Originally posted by Jim777
That's why I'm looking for web hosts with PGP - GnuPGP formmail capibility.

Jim,

Most good carts have a PGP option for encrypting orders. Some, like quikstore (quikstore.com), have integrated encryption for server side and a stand alone client for decryption.

Even with encryption it is not a good idea to leave orders on the server or email them outside of your local mailserver.

Rick

I like QuikStore. Rick does a fine job on that program. Hey what are you doing with your orders on the server then after they are finished? Deleting them manually?

Yes, when we batch out nightly. You could set up a cron job to remove them if you wanted to.

Quikstore is the best PERL based cart available in my opinion. We looked at oScommerce but after watching the project for awhile and seeing a couple exploits/patches on it we decided it was not far enough along to trust.

It does have PGP options and it is a really nice PHP based cart in general. Open source is great but when it comes to customers data, skimping on a cart is not an option. I agree with Bailey that it is our responcibility to keep data secure. People setting up carts and treating the process as a casual matter is what has enabled this problem to get out of control.

Rick

Originally posted by hilda
LOL!

We received an obviously fraudulent order (biggest plan, domain registered to someone in the US, IP from Australia, Italian cc, freemail address). So we opened the account, (1MB space, 1MB traffic, no cgi, no SSH, no mySQL, no email, no ftp) and sent the guy a normal welcome email. He must have spent half the night trying to make it work, lol.

That has got to be the most effective method I have read yet !!!!:dgrin: :pimp:

Seriously, this thread has been of the utmost value.
Thank you all for sharing this info!!!

ps- combatfraud.org --- Sweet !!!!!!

Hello ,

Could any one tell me as to where can i confirm, whether
which IP belongs to which country.

Is there any site, where in i punch these IP numbers and get the name of the country ??


regards/-

use visualroute

http://freshmeat.net/projects/ip-atlas/?topic_id=87 :D

3 orders for a total of $2100.00 All from the same IP

202.149.84.162

We manually process each and every order. Time consuming but saves us on a regular basis.

We do the same thing, sort of.

We "Auth" every new order, but only after an accounting rep has reviewed and on questionable orders confirmed the validity of the order do we let the charge go through and the account get setup. Only then we manually "ship" each and every credit card order.

It does cause a small delay in setting up new accounts and adds to our workload, but charge backs from fraud have just about dropped off to nothing.

In my opinion, the time loss is well worth it because the costs related to the fraud are ten times worse.

Just my $0.02 worth.

It seems more fraud is commited with CC's than any other way.........I guess the best policy is,dont take CC's...But,is this possible???? And if not,is it possible to weed out the potential fraud???

The Dude :confused:

Hello
We encourage UK customers to pay by cheque.

We could also do direct debit but this is open to chargeback in the same way (if the customer denies any knowledge of the transaction).
Standing order is more secure for the seller but complicated to do.

[these relate t the UK not sure what you can do in the US or overseas]

According to Visa 84% of online credit card fraud is by the card holder against the vendor.
i.e. people using their own cards and then claiming they do not recognise the transaction to get goods or services free.
This is why they are introducing the requirement for PIN numbers for online transactions.
We are in the pilot program for this.

Customers enter their card pin number at the point of sale.
If they do not have one then they can still make the transaction.
The liability for chargebacks is shifted from the vendor to the card issuer for all transactions )even if the number was not provided).
It only works in Europe at the moment but should be worldwide in 2003.

Gordon

This is why they are introducing the requirement for PIN numbers for online transactions.If anyone would like more information on this see below:
http://www.contact.worldpay.com/newsletter/december2002/news.php?jumpto=9

Originally posted by Travis
Just a thought, all...

While our recurring billing process is completely automated, we still process each and every order manually. This gives us a chance to review the order completely, and we've nailed a lot of fraud this way.
But how exactly do you know its bogus data?

Originally posted by muppie


Actually this is much better than putting it in .htaccess

just insert this code in a function and call it from your order form and if it returns true, then you just say "sorry we are currently not accepting orders from your area"

Note tho... that this script blocks 202.* which includes Australia as well!

Cheers

But that makes those people just switch to some american proxy..

