Information on Merchant Accounts,
Ecommerce and Credit Card Processing

September 1st, 2005 by Jamie Estep

What does a fraudulent transaction look like?

Filed in: Ecommerce, Fraud, Guides, Merchant Accounts, My Favorite Posts | 10 comments

Card Fraud

Nearly every online business will run into a visitor that is trying to make fraudulent purchases on their website at some point. Hopefully the transaction or situation can be identified and corrected before it ever becomes a real problem.

Unfortunately, fraud has become synonymous with online business. There are so many ways that fraud can be committed through a website, with several desired outcomes for fraudsters. Not all fraudulent transactions are made to obtain merchandise. Card testing is another problem that some merchants face, where the transaction is not meant to obtain goods.

It is important for merchants to be able to identify fraudulent situations and purchases before there is ever a shipment of products. Voiding a transaction is far easier to do than obtaining merchandise lost to a fraudulent transaction.

Businesses will always suffer more from fraud than consumers!
Lets face it. Merchants will lose every time fighting a fraudulent order chargeback that was successfully processed through their business. Credit card fraud regulations are designed to protect the consumer and only the consumer. Businesses have very little recourse if they process a fraudulent order and ship the product. The best method to fight fraud is to prevent fraud. To do this, merchants need to take a proactive approach to combating credit card fraud.

The 2 main types of fraud that merchants face while doing business online are card testing and fraudulent orders.

Card Testing (or Carding):
Card testing is a type of fraud that many merchants are not aware of. It can have devastating effects on a business even though the business may never ship out any merchandise due to a fraudulent transaction. Card testing is the systematic testing of credit card numbers, in pursuit of finding a valid credit card number / expiration date combination. Card testing can be spotted by observing a large number of declined transactions through a payment gateway, usually in a sequential and consistent pattern. Many declined transactions followed by an approved transaction for a single user can also be card testing. Card testing is usually done with small amounts. The tester only wants to find valid numbers, and is not after tangible goods, yet.

Card testing can be very costly to a business. Most businesses are charged for every transaction, declined or approved, that they attempt. Card testers can attempt thousands or even tens of thousands of tests in a day. At about $.25 / transaction, it can get extremely expensive. Visa and MasterCard also monitor gateway addresses that have huge numbers of declines on them for the same reason. Allowing the continuance of a card tester can ultimately lead to a merchant being shut down, even if the merchant had no idea it was happening.

Card testing has 2 different phases. Phase 1 is trying to find a real card number. Phase 2 is finding an expiration date to match the card number previously found.

By using the Luhn algorithm, a tester can produce a list of valid credit card numbers. The next step is to test these numbers to see if the card is real. Once the tester finds a real card, they submit expiration dates until the card is approved. The tester builds a computer script to place automated queries into a merchant’s payment gateway. These scripts can be very complex and some can foil fraud detection software.

Card testing is reliant on 2 factors of an online payment gateway. Removal of either of the 2 factors will completely prevent the effectiveness of card testing. First, the merchant’s website must give different responses for a declined cards based on the decline reason. This is key, as a tester needs to know why the card was declined, was it a bad number or bad expiration date. Secondly the tester needs to be able to get an approval without a valid address.

Once the script finds a valid card number, but getting a wrong expiration date response, the card tester then tests expiration dates until he gets one that matches. Now he has a valid credit card number and expiration date.

Preventing Card Testing:
Preventing card testing is fairly simple. Monitor the declined and approved transactions processed through your gateway daily. Make sure that the payment gateway’s decline response is the same no matter what the reason for a decline is. Finally, make sure that a valid verified address is required before approving a transaction. These three steps will prevent card testing almost entirely.

Fraudulent Orders:
A fraudulent order is when a person illegally orders something on a stolen card in order to actually receive a product. The thief may have drop off addresses where they can pick up a delivery anonymously.

Fraudulent orders can be very costly because a merchant is setup to lose their shipped goods and later lose when the real card owner charges back the fraudulent purchase. Most fraudulent orders are never recovered after they are shipped.

Preventing Fraudulent Orders:
Fraudulent orders are more difficult to stop than card testing, but through analyzing orders that are processed through a website most can be eliminated. Fraudulent orders have the tendency to look abnormal compared to a normal order. Whether a large amount, requesting expedited shipping, strange shipping addresses, or other factors, most fraudulent orders are different than normal, and thus stand out when compared to regular orders.

