View Full Version : Credit Card Fraud
xhilr8
May 15th, 2002, 08:50 AM
I'm sure most of you resellers have experienced the problem of credit card fraud. There is this one particular customer that constantly tries to place orders on my site with false credit card details. While this is picked up by our credit card processor, it is starting to be a burden from sifting through the "false" order forms.
Does anyone have any ideas on how to stop this person from even entering my site? I know it sounds kinda difficult to do so, but to at least minimise the risks? I do have his IP address and all I know is that he/she is using a computer from Seoul, Korea.
Any ideas?
22host
May 17th, 2002, 05:49 AM
Ban his IP from the order page. Simple as that really. You can use any sort of scripting you like ASP/PHP, and redirect to another page stating that they are banned.
James
xhilr8
May 17th, 2002, 07:46 AM
The problem is that his IP is dynamic so I can't ban a single IP address. Unless I ban a whole country!!
22host
May 17th, 2002, 09:46 AM
Ah... you should be able to ban his IP block though. Do you have server control?
James
wowewo
May 31st, 2002, 11:22 PM
You may have a larger volume of accounts than I have but there are a few things you can do without banning any IPs. Probably the best is automatic verification of credit card details. Unless this fraudulent customer has all the details of the credit card including billing address the order won't even make it through your system to burden any employees who have to weed the good from the bad. I think this is the best method.
I have a variation which is more manual but offers more control. The first thing that happens when accounts are requested is billing. I, or one of my very helpful assistants, go to a page on the internet, which I could use in the above manner but choose not to, and enter in their credit card info. If it is rejected I CALL (I SAID CALL) the supposed customer. It's easy to give bogus e-mail addresses. It's hard to give bogus phone numbers.
I personally *try* to call and welcome all new customers. Using the phone is a powerful tool. I think we have all had our share of attempted frauds. It was funny because my first one happened the very same day I began to do any kind of serious advertising. I was hoping that wouldn't be a sign of things to come and it wasn't. I can say I've had only 10 attempts in 5 years and all were caught.
insiderhosting
Jun 1st, 2002, 01:58 PM
While calling your clients is a great thing, I think that when you get a good amount of signups per day, that is not something that is feasible, coupled with the normal workload. There is also a large cost to this as well, unless you cater to a certain market like only US customers or only Canadian customers, or whatever country you are from. Once you start getting international customers, that is when calling becomes very expensive.
There are many things that you can do to work around the banning of an IP or an IP range.
Ban free e-mail accounts for signups, as they must use ISP e-mail
Run an arin whois on the IP that signed up.
Run a trace on the IP
Check whois records if domain is already registered, and many more.
-Steven
Jaiem
Jun 1st, 2002, 10:25 PM
Address verification in CC processing is based on the numbers in the customer's address, not the full address. So a fraudulent order could use the right numbers and still be a wrong address but you wouldn't know at the time of charging them.
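The numeric-only matching described in the post above, as an added example that is not part of the original thread. It is a simplified model of the issuer-side comparison using the common Y/A/Z/N response codes; the function names and the sample addresses are constructed for illustration.

```python
import re

def street_number(street):
    """First run of digits in the street line (e.g. '123' from '123 Main St')."""
    m = re.search(r"\d+", street)
    return m.group(0) if m else ""

def zip5(postal):
    """First five digits of the postal code, ignoring any non-digits."""
    return re.sub(r"\D", "", postal)[:5]

def avs_code(on_file, submitted):
    """Simplified comparison: Y = both match, A = address only, Z = ZIP only, N = neither."""
    num_a, num_b = street_number(on_file["street"]), street_number(submitted["street"])
    addr_ok = num_a != "" and num_a == num_b
    zip_a, zip_b = zip5(on_file["zip"]), zip5(submitted["zip"])
    zip_ok = zip_a != "" and zip_a == zip_b
    if addr_ok and zip_ok:
        return "Y"
    if addr_ok:
        return "A"
    if zip_ok:
        return "Z"
    return "N"

def text_differs(on_file, submitted):
    """True when the non-numeric street text differs, which this check never sees."""
    words = lambda s: re.sub(r"[\d\W]+", " ", s).strip().lower()
    return words(on_file["street"]) != words(submitted["street"])

# Constructed sample data: the cardholder record and four submitted billing addresses.
ON_FILE = {"street": "123 Main Street", "zip": "90210"}
ORDERS = {
    "genuine":      {"street": "123 Main Street",  "zip": "90210"},
    "wrong_street": {"street": "123 Nowhere Blvd", "zip": "90210-1234"},
    "wrong_number": {"street": "77 Main Street",   "zip": "90210"},
    "all_wrong":    {"street": "9 Elm Rd",         "zip": "10001"},
}

def report():
    """Map each order name to (AVS code, whether the street text actually differed)."""
    return {n: (avs_code(ON_FILE, o), text_differs(ON_FILE, o)) for n, o in ORDERS.items()}

if __name__ == "__main__":
    for name, (code, differs) in report().items():
        print(f"{name:13s} AVS={code} street_text_differs={differs}")
```

The `wrong_street` order returns the same `Y` as the genuine one, so a full match is better treated as one signal among several than as proof of the billing address.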
ideadman
Jun 20th, 2002, 10:25 AM
One thing you may want to do is see if he is using the same kind of card each time, like if he selects Visa or Mastercard. Call the company and see if they are CC numbers that have been sent out in the mail and waiting to be turned on. I know of people that have been using card numbers that were not activated yet and they are fined large sums of money or even put in jail.
wowewo
Jul 8th, 2002, 10:17 PM
Well someone was listening to this post because since I posted it I have been getting fraudulent orders almost every day. Someone wanted to test my theory and I got lazy and didn't call everyone. One or two orders slipped through. They are all cancelled now and all the customers have been notified.
The odd part is this criminal used the same IP most of the time. I hope he is on cable or DSL because I reported him to the police. Maybe he will make it on the stupid criminal show.
Is there any other logging that can be performed? Some kind of thumbprint the computer leaves? IPs change but computer names don't. I wonder if it is possible to log the name of the computer or something unique to the computer; this will aid us in repeat fraudulent orders.
In any case I will still have to call my customers. It is very expensive, but so would giving access of your server to a hacker or spammer that will only take advantage of your server and harm your reputation.
Tommy
Jul 10th, 2002, 03:03 AM
Seems like the culprit is doing it from the same machine each time. I don't know about other details you can log but you could also grab some more info from the HTTP headers. The more you have the better. I know it's not totally unique info but the browser info would give you something that looks like this:
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
More on browser detection here : http://www.htmlgoodies.com/beyond/msiepage.html
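One way to use the logged headers together with the IP block when the address itself is dynamic, as an added example that is not part of the original thread. The function names, the /16 grouping, the decline threshold and the sample attempts are assumptions made for illustration.

```python
import hashlib
import ipaddress
from collections import defaultdict

def soft_fingerprint(ip, headers, prefix_len=16):
    """Hash of the IP block plus two request headers; a soft key, not a unique ID."""
    block = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    parts = [str(block), headers.get("User-Agent", ""), headers.get("Accept-Language", "")]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:16]

def repeat_decliners(attempts, min_declines=3):
    """Map fingerprint -> distinct source IPs for keys with enough declined orders."""
    seen = defaultdict(list)
    for a in attempts:
        if a["declined"]:
            seen[soft_fingerprint(a["ip"], a["headers"])].append(a["ip"])
    return {fp: sorted(set(ips)) for fp, ips in seen.items() if len(ips) >= min_declines}

# Constructed sample data (documentation-style addresses, not real log lines).
UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
KO = {"User-Agent": UA, "Accept-Language": "ko"}
EN = {"User-Agent": UA, "Accept-Language": "en-us"}
ATTEMPTS = [
    {"ip": "203.0.113.7", "headers": KO, "declined": True},
    {"ip": "203.0.45.19", "headers": KO, "declined": True},
    {"ip": "203.0.200.2", "headers": KO, "declined": True},
    {"ip": "203.0.9.9", "headers": KO, "declined": False},    # approved order, ignored
    {"ip": "198.51.100.4", "headers": EN, "declined": True},  # single decline, below threshold
]

if __name__ == "__main__":
    for fp, ips in repeat_decliners(ATTEMPTS).items():
        print(f"review queue: fingerprint {fp} declined from {ips}")
```

Because many legitimate visitors share the same browser string, a hit here is better routed to manual review than used as an automatic ban.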
wowewo
Jul 12th, 2002, 08:46 PM
Oh I've logged all that, printed it and passed it on to the FBI. http://www1.ifccfbi.gov/index.asp
IZone
Jul 28th, 2002, 08:21 AM
Originally posted by xhilr8
I'm sure most of you resellers have experienced the problem of credit card fraud. There is this one particular customer that constantly tries to place orders on my site with false credit card details. While this is picked up by our credit card processor, it is starting to be a burden from sifting through the "false" order forms.
Does anyone have any ideas on how to stop this person from even entering my site? I know it sounds kinda difficult to do so, but to at least minimise the risks? I do have his IP address and all I know is that he/she is using a computer from Seoul, Korea.
Any ideas?
Need to ban his IP block. There are no two ways around it. Get yourself a good htaccess file if you're on Unix/Apache. Here's mine if you'd like to modify it. I block MANY places but mainly Jakarta from viewing my site due to proven fraud. The two bottom IPs are anonymizers. The slight decrease in business this blocking causes is more than offset by the savings in chargebacks.
Add to your current .htaccess file or save the text below in a file named .htaccess and upload it to your server
AuthName "Country access blocked"
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
deny from 202.4
deny from 202.46
deny from 202.47
deny from 202.57
deny from 202.93
deny from 202.134
deny from 202.145
deny from 202.146
deny from 202.148
deny from 202.149
deny from 202.150
deny from 202.151
deny from 202.152
deny from 202.154
deny from 202.155
deny from 202.157
deny from 202.158
deny from 202.162
deny from 202.164
deny from 202.168
deny from 202.171
deny from 202.178
deny from 202.180
deny from 202.183
deny from 202.184
deny from 202.185
deny from 202.186
deny from 202.187
deny from 202.188
deny from 202.189
deny from 202.190
deny from 210.14
deny from 210.16
deny from 210.19
deny from 210.56
deny from 210.186
# Anonymizer ranges
deny from 168.143
deny from 216.65
</Limit>
frankc420
Oct 9th, 2002, 12:55 PM
Verify their credit card before the signup form is even posted! That will save you time and money!
Just my 2 cents!
Jaiem
Oct 9th, 2002, 10:15 PM
Originally posted by frankc420
Verify their credit card before the signup form is even posted! That will save you time and money!
Verify how?
AVS is all you're allowed and that is far from 100% accurate/reliable.