But that makes those people just switch to some american proxy..

Most dont bother
and if they do we still catch them by other means.

If you put enough obstacles in place you will encourage them to go to easier targets ( read that as "bigger hosting companies" )

Gordon

Originally posted by GordonH
Our frauds have reduced to about $300 per month and I am prepared to live with that.
Its certainly better than the $3000 - $4000 we used to have to deal with.

Gordon
I know some things in business are not to be discussed with others, but just out of curiosity, how much income do you generate per month? The reason I would like to know that is: you said than now you loose about $300 because of frauds, so I would like to know what percentage is this, out of your total income. This way I could get better picture what would be the amount of $ that I would lose due to fraud attempts, when I start this business.. Thanks a lot!

$35 to 50 k per month

So $300 is less than 1%

Gordon

Originally posted by GordonH
Oh, and just to add to the point I made above -
Transactions from countroes like the US and Canada *can* be fraudulent (obviously) but the ratio of real to fraudulent is much smaller due to people in western countries knowing there is a good chance they will get caught and if caught, prosecuted.

Gordon
Do you report each of these frauds to "police", and have they ever actually caught any of these people you reported? thx

PS: sorry for all these quotes at once, but Im reading this thread from the beginning, and reply when something interesting pops up. Thanks.

Hello

In one case I had a user with a fixed IP in the UK

I phoned the police.
They told me the fraud was against my aquiring bank not me.
The bank told me it was a police issue.

In the end the bank said they wouldinvestigate "if" a chargeback occurred with a "vew to reporting it to the police".

A fraud has not taken place until the card issuer has reported it apparently.

Gordon

Originally posted by GordonH
$35 to 50 k per month

So $300 is less than 1%

Gordon

Man :D :D Is this net income? You must have bought yourself pretty nice house then.. :D How many webhosting businesses do you run that you can generate such income?

BTW: thanks for everyones feedback, especially yours - This thread has been realy helpfull.

Originally posted by GordonH
Hello

In one case I had a user with a fixed IP in the UK

I phoned the police.
They told me the fraud was against my aquiring bank not me.
The bank told me it was a police issue.

In the end the bank said they wouldinvestigate "if" a chargeback occurred with a "vew to reporting it to the police".

A fraud has not taken place until the card issuer has reported it apparently.

Gordon

But thats nonsence.. WE are the one who have to pay those chargeback fees and all other fees that come along, including cc processing fees and our cost for each service that we setup and sell. So judging from that, the fraud IS AGAINST US, and not the bank - they have nothing to pay whatsoever. This makes me mad..

Originally posted by nmihosting
but we supplied the evidence that the name, address matched and the chargeback was reversed. We were pleased to say the least, it was obviously just somebody trying to get a free ride. It restored our faith in our merchant account provider anyway.

What kind of evidence? Please explain. And, whos your merchant account provider? thanks!


PS: How do you guys feel about third party cc processors, such as 2checkout.com (or hostcharge)?? I see your all using your own.. Thanks

Well
We have signed faxes from 95% of our customers confirming their orders.

These have never stopped a chargeback.

The problem is that with online transactions the card issuer goes straight to chargeback and forces it through regardless of documentation.

One of my friends sells mobile phones on line.
He had a customer order two and then deny all knowledge.
He had the proff of delivery from the parcel company, signed by the customer and the bank would not accept that either.

Its a money making scam for credit card companies.

If I had more cash I would take court action against Visa to see what happened.

Gordon

Yeah, thats realy annoying :( Actually it scares the **** out of me. Im not livin large, Im just about to incorporate and have to start from the scratch. So uncontrolled chagebacks could easily mean the end to my webhosting venture in first 2 months.. This thread has been very helpfull, but these precautions still dont make you scamproof. m realy into this, I would realy like to start with this biz, but all this **** Is realy concerning me..

PS: when homeless people get caught for stealing an apple to survive, they are prosecuted and spend a night in jail. When it comes to cyber crime such as credit card fraud, where theres much more damage involved to both parties (merchant and holder), they just let them go and even make it easy for them, since everyone can just decide to chargeback eventhough they had their service delivered? This system sucks..

