September 1st, 2005 by Jamie Estep
What does a fraudulent transaction look like?
Nearly every online business will run into a visitor that is trying to make fraudulent purchases on their website at some point. Hopefully the transaction or situation can be identified and corrected before it ever becomes a real problem.
Unfortunately, fraud has become synonymous with online business. There are so many ways that fraud can be committed through a website, with several desired outcomes for fraudsters. Not all fraudulent transactions are made to obtain merchandise. Card testing is another problem that some merchants face, where the transaction is not meant to obtain goods.
It is important for merchants to be able to identify fraudulent situations and purchases before there is ever a shipment of products. Voiding a transaction is far easier to do than obtaining merchandise lost to a fraudulent transaction.
Businesses will always suffer more from fraud than consumers!
Let's face it. Merchants will lose every time fighting a fraudulent order chargeback that was successfully processed through their business. Credit card fraud regulations are designed to protect the consumer and only the consumer. Businesses have very little recourse if they process a fraudulent order and ship the product. The best method to fight fraud is to prevent fraud. To do this, merchants need to take a proactive approach to combating credit card fraud.
The 2 main types of fraud that merchants face while doing business online are card testing and fraudulent orders.
Card Testing (or Carding):
Card testing is a type of fraud that many merchants are not aware of. It can have devastating effects on a business even though the business may never ship out any merchandise due to a fraudulent transaction. Card testing is the systematic testing of credit card numbers, in pursuit of finding a valid credit card number / expiration date combination. Card testing can be spotted by observing a large number of declined transactions through a payment gateway, usually in a sequential and consistent pattern. Many declined transactions followed by an approved transaction for a single user can also be card testing. Card testing is usually done with small amounts. The tester only wants to find valid numbers, and is not after tangible goods, yet.
Card testing can be very costly to a business. Most businesses are charged for every transaction, declined or approved, that they attempt. Card testers can attempt thousands or even tens of thousands of tests in a day. At about $.25 / transaction, it can get extremely expensive. Visa and MasterCard also monitor gateway addresses that have huge numbers of declines on them for the same reason. Allowing the continuance of a card tester can ultimately lead to a merchant being shut down, even if the merchant had no idea it was happening.
Card testing has 2 different phases. Phase 1 is trying to find a real card number. Phase 2 is finding an expiration date to match the card number previously found.
By using the Luhn algorithm, a tester can produce a list of valid credit card numbers. The next step is to test these numbers to see if the card is real. Once the tester finds a real card, they submit expiration dates until the card is approved. The tester builds a computer script to place automated queries into a merchant’s payment gateway. These scripts can be very complex and some can foil fraud detection software.
Card testing is reliant on 2 factors of an online payment gateway. Removal of either of the 2 factors will completely prevent the effectiveness of card testing. First, the merchant’s website must give different responses for declined cards based on the decline reason. This is key, as a tester needs to know why the card was declined: was it a bad number or a bad expiration date? Secondly, the tester needs to be able to get an approval without a valid address.
Once the script finds a valid card number but gets a wrong expiration date response, the card tester then tests expiration dates until he gets one that matches. Now he has a valid credit card number and expiration date.
Preventing Card Testing:
Preventing card testing is fairly simple. Monitor the declined and approved transactions processed through your gateway daily. Make sure that the payment gateway’s decline response is the same no matter what the reason for a decline is. Finally, make sure that a valid verified address is required before approving a transaction. These three steps will prevent card testing almost entirely.
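The first two steps above, sketched as an added example that is not part of the original article: a daily check of the gateway log for bursts of declines from one source (and an approval that follows the burst), plus a single customer-facing message for every decline. The log layout, result codes, thresholds and function names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (time, source IP, card token, gateway result).
# Result codes and field layout are assumptions, not a real gateway format.
SAMPLE_LOG = [
    ("2005-09-01T10:00:00", "203.0.113.7", "card-A", "invalid_number"),
    ("2005-09-01T10:00:20", "203.0.113.7", "card-B", "invalid_number"),
    ("2005-09-01T10:00:40", "203.0.113.7", "card-C", "invalid_number"),
    ("2005-09-01T10:01:00", "203.0.113.7", "card-D", "bad_expiry"),
    ("2005-09-01T10:01:20", "203.0.113.7", "card-D", "bad_expiry"),
    ("2005-09-01T10:01:40", "203.0.113.7", "card-D", "approved"),
    ("2005-09-01T10:05:00", "198.51.100.20", "card-X", "bad_expiry"),
    ("2005-09-01T10:06:00", "198.51.100.20", "card-X", "approved"),
]

GENERIC_DECLINE = "Your payment could not be processed."

def customer_message(result):
    """Same text for every decline, so the response never reveals the reason."""
    return "Approved" if result == "approved" else GENERIC_DECLINE

def find_card_testing(log, window=timedelta(minutes=10), min_declines=5):
    """Flag sources with a burst of declines, and approvals that follow it."""
    by_source = defaultdict(list)
    for ts, src, card, result in log:
        by_source[src].append((datetime.fromisoformat(ts), card, result))
    alerts = {}
    for src, txns in by_source.items():
        txns.sort(key=lambda t: t[0])
        recent = []  # declines still inside the sliding window
        for when, card, result in txns:
            recent = [d for d in recent if when - d[0] <= window]
            if result != "approved":
                recent.append((when, card))
                if len(recent) >= min_declines:
                    a = alerts.setdefault(
                        src, {"declines": 0, "cards": set(), "approved_after": []})
                    a["declines"] = max(a["declines"], len(recent))
                    a["cards"].update(c for _, c in recent)
            elif len(recent) >= min_declines:
                # Approval right after a decline burst: treat the card as compromised.
                alerts[src]["approved_after"].append(card)
    return alerts

if __name__ == "__main__":
    for src, a in find_card_testing(SAMPLE_LOG).items():
        print(src, a["declines"], sorted(a["cards"]), a["approved_after"])
```

An approval listed under `approved_after` is a transaction to void and a card to report, since it was most likely found by the testing run; the customer who mistyped an expiration date once is not flagged.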
A fraudulent order is when a person illegally orders something on a stolen card in order to actually receive a product. The thief may have drop off addresses where they can pick up a delivery anonymously.
Fraudulent orders can be very costly because a merchant is set up to lose their shipped goods and later lose again when the real card owner charges back the fraudulent purchase. Most fraudulent orders are never recovered after they are shipped.
Preventing Fraudulent Orders:
Fraudulent orders are more difficult to stop than card testing, but through analyzing orders that are processed through a website most can be eliminated. Fraudulent orders have the tendency to look abnormal compared to a normal order. Whether a large amount, requesting expedited shipping, strange shipping addresses, or other factors, most fraudulent orders are different than normal, and thus stand out when compared to regular orders.
Common Fraudulent Order Flags:
- Abnormally High Ticket Price.
- Different Shipping and Billing Addresses.
- Orders from Nigeria, Anywhere in Africa, Indonesia, the Philippines, or foreign orders in general.
- Requesting Expedited Shipping.
- Offering More Than the Listed Price for the Product.
- Unusual Quantity or Type of Product Ordered.
- Free Email Address (hotmail, gmail, yahoo, etc.).
- Fake Sounding Name (Ex: Rickey Rickerson).
- Persons Requesting a List of Products From You First.
- Incorrect or Fake Phone Number.
Always use AVS and CVV/CV2/CVC (Card Verification) on every transaction you process. This will at the very least guarantee that the card holder has the card, and it is being billed to an address registered to the card.
If possible, check each order that is processed through your website. If you come across a suspicious order, call the customer to verify who they are. If the order is extremely large or talking to them is unconvincing, ask them to fax you a copy of their driver's license and a signed invoice. These may be a small inconvenience to some of your customers, but the cost of fraud to your business is far greater than the cost of taking the extra steps. Most customers are happy to verify information with you, as preventing fraud is a concern of theirs as well.
Also, if you can, require a signature with every package that you ship. A signature is the only way to prove delivery.
If a fraudulent order is successfully placed through your website, ‘YOU’ are the last defense. Remember that the perfect customer also fits the profile of someone ordering fraudulently.