Common Fraudulent Order Flags:

  • Abnormally High Ticket Price.
  • Different Shipping and Billing Addresses.
  • Orders from Nigeria, Anywhere in Africa, Indonesia, the Philippines, or foreign orders in general.
  • Requesting Expedited Shipping.
  • Offering More Than the Listed Price for the Product.
  • Unusual Quantity or Type of Product Ordered.
  • Free Email Address (hotmail, gmail, yahoo, etc.)
  • Fake Sounding Name (Ex: Rickey Rickerson).
  • Persons Requesting a List of Products From You First.
  • Incorrect or Fake Phone Number

Always use AVS and CVV/CV2/CVC (Card Verification) on every transaction you process. This will at the very least guarantee that the card holder has the card, and it is being billed to an address registered to the card.

If possible, check each order that is processed through your website. If you come across a suspicious order, call the customer to verify who they are. If the order is extremely large or talking to them is unconvincing, request them to fax a copy of their drivers license to you, and a signed invoice. These may be a small inconvenience to some of your customers, but the cost of fraud to your business is far greater than not taking the extra steps. Most customers are happy to verify information with you, as preventing fraud is a concern of theirs as well.

Also if you can, require a signature with every package that you ship. A signature is the only way to prove proof of delivery.

If a fraudulent order is successfully placed through your website, ‘YOU’ are the last defense. Remember that the perfect customer also fits the profile of someone ordering fraudulently.

Reference Blog Posts:
Credit card verification numbers
Reasons For Credit Card Chargebacks

10 Responses to “What does a fraudulent transaction look like?”

  1. WebtrafficJunkie February 10, 2006 at 11:19 am

    This is an awesome article. I learned a lot of great tips and pointers that will help prevent fraudulent transactions. Thanks for the information and keep up the great work!!

  2. Michael Dwyer September 5, 2006 at 1:49 pm

    “Always use AVS and CVV/CV2/CVC (Card Verification) on every transaction you process. This will at the very least guarantee that the card holder has the card, and it is being billed to an address registered to the card.”

    This provides no guarantee of this at all. Someone who presents a valid CVV only proves that they have a valid CVV. It suggests that they did NOT skim the card from carbons (which doesn’t happen much anyway), and possibly stole the entire card.

    CVV may protect you, the merchant, however. It transfers the burden of proof over the the credit card owner.

  3. Barry Holt Blank September 23, 2006 at 3:15 pm

    Merchants should also be aware that a rogue employee may possibly produce unauthorized credits to their personal credit card account at the expense of the merchant.

  4. Fraudulent OrderVictim September 28, 2006 at 2:47 pm

    As a merchant, I am a victim of a fradulent order. My Card Processor accepts the transaction even if the CVV and AVS fail – These systems are in place to protect everyone, and yet they don’t use them, leaving me out in the cold, stuck with a huge chargeback.

  5. jestep September 28, 2006 at 2:56 pm

    As a merchant, I am a victim of a fradulent order. My Card Processor accepts the transaction even if the CVV and AVS fail – These systems are in place to protect everyone, and yet they don’t use them, leaving me out in the cold, stuck with a huge chargeback.

    How are you accepting your credit cards? If you are using a payment gateway, there should be a method to specify to decline all AVS mismatches or errors. Even the use of both AVS and CVV don’t prevent fraudulent transactions entirely. I do feel for your loss, and I know how frustrating it is. We probably get about 5 fraudulent orders per week, and maybe one or two get through per year. I hate to say that it’s a part of doing business because that is unacceptable, but it really is a part of doing business.

    The reason that a processor doesn’t stop non-AVS transactions on their end is that there are circumstances where businesses don’t want or need to use AVS. There are also AVS errors, and other miscellaneous issues that can create problems for legitimate transactions. It is up to a merchant to make sure that AVS is being used.

  6. […] single response for any decline, AVS mismatch, error or otherwise because it eliminated one of the lesser-known types of online fraud. Card testing is not something that should be overlooked, because it can have severe consequences […]

  7. dan May 10, 2008 at 4:47 am

    Congrats, this is the best page on the net explaining fraud practices. See some examples of everyday fraud in our database Even with valid 3D-Secure payment we get some every month. Merchants risk to loose their contract with VISA or MC. AMEX is by the way now suddenly the most risky payment form and no more so welcome. I wonder what they plan to not go under..

  8. […] CVV does actually deter and prevent fraud for unattended situations. It can completely eliminate card testing (carding), and does ensure that your customer had the physical card in their hand at some point. The same […]

  9. […] through August 2009, £500 million of an estimated £46 billion of shoppers money was recorded as fraudulent transactions. To visualize these alarming statistics, I thought it would be interesting to geotag the postcodes […]

  10. tony sickler January 20, 2010 at 12:18 am

    I cancelled a membership one month ago and i’m still getting bill.