
I would actually be interested in knowing how others deal with a certain type of fraud.

We currently have an issue where someone is using stolen credit cards to buy "digital goods".

We're in the UK and Scandinavia, so we started out blocking purchases of digital goods from the UK. Fraud goes to zero right away.

The fraudsters move to using stolen UK credit cards in Denmark, via a large number of Danish IPs. Fine... We'll just require that the card is issued in the country where your IP indicates that you're located (not 100% correct, but close enough).

At this point fraud has been reduced to zero for a few weeks. The next one we really weren't expecting. The same pattern of buying starts showing up, seems like fraud, and it turns out it is. We now see stolen Danish credit cards.

At this point we're more or less reduced to having to approve every purchase manually. The only real solution currently is 3DSecure for MasterCard or Verified by VISA. These solutions are very American and not at all what European customers expect to see. Enabling 3DSecure scares off legitimate customers, but it's currently the only solution.

The article looks at high velocity; that does nothing in some cases. If people are out to scam you, they will appear as a new customer from a new IP, with a new card.

CSCs are useless; these are stolen all the time.

AVS is supported by almost no one.

Looking at the transaction amount compared to the mean doesn't really work when you mostly sell one product at a time.

Recently created accounts are actually a good indication of fraud, but mostly you have false positives.

Blocking high-risk countries doesn't work for digital goods.

A large distance between IP and billing address doesn't work well in smaller countries, but it's worth considering. Somewhat difficult to implement, though.

A high number of cards from the same person... That never happens. Our legitimate customers are the only ones that might use different cards. In the case of fraud, cards and accounts are often used only once.

It's not that the article is a bad write-up, but none of the information will protect you against someone who wants to scam you. Physical products are easier to safeguard, because the bad guy will need to pick them up at some point; digital goods are a lot harder to secure.
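The rule the commenter ended up with (card issuing country must match the IP's country), plus the softer signals mentioned in the thread (new account, throwaway e-mail, IP vs billing mismatch), as a first-pass screening function. This is an added example, not the commenter's code; the BIN table, IP ranges and disposable-domain list are constructed stand-ins for a real BIN database, GeoIP feed and maintained domain list.

```python
"""Rule-based first-pass screening for card purchases of digital goods (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed data: first six digits of the PAN (the BIN) -> issuing country. Not real ranges.
BIN_COUNTRY = {
    "453201": "GB",
    "510001": "DK",
    "411100": "US",
}

# Constructed data: IP ranges -> country. Documentation prefixes, not real GeoIP allocations.
IP_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "DK",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Constructed short list; a real deployment would use a maintained disposable-domain list.
THROWAWAY_DOMAINS = {"mailinator.example", "tempmail.example"}

NEW_ACCOUNT_DAYS = 2  # assumption: accounts younger than this count as "recently created"


@dataclass
class Order:
    card_number: str      # PAN as entered; only the BIN is inspected here
    ip: str
    email: str
    billing_country: str  # ISO 3166-1 alpha-2
    account_age_days: int


def bin_country(card_number: str) -> str | None:
    """Issuing country from the BIN (first six digits), or None if unknown."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    return BIN_COUNTRY.get(digits[:6])


def ip_country(ip: str) -> str | None:
    """Country for an IP address from the (constructed) range table, or None."""
    addr = ipaddress.ip_address(ip)
    for net, country in IP_COUNTRY.items():
        if addr in net:
            return country
    return None


def screen(order: Order) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'reject', 'review' or 'accept'."""
    reasons: list[str] = []
    card_cc = bin_country(order.card_number)
    ip_cc = ip_country(order.ip)

    # Hard rule from the thread: the card must be issued where the IP says the buyer is.
    # Unknown lookups fail closed into manual review rather than silently passing.
    if card_cc is None or ip_cc is None:
        reasons.append("geo_lookup_unknown")
    elif card_cc != ip_cc:
        return "reject", [f"card_country_mismatch:{card_cc}!={ip_cc}"]

    # Soft signals: individually noisy (false positives), together worth a manual look.
    if ip_cc is not None and ip_cc != order.billing_country.upper():
        reasons.append("ip_billing_mismatch")
    if order.account_age_days < NEW_ACCOUNT_DAYS:
        reasons.append("new_account")
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in THROWAWAY_DOMAINS:
        reasons.append("throwaway_email")

    return ("review" if reasons else "accept"), reasons


if __name__ == "__main__":
    # Constructed orders: a UK card used from a Danish IP, and a clean Danish purchase.
    print(screen(Order("4532010000000000", "198.51.100.7", "a@example.com", "DK", 400)))
    print(screen(Order("5100010000000000", "198.51.100.7", "a@example.com", "DK", 400)))
```

As the thread goes on to say, the hard rule only holds until the fraudsters obtain cards issued in the same country as their IPs, so the soft reasons are returned separately: they are what a reviewer looks at once the country rule stops discriminating.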

My company (Sift Science) uses machine learning to fight fraud, and we work with customers who sell digital goods. You're right that normal country blacklisting, IP blocking, AVS, CVV, etc. aren't terribly effective.

I think some effective techniques for digital goods are: 1) behavioral signals, such as how long the user spent browsing your site before making a purchase, 2) physical device -- have I seen activity from this particular machine before, even if they're going through a proxy to use a fresh IP? 3) e-mail address -- is it a legitimate domain? an obvious throw-away account?, 4) mismatch between IP and billing info (as you noted).

In general, fraudsters switch tactics with surprising frequency, so I'd highly recommend combining multiple types of data into a machine learning system that will adapt. Otherwise you're going to spend a lot of time tuning rules.

And if you're looking for help, feel free to send me an e-mail: brandon@siftscience.com. My company deals with fraud all the time. Even if we can't help, I'd be happy to point you to others who can.

Brandon's a great guy, very proactive and helpful. We didn't have quite enough volume yet (w/ Gittip) to use his services, but I have a positive opinion of him.

E.g.: https://github.com/zetaweb/www.gittip.com/pull/387

Thanks Chad! It's a pleasure to work with people like you!

That looks extremely interesting and it might very well be something we could use for a project we're just starting.

Preventing fraud is impossible, but you can minimize it to very low levels with a combination of filters, some of which you mentioned. This includes geo distance, public e-mail address, velocity, size of transaction and, most important, proxy detection. The use of a public anonymous proxy is a very high indicator of fraud.

We use minfraud, a service that takes all of those parameters as input, and uses a huge database of previous fraud to return the probability the transaction is fraud. It has worked exceedingly well to prevent almost all fraud on our marketplace.

I wrote in detail about this process about half a year ago - http://www.binpress.com/blog/2012/07/31/fighting-online-frau...

I was having huge problems with fraud on my website also. A lot of stolen credit cards being used from Vietnam.

Using Braintree as my processor, I send an authorization request for the card. If the auth is successful, I send the data over to MinFraud for a check. If the fraud value is < 25 then I submit the auth for settlement, otherwise it gets voided and the user gets a message that their purchase didn't pass our fraud check.

I also log all minChecks and I manually check any request that has a value > 10 or so just to make sure it looks legit.

The biggest change I had to make to support this is that I had to add Country, City, and Region (State) boxes to my payment form. So users have to put in 3 more pieces of information that they didn't have to with a plain (a la Stripe Purchase button) payment form.

However, that information has saved me from numerous frauds. Also, it appears that once the fraudsters determined that they couldn't use my site anymore, they've stopped trying.

I am VERY happy with their service and it's very inexpensive.
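The authorize, score, then settle-or-void flow the commenter describes, with the same thresholds (a score of 25 or more is voided, anything above 10 is settled but queued for a manual look, every check is logged). This is an added example, not the commenter's code, and the `Processor` and `RiskScorer` interfaces are hypothetical: they are not Braintree's or MaxMind's real APIs. The in-memory fakes and the scores keyed by IP are constructed so the flow runs offline.

```python
"""Authorize a card, score the transaction, then settle or void (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Protocol

VOID_AT = 25.0       # score >= this: void the authorization and refuse the purchase
REVIEW_ABOVE = 10.0  # score > this: settle, but a human looks at it afterwards


class Processor(Protocol):
    """Hypothetical two-step card processor: authorize now, capture later."""
    def authorize(self, card: str, amount_cents: int) -> str | None: ...
    def submit_for_settlement(self, auth_id: str) -> None: ...
    def void(self, auth_id: str) -> None: ...


class RiskScorer(Protocol):
    """Hypothetical risk service returning 0 (clean) .. 100 (almost certainly fraud)."""
    def score(self, ip: str, email: str, city: str, region: str, country: str) -> float: ...


@dataclass
class FakeProcessor:
    """In-memory stand-in for the processor; records what was settled and voided."""
    declined: set[str] = field(default_factory=set)
    settled: list[str] = field(default_factory=list)
    voided: list[str] = field(default_factory=list)
    _seq: int = 0

    def authorize(self, card: str, amount_cents: int) -> str | None:
        if card in self.declined:
            return None
        self._seq += 1
        return f"auth-{self._seq}"

    def submit_for_settlement(self, auth_id: str) -> None:
        self.settled.append(auth_id)

    def void(self, auth_id: str) -> None:
        self.voided.append(auth_id)


@dataclass
class FakeScorer:
    """Constructed scores keyed by IP; unknown IPs simulate the service being down."""
    by_ip: dict[str, float]

    def score(self, ip: str, email: str, city: str, region: str, country: str) -> float:
        if ip not in self.by_ip:
            raise ConnectionError("scorer unavailable")
        return self.by_ip[ip]


@dataclass
class Outcome:
    status: str            # declined | rejected | settled | settled_review | error
    auth_id: str | None
    risk: float | None


def checkout(processor: Processor, scorer: RiskScorer, *, card: str, amount_cents: int,
             ip: str, email: str, city: str, region: str, country: str,
             check_log: list[dict]) -> Outcome:
    auth_id = processor.authorize(card, amount_cents)
    if auth_id is None:
        return Outcome("declined", None, None)  # issuer said no; nothing to score

    try:
        risk = scorer.score(ip, email, city, region, country)
    except Exception:
        # Design choice in this example: if the scorer is down, fail closed. Never
        # settle an unscored authorization; void it and let the buyer retry later.
        processor.void(auth_id)
        return Outcome("error", auth_id, None)

    needs_review = risk > REVIEW_ABOVE
    # Log every check, as the comment describes, so the >10 ones can be eyeballed later.
    check_log.append({"auth_id": auth_id, "ip": ip, "email": email,
                      "risk": risk, "review": needs_review})

    if risk >= VOID_AT:
        processor.void(auth_id)
        return Outcome("rejected", auth_id, risk)

    processor.submit_for_settlement(auth_id)
    return Outcome("settled_review" if needs_review else "settled", auth_id, risk)
```

Authorizing before scoring means the issuer's own decline happens first and the risk service is only paid for cards that would otherwise go through; voiding rather than refunding keeps a rejected purchase from ever becoming a settled transaction that could later be charged back.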

(I work for balanced; I wrote the blog and handle fraud.) I am sorry you had to deal with this. Of course we look at all other signals, and of course we use machine learning. What I posted was partial information; the list is by no means complete.

When opening up about fraud, you deal with two conflicting things: (1) if you open your algorithms/data and make it completely open source, the fraudsters have all the access you do, and (2) if you shut down all access and keep it closed, there's no exchange of information. Most payment processors opt for (2); we really wanted to strike a middle ground. If I can't expose the fact that an '@apple.com' email address is more trustworthy than a throwaway email address and regard this piece of information as the bedrock of fraud protection, I am nuts. Summary: you expose something, gain knowledge, hide the rest.

There are several more signals we look at when dealing with fraud (esp. digital goods). We have built a machine learning system that has learned (is learning) from our data. We also built visualization layers on top of that. Send us an email at support@balancedpayments.com and I will provide more information.

3DSecure for MasterCard or Verified by VISA. These solutions are very American and not at all what European customers expect to see.

I can't speak for Europe, but basically every site here in Sweden where I buy something with a card uses 3DSecure and VbV. The pickup over the past couple of years has been massive.

On the other hand, it works so badly in the UK that it's been disabled by pretty much all banks.

Ahh, is that why it went away for a few years?

Back around 2008-2009 it seemed I got hit with a VbV screen for 90% of purchases. Then it just seemed to 'go away'.

In the past 3 or 4 months, I've started seeing VbV screens again though. So perhaps something else has changed?

Personally I never had any purchase problems with the system.

I'm interested in your view that 3DS and VbV are "very American and not at all what European customers expect to see".

Although generally payment methods are quite diverse across Europe, I'd say in places like here in the UK it is now fairly common to get the secondary confirmation prompts when purchasing on-line, certainly from smaller businesses. They also seem to be fairly smart about when they just let it go through without troubling the user these days, e.g., low value regular payments to the same vendor don't seem to ask me for any confirmation most of the time recently, but payments to new vendors often do.

Is this not your experience as well?

Just out of interest, what kind of digital product are you selling? I never thought fraud was a problem with digital products, because it is very easy to just go to the torrent sites and download it there...

Edit: I mean, who would bother to do payment fraud when you can just download torrents?

Mostly keys for games, Xbox Live points, stuff like that. Very attractive products, both for legitimate customers and, sadly, also for criminals.

Torrents are useless for games that require constant network access, which is most new games. You can have the "stolen" keys blocked, but you still lose money.

Drop me an email, maybe we can trade notes. I have been dealing with this for almost a year at http://nextproof.com

We had really bad chargebacks and our underwriting merchant almost pulled our account. It took going back to some manual verification and other tricks to finally get it down. We've only had a dozen or so chargebacks in the last 6 months.

You may be interested in some of the points here: http://blog.signifyd.com/2013/02/25/detecting-fraud-in-digit...
