I'm developing a marketplace website where tutors and students can find each other. I'm building an online payment system (much like elance or guru.com) where the tutor can get paid and we take a cut.

Couple questions:

  1. What's the best way to block IP addresses from certain countries like Nigeria? (Note, I am using Ruby on Rails so any recommendations specific to that would be even better, but if not that's fine too.)

  2. What other techniques can I use besides blocking certain IPs? (I'm already doing AVS and normal gateway checks.)

  3. What common scams do I need to check for?

For example, one I can think of is someone using the system to pay themselves, they receive the funds as payment (minus our fee) and then do a chargeback on the credit card.

I imagine these are similar to problems faced by sites like Paypal or Google Checkout (some call these aggregation sites) since they are taking a small percentage fee - so if the original source of funds is lost it's a huge loss (many times a multiple of the profit involved, unlike normal higher-margin products).

Couple additional notes:

  1. My user accounts already require email validation - this is a bare minimum, I'm looking for something beyond this
  2. There is a 3-5 day waiting period on the direct deposit - this is required by the bank - but still does not answer the question of how to determine during those 3-5 days whether it is fraud or not so it can be canceled
  3. I'd prefer to avoid a solution which punishes the good people along with the bad - such as charging to sign up or having them leave their funds in their account until a withdrawal is requested (like Paypal)

A: 

To block IPs from a specific country, you'll have to figure out what the ranges of IP addresses are from there. Then all you have to do is configure your firewall to deny traffic from those ranges.

Jack BeNimble
+2  A: 

I think there are several ways to add additional layers to disincentivize these acts.

  1. All payments are made by confirmed user accounts (confirmed via email)
  2. Delay in payments based on banks' clearing for 3 - 5 days.
  3. Rather than payments being directly applied to a user's credit card/bank account, it can be stored "online" in a similar way to PayPal, and users must manually request a withdrawal.
  4. For IP blocking, I'd actually go to the server level and an iptables setup. I'm not a sysadmin so I don't know the ins and outs.
  5. I've read about and been part of several sites trying to reduce malicious efforts by instituting a nominal sign-up fee. It surprisingly reduces the level of cretinism present on a site.

In general, where there's a will there's a way. Keep a very close eye on activity on the site and have some systematic rules for flagging that tips site administrators to take a closer look at accounts or activity.

jerebear
+1 on #2. Depending on where you're sending the money, you may need tax forms too (e.g. a W-9 in the U.S.). You could add ID verification to that process potentially. Don't try to do it all through software until you understand your weak points.
runako
I'll second that as well!
jerebear
+1  A: 

For country blocking, you'll want an IP geolocation database, of which there are numerous free and commercial ones available. I recommend evaluating potential candidate databases based on how well they're maintained.

chaos
+1  A: 

Here is what I have done so far, if people have more suggestions please respond:

  1. Set up a "fraud review" flag which, if set, requires someone (me) to look at it manually before the direct deposit funds get sent
  2. If the amount being sent is > $300 then automatic fraud review
  3. If the IP addresses of the tutor's and student's requests are the same, then fraud review
  4. Check their names and addresses and see if they "substantially match" - i.e. they could both have the first name "John", so there is a threshold of how many "matches" constitute a reason to flag for fraud review

The function looks a bit like this (note this doesn't include the code to check the IP addresses):

  # Returns true when the invoice should be held for manual fraud review.
  def fraud_review invoice
    # Rule 2: anything over $300 is always reviewed
    return true if invoice.total > 300

    # Rule 4: try to find out if client and tutor are the same person!
    client = invoice.client
    tutor = invoice.tutor

    # Count how many words of the client's name, card name and street
    # also appear in the tutor's name/street (substring match per word).
    # .to_s guards against nil fields on either record.
    count = 0
    client.full_name.to_s.split.each do |piece|
      count += 1 if tutor.full_name.to_s.include? piece
    end
    client.name_on_card.to_s.split.each do |piece|
      count += 1 if tutor.full_name.to_s.include? piece
    end
    client.street.to_s.split.each do |piece|
      count += 1 if tutor.street.to_s.include? piece
    end

    # Threshold: more than two matching pieces is "substantially matching"
    return true if count > 2
    false
  end
Brian Armstrong
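The rules above, carried through as an added example (not Brian Armstrong's code or the site's own): it adds the same-IP rule the answer says is omitted, matches whole words instead of substrings so "John" does not count against "Johnson", and reports which rules fired so a reviewer can see why an invoice was held. The `Party`/`Invoice` structs and the `last_ip` field are constructed stand-ins for the Rails models.

```ruby
require 'set'

# Constructed stand-ins for the Rails models (hypothetical, not the site's code).
Party   = Struct.new(:full_name, :name_on_card, :street, :last_ip, keyword_init: true)
Invoice = Struct.new(:total, :client, :tutor, keyword_init: true)

REVIEW_AMOUNT   = 300  # dollars; rule 2 from the answer
MATCH_THRESHOLD = 2    # more than this many shared words triggers rule 4

# Normalise a free-text field into a set of lowercase word tokens, so that
# "John" matches "john" but does not match "Johnson" (a substring check would).
def tokens(str)
  return Set.new if str.nil?
  str.downcase.scan(/[[:alnum:]]+/).to_set
end

# How many words the client's name, card name and street share with the tutor's.
def shared_token_count(client, tutor)
  tutor_name   = tokens(tutor.full_name)
  tutor_street = tokens(tutor.street)
  (tokens(client.full_name) & tutor_name).size +
    (tokens(client.name_on_card) & tutor_name).size +
    (tokens(client.street) & tutor_street).size
end

# Returns the rules that fired, in a fixed order; an empty list means no manual review.
def fraud_review_reasons(invoice)
  client, tutor = invoice.client, invoice.tutor
  reasons = []
  reasons << :large_amount     if invoice.total > REVIEW_AMOUNT
  reasons << :same_ip          if client.last_ip && client.last_ip == tutor.last_ip
  reasons << :identity_overlap if shared_token_count(client, tutor) > MATCH_THRESHOLD
  reasons
end

def fraud_review?(invoice)
  !fraud_review_reasons(invoice).empty?
end
```

Persisting the reasons alongside the flag, rather than a bare boolean, is what makes the manual review during the 3-5 day hold quick to do.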