I agree, I would love to see a class action lawsuit be brought against VISA/MasterCard and the merchant account processors, but I doubt we'll ever see it.

The real problem is that the bank and cc processor hold all the cards (no pun intended). You know that you need to accept payment by credit card to do any real business online, and since they are "the only game in town" you have to deal with them.

As such their attorneys make sure in the merchant account contacts you have to agree to that they are completely protected and they (the bank & processors) get to decide the voracity of any charge backs. Not only that, but they can take the money from your bank account at any time and usually do while deciding if the chargeback has merit.

Since they have nothing to lose by stiffing us, the online merchants, after all we can't really go anywhere else, and since they (the bank) want to keep the credit card holders happy (after all they are the ones generating the huge fees we pay by using their cards) is it really a surprise that they almost always side with the credit card holder?

We do everything we can possibly do to avoid fraud short of requiring a blood test including requiring a signed fax, and have managed to have a chargeback overturned in our favor on occasion, but it is still clearly in the favor of the credit card holder and the bank, and many consumers know this and use it to take advantage.

Unless some extremely powerful public adversary organization goes to bat for the small online business owners against these credit card monopolies absolutely nothing is going to change.

That doesn't mean you shouldn't be in an online business or that it is impossible to make a profit, it just means you have to be careful in how you accept orders and anticipate a certain amount of losses due to fraud in your business plan. It's unfortunate, but fraud losses are a part of doing business online...at least for the foreseeable future.

Ok, that's enough...I'll get off my soap box now.

Does anyone know how long people have to perform chargebacks from the date of purchase, or is it open ended.

Thanks,

Adam

In theory six months.
In practice there appears to be no limit.

Gordon

Typical!

Role on April, and the pin system

Adam

Im sure there must be a limit?? Everything is legal binding nowadays, so Im sure that period for doing chargeback is clearly stated somewhere.

!?

Hello
It is stated as six months but we have had customers do it back to 13 months (individual monthly payments) on the basis that the first unrecognised one was only last week................

Remember I am not talking about orders placed with stolen cards here.
This is the card holder attempting to obtain services without paying for them by abusing the card company.

Be afraid.
Be very afraid.

Gordon

Be afraid.. LOL ;)

If limit is 6 months, and they dont follow this rule, you should turn to Visa or whoever card issuer is.. If bank doesnt obbey these rules, thats called crime and they can easily lose their license or even worse.. You could also sue them etc. If what youre saying is true, then I dont understand why dont you (your lawyer/legal department) do anything about it? Dont forget that these rules are legaly binding, and they cant make their own..

If bank doesnt obbey these rules, thats called crime and they can easily lose their license or even worse

Yeah right... This is not true.

Give me one example of this EVER happening and I will stand corrected.

Hello
With online transactions the banks want to appear to be squaky clean so they basically force chargebacks often before there is any chance to send documentation.

I once submitted documentation within 30 minutes but the chargeback went through.
When I queried it, it turned out the issuing bank had gone straight to chargeback at the same time as they requested the documents. There was no hope of stopping it.

I have been waiting for a customer local to here to pull the chargeback stunt so I can take them to court for the money due, but so far the threat of doing it has got them to pay up.

Often these pepole are "respectable citizens".
Generally its not kids who do this.
On domain names its the web designer who didnt get paid by his client so he charges back the domain registration fee.
That seems to be a very common one.

Or, someone who was running an MLM site and made no money out of it and decides to recover thier costs.

Gordon

Originally posted by GordonH
Hello
With online transactions the banks want to appear to be squaky clean so they basically force chargebacks often before there is any chance to send documentation.

I once submitted documentation within 30 minutes but the chargeback went through.
When I queried it, it turned out the issuing bank had gone straight to chargeback at the same time as they requested the documents. There was no hope of stopping it.

You should report them to propper institution.. And then also sue them for you loss in time and everything you can come up with. It would help all of us, since banks would think of us with more respect and would double think before doing this ****. It would also help you, since you would win a nice sum of money from bank - and theres no way to lose, since they are not allowed to cross the rules. By doing so, they are considered "criminals". After all, they rip you off! They are just like regular robbers, only that they do it the the elegant way. Cant you see that?

