Protecting Your Site from Fraud







Problem

You need to prevent fraudulent transactions from being accepted by your online store.

Solution

Take these steps, both preventative and proactive, to avoid the deceptive schemes that can inflict financial disaster on your web business:

  • Validate and authorize the credit card numbers from your customers in real time.

  • Enable the security features that your bank or authorizing authority provides, such as address (AVS) and card verification number (CVN or card verification value) checking.

  • Report suspicious activity to your bank and/or authorizing authority as soon as possible.

  • Refuse to do business with customers in countries known to be hotbeds of corruption and fraud (check the list referenced in the "See Also" section of this Recipe), and be careful of any overseas order.

  • Ban visitors who appear to be attempting to make fraudulent transactions by blocking their IP address from connecting to your web server.

  • Contact suspected fraudsters with a cease and desist letter or email, assuming they give you a valid address.

  • Don't ship merchandise until payment is confirmed.

You might also consider these more extreme measures:

  • Refuse orders where the billing and shipping address do not match.

  • Refuse orders to be shipped to non-physical addresses, such as post office boxes.

  • Refuse orders from customers using a free email account, such as Hotmail or Yahoo!.

  • Confirm large orders by phone and/or request faxed copies of the credit card and customer signature.

Bear in mind that taking these extra steps will snub many honest customers along with the fraudsters. To address this problem, you might consider placing a pop-up window on your failed order page that allows customers to provide anonymous feedback about why their order failed. Or, since many people block automatic pop-up windows, send a follow-up email to shoppers whose orders were not accepted, if you can match up failed transactions with an email address.

Discussion

In these days of identity theft and phishing scams, web surfers have every right to be skeptical of the many web-based businesses seeking their money and personal information.

Phishing is the slang term for the deceptive practice of attempting to collect account numbers or other confidential information through fake emails and web sites that impersonate the look and branding of a reputable business. Many cases of so-called identity theft are perpetrated through phishing scams.


Although the risks are real and potentially large for consumers, online merchants face even higher stakes when hanging out their virtual shingle.

In general, a consumer whose credit card falls into the wrong hands is liable only for the first $50 worth of fraudulent charges. On the other hand, the merchant who ships goods to an imposter might be out every cent of an illegitimate transaction when the card holder contacts her bank to contest the charge. (Banks know they can get the money from the merchant more easily than from the legitimate card holder, and certainly, from the fraudster.)

Credit card companies do not publish statistics for online fraud, but experts estimate that it is far more prevalent than in face-to-face or even mail order and telephone transactions. Perhaps as many as one in 20 online transactions is fraudulent. That's because the credit and debit card payment systems were designed for in-person transactions in which the merchant has proof (a signature, card imprint, or card swipe on a point-of-sale terminal) that the transaction is legitimate.

Web transactions offer much more anonymity than other types of credit card transactions, although the use of the technical safeguards presented in the Solution (AVS and CVN) makes it reasonably possible to link a real person (if not a face) and a credit card (not just a number) to a transaction. With address verification enabled, the credit card authorizer will only approve the transaction if the provided billing address matches the billing address for the given credit card number. Requesting the CVN number (the little three-digit number that appears next to the account number in the signature box on Mastercard and Visa charge plates) confirms that the buyer has the card in hand (although not the means by which the card got into those hands).

Online fraud has become an appealing endeavor for a variety of criminal interests. Their favorite victims include sites that sell intangibles (such as subscriptions or downloads), items with good resale value, and those operated by inexperienced online merchants eager for their first "big" sale. Regardless of what you sell online, your best defense is to keep tabs on your e-commerce activity, trust your instincts, and listen to your inner pessimist: if it's too good to be true, it probably is.

Some other warning signs to look for include:

  • Repeated failed orders from the same customer using one or more credit cards.

  • A large order of seemingly random items, or a large quantity of the same item.

  • Repeated inquiries about shipping status, or a customer offering to send his own "courier" for pick-up.

  • A customer willing to pay any price for an item.

  • An order amount far above the average transaction amount for your store.

  • A request that the total transaction amount be charged on two or more cards for it to be approved.

  • Extremely poor spelling and grammar in communications from a customer.

  • Use of a free email address, when combined with several other warning signs.
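The Solution's checks (card number validation, AVS and CVN results, address and payment rules) and the warning signs above can be turned into a simple order-screening routine that flags orders for review before anything ships. The following Python is an added example written for this recipe, not code from the book; the scoring weights, the two decision thresholds, the list of free-mail domains and the sample orders are all assumptions constructed for illustration. The Luhn checksum only catches mistyped or made-up card numbers; the AVS and CVN results are assumed to come back from your authorizer's real-time check and are simply passed in here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Free webmail providers named in the recipe (assumed starting set; extend as needed).
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com"}
# Matches "PO Box", "P.O. Box" or "Post Office Box" in a shipping address.
PO_BOX_RE = re.compile(r"\b(?:p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.IGNORECASE)

# Assumed weights and thresholds; tune them against your own order history.
REJECT_THRESHOLD = 6
REVIEW_THRESHOLD = 3


@dataclass
class Order:
    order_id: str
    customer_email: str
    card_number: str
    amount: float
    billing_address: str
    shipping_address: str
    avs_match: bool          # address verification result returned by the authorizer
    cvn_match: bool          # card verification number result returned by the authorizer
    split_payment_requested: bool = False
    prior_failed_orders: int = 0


def luhn_valid(card_number: str) -> bool:
    """Luhn checksum on the card number: rejects typos and invented numbers
    before you pay for an authorization attempt. It says nothing about
    whether the card is live or belongs to the buyer; AVS/CVN cover that."""
    digits = [int(c) for c in card_number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def score_order(order: Order, store_average: float) -> Tuple[int, str, List[str]]:
    """Return (score, decision, reasons) for one order using the recipe's warning signs."""
    reasons: List[Tuple[str, int]] = []
    if not luhn_valid(order.card_number):
        reasons.append(("card number fails checksum", 5))
    if not order.avs_match:
        reasons.append(("billing address does not match card (AVS)", 3))
    if not order.cvn_match:
        reasons.append(("card verification number mismatch", 3))
    if order.prior_failed_orders >= 2:
        reasons.append(("repeated failed orders from this customer", 3))
    if order.split_payment_requested:
        reasons.append(("asked to split the total across several cards", 2))
    if store_average > 0 and order.amount > 3 * store_average:
        reasons.append(("amount far above store average", 2))
    if order.billing_address.strip().lower() != order.shipping_address.strip().lower():
        reasons.append(("billing and shipping addresses differ", 1))
    if PO_BOX_RE.search(order.shipping_address):
        reasons.append(("shipping to a non-physical address", 1))
    # Per the recipe, a free email address only counts alongside other warning signs.
    domain = order.customer_email.rpartition("@")[2].lower()
    if domain in FREE_MAIL_DOMAINS and len(reasons) >= 2:
        reasons.append(("free email address alongside other warning signs", 1))

    score = sum(weight for _, weight in reasons)
    if score >= REJECT_THRESHOLD:
        decision = "reject"
    elif score >= REVIEW_THRESHOLD:
        decision = "hold for manual review"
    else:
        decision = "accept"
    return score, decision, [text for text, _ in reasons]


def triage(orders: List[Order], store_average: float) -> Dict[str, str]:
    """Map each order id to its decision; nothing ships until it is 'accept'."""
    return {o.order_id: score_order(o, store_average)[1] for o in orders}


# Constructed sample orders (not real customers); 4111... is a well-known test number.
CLEAN = Order("A-1001", "pat@example.com", "4111 1111 1111 1111", 80.00,
              "12 Elm St, Springfield", "12 Elm St, Springfield", True, True)
GIFT = Order("A-1002", "sam@yahoo.com", "4111 1111 1111 1111", 200.00,
             "12 Elm St, Springfield", "9 Oak Ave, Shelbyville", True, True)
SUSPECT = Order("A-1003", "buyer@hotmail.com", "4111 1111 1111 1112", 2400.00,
                "1 Main St, Springfield", "P.O. Box 77, Springfield", False, True,
                split_payment_requested=True, prior_failed_orders=3)

if __name__ == "__main__":
    for order in (CLEAN, GIFT, SUSPECT):
        score, decision, reasons = score_order(order, store_average=60.0)
        print(order.order_id, score, decision, reasons)
```

The "hold for manual review" tier is where the recipe's phone confirmation or follow-up email belongs: it keeps a gift shipped to a different address from being refused outright, while an order that fails several checks at once is stopped before goods leave the warehouse.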

See Also

For more on the flip-side of the relationship between online merchants and customers, see Recipe 8.1. Recipe 8.10 describes a way to turn away suspected fraudsters.

Transparency International's list of the most corrupt countries is online at http://www.transparency.org/pressreleases_archive/2004/2004.10.20.cpi.en.html.


