‘Don’t Be Victimized by Online Credit Card Fraud — Prevention Tips’ By T.J. Walker
If you are accepting online orders and would like to greatly
reduce your exposure to credit card and check fraud, implementing protective measures
can reduce online fraud by approximately 80%. If you would like to have access to
more tools and techniques to further reduce and automate this fraud prevention, please
consider becoming a member of AntiFraud.Com (http://antifraud.com).
Please note: Some of the techniques contained below require
a working knowledge of .cgi scripts and HTML coding. We cannot provide technical
support or explanations for non-members. However, most competent webmasters will
be able to easily implement these tools and techniques.
This material is adapted from a series of articles written
by the founder of AntiFraud.Com that originally appeared in the online newsletter
The VirtualPromote Gazette.
The Internet is the perfect environment for every crook,
thief, and pickpocket to ply their trade with almost complete anonymity. Being in
the online software business, I have seen a tremendous increase in fraudulent purchases
made with stolen credit card information. In many cases, the thief has more complete
and current information about the actual cardholder than the credit card company.
In some cases, credit card numbers that receive an approval number turn out to be
totally fictitious numbers — based on the algorithm used to produce authentic numbers.
I recently formed an alliance with a large merchant account
provider specializing in providing credit card merchant accounts for Internet and
Home-Based businesses. Through working closely with the credit card companies and
other online merchants, I know the bottom line is this: You, as a merchant, are the
one who is going to get stiffed! The cardholder is not responsible for more than
$50 of fraudulent purchases. The issuing bank of a stolen credit card really doesn’t
care because they will simply charge the merchant back for any fraudulent purchases,
plus a $10-$15 charge back fee. In fact, the issuing banks actually make $50 on these
situations. They get the $50 from the cardholder (the cardholder’s obligation), then
they charge back each and every merchant for all the fraudulent charges.
So why is this situation getting so bad? Technology! Yes,
the very same technology that allows us to have a profitable online business also
allows others to rip us off. The advent of free, web-based, non-ISP e-mail addresses
such as @hotmail.com, @usa.net, @juno.com and the hundreds of e-mail forwarding addresses
afford a credit card thief a perfect veil to hide behind. The free e-mail addresses
can’t be traced back to the real owner; it usually takes a court order to get an e-mail
forwarding service to disclose customer information. For those of us in the software,
subscription or membership business, the e-mail address is the only point of contact
we have. That address is where our products are shipped.
To make matters worse, there are now underground software
programs available that can generate an unlimited number of mathematically valid, yet
fictitious credit card numbers. Combine that with complete anonymity and it spells
big trouble for any business conducting online commerce. In addition, there are newsgroups
out there that actually post stolen credit card data. So someone picks your pocket
now and ten minutes later all your data is available world-wide.
So, what can you, as a merchant, do to protect yourself
— short of not accepting online credit card orders? Over the last few months, my
company has had to establish certain procedures for all online orders:
1. No order is accepted unless complete information is provided
including full address and phone numbers.
2. We no longer accept any order originating from a free,
web-based, or e-mail forwarding address — the customer must provide an ISP or domain
based address: one that can be traced back to a "real" person.
3. Since the list of these types of e-mail addresses is
growing daily, we check every e-mail address by going to a browser and putting a
www in front of the domain. Try this with firstname.lastname@example.org — you will see
that www.cyberdude.com puts you on I-names’ (150+ free e-mail domains) homepage.
We don’t accept orders unless the e-mail/domain is a legitimate website or ISP —
something that can provide definitive identification of the e-mail address in question.
This method is not fool-proof. When in doubt, go to step number 4.
4. If in doubt, we call the phone number listed on the order.
We have alerted many cardholders that their card information was being used by making
this phone call. On the other hand, the party on the other end may have never heard
of the "customer." This results in a call to the issuing bank of the credit
card to alert their fraud department.
5. We use the HTTP_USER_AGENT and REMOTE_ADDR code on all
our order forms. This line works with most form handlers such as FormMail, cgiemail
and others. The exact syntax varies with the form handler, but it provides information
about the computer used to send the order, including the IP address. The IP address
can then be traced to its owner — usually an ISP. You can then contact the ISP System
Administrator and inform them of the illegal activity. Members of AntiFraud.com are
provided an automated way to do this. Check the documentation for your particular
form handler or cgi script for implementation of this input field.
6. Virtual Checks — we receive a great number of orders
via online virtual checks. While this has greatly increased our sales, the same cautions
prevail. Having been burnt a few times, we now call the account holder’s bank and
verify the account number, account holder’s name and current funds to clear the check
before processing the order.
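
Steps 1, 2 and 5 above can be applied automatically by the order-form handler. The following Python code is an added example, not code from AntiFraud.Com or from any form handler named in this article; the field names, the decision labels and the four-entry domain list (a constructed stand-in for the full list the article mentions) are assumptions.

```python
import re

# Constructed sample of free / forwarding e-mail domains; the full list the
# article refers to is not reproduced on the page.
FREE_MAIL_DOMAINS = {"hotmail.com", "usa.net", "juno.com", "cyberdude.com"}
REQUIRED_FIELDS = ("name", "street", "city", "postal_code", "phone", "email")


def email_domain(address):
    """Return the lower-cased domain of an e-mail address, or None if malformed."""
    match = re.fullmatch(
        r"[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\.?", address.strip())
    return match.group(1).lower() if match else None


def is_free_mail(domain):
    """True if the domain or any parent domain (never a bare TLD) is listed."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in FREE_MAIL_DOMAINS
               for i in range(len(labels) - 1))


def screen_order(form, environ):
    """Apply steps 1, 2 and 5; return (decision, reasons, audit_record)."""
    reasons = []
    missing = [f for f in REQUIRED_FIELDS if not form.get(f, "").strip()]
    if missing:
        reasons.append("incomplete: " + ", ".join(missing))
    domain = email_domain(form.get("email", ""))
    if form.get("email", "").strip() and domain is None:
        reasons.append("malformed e-mail address")
    elif domain and is_free_mail(domain):
        reasons.append("free or forwarding e-mail domain: " + domain)
    # Step 5: REMOTE_ADDR is the connecting address as seen by the web server;
    # HTTP_USER_AGENT is supplied by the client, so treat it as a log detail.
    audit = {
        "remote_addr": environ.get("REMOTE_ADDR", "unknown"),
        "user_agent": environ.get("HTTP_USER_AGENT", "")[:200],
        "email_domain": domain,
    }
    if missing or "malformed e-mail address" in reasons:
        decision = "reject"
    elif reasons:
        decision = "ask_for_isp_address"
    else:
        decision = "manual_review"  # steps 3 and 4 are still done by a person
    return decision, reasons, audit
```

In a CGI script, `environ` is `os.environ` and `form` holds the submitted order fields; keep the audit record with the order so the IP address is available if a chargeback arrives later.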
The Front Line of Defense
Isn’t the policy of rejecting orders from free, web-based,
or e-mail forwarding services a little severe?
After receiving several dozen credit card charge backs resulting
from fraudulent orders placed exclusively through free, web-based, or e-mail forwarding
addresses, we established the policy of not accepting orders from any of the over
700 such e-mail domains.
We have NEVER had a fraudulent order placed through a standard,
ISP-based e-mail address. Conversely, EVERY fraudulent order has come through the
free, web-based, or e-mail forwarding services.
Although adding the HTTP_USER_AGENT, REMOTE_ADDR line to
your form handler to capture a "customer’s" IP address helps, sometimes
this information really isn’t very useful. There are several sites that a crook can
log onto before proceeding to any of the web-based e-mail services that offer total
protection of your identity — when you log onto one of these sites — you are reissued
a random IP address and they keep absolutely no logs of this. Hence, I can log onto
one of these sites, go to the hotmail site and send e-mail, or go to a site to buy
something, with absolutely no possibility of being traced.
If someone places an order using a standard, ISP based e-mail
address such as email@example.com, it is fairly easy to track this individual. However,
it is very difficult to track the identity of someone using one of the free e-mail
services — and if they know what they are doing, it is absolutely impossible.
All we are asking for, as a merchant, is positive identification.
Would you accept a check from someone using someone else’s ID? Would you accept a
credit card purchase if someone signed a different name to a charge slip than was
listed on the card? Virtually everyone who has a free, web-based, or e-mail forwarding
address also has a traceable ISP or domain based address. That is the address I accept
for online orders — nothing less.
Has the screening of all orders cut into your sales?
No. The vast majority of people using the free e-mail services
use an ISP to access the Net. Every ISP I know of issues at least one e-mail address
with every account. So firstname.lastname@example.org (which one of my employees, a Mr.
John Smith of 111 main street, recently registered in about 30 seconds) also has
a legitimate, more easily traceable ISP issued address. We simply inform our customers
that we don’t accept orders through free e-mail services and ask them to use their
standard, ISP issued address. We do this by placing a link on our order forms to
the redflag.htm. Members of AntiFraud.Com are provided an automated way to screen
against this ever growing list. Granted, there are some honest folks out there who
really, truly don’t have anything but a Juno.com account — so guess what – they
can call us to place the order (yes, we have caller ID on our phones).
Are there problems with real-time ordering processing?
There are many services out there that offer (for a fee
or percentage) to process your orders in real-time, while the customer is logged
onto the site. The first question you need to answer is whether you need to use such
a service. If you are selling any hard goods that are physically shipped to an address,
the answer is no. Legally, you cannot even charge the customer’s card until the
order has been shipped. However, the option of real-time processing is very attractive
to software vendors or subscription services. This convenience does have its risk.
Many real-time order processors do absolutely no pre-screening
of orders. If the credit card goes through verification, the order is processed and
the "customer" is immediately given a serial number or subscription user
name. You, as the merchant, won’t ever find out about the fraudulent nature of the
order until you receive the chargeback. Yes, these services will tell you they use
the Address Verification Service to ensure the address provided is what the credit
card company has on record, but that does not mean that email@example.com is
the actual owner of that card. I am currently working with a couple of real-time
processing services that are installing the same fraud prevention measures that are
available to members of AntiFraud.com.
The last area of concern is shipping orders out of your
own country. I can sum this up with a few short sentences. Make absolutely, positively
sure that you have a legitimate order before shipping anything, including soft goods,
across the border. Regardless of the circumstances, regardless of the proof you may
have, regardless if you have a signed confession from the crook who stole your goods
through a fraudulent order, if that order went across the border, you can basically
kiss it good-bye. It’s hard enough here in the states to get the proper authorities
to do something about credit card fraud. Try getting the authorities in a foreign
country to pursue such a matter!
To sum up the situation, I believe fraud committed against
merchants conducting online transactions is increasing dramatically, and will continue
to do so. However, there is no need to panic. While many years ago it was safe in
most places to leave your house with the doors unlocked, that is no longer true.
While only six months ago it was safe to blindly accept any online order, that is
no longer true. But, like locking the doors to your house, protecting yourself from
online fraud is really not that big a deal. Some common sense, and a few specialized
tools, policies and techniques usually will do the trick.
Thwarting More Advanced Thieves, and Those From Abroad
I have recently seen an increase in the number of fraudulent
orders originating from European Educational Institute domains. This is probably
being conducted by college student/hackers who gain access to the school’s e-mail
On these types of orders, call your credit card processor,
give them the first 6 digits of the card number and ask for the name and phone number
of the issuing bank. If you receive an order from Romania and the Card is issued
by the "First National Bank of Chicago," I would think twice about processing
Unfortunately, this type of fraud is ever-changing, ever-evolving.
You circumvent one method and they discover a new one. I will post relevant news
to AntiFraud.com as new trends become visible. To be instantly updated with this
news, please consider becoming a member of AntiFraud.Com. On one front — the site
we have been working on is up and ready to assist you. But on the other front, it
seems certain criminals out there are getting a little smarter when it comes to committing
online fraud. If I didn’t know better, I would swear these guys must have read my
previous articles and have adjusted their methods to compensate.
However, there is no reason to panic. In any criminal activity
there are usually three classes of perpetrators. First, you have your rank amateurs
who are easily thwarted with simple precautions. Then you have "small-time hoods"
who, while a little more proficient than the rank amateurs, are not much more of
a threat. Then you have the professionals. These guys do this for a living and have
enough smarts to outwit the precautions that deter the others. Fortunately, their
numbers are few.
You may recall some of my previous suggestions for preventing
the majority of online fraud. We no longer accept any orders from a free, or web-based,
or e-mail forwarding address. This list is currently over 1500. Secondly, unless
we recognize the e-mail domain as being from one of the large ISP’s such as ibm.net,
mci2000.com, earthlink.net, etc., we always go to a browser and put a "www."
in front of the e-mail domain to look at the website associated with that domain.
We make a determination from there where to check further. We also use coding on
our order forms that captures the IP address of the sender.
So how has the game changed? We have encountered 3 different
cases of this during the last two weeks. I am not making any accusations nor condemnations,
nor am I suggesting that you refuse to accept orders from the individual cited in
the example below. I am merely stating facts as we discovered them. You will have
to draw your own conclusions. OK — my lawyers say I can continue now:
On February 21, 1998 at 1:53a.m. EST, an individual placed
an order for our Web Promotion Spider software using the name of Alex Williams from
Nashville, Tennessee. "Alex" placed his order using a Master Card and the
e-mail address of firstname.lastname@example.org. Since this is neither a free nor an ISP based
e-mail address, I went to http://www.dknight.com. As of Sunday, March 01, 1998, the
page had nothing more than an "under construction, come back later" notice.
This made me a little uneasy so I quickly went to
to do a WhoIs on the domain name of "dknight.com". I quickly
found this domain is registered to a Mr. Fahad Al Blehed with both phone and fax
numbers of 000-000-0000. This made me even more uneasy so I used the same form to
WhoIs the IP address he was using at the time he placed the order. You know, it’s
funny, the IP address of 184.108.40.206 belongs to the PTTNET Dialup Network — out
of Moscow, Russia.
Now, you can call me paranoid or overly suspicious, but
I sort of doubted that Mr. "Alex Williams" of Nashville, TN, was over in
Russia placing an order for web promotion software for a site that barely existed.
A quick call to VISA/Master Card security confirmed the card number provided belonged
to neither "Alex Williams" nor "Fahad Blehed." The card was immediately
put on hold while the actual card holder could be contacted and, needless to say,
I did not process the order.
Had I processed the order, I would have been out not only
the $100 software but also a $15 chargeback fee when the actual card holder disputed
all the charges. So, was all the extra effort worth it? It took me less than 3 minutes
to complete all the steps above, including the call to VISA. I saved $115 plus
a blemish on my merchant account record. Let’s see, $115 for 3 minutes of work, that
works out to $2,300 per hour. My corporate attorneys barely make that much.
In another case, we received an order from a email@example.com.
This domain belongs to a Mr. Chong Shihwai of Shihwai Networks located in West Caldwell,
NJ. Unfortunately, there is no such person. However, the individual that does live
at the WhoIs-identified address for this domain has received over a half-dozen invoices
from Internic for domains the real culprit has registered and is using as fronts
to commit credit card fraud. In our case it was a stolen VISA card from Australia.
The poor guy in West Caldwell has received hundreds of phone calls from merchants
trying to track down Mr. Shihwai.
As a side note, I went the extra step in all these cases
and contacted the System Administrators of both the hosting services and the ISPs
to alert them to the illegal activity being conducted by these individuals. Hopefully,
I stopped them from victimizing too many other merchants.
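
The cross-checks made by hand in these cases (who owns the sending IP address, where the card was issued, whether the domain's WhoIs phone number is real) can be compared against the billing address in code. This is an added example, not part of the original article; the lookup tables, country codes, card prefixes and field names are constructed stand-ins for the answers WhoIs and the card processor would give.

```python
import ipaddress

# Constructed stand-ins for the manual lookups: IP WhoIs (network -> owner
# country) and the processor's answer for a card's first six digits.
IP_WHOIS = {
    ipaddress.ip_network("198.51.100.0/24"): "RU",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}
ISSUER_BY_PREFIX = {"000000": "US", "999999": "AU"}


def ip_country(addr):
    """Country of the most specific listed network containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, cc) for net, cc in IP_WHOIS.items() if ip in net]
    return max(hits)[1] if hits else None


def placeholder_phone(phone):
    """True for numbers such as 000-000-0000: too short or one repeated digit."""
    digits = [c for c in phone if c.isdigit()]
    return len(digits) < 7 or len(set(digits)) == 1


def cross_check(order, domain_whois):
    """Return the inconsistencies between an order and the lookup results."""
    flags = []
    billing = order["billing_country"]
    seen_from = ip_country(order["remote_addr"])
    # Only the first six digits of the card are needed for the issuer lookup.
    issuer = ISSUER_BY_PREFIX.get(order["card_number"][:6])
    if seen_from is None:
        flags.append("IP owner unknown")
    elif seen_from != billing:
        flags.append(f"order sent from {seen_from}, billing address in {billing}")
    if issuer is None:
        flags.append("issuing bank unknown: ask the processor")
    elif issuer != billing:
        flags.append(f"card issued in {issuer}, billing address in {billing}")
    if placeholder_phone(domain_whois.get("phone", "")):
        flags.append("domain registrant phone is a placeholder")
    return flags
```

Any flag is a reason to hold the order and make the phone calls described above, not proof of fraud on its own.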
Review all the steps we use on our AntiFraud.Com site. Take
an extra step or two if you are at all suspicious. You might save yourself and many
others from getting burnt by these guys. If you would like additional tools and technology
to automate these techniques, please consider becoming an active member of AntiFraud.Com.
And, be careful out there.
As originally published in the
VirtualPROMOTE Gazette (www.virtualpromote.com). Reprinted