We're running a completely self service system where money comes in via credit card, and (much of it) gets paid out to other users in the system. Because of this, preventing fraud is a must. When I say fraud I mean people adding credit cards that are stolen, but still work fine. These are transactions we might find out are fraud days after the transaction takes place -- but by then the funds may have been paid out to other users if someone is playing both sides of the table to funnel money back to themselves.

Wondering if anyone has any suggestions on how to handle this situation? There are a few options here, from the manual to the automated, but we're leaning towards something automated.

  • Don't allow anyone to make a deposit until we've called to talk to them and white-listed their account.

  • Don't allow users on the other side to withdraw money until some arbitrary number of days later when we can safely say the transaction isn't fraud.

  • This one is 2 parts.
    1) Phone verification through MaxMind ( http://www.maxmind.com ). This just assures that the phone number they entered is valid and we can contact them at it.
    2) Another call to MaxMind to verify their CC details don't raise a red flag. This takes into account a good deal of info including: IP, cc address, browser agent, browser language, forwarded ip, phone, email, username, and others. It gives a score (0-10) on how likely it is that the transaction is fraud. It bases some of this on how far away the user is from the CC location, and how far their phone area code is from the CC location. Verifying phone location in this way is a lot harder to game than faking an IP address.

    This could be done once for each credit card they associate with their account, which is 1 in almost every case.

Anyone have any other APIs like MaxMind that might be worth looking into? We'd love for the system to run completely automated, but interested in seeing what others have done to get around this problem.
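One way to implement the withdrawal hold from the second option above, as an added example that is not code from the question or either answer: a toy ledger in which every parcel of money remembers which card deposit it came from, in-system payments carry the hold along with the funds, withdrawals draw only on settled funds, and a deposit confirmed as fraud days later can be clawed back from whoever currently holds it. HOLD_DAYS, the Lot and Ledger names, and the cent amounts are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

HOLD_DAYS = 7  # constructed policy value: a card deposit settles this many days after it arrives

@dataclass
class Lot:
    """A parcel of funds that remembers which card deposit it came from."""
    deposit_id: str
    amount: int        # cents
    settles_on: date   # the hold on this parcel expires on this date

class Ledger:
    def __init__(self):
        self.lots = {}  # user -> list of Lot, oldest first
    def deposit(self, user, deposit_id, amount, today):
        lot = Lot(deposit_id, amount, today + timedelta(days=HOLD_DAYS))
        self.lots.setdefault(user, []).append(lot)
    def balance(self, user, today, settled_only=True):
        # With settled_only, count only lots whose hold has expired.
        return sum(l.amount for l in self.lots.get(user, [])
                   if l.settles_on <= today or not settled_only)
    def _take(self, user, amount, today, settled_only):
        # Consume eligible lots oldest-first, splitting the last one touched.
        if self.balance(user, today, settled_only) < amount:
            raise ValueError("insufficient funds")
        taken, kept = [], []
        for lot in self.lots.get(user, []):
            if amount > 0 and (lot.settles_on <= today or not settled_only):
                part = min(lot.amount, amount)
                taken.append(Lot(lot.deposit_id, part, lot.settles_on))
                amount -= part
                if part < lot.amount:
                    kept.append(Lot(lot.deposit_id, lot.amount - part, lot.settles_on))
            else:
                kept.append(lot)
        self.lots[user] = kept
        return taken
    def transfer(self, src, dst, amount, today):
        # In-system payments may move unsettled money, but each lot keeps its
        # original settles_on, so the hold follows the funds to the recipient.
        self.lots.setdefault(dst, []).extend(self._take(src, amount, today, False))
    def withdraw(self, user, amount, today):
        # Only settled funds may leave the system; returns the amount paid out.
        return sum(l.amount for l in self._take(user, amount, today, True))
    def flag_fraud(self, deposit_id):
        # Claw back every lot from that deposit wherever it now sits.
        clawed = sum(l.amount for ls in self.lots.values() for l in ls if l.deposit_id == deposit_id)
        for user in self.lots:
            self.lots[user] = [l for l in self.lots[user] if l.deposit_id != deposit_id]
        return clawed
```

Money that has already been withdrawn after its hold expired is not recoverable by flag_fraud; the hold length is what bounds that exposure.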

+1  A: 

Here are some random thoughts:

  • Use the AVS system and only allow cards that pass
  • Use the CVV system and only allow cards that pass (you can't store this value, so it may not work if you need to keep a credit card on file, but it would work for the first transaction)
  • Use an IP location lookup system...oh, I was about to reference the same site you put in (maxmind)
  • Use a pre-auth/post-auth system and do the post-auth a set number of days after the preauth. This lets you still only have one transaction but it lets you test the card twice.

I'll add more later if I think of anything else.

Micky McQuade
Your first two recommendations are not very good. AVS and CVV can fail for legitimate reasons. Declining transactions that fail them will certainly result in good sales being lost. Use them for what they are for: one of many tools that when combined help determine if a transaction is possibly fraudulent.
John Conde
A: 
  • Never accept an expired credit card.
  • Obtain authorization for the full amount of the sale. Declined transactions should not be accepted or split into smaller amounts.
  • Call or fax any large or suspicious orders to ensure the order is legit. If you are unable to reach the customer, you might have intentionally been given incorrect contact information.
  • Be suspicious of high-ticket sales requested to be sent next-day air or if a runner will be in to pick up the purchase at a later time.
  • Use the fraud services offered by the processing bank including AVS (Address Verification) and CVV2. By themselves they aren't proof of fraud but when combined with other tools they help form a complete picture.
  • Be very cautious of any foreign orders. Generally, orders from Asia, the Middle East, and most parts of Africa are considered high-risk.
  • Be wary of orders with domestic billing addresses and foreign shipping addresses. They are usually fraudulent.
  • Be wary of orders for which the customer is willing to pay more for faster delivery.
John Conde
