We currently have an issue where someone is using stolen credit cards to buy "digital goods".
We're in the UK and Scandinavia, so we started out blocking purchases of digital goods from the UK. Fraud goes to zero right away.
The fraudsters move to using stolen UK credit cards in Denmark, via a large number of Danish IPs, fine... We'll just require that the card is issued in the country where your IP indicates that you're located (not 100% correct, but close enough).
At this point fraud has been reduced to zero for a few weeks. The next we really were not expecting. The same pattern of buying starts showing up, seems like fraud and it turns out it is. We now see stolen Danish credit cards.
At this point we're more or less reduced to having to approve every purchase manually. The only real solution currently is 3DSecure for MasterCard or Verified by VISA. These solutions are very American and not at all what European customers expect to see. Enabling 3DSecure scares off legitimate customers, but it's currently the only solution.
The article looks at high velocity; that does nothing in some cases. If people are out to scam you, they will appear as a new customer from a new IP, with a new card.
CSCs are useless; these are stolen all the time.
AVS is supported by almost no one.
Looking at transaction amount compared to the mean doesn't really work when you mostly sell one product at a time.
Recently created accounts are actually a good indication of fraud, but mostly you have false positives.
Blocking high risk countries doesn't work for digital goods.
Large distance between IP and billing address, doesn't work well in smaller countries, but worth considering. Somewhat difficult to implement though.
High number of cards from the same person... That never happens. Our legitimate customers are the only ones that might use different cards. In the case of fraud, cards and accounts are often used only once.
It's not that the article is a bad write up, but none of the information will protect you against someone that wants to scam you. Physical products are easier to safeguard, because the bad guy will need to pick it up at some point; digital goods are a lot harder to secure.
I think some effective techniques for digital goods are: 1) behavioral signals, such as how long the user spent browsing your site before making a purchase, 2) physical device -- have I seen activity from this particular machine before, even if they're going through a proxy to use a fresh IP? 3) e-mail address -- is it a legitimate domain? an obvious throw-away account?, 4) mismatch between IP and billing info (as you noted).
In general, fraudsters switch tactics with surprising frequency, so I'd highly recommend combining multiple types of data into a machine learning system that will adapt. Otherwise you're going to spend a lot of time tuning rules.
And if you're looking for help, feel free to send me an e-mail: email@example.com. My company deals with fraud all the time. Even if we can't help, I'd be happy to point you to others who can.
We use minfraud, a service that takes all of those parameters as input, and uses a huge database of previous fraud to return the probability the transaction is fraud. It has worked exceedingly well to prevent almost all fraud on our marketplace.
I wrote in detail about this process about half a year ago - http://www.binpress.com/blog/2012/07/31/fighting-online-frau...
Using Braintree as my processor, I send an authorization request for the card. If the auth is successful, I send the data over to MinFraud for a check. If the fraud value is < 25 then I submit the auth for settlement, otherwise it gets voided and the user gets a message that their purchase didn't pass our fraud check.
I also log all minChecks and I manually check any request that has a value > 10 or so just to make sure it looks legit.
The biggest change I had to make to support this is that I had to add Country, City, and Region (State) boxes to my payment form. So users have to put in 3 more pieces of information that they didn't have to with a plain (a la Stripe Purchase button) payment form.
However, that information has saved me from numerous frauds. Also, it appears that once the fraudsters determined that they couldn't use my site anymore, they've stopped trying.
I am VERY happy with their service and it's very inexpensive.
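The authorize, score, then settle-or-void flow described in the comment above, as an added sketch that is not the commenter's code. `FakeGateway` and `score_fn` are constructed stand-ins, not the Braintree or minFraud APIs, and voiding the hold when the scorer is unreachable is an assumption the comment does not state.

```python
from dataclasses import dataclass, field
from enum import Enum

SETTLE_BELOW = 25  # from the comment: a score < 25 is submitted for settlement
REVIEW_ABOVE = 10  # from the comment: scores above ~10 are checked by hand


class Outcome(Enum):
    SETTLED = "settled"
    VOIDED = "voided"
    DECLINED = "declined"


@dataclass
class FakeGateway:
    """Constructed stand-in for a card processor; not a real SDK."""
    decline_cards: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def authorize(self, card, amount):
        if card in self.decline_cards:
            return None  # issuer refused; nothing to void later
        auth_id = f"auth-{len(self.log) + 1}"
        self.log.append(("authorize", auth_id))
        return auth_id

    def settle(self, auth_id):
        self.log.append(("settle", auth_id))

    def void(self, auth_id):
        self.log.append(("void", auth_id))


def process_purchase(gateway, score_fn, order, audit_log):
    """Hold funds first, score second, and never leave an authorization dangling."""
    auth_id = gateway.authorize(order["card"], order["amount"])
    if auth_id is None:
        return Outcome.DECLINED
    try:
        score = score_fn(order)
    except Exception:
        score = None  # assumption: scorer outage fails closed
    # Every check is logged; missing or elevated scores are flagged for manual review.
    review = score is None or score > REVIEW_ABOVE
    audit_log.append({"order": order["id"], "score": score, "review": review})
    if score is not None and score < SETTLE_BELOW:
        gateway.settle(auth_id)
        return Outcome.SETTLED
    gateway.void(auth_id)  # release the hold so the cardholder is not charged
    return Outcome.VOIDED
```
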
I can't speak for Europe, but basically every site here in Sweden where I buy something with a card uses 3DSecure and VbV. The pick up over the past couple of years has been massive.
Back about 2008-2009 it seemed I got hit with a VbV screen for 90% of purchases. Then, it just seemed to 'go away'.
In the past 3 or 4 months, I've started seeing VbV screens again though. So perhaps something else has changed?
Personally I never had any purchase problems with the system.
Although generally payment methods are quite diverse across Europe, I'd say in places like here in the UK it is now fairly common to get the secondary confirmation prompts when purchasing on-line, certainly from smaller businesses. They also seem to be fairly smart about when they just let it go through without troubling the user these days, e.g., low value regular payments to the same vendor don't seem to ask me for any confirmation most of the time recently, but payments to new vendors often do.
Is this not your experience as well?
Edit: to mean, who would bother to do payment fraud, when you can just download torrents.
Torrents are useless for games that require constant network access, which is most new games. You can have the "stolen" keys blocked, but you still lose money.
We had really bad chargebacks and our underwriting merchant almost pulled our account. It took going back to some manual verification and other tricks to finally get it down. We've only had a dozen or so chargebacks in the last 6 months.