We're running a completely self-service system where money comes in via credit card, and (much of it) gets paid out to other users in the system. Because of this, preventing fraud is a must. When I say fraud I mean people adding credit cards that are stolen, but still work fine. These are transactions we might find out are fraud days after the transaction takes place -- but by then the funds may have been paid out to other users if someone is playing both sides of the table to funnel money back to themselves.
Wondering if anyone has any suggestions on how to handle this situation? There are a few options here, from the manual to the automated, but we're leaning towards something automated.
1. Don't allow anyone to make a deposit until we've called to talk to them and white-listed their account.
2. Don't allow users on the other side to withdraw money until some arbitrary number of days later when we can safely say the transaction isn't fraud.
3. This one is 2 parts.
   1) Phone verification via MaxMind (http://www.maxmind.com). This just assures that the phone number they entered is valid and we can contact them at it.
   2) Another call to MaxMind to verify their CC details don't raise a red flag. This takes into account a good deal of info including: IP, CC address, browser agent, browser language, forwarded IP, phone, email, username, and others. It gives a score (0-10) on how likely it is that the transaction is fraud. It bases some of this on how far away the user is from the CC location, and how far their phone area code is from the CC location. Verifying phone location in this way is a lot harder to game than faking an IP address. This could be done once for each credit card they associate with their account, which is 1 in almost every case.
Anyone have any other APIs like MaxMind that might be worth looking into? We'd love for the system to run completely automated, but interested in seeing what others have done to get around this problem.
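An added example, not part of the original post: one way to combine option 2 (delayed withdrawal) with the 0-10 fraud score from option 3, so each payout stays tied to the card deposit that funded it and can be frozen if that deposit is later reported as fraud. The hold lengths, review threshold, field names and sample data are assumptions; the score is passed in as a plain number and no MaxMind call is shown.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

BASE_HOLD_DAYS = 7        # assumed minimum hold; tune to your dispute window
EXTRA_DAYS_PER_POINT = 2  # assumed: each whole risk point lengthens the hold
REVIEW_THRESHOLD = 7.0    # assumed: at or above this, release only after manual review

@dataclass
class Credit:
    """Money credited to a payee, traced back to the card deposit that funded it."""
    payee: str
    amount_cents: int
    deposit_id: str
    charged_at: datetime      # time of the original card charge, not of the transfer
    risk_score: float         # 0-10 score returned by the fraud-scoring call
    reviewed: bool = False    # set by staff after a manual check
    frozen: bool = False      # set when the funding deposit is reported as fraud

def release_time(c: Credit) -> datetime:
    """Earliest moment the credit may be withdrawn; riskier deposits wait longer."""
    days = BASE_HOLD_DAYS + EXTRA_DAYS_PER_POINT * int(c.risk_score)
    return c.charged_at + timedelta(days=days)

def freeze_deposit(credits, deposit_id):
    """On a chargeback or fraud report, freeze every credit funded by that deposit."""
    hit = [c for c in credits if c.deposit_id == deposit_id]
    for c in hit:
        c.frozen = True
    return len(hit)

def balances(credits, payee, now):
    """Return (available, held, frozen) in cents for one payee at time `now`."""
    available = held = frozen = 0
    for c in credits:
        if c.payee != payee:
            continue
        if c.frozen:
            frozen += c.amount_cents
        elif c.risk_score >= REVIEW_THRESHOLD and not c.reviewed:
            held += c.amount_cents      # waits for a human, however old it is
        elif now < release_time(c):
            held += c.amount_cents      # still inside the hold window
        else:
            available += c.amount_cents
    return available, held, frozen

def sample_credits():
    """Constructed sample data: three payouts to one payee from three deposits."""
    t0 = datetime(2024, 1, 1)
    return [Credit("bob", 5000, "dep-1", t0, 1.0),
            Credit("bob", 3000, "dep-2", t0, 4.0),
            Credit("bob", 2000, "dep-3", t0, 8.5)]
```

Keying the hold to the time of the card charge rather than the time of the internal transfer means passing money between accounts does not shorten the wait.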