Regards

Originally posted by intraweb


Yeah right... This is not true.

Give me one example of this EVER happening and I will stand corrected.

I wasnt paying attention to this until now when Im about to start with wh my self, so im not aware of such case.. I dont know where youre from, but in democratic world, there are rules that even banks with money cant disregard. And thats exactly what they are doing by granting chargebacks after 6 months are over.

And if this hasnt happend till now, it doesnt mean that it wouldnt if somebody had filed a report against them. Theres alway a first time..

OK
So I sue Visa and Mastercard.

I assume they wouyld then stop my merchant accounts?

You can see the problem.
They have got online merchants by the balls.

I work within their open ended chargeback rules by ensuring I have signatures from web hosting customers, because customers will often back down because they think the signature will force their card company to stop the chrageback.
Sometimes this works.

Also if the domain name is registered through us we can often make it difficult for them to change web host and n soem cases we can get the domain name put on hold.

There are things we CAN do but as soon as I have blatant, local fraud against us I am going to pursue it.


Gordon

I am amazed that some of the posters here feel that the banks would never violate the rules and that if they did they would just take the banks to court.

If anyone here thinks that suing either VISA/Mastercard or the issuing bank is going to be a simple matter you are extremely naive.

First of all as with most of these types of agreements they stipulate the court where you will be required to file suit, which is not likely to be local to you, but to them. That fact by itself adds cost and logistical issues to any action you might wish in bring against them.

Even if you are able to file a case locally the costs involved in filing a suit against one of these entities severely outways the losses you are already incurring from the chargeback.

These entities already have large legal departments will full time attorneys for dealing with much "larger" issues than anything any one online merchant is going to be able to bring.

The other issue is that normally the amounts of chargebacks for most vendors fall under the amounts for small claims, which is in and of itself it's own problem as those courts are not designed for a complex legal battle against such a large defendant.

Even if you were to try and roll in all these other questionable losses like time and services to bring it up to an amount you can file with a regular court their attroneys can easily make sure that it costs you more than $10K in court and legal fees before they even break a sweat.

The net result is they know it is not at all practical for you to fight them on this and so for them it is business as usual. The only way such an action would ever have a chance of prevailing is if it were brough by a large group as a class action so that the amounts of the suit are worth the costs involved in bringing it.

I wasnt paying attention to this until now when Im about to start with wh my self, so im not aware of such case.. I dont know where youre from, but in democratic world, there are rules that even banks with money cant disregard. And thats exactly what they are doing by granting chargebacks after 6 months are over.

I am from the greatest country in the world - the U.S.A.
But he who controls the money controls all.

Banks CAN disregard any rules they want, and they do.

Again give me one example of a bank being severly punished for this and I will stand corrected.

Well
I am in the UK and anyone can start legal action here very cheaply.

I am intending to take customers to small claims courts after they have charged back sums they have paid for services already supplied.

I am not intending taking a crd company to court unless there was sufficient evidence that they had colluded in a fraud against me by encouraging them to claim chargebacks going back over many months (and years in some cases)

Gordon

GordonH, then I assume the rules are very different in the UK than here in the US.

Here in the US you can take someone to small claims court for a small filing fee, however you must do so in the local jurisdiction of the person you are filing against.

Then someone must appear on your behalf, and if you win or they fail to show up you receive a judgement from the court for an amount.

Then you have to actually collect the judgement, which is not always that simple. You would need , for example, in an attempt to attach the persons wages you need some information you are not likely to have including their SSN and current employer.

Unless the amount of the chargeback is substantial (say $200 or more) the costs involved in collecting the amount may outweigh the monies you receive, if any, at the conclusion of the process.

You also cannot take someone from another country to small claims court in the US, so if the customer is outside the US you have very little chance of recouping anything.

These are the unfortunate realities of doing business globally in an online environment.

Its actually very similar but as the furthest court from here is 500 miles away the locality issue is much more manageable.

Gordon

Not to stretch out the point further, but...

I was wondering if anyone here has ever successfully received monies by suing either a customer that used a chargeback or the bank or processors that allowed it?

I think it would be very on point to have their story of how they found the process.

Anyone?

