I never thought of that before. Maybe there should be a shared central repository of known good customer/address/cc combinations, or maybe that is what Stripe etc. do already.
In our case we often do something similar to this:
No order is rejected outright - but various combinations of criteria cause a manual review of the order. This prevents customers getting error messages and also avoids having fraudsters receive quick feedback.
Shipping addresses known to be forwarding mail centers or mailboxes are flagged.
If the billing address does not match the shipping address, and the IP is flagged as proxy/vpn/datacenter, etc. or is too far from the billing/shipping address, it is flagged. This allows most people to ship to their office even though the credit card is at their home address, etc.
If the billing address is too far from the shipping address it is flagged. Fraudsters are limited to using cards that have billing addresses in a close range to where they can receive goods.
The machine learning system gives a score and various thresholds of that score are used to trigger in combination with other factors.
Flagged items are manually reviewed. Sometimes customers are called to do human verification.
Some still get through, but I just implemented one a few weeks ago and saw 99% reduction in fraud orders, and a 90% reduction in man-hours for reviewing orders. In most cases, the fraudsters will just see that it is no longer worth their time and move on to easier targets. Obviously this particular store had a serious problem due to a high level of automation and an easily resalable product. The margin of the product and relatively low shipping costs allowed the fraud to get to pretty high levels before they really focused on it.
TLDR: don’t be last, second to last is still OK. I guess.
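The review rules listed in the comment above, written out as a small rule engine. This is an added example, not code from the thread or from any store it describes. The field names, the distance and score thresholds, the reading of "too far" as far from both addresses, and the way the ML score combines with other signals are all assumptions.

```python
from dataclasses import dataclass, replace
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds: the comment describes the rules but gives no numbers.
MAX_BILL_SHIP_KM = 150.0      # billing/shipping distance that triggers review
MAX_IP_KM = 500.0             # IP geolocation distance treated as "too far"
ML_REVIEW_ALONE = 0.90        # ML score that triggers review by itself
ML_REVIEW_WITH_SIGNAL = 0.60  # ML score that triggers review with another signal


@dataclass(frozen=True)
class Order:
    billing_addr: str
    shipping_addr: str
    billing_geo: tuple         # (lat, lon) of the billing address
    shipping_geo: tuple        # (lat, lon) of the shipping address
    ip_geo: tuple              # (lat, lon) from IP geolocation
    ip_is_anonymizer: bool     # proxy / VPN / datacenter range
    ships_to_forwarder: bool   # known mail forwarder or mailbox center
    ml_score: float            # 0.0 (clean) .. 1.0 (likely fraud)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def review_reasons(o):
    """Return the list of rules that send this order to manual review."""
    reasons = []
    mismatch = o.billing_addr.strip().lower() != o.shipping_addr.strip().lower()
    # "Too far" here means far from BOTH addresses (assumed interpretation).
    ip_far = min(haversine_km(o.ip_geo, o.billing_geo),
                 haversine_km(o.ip_geo, o.shipping_geo)) > MAX_IP_KM

    if o.ships_to_forwarder:
        reasons.append("forwarder_address")
    # A mismatch alone is fine (ship-to-office); it needs a suspicious IP too.
    if mismatch and (o.ip_is_anonymizer or ip_far):
        reasons.append("address_mismatch_and_suspicious_ip")
    if haversine_km(o.billing_geo, o.shipping_geo) > MAX_BILL_SHIP_KM:
        reasons.append("billing_far_from_shipping")
    # ML score thresholds combine with the weaker signals.
    soft_signal = mismatch or o.ip_is_anonymizer or ip_far
    if o.ml_score >= ML_REVIEW_ALONE or (o.ml_score >= ML_REVIEW_WITH_SIGNAL and soft_signal):
        reasons.append("ml_score")
    return reasons


def decide(o):
    """Never reject outright: accept or queue for manual review.
    The customer-facing message is identical in both cases, so a fraudster
    gets no quick feedback about which rule fired."""
    reasons = review_reasons(o)
    return {
        "status": "manual_review" if reasons else "accept",
        "reasons": reasons,
        "customer_message": "Thank you, your order has been received.",
    }


def sample_orders():
    """Constructed sample orders (not real data)."""
    home, office, miami = (30.2672, -97.7431), (30.4000, -97.7200), (25.7617, -80.1918)
    base = Order("12 Home St, Austin TX", "400 Office Blvd, Austin TX",
                 home, office, home, False, False, 0.20)
    return {
        "ship_to_office": base,
        "office_via_vpn": replace(base, ip_is_anonymizer=True),
        "far_shipping": replace(base, shipping_addr="9 Beach Rd, Miami FL",
                                shipping_geo=miami, ip_geo=miami),
        "forwarder": replace(base, ships_to_forwarder=True),
        "medium_score": replace(base, ml_score=0.70),
        "medium_score_same_addr": replace(base, shipping_addr=base.billing_addr,
                                          shipping_geo=home, ml_score=0.70),
    }


if __name__ == "__main__":
    for name, order in sample_orders().items():
        result = decide(order)
        print(f"{name:24s} {result['status']:14s} {result['reasons']}")
```
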
They have databases of "known addresses" so if your order doesn't match, it can be hard.
(They keep the old addresses too, as an attempt to get the UPS automated phone center to hold for pickup one time ended up with them shipping the clothes to an 8-year-old address of mine in an adjacent state.)
It should be an issue for you. That is because PayPal is stopping a lot of payments with false positives. I live outside the US and using PayPal is generally a pain in the ass.
If it's true I'd expect that we'd get a lot more complaints from customers that their cards are being rejected.
In particular, credit card settings are multi-step and all done on the PayPal site, I wouldn’t imagine going back to some merchant site to complain about that process.
In the absence of any hard data on this, I'm writing it off as anecdotal.
The Internet is full of these stories from people with good karma. Just look for it on the Internet. Probably you are from one of the few countries where the experience is different.
Obvious freight forwarder + foreign IP + local US credit card with the wrong billing address...doesn't raise any suspicions from them.
I was visiting the Philippines recently, and wasn't able to withdraw cash - the ATMs (I've tried different banks' ones) were rejecting me with a generic error message. So I've contacted my bank to check what's wrong and if they're blocking me for any reason. Turned out that they haven't seen any transaction attempts at all - like something along the path wasn't working (no clue, really). The suggested method of trying an ATM in a different part of the city worked.
I've also had issues with some payments via PoS terminals. Normally, when payment fails I get a push notification about the failure - but none happened at those times. So, I guess, this could be similar.
The banks still advise customers to inform them when travelling, but I've not found that to be necessary when in countries with chip and PIN. (If I'm going outside Europe I will inform the bank of my main card, but in South America, Asia, Africa there will be some point where it isn't accepted, and I use a backup card -- that bank doesn't know I'm travelling.)
The USA used to be the problem -- about once a year, someone in the office would get a robot phone call from the bank saying their card had just been blocked due to suspect activity in the USA. That should be becoming a lot less common.
There is always a defcon pwn
The idea behind chip is that the transaction result is written back to your card, something mag stripe cannot do. I had a family-related fraud where my son used my card in store to buy a few video games. Over the phone Amex told me to go to the bank, which was able to show me this card had been swiped physically in the store because confirmation hashes were written on the chip of my card.
I was told that up to 16777264 transaction hashes can be written on one chip before the overwrite process starts.
So at this point you won't get your money back if you have your card present but claim someone made a copy, because they will simply pull data off the card.
Side issue: Europe switched to touch credit cards some 3 years ago. It's insanely fast; you don't even touch the reader, you just wave your card and the transaction is approved. You will need to wait another 5-8 years for that in the USA, though.
Back in the day, eBay had ludicrously good fraud rates (and hundreds of engineers working on models, from what I heard). We hired a few people from them and were quite proud to achieve rates in the same ballpark with orders of magnitude less traffic.
Could a Blockchain/DHT solution work for this? Normalize and hash the data and send it to the network to check its karma. If there's no karma then it's a new customer, otherwise the karma tells if it's a good/bad customer. Then after they buy you add or reduce a karma point.
Would there be a way for someone to reverse/bruteforce the hashes to figure out people's information?
Use existence in the DB (weighted by number of instances) as a probability of not-fraud.
My guess is Shopify, Stripe, etc are doing something like that when they send "this might be fraud, you should review" alerts.
- Orders are placed with stolen credentials with correct billing info that matches AVS.
- Ship-to addresses are located near billing info, typically in the same state/metro area.
- They are often rural addresses, trailer parks, what appear to be rent houses that may be empty.
- Phone number provided has correct area code and rings a call center that has stolen billing info available and will confirm billing address order details verbally.
- IP is geolocated at/near the billing info area via a proxy.
- Email addresses are often set up on custom domains.
We catch them, but only because they don't vary the pattern much and we know what to look for. I don't know how fraud tools would be able to effectively filter in these cases without a lot of false positives.
Yeah, I'd assume someone with a email@example.com email and a web presence is probably an indicator it's legit rather than fraud :)
That's correct, but not at all correlated with us being likely to commit fraud.
It's 79% certain the office LAN NAT gateway IP is a VPN/proxy/bad.
My work desktop's static IP gets 23%, so that's something.
My home IP gets 60%.
(Is this thing just connected to a random number generator?)
At order time I create a Google Map of the delivery address and this shows on checkout success. It also shows in the admin side with a live Google Map. If Google can get the address right then the postman probably can is the thinking.
This reduces delivery problems immensely as anything that cannot be shown on a map goes on automatic hold.
Money wasted on delivering the wrong products to people, e.g. after they have managed to cancel their order, plus the costs of back room accounting/customer service is a far bigger cost than fraud.
In your experience did you have savings to be made in your operation in shipping/customer service, to optimise that before tightening up on fraud prevention?
Or do you sell expensive items in a low-ish volume where a single fraud wipes out all of your profits rather than just cost $20 or so?
We ended up disabling the AVS system and implementing our own internal system which has been nearly perfect - but we still lose a number of legitimate customers who are unable to pass the automated verification.
Meanwhile, people who are simply trying to get flexible--or, in the case of someone using a Google Voice number on a Google account with 2FA and a strong password, a more secure phone number than T-Mobile could provide--communications are needlessly punished.
If it was a smaller company and more of an impulse buy I could see a bad system definitely hurting sales. I'd probably not order from Newegg again if they weren't one of the few places that ship hard drives correctly and have reasonable prices.
Happily used AWS ever since.
Wish I could remember what the first step was, think it was pretty informal too, but can't be sure. Just remember feeling dumbfounded they wouldn't simply come back with another option.
Fender apologized and gave me the part number for the exact model I wanted and suggested I try third party stores.
EVGA was annoying. They called me at 10 am to confirm details, put me on a three-way call with my bank and I thought that was it. For whatever reason they tried to call me again the following day but I couldn't answer; when I called them back they told me they cancelled my order. They said my billing details didn't match (simply not true, I've used that address countless times and checked my order confirmation), and that my phone area code didn't match where I lived (no shit, people move...). I decided to just never buy from them again, since there are plenty of other GPU manufacturers.
I tried to order from a computer component retailer here in Canada. They specifically called out that my information needed to match, so I went and logged into my credit card's online portal and copied and pasted my information directly.
However what I didn't think to copy and paste was my own fucking name.
After charging my card and taking my money automatically, they then seemingly manually went to review the transaction and found that something didn't match, though were apparently unsure as to what that might be. When I sent them a screenshot of my online banking portal showing all my information with a "Wtf?" their response was "Oh, it's probably your missing middle initial. Also we've already refunded your order so there's nothing we can do. You should have your money back in a week."
When I asked them why the hell on top of a completely user-hostile validation process they then make it worse by cancelling and processing the refund before even calling me or emailing to give me a chance to correct the information, their response was basically that that's how they have to do it and it's outside their control and shrug.
Needless to say when I finally got my money back a week later I spent it elsewhere.
Nowadays I go out of my way to buy from big stores like Amazon that already have this figured out, rather than buying directly from the manufacturer.
This ended up costing me a lot of time as I called my bank, tried the order again, called the bank again, tried different credit cards... eventually I figured out the IKEA reps were just lying, and they had flagged all orders under my name and address without telling me. Infuriating.
What I don't understand is why the US was not able to set such a system up, but I assume it's related to the general distaste for chip+pin, as well as any sensible security mechanisms for online banking. Yes, pushTan and mobileTan are usable, but they only work if you have a phone you trust with the deductible applicable in case of phishing, or, if you have actual reason to not trust it, the daily online banking limit.
I never saw a shop accept these. Most of the times it is a regular wire transfer, sometimes PayPal with fees or via invoice. Nowadays many shops also do credit card.
If you scroll down here (https://www.giropay.de/haendler/) you can see that several more big shops (albeit not many) accept giropay.
Edit: isn't this how Stripe Radar works?
The cost of fraud is chargeback fee (usually ~15 bucks) + merchandise. It gets expensive fast. Every modern e-commerce business has to be fighting it now to stay alive. For certain SaaS / Software products the cost of failing to fight it is a tad lower, but for physical products it's killer.
that's the least of the cost. the real cost of chargebacks is in the processing rate increases.
We have a lot of those each month.
What is more important is to have a smart way to detect the frauds. Most clients that had received false positives never came back even with discount codes and apologies. Nobody likes getting stuck on a checkout page with an error message telling them they are in the wrong.
A savvy business will know (or can estimate): customer lifetime value, false/true positive/negative rates of their fraud detection system, rate of charge-backs, expected rate of fraudulent purchases, revenue from given suspected transaction.
If average discounted customer lifetime value is $10k, charge-back rate is 2%, your fraud detection false positive rate is 0.1% and true negative rate is 99.9%, fraud detection true positive rate is 95% and false negative is 5%, customer is purchasing a $20 item. Then
* expected revenue if purchase is fraudulent: $0 * (true positive rate) - $20 * (false negative rate) = -$1
* expected revenue if purchase is non-fraudulent: $20 * (true negative rate) - $10k * (false positive rate) = $9.98
* total expected revenue value (with fraud detection enabled): (expected revenue if purchase is fraudulent) * (rate of fraudulent purchases) + (expected revenue if purchase is non-fraudulent) * (1 - rate of fraudulent purchases) = $9.7604
Without fraud detection, your expected revenue is: $20 * 0.98 = $19.6
Simplifying assumptions: false positive results in complete loss of customer value (realistically, replace this with big drop in customer lifetime value). Fraud rate is constant (realistically, should be modeled). Fraud rate is charge-back rate.
In this case, it's easy to see that seemingly low 0.1% false positive rate is still too high for this small of a purchase and these customer lifetime values. The 'smart' decision would be to ignore fraudulent purchases of this size in this case. (for this scenario, you need FPR below 0.004% with all else same)
Better model still would be a fraud detector that outputs a confidence score rather than "yes/no", and use the formula above to determine if the predicted false-positive-rate at this confidence level is sufficiently high to expect a revenue uplift from enabling the detector.
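The calculation in the comment above, generalised to any order value, as an added example that is not part of the original thread. Function and parameter names are made up for illustration. The break-even formula assumes that with no detector every fraudulent order loses the order value, which is the baseline under which the comment's 0.004% threshold comes out.

```python
def expected_with_detection(order_value, clv, fraud_rate, fpr, fnr):
    """Expected revenue per order with the detector on, using the comment's
    formula. fpr = false positive rate, fnr = false negative rate."""
    tpr, tnr = 1.0 - fnr, 1.0 - fpr
    # Fraudulent order: caught -> $0, missed -> lose the order value.
    fraud_branch = 0.0 * tpr - order_value * fnr
    # Legitimate order: passed -> earn the order value,
    # wrongly blocked -> lose the customer's lifetime value.
    legit_branch = order_value * tnr - clv * fpr
    return fraud_branch * fraud_rate + legit_branch * (1.0 - fraud_rate)


def expected_without_detection(order_value, fraud_rate, charge_fraud_loss=True):
    """Expected revenue per order with no detector.
    charge_fraud_loss=False gives the comment's $20 * 0.98 figure;
    True (assumption) also subtracts the order value on each fraud."""
    revenue = order_value * (1.0 - fraud_rate)
    if charge_fraud_loss:
        revenue -= order_value * fraud_rate
    return revenue


def break_even_fpr(order_value, clv, fraud_rate, fnr):
    """False positive rate at which the detector stops paying for itself.
    Setting expected_with_detection == expected_without_detection (with
    fraud loss charged) and solving for fpr gives:
        fpr* = p * V * TPR / ((1 - p) * (V + CLV))"""
    tpr = 1.0 - fnr
    return fraud_rate * order_value * tpr / ((1.0 - fraud_rate) * (order_value + clv))


def detection_pays(order_value, clv, fraud_rate, fpr, fnr):
    """True if enabling the detector raises expected revenue for this order size."""
    return (expected_with_detection(order_value, clv, fraud_rate, fpr, fnr)
            > expected_without_detection(order_value, fraud_rate))


def sweep(order_values, clv=10_000.0, fraud_rate=0.02, fpr=0.001, fnr=0.05):
    """Per order value: (break-even FPR, whether the detector pays at this fpr).
    Defaults are the numbers from the comment."""
    return {
        v: (break_even_fpr(v, clv, fraud_rate, fnr),
            detection_pays(v, clv, fraud_rate, fpr, fnr))
        for v in order_values
    }


if __name__ == "__main__":
    print("with detection, $20 order:",
          round(expected_with_detection(20, 10_000, 0.02, 0.001, 0.05), 4))
    for value, (limit, pays) in sweep([20, 200, 2000]).items():
        print(f"order ${value}: break-even FPR {limit:.5%}, detector pays: {pays}")
```
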
So they took my money, decided they wouldn't sell to me, then I had to wait a week to get my money back.
At no point did they so much as call or email me to try and see if we could correct any issues with the information before initiating the refund.
I've spent more on identical products from other retailers just to avoid them.
I didn't use NewEgg again until 2017 as a direct result. That one bounced transaction (and frankly how they handled it) cost them six years worth of business that Amazon got (talking easily $3K+).
I think you're the edge case. Most customers will be somewhere between put out and outright angry.
I’ve only been flagged once, and that was when I was a new B&H customer. A quick phone call fixed the problem and in spite of changing addresses at least ten times since then, haven’t had a problem since.
However, it is occasionally a problem that B&H won’t ship to hotels.
We noticed that legit customers tended to take their time on our site. They would look at several pages and not immediately add something to the basket and checkout.
Of course, some legit customers would demonstrate the same pattern particularly when a new phone was launched - but that wasn't too common.
So if the user spent less than five mins on the site before checking out, or if they only looked at one product page, then that order would automatically be flagged for manual review. 60% of those orders were rejected.
I placed an order to be shipped to my new address from a merchant I'd ordered a dozen times before for home and work. 2 days after the day the order was supposed to ship, they suddenly canceled it due to "security reasons".
I've stopped using that merchant.
Also, the regex is longer than the (reasonably clear) code which generates it…
I was selling something on eBay (a phone) and I got a really weird address, it was a shipping center.
I googled around because I got a strange vibe, apparently, this shipping center had this issue all the time and didn't really care to stop it. I got a horrendous review from the person because I canceled the order and refused to ship it.
I am wondering if fraud is honestly the business model of shipping centers. I can't really think of a good use for them nowadays, especially in a consumer context.
1 - I may buy a lot of things from Amazon. It's cheaper to pay US shipping for X times (sometimes they are free) and only one international shipping to my country.
2 - Customs taxes, etc. The company I use for reshipping takes care of everything. I pay them and they deliver the items to my house at the time I ask them to do it. If not, due to the policies of my country customs, I would have to attend a custom office for every item I purchased, which is a pain in the ass.
Don't discriminate against us, please.
So say you order something and are not sure when it will ship out: they'll ship it to their mail forwarder, which then overnight ships all their packages and box of mail to them when they know they'll be in an area; they'll use general delivery to a post office or campground if they allow receiving mail on your behalf there.
If you stayed in an area for a week or two you can have everything sent there, or if you know you'll be passing through X town in a week, you can go ahead and 2 or 3 day ship something there to be ready to pick up once you get into town. Basically they hold everything until you tell them to send it to you.
Some will even list your envelopes, and you can request that they open and scan them. So if you get an important letter and you are RVing in Utah or all the way in London you can still read your mail.
In the case of eBay sellers with American addresses, it's not a Chinese seller pretending to be American, it's an American seller pretending to have stock. They just place the order on a Chinese site with your address as the shipping address. You're still doing business with an American, which is presumably what you wanted when you chose a seller with a US address.
The Australian Postal Service even runs their own in the US, in order to allow Australians to order from the likes of Amazon:
This is awful.
I create random e-mail addresses for every online merchant I have to interact with. It's by far the best way to avoid both real spam and "promotional message" spam.
I don't even use my "real" domains, because anybody who knows my name and the domains I use can construct my personal e-mail addresses. I have special domains dedicated to online commerce, and they look pretty random.
What do you want merchants to do? It appears you have gone out of your way to make sure all your information is completely unconnected to you, which is exactly the case for someone committing fraud.
I have the same system. It achieves 100% reliable spam protection with zero false positives and zero false negatives. It's a perfect system, if I follow some basic rules. It also eliminates phishing, except in case of unannounced data leaks. I mark e-mails received from random e-mail addresses I generated in the past with green color, so it's immediately obvious what is legitimate and what is not.
It'd be a bit ironic if someone would think that I'm a fraud, because of this system that is designed to protect me from fraud. :D
Never had an issue with businesses accepting my addresses, except one person looking at me strangely, when I was opening a bank account with a random email address, when I told him that no, I'll not repeat the address to him. :)
All the person on the receiving end has to do, is open the email address domain in the browser, and there's an explanation what's up right there.
If I were a fraudster I'd make an address that looks perfectly ordinary. It's so weird for someone to assume that weird looking address indicates fraud.
I mean, they aren't assuming that... they are basing it on data. They have lots of data on fraudulent purchases, and apparently that is one of the indicators.
People don't understand email, apparently.
Become modern? Make wire transfers fast enough to be usable for purchases online. Securing the bank account could be done then with 2FA (smartcard, phone whatever).
Accept a certain amount of loss in exchange for fair customer treatment. Obviously this isn't binary, but for something like an email address, it can be considered a factor, but should not be a determining one.
"accepting loss" gets priced accordingly. personally, i'd rather give merchants my real email address and not pay an extra fee simply to give you the privilege of keeping your email address secret.
If you want to make yourself indistinguishable from a fraudster, please find a way to do it without affecting the price everybody else pays.
Of course, just being "flagged" as is the case here instead of rejected is fine. It's larger companies that use these heuristics as their final answer that are the problem, and we shouldn't blame/punish legitimate customers.
but you do think it's fair to expect a company to cater to the relatively unique way you use email?
The article specifically states that no one indicator will result in a payment being denied. There aren't any determining factors in this system
Do they compensate for lost business because of false positives? The problem is that even the wannabe seller cannot quantify it.
On several occasions I have not been able to order something online, because they would not accept my card.
They have so much more volume and cost absorption capability that they could spin up a much more talented / sophisticated detection group than any individual bank or merchant could, you would think? And charge for it accordingly?
Every time a customer gets a charge due to fraud, they file a chargeback. If we are able to contest it, all is well, otherwise they hit you with a $25-$35 fee PLUS the charge is reversed, so depending on margins you are out your costs on the transaction as well.
If the # of fraud transactions gets bad enough (even if you are working with them diligently to get things under control) and you are not able to stop it, they will charge you a chargeback penalty fee.
This essentially says you are high risk and so now give us 50,000 or 100,000 dollars or you can't accept credit cards AND you have X days to resolve this and get your chargeback rate to a reasonable level or we will hit you with another, bigger charge in 30/60/90 days or whatever the risk management department wants.
They may also come back and say now we've told your processor (stripe, braintree, etc) that THEY need to charge you more because we are charging them more to deal with you. So instead of 2.5% of each transaction they are getting 3% for example.
It all adds up to billions across the world economy, it costs them only to deal with it administratively and they are collecting many many times that in fees from the merchants. It is very much a scam and the average customer doesn't realize the massive hit companies can take for the convenience of Credit Cards.
- happens globally (far outside of local police jurisdiction)
- per event small monetary value
- widespread but difficult to tell how connected (is it tens of thousands of fraudulent events from a single actor or tens of thousands of different actors?)
All of which adds up to there not being a clear-cut law enforcement agency to handle these types of things (aka you can't reasonably ask the local police to help you track down a scammer in Singapore).
I think the one case that law enforcement did act on was a group that was using a newly built neighborhood as a drop point for stolen goods. It was complete enough that there were addresses to ship to, but nobody was living there yet, so it was easy to just pick up packages off the front steps. From what I heard, the police ended up picking up some guy with a truck full of iPods who was just going house to house picking up the deliveries.
In my city a friend of mine had some checks stolen out of his car when he was out of town. The check info was used to pay for some utility bills. Reported to the police and no one gives a shit. The police know where the criminals live. They paid their electricity with it. Nothing done. Compared to online fraud this was a simple bust waiting to happen.
Corporate tells them to just let it happen. Presumably, it all gets charged to insurance.
Or they're a seller with higher prices that is willing to do the oh-so-dangerous thing known as international shipping. The hits make up for it.
As a here-and-there Ebayer, I price things high and I'll ship to any developed country. My issues are mostly when shipping domestically.
They're in an ideal position to 1) pro-actively notify the card owner and get them a new card, and 2) potentially give the authorities something more to work with than an individual store like Candy Japan.
Your gateway would tell you that as a merchant, it's your job & responsibility to accept a charge & related risk of fraud. Well, if big guys handling billions of payments can't catch fraud, it's quite easy for a small guy to miss it as well.
When you are selling a digital product, it's very difficult to win a chargeback. Some low level bank employee hardly cares about your meticulous documentation & proof that you delivered the product.
3D secure is one way to shift liability to issuing bank but it only works for the first charge (not recurring subscription). There are lots of reasons for getting hit by incorrect chargebacks e.g. mistake on part of a customer because they didn't recognize, customer's card getting stolen midway during a subscription, unhappy customer who wants a refund after using your service for months etc.
I wish the industry would side with the merchant as well at times i.e. maybe a rating system to see how easy is the merchant's cancellation / refund policy etc.
(I work for one, which makes me especially interested in this topic. But I don't work in that particular area, nor do I speak for my employer.)
It makes me wonder whether some sort of collaborative fraud detection might be possible. As the merchant, you have access to additional information that the credit card company lacks -- things like the customer's name and the delivery address are (as this article explains) very helpful in detecting fraud, and these are data that the credit card company does not have access to. And of course the credit card company has access to information like the customer's purchase history and their recent transactions, which are useful for identifying fraud from a different direction. If both sources of data were available, it might be possible to detect a higher percentage of fraudulent purchases, and merchants who ship goods could be provided with the information so they could delay or cancel the shipment.
Do you think merchants would be interested in such a program?
IME, credit card fraud detection is a user experience nightmare. There are dozens of false positives per true positive, and the confirmation system is implemented with little regard for the user: I'm not given a reason my purchase is denied, so I have no idea what's going on or a tip on how to solve it (I know the security reasons for it, but that's the credit card company's problem, not mine - find a better way); the confirmation request is delayed, so that I've already had to move on to other solutions (call the vendor, try another order, vendor, or credit card); and the confirmation is not integrated with the purchase - the purchase is denied, it isn't put on hold so I can respond to the confirmation, and I have to start all over.
I know I'm not supposed to use all caps on HN, but I HATE the purchase experience. It wastes a lot of time, sometimes an hour or more, and is incredibly frustrating. I'm doing nothing wrong; I don't like the credit card company using my time like it's worthless nor do I enjoy being treated like a criminal for making a simple purchase. I purchase less online because of the experience.
Would I want/trust merchants to have this information? No.
Depending on your scale you may be using 3rd parties like Sift Science or Stripe Radar, or roll your own fraud detection system.
Flagging orders as potential fraud is the easier part these days. The difficult part is how to come up with a process to verify these flagged orders. This process needs to be simple and quick, because essentially you are saying to your customer: we think you are a fraud, and can you prove that you're not.
Banks' merchant checks to verify flagged orders are extremely cumbersome. They require you to call a special phone number (which is different for each bank) and provide customer Name, Billing Address, Billing Phone and Credit Information. Then they can only give you a response whether it is a match or not. They can't tell you whether it has been reported stolen or anything else, for privacy reasons. At scale this is a very time-consuming process. It becomes even more cumbersome if you are a security-conscious business and do not store customer credit card information. In that case you have to communicate with the customer, asking them to call you to provide their credit card information again.
There are solutions like 3D Secure but they are not widely supported and add their own problems. It is high time credit card companies start providing merchants with a 2nd factor check for transactions. For example, maybe once a transaction is placed with a merchant, they can trigger a 2nd factor check whereby the bank automatically sends a code to the email/phone number on file. If the customer is able to provide a correct code, the merchant can proceed with the order.
Fraud detection will always remain a point of contention between customers and businesses. I just hope businesses make sensible decisions based on their situation. For example, I have seen legitimate customers with all the above cases mentioned in the article.
This thread has honestly made me really appreciate what I have available to me compared to some countries.
A wire costs $50-100 (or more for international) per transaction, no matter what the amount.
A bank transfer (ACH) can take several weeks or more depending on how much both banks trust each other and the type of account you have. Here's a fun read: https://engineering.gusto.com/how-ach-works-a-developer-pers...
That is not what 3D Secure provides? With 3D Secure, I receive a code from my bank through SMS, I then transmit this code to the payment processor.
Will they? Or will they return it to sender with a bad address note? Would the rates be different by country?
I suppose the post office decided to do some digging and managed to deliver correctly.
My buyer reports it isn't the first time that's happened to him.
At one time you could send a letter to a particular famous person (I can’t remember if it was an actor named “Rip” or Mr. Ripley from “Ripley’s Believe it or Not”) by simply putting a rip in a blank envelope.
I bet the U.K. has massive departments for this since so many addresses are just something like “Stuffypants House, Humberside.”
British people who live in places with addresses like that tend to go the opposite way, and add superfluous lines:
Lord and Lady Cockwomble
near Thornton Curtis
When the official database (and preferred form) for the address will have something like
The postcode tends to identify between one office in a building and about 30 houses, so with that and the building name/number the rest doesn't matter. You can paste that one into Google and change the last letter to see it move slightly.
It's beyond me why so many merchants opt for the revenue-losing and customer-hostile choice to silently cancel flagged orders and let their competitors run away with the money, while they could easily get a safe sale by making a non-negotiable offer to use an irreversible payment method when a credit card gets flagged.
This reverses the trust issue, it's then up to the customer to determine if he trusts the merchant enough and is willing to give up the additional protection that a purchase on a credit card may offer - some of which the merchant may offer instead - to get the item he wants.
You can add to that using the first few digits of the credit card to look up the card issuer. If the card is from a bank that does not have a presence in either the region the order is coming from or the region it is being shipped to, that order probably merits a closer look.
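The issuer-region check described in the comment above, as an added example that is not part of the original thread. The prefix table, region codes, reason strings and the choice to send unknown issuers to review are all constructed assumptions; a real deployment would load issuer data from a licensed BIN/IIN data set.

```python
from dataclasses import dataclass

# Constructed sample table: card-number prefix -> regions where the issuer operates.
ISSUER_REGIONS = {
    "411111": {"US"},
    "41111122": {"US", "CA"},  # a longer prefix overrides the shorter entry
    "520000": {"GB", "IE"},
}

@dataclass
class Order:
    card_number: str
    order_region: str     # region the order comes from (e.g. IP geolocation)
    shipping_region: str  # region the goods are shipped to

def issuer_regions(card_number, table=ISSUER_REGIONS):
    """Longest-prefix lookup of the issuer's regions, or None if unknown."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    for length in range(min(8, len(digits)), 0, -1):
        regions = table.get(digits[:length])
        if regions is not None:
            return regions
    return None

def review_reasons(order, table=ISSUER_REGIONS):
    """Return reasons to queue the order for manual review (empty list = none).

    Nothing is rejected here: a hit only asks a human to take a closer look.
    """
    regions = issuer_regions(order.card_number, table)
    if regions is None:
        # Assumption: an issuer missing from the table is worth a look as well.
        return ["issuer_unknown"]
    # Flag only when the issuer is present in NEITHER region, so a customer
    # ordering from abroad to a home address in the issuer's region passes.
    if order.order_region not in regions and order.shipping_region not in regions:
        return ["issuer_absent_from_order_and_shipping_region"]
    return []

if __name__ == "__main__":
    sample = [
        Order("4111 1111 1111 1111", "US", "US"),
        Order("4111 1100 0000 0000", "CA", "CA"),
        Order("5200 0000 0000 0000", "US", "GB"),
    ]
    for o in sample:
        print(o.card_number, review_reasons(o) or "no review needed")
```
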
Though looking at it from the other side, using a proxy should probably count against you a little.
What if it is a legitimate order? You don't want to turn down a real customer?
I presume if you try contacting the person and asking them if it is a fraudulent order, they will deny it. (I suppose if you can't reach them, that is good enough indication to cancel the order as fraudulent.)
Can you call the credit card companies or payment processors and ask them to do their own fraud checks to see if it is okay, or are they going to leave you on the hook if it still goes bad? (I suspect the latter.)
This would have prevented 3 of the problems on this list, and would also result in a much lower rate of failed deliveries (expensive)...
It seems that a common pattern that’s arising is for a bad actor to use a foreclosed property or rental to ship to, within spitting distance of the billing address, then have the carrier redirect to a pickup store, such as the Fedex store.
They have absolutely no problem walking into the store and signing off, all on camera. Troubling times.
There are some settings, or at least an overview in the dashboard where you can see if the address was verified and it matched the one on the card. Using billing / shipping address in your order form is obviously for this reason.
Ha. You don't say!
What is special about Japanese candy? Is it the packaging? The ingredients?
Some people, when confronted with a problem, think "I know, I'll use crypto currencies." Now they have two problems.
Neither buyer nor seller is protected with Crypto Currencies.
Stripe include very sophisticated fraud prevention in their standard pricing and charge pennies per transaction if you're on custom pricing. Numerous third-party providers offer excellent fraud detection and prevention tools for CNP transactions. Unless you're big enough to have a dedicated fraud prevention team, just leave it to the professionals.
When you learn enough about your customers, you should be able to roll out your own fraud prevention solution because generic ones are broken. Here is a recent report about what works and what does not in the generic fraud prevention tools:
You must be in a field with relatively low-volume/low-effort fraud.
I knew of many fraudsters who used to go through phone verification to buy game currency with stolen CCs. This was back in 2011, mind you.
Braintree's fraud prevention is poor and based on generic metrics. One of my businesses had 32% chargebacks with their service.
There's a comment upthread in which someone describes dealing with a fraud ring that uses a call center to defeat exactly this approach. Anecdotally, I know shop owners who have also dealt with would-be fraudsters who will happily talk to them over the phone.
Which is not to say that your experience is anything less than completely valid! It just might not encompass the whole of the range of possible valid experiences.
Beyond that, a few simple checks will make most fraudsters move on to other websites. It's not about being bulletproof, it's about being harder to abuse than the others.
These types of models are actually quite simple to build and implement if you actually have data.
At a previous employer we found both of those products to be effective.
If I have eggs delivered every week, and one of those transaction fails, who cares?
If I buy a plane ticket for a flight that leaves in 30 minutes because of an emergency, I will be fucking enraged if that transaction is blocked.
Similarly if I can't pay the hotel at check-out and because of this delay I miss my flight.
Or when I arrive in a new country and can't pay for the taxi ride, and the ATMs don't work either.
All these events have happened to me.
Sift gives you direct control of expected false positive rate, Radar hides that optimization under the hood I think?
As a simple illustrative example from the article - a large provider will have history for email addresses and street addresses. Maybe they've seen lots of orders in the past from a given sketchy email address paired with a reshipping center that were all valid, which moves the risk of a transaction from "dodgy" to "probably fine". They'll have historical information that an individual merchant just won't have.
That said, at some point you're going to need to have your own specialists involved, because the big providers aren't going to have the specific domain knowledge about your products/users to make good decisions around the margins. Plus you'll probably want to define your own tolerance for risk.
I've worked in the e-commerce industry for more than 10 years; not having proper fraud prevention is something that can bankrupt you. If you _know your customers_, it's easy to create a simple system that would at least notify you of possible fraudulent orders and let you take manual action. Even with the recent Stripe updates, we still see plenty of payments that go through even though they should've definitely been caught, but because we've our own system in place, they get caught before doing any damage (and subsequently helping Stripe and marking the payments as fraudulent -- I wonder if I can get free Stripe credits for training their models using our own dumb heuristic based code).
Judicious use of DNSBLs, port scanning and latency measurements, three measures which shouldn't take a competent technician more than a few days to knock together, will outperform Stripe.
My guess would be that given there's no reason to believe a particular functional form or additivity of effects, a random forest would likely be the most effective classifier, but ultimately I'd just go with whatever empirically does best on the test set.
As-is the article is basically a pretty naive approach to feature engineering a few features that may or may not ultimately be useful in the real data. It's a cute anecdote, but hire a data scientist.
Also, I'm not sure how much of this is their, but a lot of the candies had also melted and re-solidified into a single chunk.