
There are services that do this. Several retail stores I consult for have transaction filtering through an independent fraud detection service which has its own blacklists of hashed CC numbers, emails, and street addresses. They also evaluate the IP address, distance from billing and shipping addresses and a slew of other factors.


Criminals have many tools that can circumvent these systems though and many are very hard to defeat while still providing a smooth customer experience. There are entire web browsers developed by Russian groups that exist solely to clone the entire fingerprint of the victim, complete with session cookies. A lot of bank fraud happens this way... a hidden RDP service is installed on victims' machines and then sold online so you can just remote into their computer, log in to their bank and nobody is the wiser. There are services to conduct COBs (change of billing) so you can get new credit cards shipped to fake addresses under the attacker's control. And nearly all online bank account/CC sellers usually include cookies with the stolen cards now. Criminals have quickly figured out that a VPN in the general location of the victim is no longer good enough and they've adapted much faster than security systems can keep up with. There's also still a very big and unfounded trust system between certain merchants and certain banks. For example, AMEX cards sell for much more on the markets because many merchants (including Amazon) will usually assume trust in those cards even if other factors seem a bit off and will often ship products before fully confirming the transaction, so even if the card is flagged, it's likely a criminal could still steal a product or two. This is nonsense and despite being well-known information to anyone that's spent even a little time researching fraud networks, it remains an exploitable loophole.


I don't doubt that your statements are true. However, services like this do stop a lot of fraud. If you do not have some basic filtering in place, it is that much easier for the less sophisticated fraudster. The particulars of your business will definitely affect the ability to stop some types of fraud. However, if you are shipping a product to your customer you can make fraud pretty hard. It will depend largely on the product you are selling. You have to increase the effort required to successfully get a product shipped so that it exceeds the profit that can be made from it.

In our case we often do something similar to this:

---

No order is rejected outright - but various combinations of criteria cause a manual review of the order. This prevents customers getting error messages and also avoids having fraudsters receive quick feedback.

Shipping addresses known to be forwarding mail centers or mailboxes are flagged.

If the billing address does not match the shipping address, and the IP is flagged as proxy/vpn/datacenter, etc. or is too far from the billing/shipping address, it is flagged. This allows most people to ship to their office even though the credit card is at their home address, etc.

If the billing address is too far from the shipping address it is flagged. Fraudsters are limited to using cards that have billing addresses in a close range to where they can receive goods.

The machine learning system gives a score and various thresholds of that score are used to trigger in combination with other factors.

Flagged items are manually reviewed. Sometimes customers are called to do human verification.

---

Some still get through, but I just implemented one a few weeks ago and saw a 99% reduction in fraud orders, and a 90% reduction in man-hours for reviewing orders. In most cases, the fraudsters will just see that it is no longer worth their time and move on to easier targets. Obviously this particular store had a serious problem due to a high level of automation and an easily resalable product. The margin of the product and relatively low shipping costs allowed the fraud to get to pretty high levels before they really focused on it.
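The review rules listed in the comment above can be sketched as a function that never rejects an order and only returns reasons for manual review. This is an added example, not the commenter's code; the `Order` fields, the distance and score thresholds, and the reading of "too far" as "far from both addresses" are assumptions.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Assumed thresholds; the comment gives no numbers.
MAX_BILL_SHIP_KM = 500   # billing-to-shipping distance limit
MAX_IP_KM = 300          # IP-to-address distance limit
SCORE_HIGH = 0.9         # ML score that triggers review on its own
SCORE_MEDIUM = 0.6       # triggers review only together with another signal

@dataclass
class Order:
    billing: tuple            # (lat, lon) of geocoded billing address
    shipping: tuple           # (lat, lon) of geocoded shipping address
    ip_geo: tuple             # (lat, lon) from IP geolocation
    ip_anonymizer: bool       # proxy / VPN / datacenter flag
    ship_is_forwarder: bool   # address on a forwarding-center/mailbox list
    ml_score: float           # 0..1 from the scoring model

def km(a, b):
    """Great-circle distance in kilometres (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def review_reasons(o: Order) -> list:
    """Reasons to queue the order for manual review; [] means auto-accept.
    Nothing is rejected here, so a fraudster gets no immediate feedback."""
    reasons = []
    mismatch = o.billing != o.shipping
    # Assumption: "too far" means far from BOTH addresses, so ordering
    # from the office or from home stays unflagged.
    ip_far = min(km(o.ip_geo, o.billing), km(o.ip_geo, o.shipping)) > MAX_IP_KM
    if o.ship_is_forwarder:
        reasons.append("shipping_forwarder")
    if mismatch and (o.ip_anonymizer or ip_far):
        reasons.append("mismatch_plus_ip")
    if km(o.billing, o.shipping) > MAX_BILL_SHIP_KM:
        reasons.append("billing_shipping_distance")
    soft = mismatch or o.ip_anonymizer or ip_far
    if o.ml_score >= SCORE_HIGH or (o.ml_score >= SCORE_MEDIUM and soft):
        reasons.append("ml_score")
    return reasons

# Constructed sample orders (city coordinates only, no real customer data).
NYC, NEWARK, MIAMI, AMS = (40.7128, -74.0060), (40.7357, -74.1724), (25.7617, -80.1918), (52.37, 4.90)
OFFICE = Order(NYC, NEWARK, NEWARK, False, False, 0.2)   # card at home, ship to office
RESHIP = Order(NYC, MIAMI, AMS, True, True, 0.95)        # forwarder + datacenter IP
```

Returning every matched reason, rather than stopping at the first, gives the human reviewer the full picture and lets the thresholds be tuned against review outcomes.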


Wow, so I guess you could say that you don't have to be 100% effective, just better than the other potential victims.


It's not just that there are other victims. Let's say you are selling a widget for $50. The fraudster can order some of these and put them up on Amazon for $45. They have costs associated with this, including the cost of acquiring usable CC numbers, the cost of running their store, the cost of placing the fraudulent orders. I can increase the cost of the first and third in that by filtering a large number of their orders. Many of their CCs aren't going to pass the filter and much of the time they spend making the orders is wasted. Even if they have bots making the orders, there is a cost associated with it. Increase it enough and they don't really make enough for it to be worth their while.


Makes sense though. If your herd is being attacked by a pack of wolves, as long as there is someone slower/weaker/dumber than you, they’ll become the target and your likelihood of staying alive goes up.

TLDR: don’t be last, second to last is still OK. I guess.


Which do you recommend? I work with custom solutions for banks which a lot of times include fraud prevention services from third parties, so I'm consistently benchmarking for better alternatives.


What services do this & are they expensive to implement? Are you just unloading CC data & other hashed values for matches like Maxmind?


Yes - you send a hashed cc number along with client ip and most of the order/payment info. I wrote another response to a sibling post with it but I must have never submitted it because I don't see it there. FraudLabsPro and Subuno are entry/mid level products. Others like Sift Science, Riskified and Simility only have very high volume options or don't advertise any entry-level pricing.