Originally posted by GordonH
OK
So I sue Visa and Mastercard.

I dont think you have to sue Visa nor Mastercard (I didnt say that). They have nothing to do with your chargebacks, since banks are ones that approve them. As far as Visa is concerned, chargebacks are not to be done after the period of 6 months. So whoever does that, clearly violates the agreement between them and Visa. So all you have to do is report them to Visa, and if you want to make some additional money and make sure they learn a lesson, you can sue the bank that granted those chargebacks.

Originally posted by clapadula
Unless the amount of the chargeback is substantial (say $200 or more) the costs involved in collecting the amount may outweigh the monies you receive, if any, at the conclusion of the process.
We are not talking about one single chargeback here. We are talknig about all the chargebacks over the time, and Gordon isnt the only one with this problem. If you count in all the merchants that get few of chargebacks like this per moth, you can see that these banks are making lots of money just by issuing chargebacks. On the ot her hand, we (merchants) are ones in lost..

I see no reason in discussing this issue with someone who sais: "Banks can do what ever they want, and theres nothing you can do about it" - That says all about ones intellect, and its not worth even to argue.

We have concept in Uk called "natural justice" and what a "reasonable person" would expect.

Is it reasonable for someone who is being billed monthly to suddenly not recognise the transactions 15 months later (as one case I currently have open does)?

Is it reasonable for the card company to accept his story that he has only just realised they were made without his permission (when I have logs to prove he has been using the service to promote his business)?

Is it reasonable for the card company to collude in this by providing him with copy ststements going back the 15 months and encouraging him to dispute them back that far?

I am just highlighting this as an example.
There has to be apoint where card holders would be viewed as being unreasonable or negligent in not noticing these "errors" much earlier.

Gordon

Originally posted by GordonH
We have concept in Uk called "natural justice" and what a "reasonable person" would expect.

Is it reasonable for someone who is being billed monthly to suddenly not recognise the transactions 15 months later (as one case I currently have open does)?

Is it reasonable for the card company to accept his story that he has only just realised they were made without his permission (when I have logs to prove he has been using the service to promote his business)?

Is it reasonable for the card company to collude in this by providing him with copy ststements going back the 15 months and encouraging him to dispute them back that far?

I am just highlighting this as an example.
There has to be apoint where card holders would be viewed as being unreasonable or negligent in not noticing these "errors" much earlier.

Gordon
If you went to a small claims court and lost - especially since the guy was blatently promoting his business site -
as a English citizen I would be ashamed of our legal system.

I have been fortunate enough to not process any of the orders from my "Indonesian Friend" that have resulted in chargeback. The main reason for this is that all new hosting orders have always been manually processed and most of the fraud orders look fishy to me.

When the order is placed, both the ordering IP and User agent is stored at the top of the order. I check the IP in Visual Trace and/or Whois Web. I check the address information against Microsoft Streets. If anything looks fishy, I start doing resource on Google and using Whois Web to lookup all associated domains.

Basically, orders are accepted or declined on my intuition.

Best regards,
Frank Rietta

Guys,

I don't know if we can do this method to stop credit card fraud or not. For every order you receive, the customer need to print a credit card authorization form and fax us a signed form along with a copy of the credit card they are using.

I think only merchants can use this method but not if you're using a 3rd party processor.

What do you guys think, will it work ?


Cheers,

Well
We used to do manual processing but once the ratio of fraud to real orders dropped it was more trouible than it was worth.

It depends on what volume of transactions you are doing.

Incidentally we got a fraud yesterday, looked like the domain was in the indonesian language but it had come through a proxy server owned by one of those content filtering services.
So it looks like the guy used a stolen card to obtain that service and was then using it to obtain other things.

It was our biggest (fraud trap) plan of course.

This is the IP:
66.250.68.40

I have blocked the whole class C as it seems to belong to the same service.


Domain: relungkalbu.com

Customers email address: **@ciremay.com


ciremay.com
Registered to
ciremay@cherbon.net

cherbon.net
Registered to

DWIJAYA, CV (CHERBON2-DOM)
Cirebon, West Java 45118
Cirebon, West Java 45118
ID

Via Network Solutions of course (who dont delete domains
paid for with stolen cards)

Gordon

Hi folks,
Frank could you please post links to the tools you use with regard to "Visual Trace and/or Whois Web"?
We are about to go live with real-time cc processing but it looks like we'd better just do it manually. Thanks for the great thread you guys.


