top | item 16942138

Credit card fraud warning signs

302 points | hamstercat | 7 years ago | candyjapan.com

230 comments

[+] rb808|7 years ago|reply
CC fraud is such a big problem, it must be a huge advantage for Amazon. Most of their purchases come from repeat customers that they can be confident exist. Smaller shops have to figure that out nearly every purchase.

I never thought of that before. Maybe there should be a shared central repository of who are known good customers/address/cc combinations, or maybe that is what Stripe etc. do already.

[+] singlow|7 years ago|reply
There are services that do this. Several retail stores I consult for have transaction filtering through an independent fraud detection service which has its own blacklists of hashed CC numbers, emails, and street addresses. They also evaluate the IP address, distance from billing and shipping addresses and a slew of other factors.
[+] janesvilleseo|7 years ago|reply
I once bought a 2k item online from a well-known camera store in the US. I called and asked for a competitor price adjustment. I did end up purchasing it over the phone. A day later I noticed that a fraud specialist from that company looked at my LinkedIn profile. So, yeah, I guess that they do have to figure it out on almost every transaction/customer.
[+] arbuge|7 years ago|reply
Services such as Stripe and PayPal indeed serve as central repositories for fraud intelligence. I imagine that other payment gateways also provide a similar function, though those two are the ones I'm personally familiar with. We've operated a small ecommerce business for almost 8 years and although PayPal fees are probably on the high side, fraud has been a non-issue for us.
[+] skookumchuck|7 years ago|reply
Whenever I travel, I learned the hard way to put a "travel alert" on the credit cards. Otherwise, they may shut them off if suddenly charges start appearing from a foreign country!
[+] splonk|7 years ago|reply
Yes. There are significant beneficial network effects in payment processing.

Back in the day, eBay had ludicrously good fraud rates (and hundreds of engineers working on models, from what I heard). We hired a few people from them and were quite proud to achieve rates in the same ballpark with orders of magnitude less traffic.

[+] hannibalhorn|7 years ago|reply
Living abroad and using a forwarder ... I buy almost exclusively from Amazon just because I know it'll be easy. Pretty much anywhere else, it seems to be a 50/50 chance that they'll just cancel the order, half the time without so much as a notification.
[+] krispbyte|7 years ago|reply
Equifax. But we know how that worked out.

Could a Blockchain/DHT solution work for this? Normalize and hash the data and send it to the network to check its karma. If there's no karma then it's a new customer, otherwise the karma tells if it's a good/bad customer. Then after they buy you add or reduce a karma point.

Would there be a way for someone to reverse/bruteforce the hashes to figure out people's information?
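Added example (not part of the comments above and not any fraud service's code): a sketch of the hashed-blacklist lookup singlow describes, together with krispbyte's question about whether such hashes can be reversed. The key, the e-mail normalisation rule and every sample value are assumptions constructed for illustration.

```python
import hashlib
import hmac
from itertools import product

# Constructed key; in this sketch only the lookup service holds it.
SERVICE_KEY = b"constructed-demo-key"

def normalize_email(raw):
    """Trim, lower-case and drop a +tag so aliases map to one entry (assumed rule)."""
    local, _, domain = raw.strip().lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain

def plain_digest(value):
    """Unkeyed SHA-256: anyone can recompute it for any guess."""
    return hashlib.sha256(value.encode()).hexdigest()

def keyed_digest(value, key=SERVICE_KEY):
    """HMAC-SHA256: recomputing it for a guess requires the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def dictionary_match(digest, candidates, digest_fn=plain_digest):
    """Return the candidate whose digest equals `digest`, or None."""
    for candidate in candidates:
        if hmac.compare_digest(digest_fn(candidate), digest):
            return candidate
    return None

def luhn_valid(number):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_luhn_valid(prefix, suffix, unknown):
    """Count how many fillings of `unknown` hidden digits pass Luhn."""
    return sum(luhn_valid(prefix + "".join(mid) + suffix)
               for mid in product("0123456789", repeat=unknown))

if __name__ == "__main__":
    # Constructed entries; the blocklist stores keyed digests only.
    blocklist = {keyed_digest(normalize_email("alice@example.com"))}
    print(keyed_digest(normalize_email(" Alice+Shop@Example.com ")) in blocklist)
    # A plain digest of a guessable value is matched from a candidate list.
    leaked = plain_digest("alice@example.com")
    print(dictionary_match(leaked, ["bob@example.com", "alice@example.com"]))
    # Luhn leaves one tenth of the fillings: 100 of 1000 for 3 hidden digits.
    print(count_luhn_valid("411111111", "1111", 3))
```

The keyed digest only protects against parties that do not hold the key; in an open network where every participant must compute the digest themselves, each participant can run the same candidate check.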

[+] ohthanks|7 years ago|reply
I periodically deal with recurring fraud from what seems to be a pretty organized network.

- Orders are placed with stolen credentials with correct billing info that matches AVS.

- Ship-to addresses are located near billing info, typically in the same state/metro area.

- They are often rural addresses, trailer parks, what appear to be rent houses that may be empty.

- Phone number provided has correct area code and rings a call center that has stolen billing info available and will confirm billing address order details verbally.

- IP is geolocated at/near the billing info area via a proxy.

- Email addresses are often set up on custom domains.

We catch them, but only because they don't vary the pattern much and we know what to look for. I don't know how fraud tools would be able to effectively filter in these cases without a lot of false positives.

[+] move-on-by|7 years ago|reply
As someone who uses a custom domain email address, this makes me sad
[+] blackice|7 years ago|reply
Another easy & free thing you can use is proxy detection; sites like https://getipintel.net would be beneficial in preventing fraud.
[+] Theodores|7 years ago|reply
I wonder what you have to do to become a target for such a network? I have not seen such behaviour online myself, in fact scam problems have been minimal and only once have I seen a gross picture in the customer service tickets. This was probably deserved though...

At order time I create a Google Map of the delivery address and this shows on checkout success. It also shows in the admin side with a live Google Map. If Google can get the address right then the postman probably can is the thinking.

This reduces delivery problems immensely as anything that cannot be shown on a map goes on automatic hold.

Money wasted on delivering the wrong products to people, e.g. after they have managed to cancel their order, plus the costs of back room accounting/customer service is a far bigger cost than fraud.

In your experience did you have savings to be made in your operation in shipping/customer service, to optimise that before tightening up on fraud prevention?

Or do you sell expensive items in a low-ish volume where a single fraud wipes out all of your profits rather than just cost $20 or so?

[+] corbin|7 years ago|reply
The credit card payment gateway we use has an AVS that proved to miss a sizable amount of fraud, and also identify some legitimate transactions as fraudulent.

We ended up disabling the AVS system and implementing our own internal system which has been nearly perfect - but we still lose a number of legitimate customers who are unable to pass the automated verification.

[+] rwmj|7 years ago|reply
Do you report these to the police? It seems as if the "rent houses" could provide a pretty easy connection back to the criminals.
[+] slivanes|7 years ago|reply
You could use a service that detects if a phone number is prepaid or VoIP.
[+] dawnerd|7 years ago|reply
Fraud prevention can also be extremely annoying to customers when not done correctly. I've yet to be able to buy something from Newegg without them cancelling the order saying it's fraudulent. I'm not sure why they still continue to flag my orders considering I've contacted them every time and they've ended up authorizing it. At least now they don't immediately blame my credit card...

If it was a smaller company and more of an impulse buy I could see a bad system definitely hurting sales. I'd probably not order from Newegg again if they weren't one of the few places that ship hard drives correctly and have reasonable prices.

[+] auganov|7 years ago|reply
Years ago I used up my free DigitalOcean credits, wanted to start paying. They asked for more details which I provided, then asked for my Facebook profile. A pretty unusual request, but I complied. They told me the names don't match up and just won't deal with me anymore. Literally gave me no obvious way to proceed. Felt pretty violating to give up personal info just to get brushed off.

Happily used AWS ever since.

[+] Matheus28|7 years ago|reply
I've had issues mainly with manufacturers' web stores.

Fender apologized and gave me the part number for the exact model I wanted and suggested I try third party stores.

EVGA was annoying. They called me at 10 am to confirm details, put me on a three-way call with my bank and I thought that was it. For whatever reason they tried to call me again the following day but I couldn't answer; when I called them back they told me they cancelled my order. They said my billing details didn't match (simply not true, I've used that address countless times and checked my order confirmation), and that my phone area code didn't match where I lived (no shit, people move...). I decided to just never buy from them again, since there are plenty of other GPU manufacturers.

[+] kentt|7 years ago|reply
Yep, I've spent a lot of money at NewEgg and the tricks I have to employ to get a legitimate order through are constantly changing. It let me use a PayPal account for a while (then said it was fraudulent), then a CC with a US address (then that was fraudulent because it was a Canadian card), then Bitcoin only. I'm guessing the last one should work for a while.
[+] cynicalkane|7 years ago|reply
I have the same problem with IKEA, except their customer service reps lie and tell me it's my bank that blocked the transaction.

This ended up costing me a lot of time as I called my bank, tried the order again, called the bank again, tried different credit cards... eventually I figured out the IKEA reps were just lying, and they had flagged all orders under my name and address without telling me. Infuriating.

[+] ryan-c|7 years ago|reply
I bought a laptop from HP about a year ago, and they canceled my order after shipping it, having FedEx return it to them. I'm still mad about it.
[+] namibj|7 years ago|reply
In Germany we have a system called 'giropay', which is basically instant wire transfer via your online banking. With this system the merchant gets a guarantee from the consumer's bank (as it seems, but I am not sure who in the pipeline eats the cost, as the contracts are ask-only), so that even if there was fraud, he will not lose the money. This does limit it to 10k EUR per transaction, which should be enough. The merchant receives the money within 2 bank days in his account, and the max fees for the merchant are 0.89% with a minimum of 33ct, but volume discounts seem likely.

What I don't understand is why the US was not able to set such a system up, but I assume it's related to the general distaste for chip+pin, as well as any sensible security mechanisms for online banking. Yes, pushTan and mobileTan are usable, but they only work if you have a phone you trust with the deductible applicable in case of phishing, or, if you have actual reason to not trust it, the daily online banking limit.

[+] johnymontana|7 years ago|reply
Banks and credit card companies in the US have a vested interest in ensuring that credit cards are used to purchase goods and services on credit. In 2017 total credit card debt in the US was ~$941 billion.[1] At an average rate of 15%[2] that's $141 billion per year that banks make on credit card debt interest (not counting interest on interest and fees).

[1] https://www.nerdwallet.com/blog/average-credit-card-debt-hou...

[2] https://www.creditcards.com/credit-card-news/interest-rate-r...

[+] LeonidasXIV|7 years ago|reply
> In Germany we have a system called 'giropay', which is basically instant wire transfer via your online banking

I never saw a shop accept these. Most of the time it is a regular wire transfer, sometimes PayPal with fees or via invoice. Nowadays many shops also do credit card.

[+] illustrioussuit|7 years ago|reply
I like how the author doesn't immediately reject orders if they have just one sign (IP address country different from shipping country, shipping to a reshipping center, etc.) but looks at all the indicators as a whole to make a decision.

Edit: isn't this how Stripe Radar[1] works?

[1]: https://stripe.com/us/radar

[+] Raphmedia|7 years ago|reply
From my experience, nothing drives users away faster than a false positive on a fraud check. You immediately lose all trust in the eyes of the users.
[+] zrail|7 years ago|reply
Yes, Stripe Radar will automate most of these checks. They also have the benefit of being able to see other merchants' transactions within their network, which helps when someone tries test transactions across a bunch of different merchants all at the same time from the same IP.
[+] notafraudster|7 years ago|reply
It seems to me like the author doesn't actually do anything programmatically, and instead has few enough orders that they eyeball it and do additional human steps. A good start but not scalable.
[+] DoubleGlazing|7 years ago|reply
My old employer, a phone retailer, would check how long the user had been browsing the site and what they looked at.

We noticed that legit customers tended to take their time on our site. They would look at several pages and not immediately add something to the basket and checkout.

Of course, some legit customers would demonstrate the same pattern particularly when a new phone was launched - but that wasn't too common.

So if the user spent less than five mins on the site before checking out, or if they only looked at one product page, then that order would automatically be flagged for manual review. 60% of those orders were rejected.
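Added example, not part of the comment above and not the retailer's code: the two rules described there (under five minutes on site before checkout, or only one product page viewed) applied to a constructed clickstream. The log format, paths and session ids are assumptions.

```python
from datetime import datetime

# Constructed clickstream, one event per line: "<ISO time> <session> <path>".
SAMPLE_LOG = """\
2018-04-27T10:00:00 s1 /
2018-04-27T10:03:10 s1 /product/phone-a
2018-04-27T10:07:45 s1 /product/phone-b
2018-04-27T10:12:30 s1 /checkout
2018-04-27T11:00:00 s2 /product/phone-a
2018-04-27T11:01:20 s2 /checkout
2018-04-27T12:09:00 s3 /checkout
2018-04-27T12:00:00 s3 /product/phone-a
2018-04-27T13:00:00 s4 /product/phone-b
2018-04-27T13:02:00 s4 /product/phone-c
truncated line
not-a-time s9 /checkout
"""

MIN_BROWSE_SECONDS = 5 * 60  # "less than five mins on the site"

def parse_events(log_text):
    """Return (time, session, path) for well-formed lines, oldest first."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
        except ValueError:
            continue  # skip lines with an unparseable timestamp
    return sorted(events)

def review_flags(log_text):
    """Map each session that reached checkout to its list of review reasons."""
    sessions = {}
    for when, sid, path in parse_events(log_text):
        s = sessions.setdefault(sid, {"first": when, "products": set(), "checkout": None})
        if s["checkout"] is not None:
            continue  # ignore activity after the first checkout
        if path.startswith("/product/"):
            s["products"].add(path)
        elif path == "/checkout":
            s["checkout"] = when
    flags = {}
    for sid, s in sessions.items():
        if s["checkout"] is None:
            continue  # no order placed, nothing to review
        reasons = []
        if (s["checkout"] - s["first"]).total_seconds() < MIN_BROWSE_SECONDS:
            reasons.append("under_5_min")
        if len(s["products"]) <= 1:  # assumption: zero product pages also counts
            reasons.append("single_product_page")
        flags[sid] = reasons
    return flags

if __name__ == "__main__":
    for sid, reasons in review_flags(SAMPLE_LOG).items():
        print(sid, "manual review: " + ", ".join(reasons) if reasons else "ok")
```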

[+] Johnny555|7 years ago|reply
Overaggressive fraud protection can lose customers as well.

I placed an order to be shipped to my new address from a merchant I'd ordered a dozen times before for home and work. 2 days after the day the order was supposed to ship, they suddenly canceled it due to "security reasons".

I've stopped using that merchant.

[+] madamelic|7 years ago|reply
Reshipping centers, I don't want to sound weird, are basically hives of scum and villainy in my opinion.

I was selling something on eBay (a phone) and I got a really weird address; it was a shipping center.

I googled around because I got a strange vibe, apparently, this shipping center had this issue all the time and didn't really care to stop it. I got a horrendous review from the person because I canceled the order and refused to ship it.

I am wondering if fraud is honestly the business model of shipping centers. I can't really think of a good use for them nowadays, especially in a consumer context.

[+] pmtarantino|7 years ago|reply
I use reshipping centers a lot, even if the store ships internationally. There are two main reasons:

1 - I may buy a lot of things from Amazon. It's cheaper to pay US shipping for X times (sometimes they are free) and only one international shipping to my country.

2 - Customs taxes, etc. The company I use for reshipping takes care of everything. I pay them and they deliver the items to my house at the time I ask them to do it. If not, due to the policies of my country's customs, I would have to attend a customs office for every item I purchased, which is a pain in the ass.

Don't discriminate against us, please.

[+] Keverw|7 years ago|reply
Full-time RVers and digital nomads in general use reshipping centers too. In like South Dakota, Nevada, Florida, Texas - they let you use mail forwarders (not a PO Box) on your driver licenses and registration.

So say you order something and not sure when it will ship out, they'll ship it to their mail forwarder and then overnight ship all their packages and box of mail to them when they know they'll be in an area they'll use general delivery to a post office or campground if they allow receiving mail on your behalf there.

If you stayed in an area for a week or two you can have everything sent there, or if you know you'll be passing through X town in a week. You can go ahead and 2 or 3 day ship something there to be ready to pick up once they get into town. Basically they hold everything until you tell them to send it to you.

Some even also will list your envelopes and if you want to request for them to open it and scan it. So if you get an important letter and you are RVing in Utah or all the way in London you can still read your mail.

[+] zeroxfe|7 years ago|reply
Reshipping centers are used heavily by people outside the US to get access to goods sold online. Tons of stores (especially on Amazon) don't ship outside a few select countries, so customers pay a small fee to these reshipping centers to have packages forwarded to them.
[+] 4ad|7 years ago|reply
> Using an inconsistent and unlikely email address [...] By "unlikely" I mean one that no reasonable person would want to have, usually containing a big batch of numbers in it.

This is awful.

I create random e-mail addresses for every online merchant I have to interact with. It's by far the best way to avoid both real spam and "promotional message" spam.

I don't even use my "real" domains, because anybody who knows my name and the domains I use can construct my personal e-mail addresses. I have special domains dedicated to online commerce, and they look pretty random.

[+] reembs|7 years ago|reply
Some companies today offer a fraud prevention solution which is covered, meaning they will pay the merchant for whatever fraud transaction that slips through their systems. These companies employ pretty sophisticated methods as this is their core business. I work at one such company, Forter. We take pride at the fact that we approve more than the others would, and we take complete financial responsibility for our mistakes so merchants just don't have to deal with it...
[+] a-dub|7 years ago|reply
Now that everyone has smartphones, I wonder if you could do something with the camera... like require a photo or video of the physical card in front of some visual token on the screen for orders that don't ship to the billing address on file...
[+] supernova87a|7 years ago|reply
You would think with the amount of value / fraud at stake, Visa/MC/AMEX themselves would invest in fraud detection technology and offer that as a service to their participating banks and merchants.

They have so much more volume and cost absorption capability that they could spin up a much more talented / sophisticated detection group than any individual bank or merchant could, you would think? And charge for it accordingly?

[+] jerzyt|7 years ago|reply
I've had a case of someone walking into a Verizon store, buying 4 new iPhones and charging it to my account. The amazing thing is that between phones, tablets and hot spots, my family has 7 mobile devices. The perpetrator did not upgrade any of the existing phones, but created 4 new phone numbers. This should have been a huge warning sign. I'm 100% convinced that the person at Verizon was in on this. In addition, over the next few days, they've made thousands of dollars in international calls. To Verizon's credit, they were great at resolving the mess for me as an individual customer, but in the end they ate the cost, which means that it got diluted to all the customers.
[+] inetknght|7 years ago|reply
I find it strange that the de-facto thing to do for fraud is to simply not accept the order. Why not report the fraud to authorities instead?
[+] inertial|7 years ago|reply
The bad part of credit card fraud is that the card network, issuing bank & gateways pass on the liability to the small merchant. There is always a looming risk of losing your account & business due to excessive fraud, something over which you have no control at times. If you become over aggressive with fraud protection, you risk not only losing revenue but pissing off genuine customers.

Your gateway would tell you that as a merchant, it's your job & responsibility to accept a charge & related risk of fraud. Well, if big guys handling billions of payments can't catch fraud, it's quite easy for a small guy to miss it as well.

When you are selling a digital product, it's very difficult to win a chargeback. Some low level bank employee hardly cares about your meticulous documentation & proof that you delivered the product.

3D Secure is one way to shift liability to the issuing bank but it only works for the first charge (not recurring subscription). There are lots of reasons for getting hit by incorrect chargebacks, e.g. mistake on part of a customer because they didn't recognize, customer's card getting stolen midway during a subscription, unhappy customer who wants a refund after using your service for months etc.

I wish the industry would side with the merchant as well at times i.e. maybe a rating system to see how easy is the merchant's cancellation / refund policy etc.

[+] mcherm|7 years ago|reply
You know... there is one entity that is reasonably well funded, has incredibly strong capabilities for card fraud detection, and is well motivated to identify the fraud: the credit card companies.

(I work for one, which makes me especially interested in this topic. But I don't work in that particular area, nor do I speak for my employer.)

It makes me wonder whether some sort of collaborative fraud detection might be possible. As the merchant, you have access to additional information that the credit card company lacks -- things like the customer's name and the delivery address are (as this article explains) very helpful in detecting fraud, and these are data that the credit card company does not have access to. And of course the credit card company has access to information like the customer's purchase history and their recent transactions, which are useful for identifying fraud from a different direction. If both sources of data were available, it might be possible to detect a higher percentage of fraudulent purchases, and merchants who ship goods could be provided with the information so they could delay or cancel the shipment.

Do you think merchants would be interested in such a program?

[+] 47|7 years ago|reply
If you really care about your customer you should be worried about false positives. I hope as a business you do not cancel customer orders because your fraud detection system has flagged them.

Depending on your scale you may be using 3rd parties like Sift Science, Stripe Radar or roll your own fraud detection system.

Flagging orders as potential fraud is the easier part these days. The difficult part is how to come up with a process to verify these flagged orders. This process needs to be simple and quick. Because essentially you are saying to your customer we think you are a fraud and can you prove that you're not.

Banks' merchant checks to verify flagged orders are extremely cumbersome. They require you to call a special phone number (which is different for each bank) and provide customer Name, Billing Address, Billing Phone and Credit Information. Then they can only give you a response whether it is a match or not. They can't tell you whether it has been reported stolen or anything else for privacy reasons. At scale this is a very time-consuming process. It becomes even more cumbersome if you are a security-conscious business and do not store customer credit card information. In that case you have to communicate with the customer asking them to call you to provide your credit card information again.

There are solutions like 3D Secure but they are not widely supported and add their own problems. It is high time credit card companies start providing merchants with a 2nd factor check for transactions. For example, maybe once a transaction is placed with a merchant, they can trigger a 2nd factor check whereby the bank automatically sends a code to their email/phone number on file. If the customer is able to provide a correct code the merchant can proceed with the order.

Fraud detection will always remain a point of contention between customers and businesses. I just hope businesses make sensible decisions based on their situation. For example I have seen legitimate customers with all the above cases mentioned in the article.

[+] trumped|7 years ago|reply
Today my bank detected a fraudulent transaction on my CC. They blocked the transaction right away and cancelled my card after confirming it with me... so they probably can prevent a lot of these cases. Very interesting article nonetheless...
[+] rossdavidh|7 years ago|reply
My wife had to learn just about every one of these lessons the hard way in the first few years of running her own (small retail) business. In retrospect, we should have posted the hard-learned lessons online. I'm glad this person did.