Ask HN: Help I need advice on fraud
I run a web site (side project) where users can use their credit card to send money to a friend's checking account as a gift. It seems a user created multiple accounts with fake names then proceeded to send money from stolen credit cards. All the charges to the stolen credit cards were then sent to one final destination checking account which I have all the information on. I detected all this activity a bit too late (2 days late) so the money has been transferred from the credit cards to my marketplace to the destination checking account. Overall there were 5 different stolen credit cards used with over $2,000 in charges! As a side project this is a big loss for me. I'm already starting to receive some chargebacks and it's stressing me out. As a result I have permanently shut down my project because this is a major loss, more than I have ever made from the actual side project itself.

I have visited the local police department, but they said since I'm not the victim they can't do anything about it (presumably the owners of the stolen credit cards are the victims here, so they have to file a report). They referred me to the FBI. So I filed a complaint with the IC3.gov. After submitting the form, it said that it may be a while before I hear anything since they have limited resources and they receive thousands of complaints each day.

What's really frustrating is that I have the checking account details where the stolen money was sent to! So it seems it would be an easy case to break. The authorities would have to subpoena the bank account since I have the bank account number and bank name; it's not like they used bitcoins.

Can anyone with experience in this situation chime in with some advice? What should I do? Please help, any information would be greatly appreciated.

Why would you as a hobby run a payment site linking credit cards and checking accounts when you appear to not have done any research into how important loss prevention is in such an activity? If you were not interested why did you start? If you were interested how could you not know what steps to take?

Hi, John. I'm not the poster, but the way I look at it, everybody has to learn caution sometime. If this guy's lesson costs him just $2k and a little headache, I'd say he got away cheap.

I can think of a number of important business lessons I learned that cost me more time or money. E.g., "be careful picking business partners", "don't start work without a signed contract", or "crazy clients don't get saner". All things I should have known, or could have discovered reading. But had I waited until I had read and appreciated all business lessons, I never would have started anything.

And I appreciate him sharing the lesson with Hacker News. It reminds me of the Despair, Inc poster on mistakes:

"It could be the purpose of your life is only to serve as a warning to others."

So thanks, eam, for getting a bunch of young entrepreneurs to say, "Hey, maybe I should double-check our fraud prevention."

Hey William, you're on point. This has definitely taught me a bitter lesson. I hope others who are working on similar projects learn from my mistake. As I mentioned before, today's payment processing APIs make it so easy to launch an ecommerce service that we forget about other factors. That's pretty much what happened to me.

Always good to hear good calm advice from somebody I know and respect, Will. I admit I make tons of mistakes (and also would never start anything if I always "thought it through"). But I still really don't like what the original poster presented.

Hi OP here, thank you for your opinions. I just wanted to say that I thought that I had "thought it through" but apparently I didn't, it was more complicated than I thought it was. This is not the first time in my life that I thought I had thought something through, there have been numerous times actually in all aspects of my life. A year or so ago, I watched a Malcolm Gladwell talk on TED (http://www.ted.com/talks/malcolm_gladwell_on_spaghetti_sauce) where spaghetti sauce companies thought they had thought things through, but really didn't. Of course I could have spent lots of time reading books, but even then I might have missed this. I just wanted to share my experience and ask for any advice (not legal) just advice/tips in general from others who had been in the same boat. So far the comments have been excellent and invaluable. They have taught me many things I didn't think of before, but more importantly it will help others who might be looking or are doing the same thing I was doing already on my side project.

This. Plus, you could very easily be charged for setting up a money laundering scheme. At the very least you shouldn't allow anyone to wire money directly to personal bank accounts. If you see the precautions companies like Western Union take you'll understand there are serious implications involved.

My exact reaction. It just seems mind-boggling that anyone would set something up like this as a side project. I'm not even sure it would be legal in the U.S. One thing I am not at all confused about: I would shut it down right now. Literally. Go shut it down.

Just to clarify, I've worked in this business. You can set something up and test it in sandbox mode with every payment processor I've worked with. That's the proper approach for a "side project." What blows my mind is having this set up and accessible to the public. It's just amazingly naive. I don't mean to beat up on you, OP, but you really should shut this thing down. Systems like this are monitored 24x7 for fraudulent activity. You're not really prepared to be in this business yet.

No, you're entirely correct... I completely underestimated the loss prevention factor. Being a side project, I really didn't dedicate 24x7 monitoring, only late at night and early mornings, so this has been an important lesson to me. I have actually already shut it down.

I have dealt with this exact scenario in our photography ecommerce product (http://nextproof.com). Ours just happened to have an extra 0 on the end. We almost lost our merchant account because of all the chargebacks. (I'm thinking of writing an ebook on the topic)

Through some social engineering, I was even able to get the name and location of the checking account owner and get him on the phone. I was actually quite close to visiting and beating the crap out of him. Turns out he was just some poor rube from Arkansas who answered a craigslist ad. In the end he was actually more of a victim than me (basically had his identity stolen, credit ruined).

Law enforcement at all levels were completely unhelpful (I dealt with CA police, AR police, and feds). Once I located the bank and got them on the phone, they at least were able to freeze the checking account (I believe they are required by law to do this once fraud/cybercrime is reported). That's really only a temporary fix though.

Any time you're doing payment aggregation or money transfers, you have to do as much verification as possible. We learned that the fraudulent charges had very predictable patterns (international cards, fake websites, very specific range of charge amounts, etc.). At a small scale, you should just manually verify all accounts, require phone/address verification, and more. I've seen some bitcoin startups that even require you to submit a photograph of your card + ID via WebRTC. This is what you should do right away. Once fraudsters realize they have to do work, they will move on to the next target. Our chargeback rate is now near zero and never fraud-related.

At scale, you can have in-house people write code to detect fraud patterns. There are also startups like Sift Science with APIs.

Hope that helps.

Hey there, I'm the CEO of Sift Science. Unfortunately, callmeed is spot on -- law enforcement typically won't get involved unless it's in the tens of millions of dollars, at least. Even trickier if it's across international borders.

This means that you're left to defend yourself. Typically, you'll start implementing some basic verification and rules in your code base. For example, "if num_credit_cards_per_destination > 5; flag_as_suspicious()". But, it's tough to be accurate with this approach, so you'll want to manually review activity flagged by rules, so that you don't insult your good customers. As your business grows, it's more challenging to scale these fraud detection rules and manual review operations. While adding more verification helps, it does negatively impact the experience for innocent customers. It's a delicate balance.

I wish I had better news. In some sense, seeing fraud means that you're on the map. Unfortunately that means you'll only attract more and more attention as your business grows. I'm happy to be a resource, even if we don't work together - jason at siftscience dot com.
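The rule the Sift Science comment sketches ("if num_credit_cards_per_destination > 5; flag_as_suspicious()") and the patterns callmeed lists above (several cards feeding one checking account, amounts in a narrow band, a burst of transfers in a short window, foreign-issued cards) can be written as a small screener that evaluates each transfer against the history seen so far and holds hits for manual review rather than auto-blocking. The following is an added example for this thread, not code from the original post, from Sift Science or from any other commenter; the thresholds, the transaction records and the field names are assumptions constructed for illustration.

```python
"""Rule-based screening for a card-to-checking-account transfer service.

Added example, not code from the thread. Thresholds and sample transfers
below are constructed assumptions, not figures from the original post.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Transfer:
    id: str
    ts: datetime
    sender_user: str
    card_fingerprint: str   # token/hash of the card number, never the PAN itself
    card_country: str       # issuer country looked up from the BIN (assumed field)
    amount: float
    dest_account: str       # token for routing + account number of the payout target


@dataclass
class Verdict:
    transfer_id: str
    reasons: List[str] = field(default_factory=list)

    @property
    def hold_for_review(self) -> bool:
        # Any fired rule holds the ACH payout for a human, rather than
        # refusing the card charge outright (rules are noisy; see the thread).
        return bool(self.reasons)


# Thresholds are assumptions for this example; tune them against your own data.
MAX_CARDS_PER_DEST = 2        # distinct cards paying into one checking account
MAX_SENDERS_PER_DEST = 2      # distinct sender logins paying into one account
BURST_WINDOW = timedelta(hours=24)
BURST_COUNT = 3               # transfers to one destination inside BURST_WINDOW
NARROW_BAND_CV = 0.10         # stdev/mean below this => suspiciously uniform amounts
HOME_COUNTRY = "US"


class Screener:
    """Evaluates transfers in time order against what has been seen so far,
    so each rule fires on the transfer that crosses its threshold."""

    def __init__(self) -> None:
        self.history: Dict[str, List[Transfer]] = defaultdict(list)

    def evaluate(self, t: Transfer) -> Verdict:
        seen = self.history[t.dest_account] + [t]
        reasons: List[str] = []

        cards = {x.card_fingerprint for x in seen}
        if len(cards) > MAX_CARDS_PER_DEST:
            reasons.append(f"{len(cards)} distinct cards paying into {t.dest_account}")

        senders = {x.sender_user for x in seen}
        if len(senders) > MAX_SENDERS_PER_DEST:
            reasons.append(f"{len(senders)} distinct senders paying into {t.dest_account}")

        recent = [x for x in seen if t.ts - x.ts <= BURST_WINDOW]
        if len(recent) >= BURST_COUNT:
            reasons.append(f"{len(recent)} transfers to {t.dest_account} within {BURST_WINDOW}")

        amounts = [x.amount for x in seen]
        if len(amounts) >= 3 and mean(amounts) > 0 and pstdev(amounts) / mean(amounts) < NARROW_BAND_CV:
            reasons.append("amounts to this destination fall in a narrow band")

        if t.card_country != HOME_COUNTRY:
            reasons.append(f"card issued outside {HOME_COUNTRY} ({t.card_country})")

        self.history[t.dest_account].append(t)
        return Verdict(t.id, reasons)

    def evaluate_all(self, transfers: List[Transfer]) -> List[Verdict]:
        return [self.evaluate(t) for t in sorted(transfers, key=lambda x: x.ts)]


def first_held(verdicts: List[Verdict]) -> Optional[str]:
    """ID of the first transfer the screener would have held, or None."""
    for v in verdicts:
        if v.hold_for_review:
            return v.transfer_id
    return None


# Constructed sample: one genuine gift (alice -> bob) and five "users" with
# five different cards all paying similar amounts into one account in ~30 hours.
T0 = datetime(2014, 3, 1, 9, 0)
SAMPLE = [
    Transfer("t1", T0, "alice", "card-a1", "US", 50.00, "dest-bob"),
    Transfer("t2", T0 + timedelta(hours=1), "mike_s", "card-k1", "US", 410.00, "dest-x"),
    Transfer("t3", T0 + timedelta(hours=5), "j_doe", "card-k2", "US", 395.00, "dest-x"),
    Transfer("t4", T0 + timedelta(hours=9), "t_smith", "card-k3", "CA", 400.00, "dest-x"),
    Transfer("t5", T0 + timedelta(hours=20), "r_jones", "card-k4", "US", 405.00, "dest-x"),
    Transfer("t6", T0 + timedelta(hours=30), "d_lee", "card-k5", "US", 390.00, "dest-x"),
    Transfer("t7", T0 + timedelta(days=2), "alice", "card-a1", "US", 25.00, "dest-bob"),
]

if __name__ == "__main__":
    for v in Screener().evaluate_all(SAMPLE):
        status = "HOLD" if v.hold_for_review else "ok"
        print(f"{v.transfer_id}: {status} {'; '.join(v.reasons)}")
```

Run against the constructed sample, the third transfer into dest-x (t4) is the first one held, so only two of the five charges would have reached the payout step instead of all five. The hold belongs on the ACH payout, not on the card charge: the card money is not yours until the chargeback window closes, so a held transfer costs nothing but a manual look, while a paid-out one is the loss described in this thread.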

callmeed, this is excellent advice and information. I urge everyone to read this before getting yourself into a hole. Many of the payment APIs such as Stripe and Balanced Payments make it so easy to deploy an ecommerce site that it makes you think you're done, though as I have learned, that's only half the work. The other half is fraud and loss prevention. And as markbnj commented below, you need to monitor it quite often (24x7).

> Law enforcement at all levels were completely unhelpful (I dealt with CA police, AR police, and feds). Once I located the bank and got them on the phone, they at least were able to freeze the checking account (I believe they are required by law to do this once fraud/cybercrime is reported). That's really only a temporary fix though.

I actually did call the bank 2 days after the transactions. I believe it takes 2-5 days for direct deposits to arrive at the destination bank. When I called the bank, the support agent said they could see the deposits and that they would freeze the account. Though they haven't been very cooperative since then and communication has been limited. The bank agent I was assigned to has been difficult to reach and work with, even my processing company has had trouble getting a hold of them. I'm really hoping the account is still frozen and they will fulfill the reversals. That's my only hope.

I work in fraud management in the payment space for my day job. (Unfortunately we do not have a publicly available option yet for someone at your scale.)

  - You are most likely violating OFAC/KYC regulations in the US (assuming you are in the US, given the references to the FBI)
  - It is easy/cheap to buy on the black market complete combinations of credit cards/CVV/social security info
  - People who buy/have these stolen cards want a cash exit
  - Verification of both sides of the transaction is really needed for what is essentially a money transfer, to keep fraud down (steps beyond CVV to prove someone is in control of a CC)
  - You are lucky, that $2000 was probably an initial probe to see what checks you had in place. Shutting down was the right thing to do. If you had left it open, you could've added three zeros to the damages
  - CCs are not secure and the "merchant" is always the loser in fraud. Visa/Mastercard will always make their cut. Additionally ACH/echecks don't provide much in the way of clawing back funds (any, really).

Edit: Oh some other notes, the local PD are simply not equipped to handle this, even though you are the victim as you have been defrauded. Chargebacks can continue to roll in down the line, typically 30-90 days after the transaction. You may have violated your MCC code on your merchant account by doing this, as getting an MCC code to do a balance transfer like this is not a simple thing.

Run from this. You've been lucky.

1) You are almost certainly operating a money transmitting service (like Western Union). If you are an intermediary between people giving each other money, there are piles of regulations and compliances you must deal with just to stay out of jail!

2) Anything dealing with money and internet is HARD. This is like complaining that you tried to be a veterinarian on the side and some animals died. There is a minimum amount of knowledge you need just to start. You presently don't know what you don't know in this space. It's dangerous.

Sorry for the downer, but pick a different side project.

You were basically providing a cash advance, which is against the credit card companies' TOS, so chalk it up as a lesson learned and move on.

I can pretty much guarantee that no one in law enforcement will do anything about your situation. I work for an online retailer and we've been down that road. Everyone will mumble something about jurisdiction and hang up on you.

If you're looking for legal advice, you absolutely must ask a lawyer. Most good lawyers will give you an initial consultation for free.

If you're looking for business advice, I don't think there's any practical or safe way to run a business that allows people to charge a credit card and return cash to a bank account. If that's necessary for the functioning of your site, you may need to rethink your site.

What makes you think the bank account's details you have that the (presumably) stolen funds were sent to are those of the actual criminal? It could very easily (and extremely likely) be an account opened under a stolen identity.

I'm afraid it's likely you're going to have to put this one down to experience... You haven't gone into specifics, but your side project sounds like a money-launderer's dream.

>What makes you think the bank account's details you have that the (presumably) stolen funds were sent to are those of the actual criminal? //

Did he say that? I thought he was just saying as he had the account number then the bank could easily stop that money; the implication being that someone trying to retrieve the money could be traced.

Maybe you're right (that that is what he meant)... but all it takes is the criminal to withdraw cash (or have someone do it for him) and that money is long gone.

I was more getting at the fact that the money is probably not retrievable.

You were running a money transmitter, and once you learn the regulations and liabilities that come attached to that you'll be glad you shut it down before the gap widened any further.

>> 2000 was basically the year of fraud, where we were just losing more and more money every month. At one point we were losing over $10 million per month in fraud. It was crazy.

—Max Levchin, founder of PayPal

Where did this quote come from?

A book that any founder should read. It's a great set of interviews with founders telling relatively unsanitized versions of their startup stories. It serves as a great antidote to the business press's "all winners are perfect geniuses" school of reporting.

I actually even called the destination bank fraud department, which is where the checking account resides. They seem to not care. I called them 2 days after the transactions happened and asked if they can reverse the transactions; the agent that I spoke with said he would work on it and call me back. He never called me back, so I called him back and he said he still has to get to it and told me to have my payment processing company call him. My payment processing company has tried to call the bank agent for 2 days to no avail. I even tried to call him and many times I was sent to voicemail. It has been 11 days and I haven't heard back.

> My payment processing company has tried to call the Ally Bank agent for 2 days to no avail.

Ally isn't going to help you in this case. Ally doesn't know you, and you're asking them to give you money from one of their customers.

Who is your payment processor? You can issue an ACH reversal. You would get your money back if the money is still in the recipient's bank account. It's worth a try since they may not be expecting you to reverse the transaction and will still have money in the account.

I hate to say it and I hope I am wrong, but this situation is exactly what it is and you have to pay the consequences, fair or not. And that is your company is on the line for a $2000 mistake. No other way I can see around it.

IANAL, but document everything, as in send a certified letter to this bank etc.; you may need to prove due diligence.

My spouse works as a BA/project manager for a large e-commerce player. The efforts they go to in order to handle fraud are crazy. Fraud management is an entire department in any e-commerce organization. They're fighting not simple scammers, but international organized crime syndicates.

My not-a-lawyer advice? Drop your "side project" as fast as you possibly can, before it destroys you.

Someone will say, "use bitcoin instead!" So follow the directions here to help your situation:

1) Set up an exchange. 2) Wait for people to deposit >$2000 worth of bitcoin. 3) Run away.

Problem solved.

More seriously, I think you're more or less in a very unhappy place without good options. Chalk it up to experience and consider yourself lucky that you only lost $2k.

Though, a question for the legally-minded: if this project had been done in a corporate structure, could the poster just walk away from it and be insulated from the loss?

As long as you're incorporated, you're personally shielded from incurring those losses yourself or anyone going after you for those losses, as long as you didn't personally guarantee those accounts (i.e. AMEX business cards are guaranteed with your personal SSN vs company EIN).

No offense, but that sounds like terrible advice. Please consult a lawyer or accountant with questions, but corporations do not magically and universally shield your side business from incurring debts you have to pay. (And your business credit cards would almost certainly be personally guaranteed -- who would give a credit card to a business with no credit history?)

Again, I should have prefaced this with stating that I am not a lawyer and do not provide legal advice. With a DUNS number, you can open business cards if you have an established history of paying your suppliers and can show sales to other companies.

> And your business credit cards would almost certainly be personally guaranteed -- who would give a credit card to a business with no credit history?

Not true. While it is easier to get a business credit card if you personally guarantee it from day 1, you can get one using your business identification information. You can get Citi business cards with a DUNS and EIN number. https://www.citicards.com/cards/wv/html/cm/business/know-the... You can also get corporate AMEX cards once your business has $10M in revenue a year. Employee cards only require a SSN to verify identity, not to guarantee them (the regular business AMEX cards, however, do).

> As long as you're incorporated, you're personally shielded from incurring those loses yourself or anyone going after you for those losses, as long as you didn't personally guarantee those accounts

That's not necessarily true. There are a number of things which can allow the "corporate veil" protecting stockholders from personal liability to be pierced, including a stockholder that is also a corporate decision-maker engaging in grossly negligent or reckless acts as a corporate decision-maker that produce the corporate liability.

Incorporation provides a shield against personal liability, but it is not an absolute, unconditional shield, especially for stockholders who are also decision-makers in the corporation.

If officers act in a reckless and fraudulent manner, the veil can be pierced to pay back creditors. I should have prefaced this with stating that I am not a lawyer and do not provide legal advice. I can speak from personal experience having been part of companies with liabilities when they folded that none of the officers assumed those liabilities personally. No one accused them of negligence or fraud, so I do not know how that would play out.

Credit Card companies basically tell merchants (in their merchant guides) not to (1) deposit funds from CC transactions in any account but their own, or (2) allow CC users to extract cash or the equivalent from CCs as by cash refunds, and highlight that these things are wide open gates for fraud, money laundering, and high chargeback rates. [1]

This sounds like a grossly irresponsible "side project".

[1] example: See "Laundering" on p. 11, "No Cash Refunds" on p. 13 of https://usa.visa.com/download/merchants/card-acceptance-guid...

You lost $2000 in stolen goods. Someone defrauded you by knowingly using fake cards. Your police department should see you as a victim as well. If they don't you might want to think about talking to a lawyer to get things moving.

Actually- just go talk to a lawyer about getting the wheels of justice moving for you.

I am not a lawyer, this is no legal advice. You have to be careful. Depending on your country's laws you might have been running a financial service. These services usually require you to register, fulfill tons of requirements (at the least hold enough reserves) etc. Offering a financial service without registration might get you in a lot of trouble. The only course of action you have is to try to reverse the transactions to the checking accounts. This will largely depend on your provider.

Talk to a lawyer. Make sure you haven't been running a financial service.

I know this is not what you want to hear right now but this is where the importance of KYC requirements for any company dealing with financial transactions comes in. I imagine you made a trade-off between providing a frictionless service and best practice, but that's a trade-off you need to pay for eventually.

EDIT: I would also like to add that typically those who dabble in credit card fraud are sophisticated enough NOT to link their own bank details to the cards. What they will do is either buy some unknowing person's account for a few hundred dollars or steal details of an otherwise inactive account. Then all they have to do is use any ATM to withdraw the money, and it can be nearly impossible to catch the culprit without committing significant police resources.

IMO, you would probably be best speaking to an attorney. They may also be able to get more cooperativeness from the FBI.

Unfortunately at a normal rate of $300/hr or so you're going to rack up well over $2000 in attorney fees.

IMHO he should still talk to an attorney.

If he provided financial services without a proper license, he might be in a world of hurt.

This should be at the top.

Card-Not-Present online commerce draws fraud and that is a reality that you need to address. There are methods to mitigate the losses from fraud. You could collect webserver, internet traffic data and credit card data to filter your signups to prevent this happening in the future. One such company that could help is siftscience.com.

I'm curious to those that downvote how they would address online fraud. It is a real problem with online commerce.

You can request strict full address validation and request that charges fail on CVC mismatch. On the cashout side, you can use a system like http://www.idology.com/ for identity verification, which can be either as complete or as superficial as you want it to be (think credit card application level verification, with questions about past employers, loans and monthly payment amounts). If this person has all the information to steal your customer's identity, then you can't really defend yourself against that scenario and that customer likely has to deal with larger identity theft issues.

I would highly recommend that you contact the banks for whatever accounts the money went to. If you are able to prove fraud, you may be able to work with them to freeze the accounts and then recover enough funds to cover the chargebacks. You can use the routing numbers to figure out which banks to talk to.

When I was at WePay, we used this to help recover fraud losses. It's not 100% effective (because often the account has already been drained/closed), but it's better than nothing.

In the future, I would also recommend using a PSP like WePay, Stripe, or PayPal that will handle KYC and fraud detection for you. https://www.wepay.com/api/payments-101/preventing-losses-fig...

I've lost 2 merchant accounts in the past due to a high chargeback rate involved with selling web hosting online.

Most chargebacks are a result of orders from people with stolen credit cards, usually from international IPs. To mitigate this, I ended up using:

1. A service called MaxMind, which includes automated phone verification (e.g., ensuring the person owns a phone number in an area code matching the credit card zip code).

2. Using payment providers like PayPal or 2CO since they have their own built-in fraud prevention systems.

Of course, this does not prevent chargebacks for non-fraudulent reasons (e.g., unsatisfied customers). For large orders, you may need to get the customer's signature on a credit card authorization form, to enable you to win the chargebacks if they occur.

1. Consider this a very expensive lesson for you. Loss prevention isn't easy. It's why I stopped using Ebay and do local direct (CL, gumtree, leboncoin, etc.) sale.

2. FBI cybercrimes division will eventually want to hear from you but the fraud was small potatoes compared to what they are up against. Your local PD is right, this is out of their league. Most likely this is across county, state, and international borders.

And that's why you don't consider money paid with a CC an immediate part of the balance.

Unless you can swallow the loss.

As an example, some airlines require that you present the Credit Card used in the purchase upon check-in.

Just curious - who'd you take the transaction costs from? The sender?

Both, from sender and receiver.