Originally posted by AtlantaWebhost.com
I have been fortunate enough to not process any of the orders from my "Indonesian Friend" that have resulted in chargeback. The main reason for this is that all new hosting orders have always been manually processed and most of the fraud orders look fishy to me.

When the order is placed, both the ordering IP and User agent is stored at the top of the order. I check the IP in Visual Trace and/or Whois Web. I check the address information against Microsoft Streets. If anything looks fishy, I start doing resource on Google and using Whois Web to lookup all associated domains.

Basically, orders are accepted or declined on my intuition.

Best regards,
Frank Rietta

I use Sam Spade for windows which you can download at www.samspade.org

It does whois and traceroute but the traceroute is not visual.

I am not totally convinced by the ones that produce a map.

e.g All AOL IP's trace to Virginia regardless of what country they actually route to.

Gordon

Dont let this thread die..

Originally posted by GordonH
Hello
Our friends in Indonesia decided to hit us for $1000 of orders with stolen credit cards today.
Because we use a real time payment gateway its costing me $60 to do the refunds.

So I have added this to the .htaccess for our main brand web site.
Should block out most of Indonesia, Malaysia and the Phillipines while leaving other APNIC countries with access.

As we have never had any genuine orders from these countries it won't be any great loss.

I just couldn't see any other long term solution.

Does anyone know how to do a mod rewrite so that visitors from those IP's will be directed to a specific page?

Gordon




AuthName "Country access blocked"
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
deny from 202.4
deny from 202.46
deny from 202.47
deny from 202.57
deny from 202.93
deny from 202.134
deny from 202.145
deny from 202.146
deny from 202.148
deny from 202.149
deny from 202.150
deny from 202.151
deny from 202.152
deny from 202.154
deny from 202.155
deny from 202.157
deny from 202.158
deny from 202.162
deny from 202.164
deny from 202.168
deny from 202.171
deny from 202.178
deny from 202.180
deny from 202.183
deny from 202.184
deny from 202.185
deny from 202.186
deny from 202.187
deny from 202.188
deny from 202.189
deny from 202.190
deny from 210.14
deny from 210.16
deny from 210.19
deny from 210.56
deny from 210.186
</Limit>

We had a same problems before but now we are member of ChargeBack Bureau. http://www.chargebackbureau.org
We also had a few chargebacks but we reported all.

:spam:

Originally posted by ThomasC
:spam:

The only word you know is Spam? I think you sick. Go see a doctor

I never said a word it was an image....
Anyways im off to bed.

Originally posted by ThomasC
I never said a word it was an image....
Anyways im off to bed.

Well you right! Sorry

Originally posted by kingstar21


The only word you know is Spam? I think you sick. Go see a doctor

..."DO YOU NEED AN ANONYMOUS BULK EMAIL SOFTWARE TO SEND YOUR BULK EMAIL FAST, EASILY AND ANONYMOUSLY?....."


SPAM :angry:

Hello
I found this today.
http://www.idefense.com/Intell/CI022702.html

It is not complete but it may be helpful.

Actually there was a site with a .us domain that listed IP's by country but I cant remember what it was called.
It was a spam blocking project.
Can anyone remember what it is called?

Gordon

Gordon,

You're using .htaccess right ? Does it slow your page down a little, comparing when you have it without .htaccess ?

Hello
I thought it would slow it down but it doesnt seem to make any difference.

I have tried it with and without the .htaccess file and the
pages load in the same time.

However, if you are coming froman IP on the banned list then the loading of the page they are redirected to is quite slow.

Gordon

Originally posted by GordonH
Should block out most of Indonesia, Malaysia and the Phillipines while leaving other APNIC countries with access.
As we have never had any genuine orders from these countries it won't be any great loss.

I'm from the Philippines but I was still able to buy hosting from you last year. :stickout:
I'm a 'genuine customer', don't worry. :D