looking address indicates fraud.
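The per-merchant address scheme the two comments above describe, as an added example of one way to build it (not either commenter's actual setup). The alias is derived with an HMAC over the merchant's domain, so it looks like the "big batch of random characters" the article flags, can be regenerated from the secret plus the merchant list instead of being stored, and lets mail be sorted into the three buckets the comment uses: sent to an alias by the merchant it was issued to (the "green" case), sent to an alias by someone else (the address leaked), or sent to an address that was never issued. Secret, domain and merchant names below are constructed for the illustration.

```python
"""One random-looking address per merchant, derived with HMAC.

Added illustration of the scheme in the comments above; domain, secret
and merchant names are assumptions of this example.
"""
import base64
import hashlib
import hmac


class AliasBook:
    def __init__(self, secret: bytes, domain: str):
        self.secret = secret
        self.domain = domain.lower()
        self.issued = {}            # local part -> merchant domain it was handed to

    def alias_for(self, merchant_domain: str) -> str:
        """Deterministic alias for a merchant: same secret + merchant gives the same address,
        so the book is recoverable without storing anything but the merchant list."""
        merchant = merchant_domain.lower()
        tag = hmac.new(self.secret, merchant.encode(), hashlib.sha256).digest()
        local = base64.b32encode(tag[:10]).decode().lower()   # 16 chars of a-z / 2-7, no padding
        self.issued[local] = merchant
        return f"{local}@{self.domain}"

    def classify(self, to_addr: str, from_addr: str) -> str:
        """'expected:<merchant>' if the issuing merchant wrote to its own alias,
        'leaked:<merchant>' if anyone else did, 'unknown' if the alias was never issued."""
        local, _, domain = to_addr.lower().partition("@")
        if domain != self.domain or local not in self.issued:
            return "unknown"
        merchant = self.issued[local]
        sender_domain = from_addr.lower().rsplit("@", 1)[-1]
        if sender_domain == merchant or sender_domain.endswith("." + merchant):
            return f"expected:{merchant}"
        return f"leaked:{merchant}"


if __name__ == "__main__":
    book = AliasBook(secret=b"example-secret-not-for-real-use", domain="buy.example")
    alias = book.alias_for("candyjapan.com")
    print(alias)
    print(book.classify(alias, "orders@candyjapan.com"))      # expected:candyjapan.com
    print(book.classify(alias, "deals@unrelated.example"))    # leaked:candyjapan.com
    print(book.classify("nobody@buy.example", "x@y.example")) # unknown
```

The leaked bucket is the useful one: a message arriving at the alias issued to one merchant from anyone else is evidence that merchant's customer list has escaped, before any breach notice, and the alias can be retired without touching any other relationship.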

> It's so weird for someone to assume that weird looking address indicates fraud.

I mean, they aren't assuming that... they are basing it on data. They have lots of data on fraudulent purchases, and apparently that is one of the indicators.

I usually add the company name in front and have gotten confused and pointed questions from staff repeatedly about how I have an email address with their company. I have given up trying to explain and have resorted to more obscure initials.

People don't understand email, apparently.

> What do you want merchants to do?

Become modern? Make wire transfers fast enough to be usable for purchases online. Securing the bank account could be done then with 2FA (smartcard, phone whatever).

Those suggestions have nothing to do with merchants. Those would be changes to banks and the financial system.

What my suggestion pretty much means is that the identification part is offloaded to the bank, as it should be.

These are changes neither to the banks or the financial system. It's just a change on how a bank verifies your identity.

> What do you want merchants to do?

Accept a certain amount of loss in exchange for fair customer treatment. Obviously this isn't binary, but for something like an email address, it can be considered a factor, but should not be a determining one.

>Accept a certain amount of loss in exchange for fair customer treatment.

"accepting loss" gets priced accordingly. personally, i'd rather give merchants my real email address and not pay an extra fee simply to give you the privilege of keeping your email address secret.

If you want to make yourself indistinguishable from a fraudster, please find a way to do it without affecting the price everybody else pays.

Lots of things that help other customers besides you are priced into the product you pay for. In some cases (like if a company auto-rejected strange email addresses), I don't think it's fair to expect other customers or the company to cater only to how you purchase.

Of course, just being "flagged" as is the case here instead of rejected is fine. It's larger companies that use these heuristics as their final answer that are the problem, and we shouldn't blame/punish legitimate customers.

>I don't think it's fair to expect other customers or the company to cater only to how you purchase.

but you do think it's fair to expect a company to cater to the relatively unique way you use email?

>something like an email address, it can be considered a factor, but should not be a determining one.

The article specifically states that no one indicator will result in a payment being denied. There aren't any determining factors in this system

True. I mean in the general case.

Some companies today offer a fraud prevention solution which is covered, meaning they will pay the merchant for whatever fraudulent transaction slips through their systems. These companies employ pretty sophisticated methods as this is their core business. I work at one such company, Forter. We take pride in the fact that we approve more than the others would, and we take complete financial responsibility for our mistakes so merchants just don't have to deal with it...

Paying for fraud that slips through should be the easier part.

Do they compensate for lost business because of false positives? The problem is that even the wannabe seller cannot quantify it.

At several occasions I have not been able to order something online, because they would not accept my card.

Now that everyone has smartphones, I wonder if you could do something with the camera... like require a photo or video of the physical card in front of some visual token on the screen for orders that don't ship to the billing address on file...

You would think with the amount of value / fraud at stake, Visa/MC/AMEX themselves would invest in fraud detection technology and offer that as a service to their participating banks and merchants.

They have so much more volume and cost absorption capability that they could spin up a much more talented / sophisticated detection group than any individual bank or merchant could, you would think? And charge for it accordingly?

Visa/MC/AMEX make a MASSIVE amount of money on Fraud - it's in their interest to perpetuate it. I've experienced this myself with > 6 figures in CC fraud in a month. Here is the financial break down:

Every time a customer gets a charge due to fraud, they file a chargeback. If we are able to contest it, all is well; otherwise they hit you with a $25-$35 fee PLUS the charge is reversed, so depending on margins you are out your costs on the transaction as well.

If the # of fraud transactions gets bad enough (even if you are working with them diligently to get things under control) and not able to stop it, they will charge you a chargeback penalty fee.

This essentially says you are high risk and so now give us 50,000 or 100,000 dollars or you can't accept credit cards AND you have X days to resolve this and get your chargeback rate to a reasonable level or we will hit you with another, bigger charge in 30/60/90 days or whatever the risk management department wants.

They may also come back and say now we've told your processor (stripe, braintree, etc) that THEY need to charge you more because we are charging them more to deal with you. So instead of 2.5% of each transaction they are getting 3% for example.

It all adds up to billions across the world economy, it costs them only to deal with it administratively and they are collecting many many times that in fees from the merchants. It is very much a scam and the average customer doesn't realize the massive hit companies can take for the convenience of Credit Cards.

as far as I know, chargeback is always at least $35, even if merchant wins. Big retailers might be able to negotiate this.

They normally don't shoulder the financial burden of fraud.

Sure, but who wouldn't like to make a buck from it? Well, I guess they kind of do with every chargeback, so they have conflicting incentives.

I've had a case of someone walking into a Verizon store, buying 4 new iPhones and charging it to my account. The amazing thing is that between phones, tablets and hot spots, my family has 7 mobile devices. The perpetrator did not upgrade any of the existing phones, but created 4 new phone numbers. This should have been a huge warning sign. I'm 100% convinced that the person at Verizon was in on this. In addition, over the next few days, they made thousands of dollars in international calls. To Verizon's credit, they were great at resolving the mess for me as an individual customer, but in the end they ate the cost, which means that it got diluted to all the customers.

I find it strange that the de-facto thing to do for fraud is to simply not accept the order. Why not report the fraud to authorities instead?

Fraud falls into a weird category of crime where:

- happens globally (far outside of local police jurisdiction)

- per event small monetary value

- widespread but difficult to tell how connected (is it tens of thousand of fraudulent events from a single actor or tens of thousands of different actors?)

All of which adds up to there not being a clear cut law enforcement agency to handle these types of things (aka you can't reasonably ask the local police to help you track down a scammer in singapore).

Yeah, essentially no local law enforcement is going to care about some guy successfully scamming you for a $100 chargeback. We were basically told not to bother for anything under $25k from a single actor, and even for amounts over that I think we only managed to get law enforcement action through personal contacts.

I think the one case that law enforcement did act on was a group that was using a newly built neighborhood as a drop point for stolen goods. It was complete enough that there were addresses to ship to, but nobody was living there yet, so it was easy to just pick up packages off the front steps. From what I heard, the police ended up picking up some guy with a truck full of iPods who was just going house to house picking up the deliveries.

Yes I tried to report CC fraud (as a merchant) and the local departments kept bouncing me back and forth between my local police and the department at the fraudster’s jurisdiction. I had address, email, IP, and name, yet no one could do anything.

Would authorities in your jurisdiction do anything? Could they reasonably be able to do something?

In my city a friend of mine had some checks stolen out of his car when he was out of town. The check info was used to pay for some utility bills. Reported to the police and no one gives a shit. The police know where the criminals live. They paid their electricity with it. Nothing done. Compared to online fraud this was a simple bust waiting to happen.

Depending on where you live, if it's not a criminal offence, the police likely won't give a shit.

I know someone who works at a place that gets ripped off to the tune of $50k+ each month. Police won’t do anything about it.

Corporate tells them to just let it happen. Presumably, it all gets charged to insurance.

Likely they self-insure.

Or they're a seller with higher prices that is willing to do the oh-so-dangerous thing known as international shipping. The hits make up for it.

As a here-and-there Ebayer, I price things high and I'll ship to any developed country. My issues are mostly when shipping domestically.

So, if you find the order suspicious enough that you would rather lose the order/customer than ship it and probably lose your money, you are probably still far short of the standard of proof which would allow anyone to get prosecuted for anything, even assuming that you could get law enforcement to investigate.

I occasionally wonder why Visa/Mastercard/etc don't make it easier to report suspected fraud directly to them.

They're in an ideal position to 1) pro-actively notify the card owner and get them a new card, and 2) potentially give the authorities something more to work with than an individual store like Candy Japan.

Time. Nothing will come of it and it will cost you your wasted time.

What authorities should you report it to?

The bad part of credit card fraud is that the card network, issuing bank & gateways pass on the liability to the small merchant. There is always a looming risk of losing your account & business due to excessive fraud, something over which you have no control at times. If you become over aggressive with fraud protection, you risk not only losing revenue but pissing off genuine customers.

Your gateway would tell you that as a merchant, it's your job & responsibility to accept a charge & related risk of fraud. Well, if big guys handling billions of payments can't catch fraud, it's quite easy for a small guy to miss it as well.

When you are selling a digital product, it's very difficult to win a chargeback. Some low level bank employee hardly cares about your meticulous documentation & proof that you delivered the product.

3D Secure is one way to shift liability to the issuing bank but it only works for the first charge (not recurring subscriptions). There are lots of reasons for getting hit by incorrect chargebacks, e.g. a mistake on the part of a customer because they didn't recognize the charge, a customer's card getting stolen midway through a subscription, an unhappy customer who wants a refund after using your service for months etc.

I wish the industry would side with the merchant as well at times i.e. maybe a rating system to see how easy is the merchant's cancellation / refund policy etc.

You know... there is one entity that is reasonably well funded, has incredibly strong capabilities for card fraud detection, and is well motivated to identify the fraud: the credit card companies.

(I work for one, which makes me especially interested in this topic. But I don't work in that particular area, nor do I speak for my employer.)

It makes me wonder whether some sort of collaborative fraud detection might be possible. As the merchant, you have access to additional information that the credit card company lacks -- things like the customer's name and the delivery address are (as this article explains) very helpful in detecting fraud, and these are data that the credit card company does not have access to. And of course the credit card company has access to information like the customer's purchase history and their recent transactions, which are useful for identifying fraud from a different direction. If both sources of data were available, it might be possible to detect a higher percentage of fraudulent purchases, and merchants who ship goods could be provided with the information so they could delay or cancel the shipment.

Do you think merchants would be interested in such a program?

> there is one entity that is reasonably well funded, has incredibly strong capabilities for card fraud detection, and is well motivated to identify the fraud: the credit card companies.

IME, credit card fraud detection is a user experience nightmare. There are dozens of false positives per true positive, and the confirmation system is implemented with little regard for the user: I'm not given a reason my purchase is denied, so I have no idea what's going on or a tip on how to solve it (I know the security reasons for it, but that's the credit card company's problem, not mine - find a better way); the confirmation request is delayed, so that I've already had to move on to other solutions (call the vendor, try another order, vendor, or credit card); and the confirmation is not integrated with the purchase - the purchase is denied, it isn't put on hold so I can respond to the confirmation, and I have to start all over.

I know I'm not supposed to use all caps on HN, but I HATE the purchase experience. It wastes a lot of time, sometimes an hour or more, and is incredibly frustrating. I'm doing nothing wrong; I don't like the credit card company using my time like it's worthless nor do I enjoy being treated like a criminal for making a simple purchase. I purchase less online because of the experience.

Would merchants be interested in my purchase history? Yes.

Would I want/trust merchants to have this information? No.

Oh, I'm fairly certain that the information sharing would only go one direction: the merchants would share the data to the credit card companies, who would run fraud models on it and provide near-real-time feedback to the merchants.

In terms of user privacy, this gives the credit card company more information than they already have access to. It is reasonable to worry about the privacy implications of that sharing. But to be honest, the credit card company already knows a great deal just from processing the customer's purchases. Adding in the delivery address (when it differs from the card's billing address) is a leak of personal data, but not a huge one. Additionally, we might be able to put in place contractual controls limiting the data to certain uses. I can assure you (from my own experience), credit card companies are well experienced at compartmentalizing data and limiting data sharing.

If you really care about your customer you should be worried about false positive. I hope as a business you do not cancel customer orders because your fraud detection system has flagged them.

Depending on your scale you may using 3rd parties like Sift science, Stripe Radar or Roll your own fraud detection system.

Flagging orders as potential fraud is the easier part these days. The difficult part is how to come up with a process to verify these flagged orders. This process needs to be simple and quick, because essentially you are saying to your customer "we think you are a fraud, can you prove that you're not?"

Banks' merchant checks to verify flagged orders are extremely cumbersome. They require you to call a special phone number (which is different for each bank) and provide customer name, billing address, billing phone and credit card information. Then they can only give you a response on whether it is a match or not. They can't tell you whether it has been reported stolen or anything else, for privacy reasons. At scale this is a very time consuming process. It becomes even more cumbersome if you are a security conscious business and do not store customer credit card information. In that case you have to communicate with the customer asking them to call you to provide their credit card information again.

There are solutions like 3D Secure but they are not widely supported and add their own problems. It is high time credit card companies start providing merchants with a 2nd factor check for transactions. For example, maybe once a transaction is placed with a merchant, they can trigger a 2nd factor check whereby the bank automatically sends a code to the email/phone number on file. If the customer is able to provide the correct code, the merchant can proceed with the order.

Fraud detection will always remain a point of contention between customers and businesses. I just hope businesses make sensible decisions based on their situation. For example, I have seen legitimate customers with all the above cases mentioned in the article.
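A sketch of the bank-side half of the second-factor check proposed above, added here as an example and not code from any card network or from the commenter. The comment only says "the bank sends a code and the merchant checks it"; this sketch adds two properties a practitioner would insist on, both assumptions of the example rather than anything stated in the thread: the code is bound to the specific authorization (transaction id, merchant, amount, issue time) so a code phished from the cardholder cannot be replayed against a different order or amount, and it is single-use with a short lifetime. The cardholder leg (the SMS or email) is simulated by handing the code back to the caller.

```python
"""Transaction-bound one-time code issued by the bank, verified by the merchant
through the bank.  Added sketch; key, ttl, code length and message layout are
assumptions of this example.
"""
import hashlib
import hmac
import secrets


class IssuerOtp:
    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self.key = key
        self.ttl = ttl_seconds
        self.pending = {}   # tx_id -> (merchant, amount_cents, issued_at)

    def _code(self, tx_id: str, merchant: str, amount_cents: int, issued_at: int) -> str:
        # Everything the merchant will later claim is folded into the MAC, so the
        # code only verifies for this exact authorization.
        msg = f"{tx_id}|{merchant}|{amount_cents}|{issued_at}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def challenge(self, merchant: str, amount_cents: int, now: int):
        """Bank side, step 1: record the authorization and produce the code.
        Returns (tx_id for the merchant, code for the cardholder's phone/email)."""
        tx_id = secrets.token_hex(8)
        self.pending[tx_id] = (merchant, amount_cents, now)
        return tx_id, self._code(tx_id, merchant, amount_cents, now)

    def verify(self, tx_id: str, merchant: str, amount_cents: int, code: str, now: int) -> bool:
        """Bank side, step 2: the merchant relays what the customer typed.  Succeeds
        at most once per tx_id, only within the ttl, and only for the recorded
        merchant and amount."""
        record = self.pending.get(tx_id)
        if record is None:
            return False
        rec_merchant, rec_amount, issued_at = record
        if now - issued_at > self.ttl:
            self.pending.pop(tx_id)          # expired: nothing can redeem it now
            return False
        if (rec_merchant, rec_amount) != (merchant, amount_cents):
            return False                     # the merchant is claiming a different order
        expected = self._code(tx_id, rec_merchant, rec_amount, issued_at)
        if not hmac.compare_digest(code, expected):
            return False
        self.pending.pop(tx_id)              # single use
        return True


if __name__ == "__main__":
    bank = IssuerOtp(key=b"issuer-key-for-illustration-only")
    tx_id, code = bank.challenge("candyjapan.com", 2500, now=1_000)   # code goes to the cardholder
    print("merchant verifies:", bank.verify(tx_id, "candyjapan.com", 2500, code, now=1_060))   # True
    print("replayed:         ", bank.verify(tx_id, "candyjapan.com", 2500, code, now=1_061))   # False
```

Nothing here requires the merchant to store card data, which addresses the point made above about security-conscious merchants having to ask the customer for the number again: the merchant only ever handles the transaction id and the six digits the customer types.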

The OP has written extensively about this subject in the past, and I get the sense that he is intimately aware of the risk of false positives, however catching a high volume of fraud could for him literally be the difference between staying in business and not. His fraud tolerance is going to be much much lower than a large vendor.

Reading all of these issues I'm really flabbergasted that you have such issues. Like, my bank offers me temporary non-physical credit cards with small limits for 1€/month/piece and that's what I use to do all my online purchases with, do US banks really not have that option? Second thing that I often use (where possible) wire transfer, it requires my ID-card and the payment is done in seconds.

This thread has honestly made me really appreciate what I have available to me compared to some countries.

Very few banks have that option, and the ones that do are bordering on user hostile, and the temporary cards don't have usable/tolerable features for this.

A wire costs $50-100 (or more for international) per transaction, no matter what the amount.

A bank transfer (ACH) can take several weeks or more depending on how much both banks trust each other and the type of account you have. Here's a fun read: https://engineering.gusto.com/how-ach-works-a-developer-pers...

> For example maybe once a transaction is placed with a merchant. They can trigger a 2nd factor check where by the bank automatically send a code to their email/phone number on file. If the customer is able to provide a correct code merchant can proceed with the order.

Isn't that what 3D Secure provides? With 3D Secure, I receive a code from my bank through SMS, and I then transmit this code to the payment processor.

Today my bank detected a fraudulent transaction on my CC. They blocked the transaction right away and cancelled my card after confirming it with me... so they probably can prevent a lot of these cases. Very interesting article nonetheless...

My wife had to learn just about every one of these lessons the hard way in the first few years of running her own (small retail) business. In retrospect, we should have posted the hard-learned lessons online. I'm glad this person did.

> Later on when the post attempts to deliver it, they will at some point realize that the country is wrong and reroute it to the correct country

Will they? Or will they return it to sender with a bad address note? Would the rates be different by country?

I recall we once sent something from the Netherlands to Canada, but didn't include the country. We later got a surprised email by the recipient that they received the mail despite it not including the country.

I suppose the post office decided to do some digging and managed to deliver correctly.

I'm pretty sure my domestic package to Newfoundland ended up in your country, and then back.

My buyer reports it isn't the first time that's happened to him.

USPS used to have huge offices at its distribution centers with people who figure out bad addresses.

At one time you could send a letter to a particular famous person (I can’t remember if it was an actor named “Rip” or Mr. Ripley from “Ripley’s Believe it or Not”) by simply putting a rip in a blank envelope.

I bet the U.K. has massive departments for this since so many addresses are just something like “Stuffypants House, Humberside.”

> “Stuffypants House, Humberside.”

British people who live in places with address like that tend to go the opposite way, and add superfluous lines:

Lord and Lady Cockwomble, Stuffypants House, Glebe Farm, Cross Road, Ulceby, near Thornton Curtis, Barton-upon-Humber, Humberside

When the official database (and preferred form) for the address will have something like

Glebe Farm, Cross Rd, ULCEBY, DN39 6TR

The postcode tends to identify between one office in a building and about 30 houses, so with that and the building name/number the rest doesn't matter. You can paste that one into Google and change the last letter to see it move slightly.

Maybe it depends on your shipping deal? Thinking they might just charge the account the difference?

If fraud is such a problem for stores, would it make sense to offer a discount for payment methods like bitcoin that don't allow chargebacks? This could reduce the cost of doing business by guaranteeing payment.

This is an excellent idea to prevent revenue loss caused by false positives, which are rampant IMHO.

It's beyond me why so many merchants opt for the revenue-losing and customer-hostile choice to silently cancel flagged orders and let their competitors run away with the money, while they could easily get a safe sale by making a non-negotiable offer to use an irreversible payment method when a credit card gets flagged.

This reverses the trust issue, it's then up to the customer to determine if he trusts the merchant enough and is willing to give up the additional protection that a purchase on a credit card may offer - some of which the merchant may offer instead - to get the item he wants.

> Two bonus signs for the end. You can use a Geo IP database to check if the shipping address country differs from the IP address country. That's a weak sign (people do place orders while traveling, or to friends in other countries), but can break the tie if there is another suspicion.

You can add to that using the first few digits of the credit card to look up the card issuer. If the card is from a bank that does not have a presence in either the region the order is coming from or the region it is being shipped to, that order probably merits a closer look.
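The tie-breaking logic described in the quoted bonus signs and the BIN suggestion above, as an added example (not code from the article or from any commenter). The GeoIP ranges and BIN prefixes are constructed stand-ins; a real deployment would query a GeoIP database and a BIN list instead.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-ins for a GeoIP database and a BIN (issuer identification
# number) database. The ranges are RFC 5737 documentation prefixes; the BIN
# prefixes and issuer names are made up for this example.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "JP",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}
BIN_TABLE = {
    "411111": {"issuer": "Example Bank JP", "country": "JP"},
    "555555": {"issuer": "Example Bank US", "country": "US"},
}


def geoip_country(ip: str) -> Optional[str]:
    """Country the order appears to come from, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_TABLE.items():
        if addr in net:
            return country
    return None


def bin_country(pan: str) -> Optional[str]:
    """Country of the issuing bank, looked up from the card's first six digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    entry = BIN_TABLE.get(digits[:6])
    return entry["country"] if entry else None


def assess_order(ip: str, pan: str, ship_country: str) -> Dict:
    """Combine the two weak signs. Either one alone is explainable (travel,
    gifts abroad, expats), so only two independent signs send the order to review."""
    ip_cc = geoip_country(ip)
    issuer_cc = bin_country(pan)
    signals: List[str] = []
    if ip_cc is not None and ip_cc != ship_country:
        signals.append("ip_country_differs_from_shipping")
    if issuer_cc is not None and issuer_cc not in (ip_cc, ship_country):
        signals.append("issuer_outside_order_and_shipping_regions")
    if len(signals) >= 2:
        disposition = "review"
    elif signals:
        disposition = "note"
    else:
        disposition = "approve"
    return {"ip_country": ip_cc, "issuer_country": issuer_cc,
            "signals": signals, "disposition": disposition}


if __name__ == "__main__":
    # Constructed orders: domestic, a gift abroad, and a mismatch on both signs.
    for ip, pan, dest in [("203.0.113.5", "4111 1111 1111 1111", "JP"),
                          ("203.0.113.5", "4111 1111 1111 1111", "US"),
                          ("198.51.100.7", "4111 1111 1111 1111", "DE")]:
        print(dest, assess_order(ip, pan, dest))
```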

I kept getting flagged for that kind of thing, had to start using a proxy to make my actually legitimate purposes.

Though looking at it from the other side, using a proxy should probably count against you a little.

So if you see one of these warning signs, what should you do?

What if it is a legitimate order? You don't want to turn down a real customer?

I presume if you try contacting the person and asking them if it is a fraudulent order, they will deny it. (I suppose if you can't reach them, that is good enough indication to cancel the order as fraudulent.)

Can you call the credit card companies or payment processors and ask them to do their own fraud checks to see if it is okay, or are they going to leave you on the hook if it still goes bad? (I suspect the latter.)

I cannot imagine running a business where I ship things to people for money without doing address verification. In the mid 90s one of my first database related jobs was parsing the complete US address list we purchased from the USPS and comparing it to our internal mailing list; the process has gotten much simpler over the years.

This would have prevented 3 of the problems on this list, and would also result in a much lower rate of failed deliveries (expensive)...

When you accept credit cards, how long do you have to wait until you know the payment went through? Could you simply wait that amount of time for every order?

Typically chargebacks can happen for 90 days. No one is going to wait that long for you to ship.

I guess that's exactly why the period is so long: they force the merchant to ship before and take that risk.

Run an e-commerce business that sells tires.

It seems that a common pattern that’s arising is for a bad actor to use a foreclosed property or rental to ship to, within spitting distance of the billing address, then have the carrier redirect to a pickup store, such as the Fedex store.

They have absolutely no problem walking into the store and signing off, all on camera. Troubling times.

I work with Signifyd. We are expanding and hiring more Data Scientists and Fraud Analytics ninjas. Apply through the website. We do care about approving good orders while stopping fraudulent ones. In case of a chargeback, we guarantee it.

Doesn't Stripe cover some / most of this?

There are some settings, or at least an overview in the dashboard where you can see if the address was verified and it matched the one on the card. Using billing / shipping address in your order form is obviously for this reason.

I’m fine with fraud detection like this, but probably 90% of my ordering is a credit card, through a VPN, or sometimes from a foreign country, shipped to a freight forwarder, with a VOIP PSTN number. There have to be ways to get around this for false positives.

There are. Mail your government ID to a small business owner who will probably leave it on some vulnerable Windows XP machine.

The payment service I use (Pin Payments) can include a random value in the payment card narrative, allowing you to hold delivery until the cardholder authorises dispatch with the correct code.
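The hold-until-confirmed flow described above, as an added example that is not Pin Payments' code or API: the merchant prints a random code in the charge narrative, and dispatch is released only when the cardholder returns it. The narrative format, code length, expiry and attempt limit are assumptions chosen for the example.

```python
import hmac
import secrets
from datetime import datetime, timedelta

CODE_TTL = timedelta(days=7)   # assumed: statement lines take days to appear
MAX_ATTEMPTS = 5               # assumed: bounds guessing of a 6-digit code


class DispatchHold:
    """Holds an order until the cardholder proves they can see the card statement."""

    def __init__(self, order_id: str, now: datetime):
        self.order_id = order_id
        # Six digits fit a short statement narrative; secrets gives CSPRNG output.
        self.code = f"{secrets.randbelow(10 ** 6):06d}"
        self.created = now
        self.attempts = 0
        self.released = False

    def statement_narrative(self) -> str:
        """Text sent to the payment service to show next to the charge."""
        return f"EXAMPLESHOP {self.order_id} CODE {self.code}"

    def confirm(self, submitted: str, now: datetime) -> str:
        """Returns 'released', 'rejected', 'locked' or 'expired'."""
        if self.released:
            return "released"
        if now - self.created > CODE_TTL:
            return "expired"
        if self.attempts >= MAX_ATTEMPTS:
            return "locked"
        self.attempts += 1
        digits = "".join(ch for ch in submitted if ch.isdigit())
        # Constant-time comparison so response timing leaks nothing about the code.
        if hmac.compare_digest(digits.encode(), self.code.encode()):
            self.released = True
            return "released"
        return "locked" if self.attempts >= MAX_ATTEMPTS else "rejected"


if __name__ == "__main__":
    t0 = datetime(2018, 4, 27, 12, 0)
    hold = DispatchHold("ORDER-1", t0)          # constructed order id
    print(hold.statement_narrative())
    print(hold.confirm(hold.code, t0 + timedelta(days=2)))
```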

A velocity report is the only real way of pro-actively catching fraudsters. Something like ip address by alias or something similar.
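A sliding-window velocity check of the kind suggested above (orders per IP, and distinct customer aliases per IP), as an added example that is not from the article or any commenter. The window, thresholds and sample orders are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


class VelocityMonitor:
    """Counts orders per IP and distinct aliases (emails) per IP inside a window."""

    def __init__(self, window=timedelta(hours=24),
                 max_orders_per_ip=5, max_aliases_per_ip=3):
        self.window = window
        self.max_orders = max_orders_per_ip
        self.max_aliases = max_aliases_per_ip
        # ip -> (timestamp, normalised email), oldest first
        self._events: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)

    def _expire(self, ip: str, now: datetime) -> None:
        q = self._events[ip]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def record(self, ip: str, email: str, ts: datetime) -> List[str]:
        """Record an order; return the velocity flags it trips (empty if none)."""
        self._expire(ip, ts)
        q = self._events[ip]
        q.append((ts, email.strip().lower()))
        flags = []
        if len(q) > self.max_orders:
            flags.append("orders_per_ip")
        if len({e for _, e in q}) > self.max_aliases:
            flags.append("aliases_per_ip")
        return flags


# Constructed sample: one IP placing orders under several names, then a
# further order after the window has rolled over.
SAMPLE_ORDERS = [
    ("2018-04-27T10:00:00", "203.0.113.5", "alice@example.com"),
    ("2018-04-27T10:05:00", "203.0.113.5", "bob@example.com"),
    ("2018-04-27T10:09:00", "203.0.113.5", "Carol@Example.com"),
    ("2018-04-27T10:12:00", "203.0.113.5", "dave@example.com"),
    ("2018-04-28T12:00:00", "203.0.113.5", "erin@example.com"),
]


def run_sample() -> List[List[str]]:
    """Feed the sample through a monitor and return the flags per order."""
    mon = VelocityMonitor()
    return [mon.record(ip, email, datetime.fromisoformat(ts))
            for ts, ip, email in SAMPLE_ORDERS]


if __name__ == "__main__":
    for order, flags in zip(SAMPLE_ORDERS, run_sample()):
        print(order[0], order[2], flags or "ok")
```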

> One time when I tried googling for an address, I found that the person was also active on a forum for trading stolen credit card details. That was a bad sign

Ha. You don't say!

I have a genuine question that is kind of unrelated to this discussion:

What is special about Japanese candy? Is it the packaging? The ingredients?

Naive question: Why should a merchant be worried about this? Isn't it the responsibility of the CC company to back up the promised credit? If someone unauthorized used someone else's CC, then shouldn't the CC company swallow that loss?

No. CC companies protect the customer from fraud, not the vendor. Unless you have really good proof the customer isn't right, a chargeback means you lose the money and often pay a fee on top. Plus, if you are the source of too many chargebacks, they'll drop you entirely.

The credit card company charges really high fees (on the order of tens to hundreds of thousands of dollars if you have any significant volume) if you have more than 1% of all your transactions as chargebacks. The CC company doesn't swallow the loss--it's the merchant that does.

Another problem that goes away with crypto currencies.

This seems like a variation on the Zawinski quote:

Some people, when confronted with a problem, think "I know, I'll use crypto currencies." Now they have two problems.

Neither buyer nor seller is protected with Crypto Currencies.

How do crypto currencies solve this if a bad actor gets a hold of your wallet...

Don't roll your own crypto, don't roll your own fraud prevention.

Stripe include very sophisticated fraud prevention in their standard pricing and charge pennies per transaction if you're on custom pricing. Numerous third-party providers offer excellent fraud detection and prevention tools for CNP transactions. Unless you're big enough to have a dedicated fraud prevention team, just leave it to the professionals.

Stripe fraud prevention is not sophisticated at all. I have been trying different fraud prevention providers and all of them are lame. They check if the IP of the buyer matches the billing location of the card and if not they will not accept the order. So far, the best method I have discovered is to verify the order by phone. The phone number provides me with extra knowledge about my customer. I can match their buying IP address with it. I can talk to the customer in their language to verify they are who they say they are. It is not bulletproof but I have yet to see a fraudster go to that extent.

When you learn enough about your customers, you should be able to roll out your own fraud prevention solution because generic ones are broken. Here is a recent report about what works and what does not in the generic fraud prevention tools: https://www.braintreepayments.com/resources/kounts-mobile-pa...

> I have yet to see a fraudster go to that extent.

You must be in a field with relatively low-volume/low-effort fraud.

I knew of many fraudsters who used to go through phone verification to buy game currency with stolen CCs. This was back in 2011, mind you.

Those graphs are entirely survey-based and subjective, there's no metrics at all, and it's also an advertisement for Braintree's fraud service.

Look at the original report that the graphs are based on. I think that's where the useful data is.

Braintree's fraud prevention is poor and based on generic metrics. One of my businesses had 32% chargebacks with their service.

30% is an order of magnitude higher than the typical industry fraud-attempt rate. If 30% of orders were charged back you probably had other issues? That's pretty nuts.

Curious what kind of products do you sell?

Software for backing up sites.

> It is not bulletproof but I have yet to see a fraudster go to that extent.

There's a comment upthread in which someone describes dealing with a fraud ring that uses a call center to defeat exactly this approach. Anecdotally, I know shop owners who have also dealt with would-be fraudsters who will happily talk to them over the phone.

Which is not to say that your experience is anything less than completely valid! It just might not encompass the whole of the range of possible valid experiences.

I've never used Stripe specifically, but in my experience it's always good to have your own layer of fraud prevention, because if too much fraud reaches whoever is providing your payment processing, they will terminate your account.

Beyond that, a few simple checks will make most fraudsters move onto other websites. It's not about being bulletproof, it's about being harder to abuse than the others.

I think the point is that it's very hard to do as good a job as providers like Stripe and SiftScience will do (assuming machine learning against fraud is not your core competency) - they take into account a lot of the signals you might take into account anyway if you feed them clean data. Better to focus on sending them the clean data.

Totally false. Machine learning is not my company's core competency, but we do have a team of data scientists (myself included). Most of the data we get from our data providers is garbage by itself, but using our own data along with features from providers, we are able to pick out a huge amount of fraud.

These types of models are actually quite simple to build and implement if you actually have data.

Exactly the opposite. Generic fraud checks will perform worse.

They're not generic, though. Those providers build custom ML models specifically from your data (and they pull in a ton of signals for this), and then have the data of many other merchants to work with.

At a previous employer we found both of those products to be effective.

These systems are the most frustrating to me, because it is the unusual transactions that are more important than the usual ones.

If I have eggs delivered every week, and one of those transaction fails, who cares?

If I buy a plane ticket for a flight that leaves in 30 minutes because of an emergency, I will be fucking enraged if that transaction is blocked.

Similarly if I can't pay the hotel at check-out and because of this delay I miss my flight.

Or when I arrive in a new country and can't pay for the taxi ride, and the ATMs don't work either.

All these events have happened to me.

Effective at preventing fraud, sure. But what about false positives?

If the question is whether you'll have any - of course you will! You will no matter what method you go with. At scale it's a pretty easy curve to optimize revenue on top of though, and you have to be willing to accept that bit. You know your customer LTV, you know your fraud rate/cost.

Sift gives you direct control of expected false positive rate, Radar hides that optimization under the hood I think?

Mostly agreed. I don't know anything specifically about Stripe, but I did work on fraud prevention systems for a major company. Being able to aggregate signals across multiple customers is a massive help in fraud detection - in terms of signal quality, bigger is better here.

As a simple illustrative example from the article - a large provider will have history for email addresses and street addresses. Maybe they've seen lots of orders in the past from a given sketchy email address paired with a reshipping center that were all valid, which moves the risk of a transaction from "dodgy" to "probably fine". They'll have historical information that an individual merchant just won't have.

That said, at some point you're going to need to have your own specialists involved, because the big providers aren't going to have the specific domain knowledge about your products/users to make good decisions around the margins. Plus you'll probably want to define your own tolerance for risk.

It depends.

I've worked in the e-commerce industry for more than 10 years; not having proper fraud prevention is something that can bankrupt you. If you _know your customers_, it's easy to create a simple system that would at least notify you of possible fraudulent orders and let you take manual action. Even with the recent Stripe updates, we still see plenty of payments that go through even though they should've definitely been caught, but because we have our own system in place, they get caught before doing any damage (and subsequently helping Stripe by marking the payments as fraudulent -- I wonder if I can get free Stripe credits for training their models using our own dumb heuristic based code).

There's nothing wrong with adding your own checks based on your specific needs, but you need a baseline to build from. An early-stage startup or a small business just doesn't have the expertise to build a comprehensive fraud prevention system. Fraud prevention providers have huge databases to train their models on and an enormous amount of experience and expertise.

Stripe's fraud detection heuristics are neither sophisticated nor particularly effective.

Judicious use of DNSBLs, port scanning and latency measurements, three measures which shouldn't take a competent technician more than a few days to knock together, will outperform Stripe.

If you're convinced you can outperform Stripe in a couple days, you should probably be launching your own fraud-fighting saas, because you'll make a killing. It's a literal many-billion-dollar opportunity.

I kind of want to take you up on this at a very basic level, as a weekend thing.

Create an API so you can check them all with one request.

A better approach to writing this article would be to gather a wide array of customer features, fit a model using training data from actual fraudulent/non-fraudulent orders, and then interpret the model to explain the features actually connected to fraud.

My guess would be that given there's no reason to believe a particular functional form or additivity of effects, a random forest would likely be the most effective classifier, but ultimately I'd just go with whatever empirically does best on the test set.

As-is the article is basically a pretty naive approach to feature engineering a few features that may or may not ultimately be useful in the real data. It's a cute anecdote, but hire a data scientist.

Slightly off-topic, but last time CandyJapan made it onto HN, I decided to sign up and give it a try, and was very underwhelmed. I canceled after two boxes. They each contained 3-4 candies, and over half of them were very basic candies such as chocolate. In total I think only a single one was the "cool" kind of candy you associate with Japan. Honestly, of the ~8 candies I tried, not a single one was even really edible or interesting.

Also, I'm not sure how much of this is their, but a lot of the candies had also melted and re-solidified into a single chunk.
