Web Hosting Talk







View Full Version : CC Fraud > Drastic action



GordonH
11-07-2001, 02:16 PM
Hello
Our friends in Indonesia decided to hit us for $1000 of orders with stolen credit cards today.
Because we use a real time payment gateway it's costing me $60 to do the refunds.

So I have added this to the .htaccess for our main brand web site.
Should block out most of Indonesia, Malaysia and the Philippines while leaving other APNIC countries with access.

As we have never had any genuine orders from these countries it won't be any great loss.

I just couldn't see any other long term solution.

Does anyone know how to do a mod rewrite so that visitors from those IPs will be directed to a specific page?

Gordon




AuthName "Country access blocked"
AuthType Basic
<Limit GET POST>
order allow,deny
allow from all
deny from 202.4
deny from 202.46
deny from 202.47
deny from 202.57
deny from 202.93
deny from 202.134
deny from 202.145
deny from 202.146
deny from 202.148
deny from 202.149
deny from 202.150
deny from 202.151
deny from 202.152
deny from 202.154
deny from 202.155
deny from 202.157
deny from 202.158
deny from 202.162
deny from 202.164
deny from 202.168
deny from 202.171
deny from 202.178
deny from 202.180
deny from 202.183
deny from 202.184
deny from 202.185
deny from 202.186
deny from 202.187
deny from 202.188
deny from 202.189
deny from 202.190
deny from 210.14
deny from 210.16
deny from 210.19
deny from 210.56
deny from 210.186
</Limit>

eva2000
11-07-2001, 02:37 PM
have a look at http://www.engelschall.com/pw/apache/rewriteguide/#ToC36

GordonH
11-07-2001, 02:40 PM
Actually I looked at this page earlier (found it on Google) but I can't work out what should be here:

RewriteRule ^/.* - [F]

The rule needs to point to a file.
I will need to read through the manual.

Gordon

Joana
11-07-2001, 03:13 PM
I think the best way to fight those orders is by not having a realtime processing for the CC.

How about a secure order form that emails you the info then you will double check the information of the IP, CC address, and the domain registration info then if it looks OK, you can go and enter the info yourself. (Isn't this what Revecom does anyway?)

IP could be generated to be in the US even though the user could be overseas.

Just my thoughts.. ;)

GordonH
11-07-2001, 04:15 PM
The only problem with that is we would have to offline process all our monthly payments manually.

I considered doing manual entry of annual plans earlier today and it's certainly a possibility.

However, as I said, we have never had a genuine order from those countries so any loss of business is likely to be minimal.

Gordon

CRego3D
11-07-2001, 04:17 PM
That's quite nice Gordon, thank you, as I am going to copy-paste that entry into our .htaccess right now, we have been hit with over 3K in chargebacks due to fraud from those same countries :(

Joana
11-07-2001, 04:18 PM
How about "IP could be generated to be in the US even though the user could be overseas"

It happened to us few times..
IP is in US, Card is US card, but domain was registered from abroad..

AlaskanWolf
11-07-2001, 05:23 PM
Thanks Gordon

Anyone have any clue on the ips coming from BULGARIA?

This guy signed up 3 accounts so far, we now have a feature in our signup system that can block both ip, blocks and even names, because he uses BGN Networks as his signup name (every time)

Always signs up with a different ip, but always from BULGARIA

GordonH
11-07-2001, 05:35 PM
OK Carlos and everyone else.

To make up the list I took the APNIC allocations, used my favourite text editor (editpad) to generate the lists of IPs and then ran them through a look up tool to get the country codes.

I didn't want to cut out Australia and New Zealand so it was the only way to do it.
It does not protect you against IP spoofing or someone using a proxy server but if they can't see the site through their normal connection I think it's unlikely they will go to those lengths.

Bulgaria might be more difficult because RIPE has huge allocations compared to APNIC and the search you would have to do could be a lot bigger.

Gordon

Travis
11-07-2001, 05:45 PM
Just a thought, all...

While our recurring billing process is completely automated, we still process each and every order manually. This gives us a chance to review the order completely, and we've nailed a lot of fraud this way.

It's a bummer to have to re-enter all the order information into your billing system, but it's less hassle as far as I'm concerned than dealing with fraud.

comphost
11-07-2001, 06:23 PM
quote from above "How about a secure order form that emails you the info then you will double check the information of the IP, CC address, and the domain registration info "

BAD BAD BAD IDEA, not only that, you become liable for damages if something leaked out.

Travis
11-07-2001, 06:28 PM
Um... if you're storing credit card info for recurring billing, you're liable for leaked information anyway.

comphost
11-07-2001, 07:23 PM
It's a little easier for someone to snoop your connection
than to hack your system to get that info, which should be encrypted anyhow.. Believe me when I say your support machines are being snooped frequently.

Many hackers will email your support and when you reply they got your ip address.. Then you're snooped, you make a mistake and telnet or something into your box from there, or have same emails coming thru unsecure or something silly like that and you are compromised quite easily

MadCool
11-08-2001, 01:47 AM
Hearing these stories makes me wonder if I should still continue with my plans to resell! Are you guys using Revecom? I am planning to use them because I heard their fraud protection is good. Would their fraud protection help against these cases?

GordonH
11-08-2001, 04:56 AM
Hello
I am using Worldpay as a payment gateway with real merchant accounts so they store the card details for us on their system and handle the billing.

We actually have insurance against chargebacks (and it pays up promptly!)
But if we were putting $1000's through it the premiums would skyrocket.

I just found out that APNIC got two more IP allocations in July so I will have to look them all up and add them to the list.

218.
219.

Gordon

GordonH
11-08-2001, 04:03 PM
218. /219.

I have checked these and they are still allocated to USA so it looks like APNIC have not started using them yet.

Gordon

brn
11-08-2001, 05:12 PM
Where do you get a chargeback insurance?

GordonH
11-08-2001, 05:21 PM
From your bank/Merchant account supplier.....

GordonH
11-10-2001, 01:10 PM
Just to update:

What a quiet few days!

Same level of sales as normal, but no fraudulent ones.
It's only been a few days, but the signs are good so far.

Gordon

Cylestyne
11-12-2001, 01:39 PM
We've been hit by cc fraud a few times, but I'm not blocking any subnets/ips. What we do is simply let the order go thru and check the ip. If there is still any suspicion we ask for some sort of proof like a copy of the cc or the driver's license or anything which can be used to verify that the person is actually the card holder.

AlaskanWolf
11-14-2001, 12:17 AM
Here's a list of ips so far, we have gathered from Gordon, a few of ours, and the host coalition forum



GordonH
11-14-2001, 04:10 AM
Thanks for that info
We have never really had any problems with Eastern Europe.

It's about 6 days since we blocked the three countries and we have had zero fraudulent transactions.
Normally it would be at least one per day.
Traffic and sales are at normal levels so it must be working.

The fraud used to be targeted at our US brand.
Since the war in Afghanistan started our UK brand got hit as well.
I don't believe that this can be entirely coincidental.

Blocking those countries has made a huge difference and our bank/insurers are also a lot happier.

Gordon

magnafix
11-29-2001, 09:55 AM
Here's our International IP checker.



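// Returns true when the first two octets of $ip fall in a range treated as international.
// The function name is illustrative; the post as archived has no function header.
function isInternationalIp($ip)
{
    // sscanf() takes its output variables by reference, so no call-time & is needed.
    sscanf($ip, "%d.%d.%d.%d", $quad1, $quad2, $quad3, $quad4);

    switch($quad1)
    {
        // First octets that are always treated as international.
        case 57:
        case 61:
        case 62:
        case 80:
        case 151:
        case 193:
        case 194:
        case 195:
        case 202:
        case 203:
        case 210:
        case 211:
        case 212:
        case 213:
        case 217:
        case 218:
        case 219:
            return true;

        // The cases below have no break, as posted: when an if does not match,
        // execution falls through into the next case's test (see the later posts).
        case 24:
            if($quad2 > 132 && $quad2 < 136) return true;

        case 130:
            if($quad2 == 237 ||
               $quad2 == 242 ||
               $quad2 == 243) return true;

        case 134:
            if($quad2 == 75) return true;

        case 141:
            if($quad2 < 86) return true;

        case 165:
            if($quad2 == 21) return true;

        case 169:
            if($quad2 > 207 && $quad2 < 224) return true;

        case 170:
            if($quad2 == 60) return true;

        case 192:
            if($quad2 == 36 ||
               $quad2 == 164 ||
               $quad2 == 165 ||
               $quad2 == 166 ||
               $quad2 == 167) return true;
    }

    return false;
}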

GordonH
11-29-2001, 10:00 AM
I can now report 2 fraudulent transactions since we made those changes.

One from Israel/Palestine.
One from Romania.

Compared to previous levels of fraud it's barely worth worrying about.
We still get the odd malicious chargeback from the US (someone fancying 6 months free hosting) but we are covered by our insurance.

It's sad that these countries have become synonymous with criminal activity.
I can't think of Indonesia now without thinking of credit card fraud.

Sad.


Gordon

magnafix
11-29-2001, 10:08 AM
Agreed!

What's scary is that I've developed a 'nose' for fraudulent signups. It's based on a combination of the IP (I recognize most international class As), the domainname/email address, the billing address, and the customer name.

And if they get past that filter without us deleting their account immediately after they sign up, then a sure sign is them using our payment gateway and trying 5 cards (with different names and addresses) and then finally getting one that works and pre-paying a year.

We nuked a Romanian signup (using a California proxy IP) day before yesterday after they pre-paid $800. Executing that transaction cost us some $21...

It's the classic 'bad apple' story. We're now denying real-time signups to non-Americans. Frustrating!

GordonH
11-29-2001, 10:20 AM
Yes
I have got "the nose" for it as well.

Here's an e-mail sent to one of the two frauds that have got through:

Hello
We have received an order from you for web hosting.

We are not processing the order until you have clarified the following
points:


1. You claim to be in Louisiana, but it's 6am there at the moment.

2. The domain name you have requested hosting for does not exist:
braila-net2.com

3. You are actually in Israel (194.90.229.195)

4. The address you gave appears to have been cut and pasted into our order
form as there were no carriage returns.


I hope you understand why we are querying this order and look forward to
hearing from you shortly.

Gordon Hudson
Hostroute.com Ltd
http://www.hostroute.net/

magnafix
11-29-2001, 10:35 AM
With evidence as clear as in your example, we don't bother contacting the attempted thief. We simply nuke them immediately. I'm apt to spend more time tracking down the real card owner to let them know their card's been compromised. Typical phone conversation:


Me: "I'm not going to ask you anything about your credit card information, but if it ends in 4254 and expires 8/02, then your card may have been compromised."

Card Owner: "HOLY S***!!"

AlaskanWolf
11-29-2001, 06:32 PM
anyone else got any other ips to block other than the ones already submitted?

GordonH
11-30-2001, 05:52 AM
That depends on how strict you want to be or where your market is.

I am considering blocking Israel as we have no customers there and don't really intend to, but it's a bit like using a sledgehammer to crack a nut.
We can cope with the odd fraud.
Blocking those 3 main countries reduced our fraud by over 90%

Other countries which are prone to this sort of thing are:

Thailand (but we have had none from there for a long time)
Romania
Russia (again not seen one of these for a long time)
Pakistan

Certainly these are countries our bank is always issuing warnings about.

Gordon

magnafix
12-08-2001, 06:40 PM
Originally posted by magnafix
Here's our International IP checker.







Little bug in the above code -- make sure to insert 'break;' where appropriate....

goodness0001
12-20-2001, 03:14 PM
Here you can add these IPs to your list. This guy has Names, Addresses Zips all matching the cards, but they all come back as chargebacks. A lot of the accounts use this domain/password info **but not all the time**

expl0de.net
870621345
d0pe@expl0de.net

195.24.130.57
212.45.192.10
24.186.135.216
203.146.138.103
24.186.135.216

He has charged about 1000 dollars, but we catch them before the batch runs and void them before they even hit the person's CC

Synergy
12-21-2001, 01:18 AM
Worst fraud attempt ever.....

Prepaid Dedicated Server that cost $10,000 a year... The order was filled...... Good thing I caught the culprit before Revecom processed it.

muppie
12-30-2001, 10:08 PM
Originally posted by magnafix



Little bug in the above code -- make sure to insert 'break;' where appropriate....

return exits from the function so there is no need for a break statement. ;)
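
Added example, not part of any post in this thread: a Python model (the thread's checker is PHP) of how the posted switch executes. PHP jumps to the matching case and keeps running the following case bodies until a return or break, so in the conditional cases a failed `if` drops into the next case's test; the model compares that with the per-case intent and lists the /16 networks flagged only through fall-through. All function names are illustrative.

```python
# Added illustration: models the execution of the PHP switch posted in this thread.

# First octets the posted function returns true for unconditionally.
ALWAYS = {57, 61, 62, 80, 151, 193, 194, 195, 202, 203,
          210, 211, 212, 213, 217, 218, 219}

# Conditional cases, in source order: (first octet, second octets that match).
CONDITIONAL = [
    (24, set(range(133, 136))),      # $quad2 > 132 && $quad2 < 136
    (130, {237, 242, 243}),
    (134, {75}),
    (141, set(range(0, 86))),        # $quad2 < 86
    (165, {21}),
    (169, set(range(208, 224))),     # $quad2 > 207 && $quad2 < 224
    (170, {60}),
    (192, {36, 164, 165, 166, 167}),
]


def parse_quads(ip):
    """Split a dotted quad into four ints, rejecting anything malformed."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted quad: {ip!r}")
    quads = [int(p) for p in parts]
    if any(q > 255 for q in quads):
        raise ValueError(f"octet out of range: {ip!r}")
    return quads


def flagged_as_posted(ip):
    """Result of the switch as posted, fall-through included."""
    q1, q2 = parse_quads(ip)[:2]
    if q1 in ALWAYS:
        return True
    labels = [first for first, _ in CONDITIONAL]
    if q1 not in labels:
        return False
    start = labels.index(q1)
    # Every test from the matching case to the end of the switch gets a turn.
    return any(q2 in seconds for _, seconds in CONDITIONAL[start:])


def flagged_as_intended(ip):
    """Result when each case stops after its own test (a break after each if)."""
    q1, q2 = parse_quads(ip)[:2]
    return q1 in ALWAYS or q2 in dict(CONDITIONAL).get(q1, set())


def misclassified_networks():
    """Every /16 that the posted code flags only because of fall-through."""
    wrong = []
    for q1, _ in CONDITIONAL:
        for q2 in range(256):
            ip = f"{q1}.{q2}.0.1"
            if flagged_as_posted(ip) and not flagged_as_intended(ip):
                wrong.append(f"{q1}.{q2}.0.0/16")
    return wrong


if __name__ == "__main__":
    for ip in ("24.75.10.1", "24.134.10.1", "192.75.10.1"):
        print(ip, flagged_as_posted(ip), flagged_as_intended(ip))
    print(len(misclassified_networks()), "networks flagged by fall-through alone")
```

For an order-form filter the practical effect is false positives: addresses under 24.x, 130.x, 134.x and the other conditional first octets are refused when their second octet matches a later case's test.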

dbnet
12-31-2001, 01:45 AM
Originally posted by magnafix
Here's our International IP checker.






How do we use this ? :dunce:

muppie
12-31-2001, 02:09 AM
Originally posted by dbnet


How do we use this ? :dunce:

Actually this is much better than putting it in .htaccess

just insert this code in a function and call it from your order form and if it returns true, then you just say "sorry we are currently not accepting orders from your area"

Note tho... that this script blocks 202.* which includes Australia as well!

Cheers

Matt2001
02-04-2002, 06:43 PM
add this IP to your list

202.162.34.30

This guy's pissin me off

GordonH
02-13-2002, 11:18 AM
Hello
As the person who started this thread I thought I should give an update.
We are continuing to block certain countries and our credit card fraud rate has decreased to practically zero.
All we get now is the odd malicious chargeback where a real card has been used but someone fancies some free services.

However, we have noticed some very odd logs with repeated multiple (automated?) attempts to access our web sites thousands of times from the same IP's in the countries we have blocked.

e.g.

1 3335 4.04% 0 0.00% 997 0.46% 1 0.02% 202.155.37.233


3335 attempts to access our main website resulting in 0 files being served to the visitor.
The IP is in Indonesia

Our logs are full of these by the thousands from Malaysia and the Philippines also.

SO........... I guess we have pissed some people off big time and they have decided to retaliate.
Not quite a ddos attack but strange nonetheless.

Gordon

muppie
02-13-2002, 11:44 AM
Hi Gordon,

Could you post your latest IP list? Much appreciated thanks

GordonH
02-13-2002, 11:58 AM
Hello

Haven't really updated it since, but I am about to add the new IP blocks for the three countries I am interested in blocking.
At the time I drew up the original list they had been allocated but not delegated to APNIC.
Now some of them are being used I need to add them.
I will post the list or the raw data when I get round to updating it.

I would also say that the majority of these issues come from IP's on the academic/university networks.

While we are at it, could someone explain why these countries produce credit card fraudsters, but others don't seem to?
I mean, yes these countries have some poor rural areas but they are not that poor.
We have never had a credit card fraud from Singapore but we have from Malaysia (and we do a lot of business with Singapore).
We have never had a fraud from India but we have from Pakistan.
We have never had a fraud from a Central or South American country, even relatively poor countries like Ecuador and Bolivia where we have customers have not proved to be any problem.

So..... what gives?
Why these countries?

Gordon

muppie
02-13-2002, 12:10 PM
Culture perhaps?

By the way have you had any experience good or bad with China?

GordonH
02-13-2002, 12:22 PM
Funny you should mention China.
About 10 minutes ago we had a domain registration from the US but an IP in China.
Just phoned the card holder - he has no knowledge of the transaction.

That's our first fraud for a very long time.

As always it was a 5 year domain registration.
I don't think we have ever had a genuine domain registration longer than 3 years and every 10 year one we have had was a fraud.

Gordon

muppie
02-13-2002, 12:38 PM
How do you find out / phone the real CC card holder?

Which payment gateway did you use, does the card info get through you first?

Sorry if this is too many questions :) But I will be opening CC order soon so these things are pretty important.

Thanks

GordonH
02-13-2002, 12:55 PM
The fraudster had actually put the card holder's real number on the order.
Normally I look them up in one of the online telephone directories.
The purchase had already been cleared so we have lost $4.55 because of the commission we have to pay on the transaction.
We use Worldpay and it's possible to do manual authorisation but if you do this it prevents you doing monthly payments as it would all get too complicated.

Gordon

AudiBoy
02-13-2002, 01:23 PM
Yeah, I've had the same experience where they actually use the correct phone number during signup of the cardholder. God, what a horrible call to have to make!! Needless to say, we no longer have fully automated transactions.

We have also blocked Indonesia, and other similar areas, but...

Just last night, I watched in real time as someone who said they were from Texas
1. signed up with a card from Texas - denied
2. signed up with a card from Florida - denied
3. signed up with card from Montana - ok
4. IP address from MA

Then they provided me the phone number of the credit card bank, which was in New Jersey!

Boy these people are creative

jv

Incognito
02-13-2002, 02:34 PM
One-We do require phone number and verify it with the address, calling it if at all suspicious.

Two-we require the security code from the back of the card-the three digit code-this is not as readily available and, at least to this point, requires physical presence of card.

fortweb
02-16-2002, 11:36 AM
Originally posted by muppie


Actually this is much better than putting it in .htaccess

just insert this code in a function and call it from your order form and if it returns true, then you just say "sorry we are currently not accepting orders from your area"

Note tho... that this script blocks 202.* which includes Australia as well!

Cheers

Hello All!

First let me say that it was great to stumble across this thread, it is the most useful material I have ever read on this subject in one place!

We have been dealing with this problem for years and have come to the same conclusions you have. Our deny list was not as complete as the one here however so I am going to update it.

I want to warn you that there are some problems associated with this if you have a high bandwidth site. Artbycheryl.com transfers about 30-40 gb per month and a deny list half as long as the one posted here ground our normally spectacular shared server to a complete halt. Remember that every single request goes through that routine, every image, every document, etc.

Fortunately, our cart that handles orders across all of our domains is located on a different server and has significantly less traffic. We use the htaccess deny list on it and just deny crooks access to our cart for placing fraudulent orders.

Unfortunately, this forces us to allow users from countries who habitually abuse our goodwill to have access to our popular sites that contribute to the legitimate web community. If I had my way I would deny all of our sites to everyone in those countries. Why should we offer them anything when we could not accept an order from them anyway, they are just wasted bandwidth.

The php script discussed might solve the problem, I can think of a couple of ways to implement it that might work. I don't understand how to use it though... can you be more specific? I am perl literate but have worked very little with php... what does the html tag look like to call the function and how (where) do you install the script?

We registered combatfraud.org out of sheer frustration with the system that allows fraud to flourish. It is not complete yet but the content will be very similar to this thread. I am writing it with the new web merchant in mind in order to pass along our trial and error learned knowledge to the less experienced.

I would like to offer this script along with detailed instructions on how to install and implement it. Of course you will get full credit for authoring it and a link if you allow me to share it.

I have some more to add but I will do it in another post. I can't tell you how happy I am to have found a group of people who share and talk about this serious problem! We were really starting to feel like an island under siege here.

Rick Thompson
fortweb.com
artbycheryl.com
photoimpact-objects.com
etc., etc., etc.

GordonH
02-16-2002, 12:06 PM
OK Rick
Well I felt the same way.
Something had to be done.
We don't have the problem because our business sites are on dedicated servers.
The .htaccess deny list works but it's not very elegant.
I don't like the php solution suggested because it blocks too many countries including Australia which would lose us money.

We have had three frauds recently.
One from Nepal with someone using a satellite internet connection with a US IP address.
The others from China.

We also had one from Taiwan although it has not been confirmed as a fraud yet (it was warez so I assume the card was a stolen number)

Gordon

fortweb
02-16-2002, 12:12 PM
Originally posted by GordonH
Actually I looked at this page earlier (found it on Google) but I can't work out what should be here:

RewriteRule ^/.* - [F]

The rule needs to point to a file.
I will need to read through the manual.

Gordon

Mod rewrite to redirect... remember that you have to redirect them to another server, they can't get anything from the domain you have the deny on except the error message.

Can you specify an entire path to your 403 file? I am not sure about this but you can try it...

Instead of ...

ErrorDocument 403 /403.shtml

use the entire path to another file located on another server for your 403 error document.


How about this, I think you can pass error messages through the default 403 document like this...

ErrorDocument 403 "We're sorry, but your access has been denied due to idiots who share your IP address.

Rick Thompson

code_renegade
02-16-2002, 12:45 PM
Just want to check - no one is blocking out Singapore, right?

Since recently, I've not been able to access a few web hosting services - including mine with spiral - did you guys block us Singaporeans out by mistake? Cos the ISP that I'm on is quite major in SE Asia ;)

Varun Shoor
02-16-2002, 12:46 PM
I posted this on hosting software and control panels forum, this is a freeware and open source script I made that checks an IP mask list and redirects a person to a different page if his IP belongs to a specific mask.

Here are the contents from that thread

Well, I was hit with about 2 fraudulent orders from Indonesia this month, so I decided to make this script, I saw couple of posts by some people with ways to disable access to the site completely using httpd.conf but I really think that's just a way to lose a fraction of customers from Asian countries, small fraction but it does matter.

Therefore I made this script, what it does is that if a person's ip belongs to the one in the ipmasks it redirects him to some other page you specify and if it isn't then it redirects him to the order page you specify. On my site I made it redirect to a page where it asks the person to send faxed copy of their CC front and back side and provide other information.

It supports ability to check proxies by opening connections on ports 8080, 8008, 1080 etc (You can add your own by editing config.php) and also the ability to check the extensions of reversed hostmask (say most isps in Malaysia use .my hostmasks instead of normal ips, check hostmasks.txt for adding your own) and also the ability to check a certain email address and see if it belongs to the free email providers list.

Here is the extract from readme.txt I wrote:


quote:
--------------------------------------------------------------------------------

//######################
// CC Fraud Checker Script v1.0
//######################
// Copyright (c) 2001 Varun Shoor
// Email: varun@kayako.com
//######################
// You are free to redistribute this script
// provided this header is kept intact
//######################

I made this script in my part time because I had processed about 2 fraudulent orders from Indonesia
this month alone and I was getting tired of getting hit with transaction fees and all.

Requirements:
PHP 4.0.1pl1 or later

Usage:
To use this script, edit the config.php to suit your needs, once you have failed url and success url set up
replace the current order links at your pages with the ones in this script, Example:
<a href="http://www.yourdomain.com/checker/index.php">Click Here to Order!</a>

If the person's IP belongs to the one in mask, he will be redirected to the failed url page else he will be
redirected to the success url page, I recommend you ask the person to fax his credit card's front and back
sides at the failed url page so you don't lose customers.

Extended Functionality:
You can further make it check the emails, for this purpose you can redirect a person to say:
http://www.yourdomain.com/checker/i...aud@hotmail.com if the email host matches the
one in emailist.txt it will redirect the person to the failed url page. It is recommended you use email functionality
from within your order form script if its in PHP.

Adding more ips, hosts, emails:
Look into ipmasks.txt, all ips should have a * as a wildcard, example: 202.*.54.*
hostmasks.txt contain the last domain name TLD, I have yet to implement wildcard functionality into it
emailist.txt contains the list of free email providers
To add more proxy ports look into config.php

If you have any more questions or improve the listing of ipmasks or hostmasks then do email me at varun@kayako.com

--------------------------------------------------------------------------------



Just thought this might help other people suffering from these problems, I have yet to thoroughly test proxy checking+hostmask checking but AFAIK it should work perfectly.

Hope that helps

Regards,

Varun Shoor


EDIT: My site is down as I am moving it to a different provider so you can't see it working but if anyone else has used this script they can post the URL's for others to see

GordonH
02-16-2002, 01:48 PM
Originally posted by avium
Just want to check - no one is blocking out Singapore, right?

Since recently, I've not been able to access a few web hosting services - including mine with spiral - did you guys block us Singaporeans out by mistake? Cos the ISP that I'm on is quite major in SE Asia ;)

All I can say is *we* have not blocked Singapore.
Malaysia - yes, so if you have IPs assigned to a Malaysian company then you would be blocked.
We still get plenty of orders from Singapore so I don't think this is a major problem.

Gordon

mamakap
02-16-2002, 02:39 PM
Hi GordenH, :wavey:

It seems that you are blocking out Malaysia IPs to prevent CC fraud, that I understand. Let's say, what about those genuine buyers who want to purchase your services, and they are from Malaysia?

I just want to know how you manage this kind of situation?

mamakap:blush:

bitserve
02-16-2002, 02:49 PM
Why doesn't everyone just use firewall rules to block these IP addresses? It seems like it would be more efficient (less overhead). If you just want to block orders, then put your order site on its own IP address (if you only have a packet filtering firewall), or just block SSL traffic from those IP addresses.

fortweb
02-16-2002, 08:00 PM
Originally posted by GordonH
OK Rick
The .htaccess deny list works but its not very elegant.
I don't like the php solution suggested because it blocks too many countries including Australia which would lose us money.
Gordon

We have server and design clients in Au also, I was just assuming there was a way to be more specific with that php script, surely it could be modified to include the master list contained in this forum. The other php script just posted looks far more advanced but also far more complicated to implement.

It would be nice to offer both of them on combatfraud.org, the more advanced users could choose the complex script if they wanted. I have not checked it out yet but I am guessing that I won't be able to implement it either without more documentation.

Rick Thompson

fortweb
02-16-2002, 08:22 PM
It seems to me that the deny list could be shortened using ranges, am I wrong?

For instance...

deny from 202.183
deny from 202.184
deny from 202.185
deny from 202.186
deny from 202.187
deny from 202.188
deny from 202.189
deny from 202.190

could be...

Deny from 202.183-190


There are other ways to specify ranges BTW.

Deny from 152.165.21. <- will deny a whole C class ( 0-255).

Deny from 152.165.21.0/24 <- this is a different type of class definition, not too familiar with it but I believe 24 is the whole subnet (255.255.255.0).

Deny from 152.165. <- denies both B and C classes ( 152.165.0.0 - 152.165.255.255)

Deny from 152.165.123.10-59 <- deny ips from 152.165.123.10 to 152.165.123.59

Those are the ones I am most familiar with, any corrections welcome.

Rick Thompson

magnafix
02-16-2002, 10:00 PM
Regarding claims that the PHP function I posted earlier in this thread is overly broad because it blocks Australian signups, etc... remember that you don't necessarily need to present a message like 'We are not accepting signups from your country'. It can be much more subtle. Ours requests that the new customer send in a check for one year pre-paid hosting and provides an email address to write to with any questions (and of course does NOT set their account up in real-time).

If it's a small business owner in London or Canberra, they write in and say "what's going on, I gave my credit card, why do I need to pay?" We of course then set up their account manually and apologize for any confusion.

If it's an Indonesian or Hungarian IP and they claim to be "Sally Peterson in Dallas Texas" (for example), they don't write in to ask questions, and they certainly don't get out their checkbook. They give up and try scamming the next webhost on their list.

fallesen
02-23-2002, 12:52 PM
Hi,

Fraud is a serious issue, and has in the past cost us many bucks :(

I’m not trying to break the forum rules by recommending a product of ours. The product can help you resolve the origin country of an IP address, this will allow you to automatically accept US/European users and approve other users manually.

Link to the IP to country system (http://www.dk3.com/dk3page.pl?id=ipc)

It is in beta stage, hope it can help you :o)


Best regards
Fallesen

fortweb
02-23-2002, 01:27 PM
fallesen,

Don't take this personally because it looks like a fine program for your subscribers. I would never consider or recommend a third party solution since more direct methods work though.

I just wanted to make a general statement about gateway services in general.

Originally posted by fallesen
this will allow you to automatically accept US/European users and approve other users manually.


Personally, I think this is a big mistake. Just because a card and/or user is from an acceptable country does not mean it is not a fraud attempt.

Anyone who employs gateways to auto-process transactions will lose a portion of profit to fraud, that is simply a fact. Maybe a much smaller portion using the methods described in this thread but a portion none the less.

I hate to be blunt but the bottom line is that if a person does not care enough to hand process credit cards, they should expect losses to fraud and not complain about it. Common sense and 30 seconds of research will stop 99.9% of fraudulent orders and we feel that we owe that to our customers.

Accepting credit card orders is a serious matter, as web merchants we are obligated to be certain that information is handled in a secure manner. The rampant fraud problem exists because careless or unqualified webmasters are storing cart data unencrypted in unprotected directories.

I know gateway processing is convenient and I don't want to attack anyone's methods, your business is your business. However, when gateway processing is used, some fraud attempts will slip through, that should be expected and accepted as operating cost if you use gateways.

Rick

hostmaniac
02-24-2002, 04:12 AM
Since I too have to deal with fraudulent orders on a daily basis, I'm developing the following simple solution:

Deny live transactions for all visitors through a proxy. The script is in PHP and checks to see if the visitor's IP is open on port 80, 8080, 3128, 81, 8000, 8001. Basically the ports used for proxy. If the IP is a possible proxy, it informs them and collects credit card details for manual processing.

I guess it is still possible for a way around this (perhaps through cgi proxies?) but it should significantly cut down on fraudulent orders.

If anyone is interested, I can send them the php script for this!

Varun Shoor
02-24-2002, 04:42 AM
Complicated to implement? You just change the two URLs and upload it, then all you have to do is change your order links to that PHP script. It's that simple.

And it does have good documentation (well not that much, but it is enough)

Originally posted by fortweb


We have server and design clients in Au also, I was just assuming there was a way to be more specific with that php script, surely it could be modified to include the master list contained in this forum. The other php script just posted looks far more advanced but also far more complicated to implement.

It would be nice to offer both of them on combat fraud.org, the more advanced users could choose the complex script if they wanted. I have not checked it out yet but I am guessing that I won't be able to implement it either without more documentation.

Rick Thompson

Varun Shoor
02-24-2002, 04:43 AM
The script I posted already does that, it would be nice if you could post yours so I can combine your better features with mine (if you don't mind) and post it over here.

Originally posted by hostmaniac
Since I too have to deal with fraudulent orders on a daily basis, I'm developing the following simple solution:

Deny live transactions for all visitors through a proxy. The script is in PHP and checks to see if the visitor's IP is open on port 80, 8080, 3128, 81, 8000, 8001. Basically the ports used for proxy. If the IP is a possible proxy, it informs them and collects credit card details for manual processing.

I guess it is still possible for a way around this (perhaps through cgi proxies?) but it should significantly cut down on fraudulent orders.

If anyone is interested, I can send them the php script for this!

GordonH
02-24-2002, 05:49 AM
Personally, I think this is a big mistake. Just because a card and/or user is from an acceptable country does not mean it is not a fraud attempt.

True, but I know that by blocking three countries we reduced fraud by 90%.
The proof of the pudding is in the eating.

Also I don't agree with your view that if you use a gateway you have to accept a certain level of fraud.
The implication of what you are saying is that we should not put a second layer of security into the system and rely on what the gateway provides.
The gateways' anti-fraud systems are there to benefit them and not the merchant ultimately.
They are also set up for the selling of tangible products sent through the post and have no additional security for this type of business.

The facts are that before we introduced this we already had a second layer of security.
We checked accounts before they were set up.
This was after the cards had been processed so every time we had to refund a $300 transaction we lost about $20 in processing fees.
All we have done now is prevent those orders being placed in the first place while still keeping the advantages of using a gateway.

Our frauds have reduced to about $300 per month and I am prepared to live with that.
It's certainly better than the $3000 - $4000 we used to have to deal with.

Gordon

AlaskanWolf
02-24-2002, 06:03 AM
Gordon

Do you have any other ips to add to the list? i created my personal list at http://www-hosting.net/denied.html that includes all the ips basically in this list and my personal own and other hosts....

GordonH
02-24-2002, 06:31 AM
I have strictly kept it to banning countries.
Indonesia now has new IP ranges so I need to add them in.
When I have done this I will compile a new list.

Oh, and just to add to the point I made above -
Transactions from countries like the US and Canada *can* be fraudulent (obviously) but the ratio of real to fraudulent is much smaller due to people in western countries knowing there is a good chance they will get caught and if caught, prosecuted.

We must handle thousands of US transactions every month and have very few stolen cards presented successfully.
With the other countries we have had problems with it's been a 100% fraud rate with no genuine transactions ever so the risk in dealing with those countries is simply not worth it.

I notice that nearly every fraud we used to get had domain names registered through Netsol so obviously they don't have much in the way of fraud prevention.

Gordon

AlaskanWolf
02-24-2002, 06:34 AM
great, please let me know as soon as u know of those new ips

muppie
02-24-2002, 07:02 AM
Originally posted by hostmaniac
Deny live transactions for all visitors through a proxy. The script is in PHP and checks to see if the visitor's IP is open on port 80, 8080, 3128, 81, 8000, 8001. Basically the ports used for proxy. If the IP is a possible proxy, it informs them and collects credit card details for manual processing.

Only problem is, my ISP runs a transparent proxy, and I also run one myself... so all of the ISP's customers will get manual processing?

hmm... how about just blocking anonymizer and alike?

SuperDon
02-24-2002, 07:03 AM
Hi,

We have had seven orders in the last few days all using the same cardholders name and address. Also they are all trying to host gay porn sites. These orders originate from the US.

We use Worldpay, they have opened Code10 investigations into these orders and we should hear later today or tomorrow the outcome.

What happens if they come back and say it is fraudulent use? Do I have to make the refund and therefore lose the Worldpay fees? Also, what are the rates for Worldpay's chargeback cover?

Thanks.

GordonH
02-24-2002, 08:15 AM
Hello
You make the refund and still pay the processing charge.
There is no chargeback fee like some companies charge (often $20 per transaction).

I understand that Worldpay no longer offer chargeback insurance to web hosting companies.
I actually just cancelled ours because our fraud rate is now so low it's not worth the money.

Gordon

fortweb
02-24-2002, 11:36 AM
Originally posted by Varun Shoor
Complicated to implement? You just change the two URLs and upload it, then all you have to do is change your order links to that PHP script. It's that simple.

Varun,

I have very little knowledge of PHP so maybe I just assumed it would be more difficult than that.

The only problem I see is that it is a redirect and not a block. In most of the fraud attempts we had from Indonesia the thief went directly into the cart... no doubt from a link on a list of targets.

The search engines would also display the pages bypassing the redirect. If I was a thief, the first thing I would look for is known cart keywords.

Now if you could integrate the routine into the shopping cart code, then you would have something! The average person (including myself) does not have the ability to just go tearing into the code of a sophisticated shopping cart script though.

Rick

fortweb
02-24-2002, 12:07 PM
Originally posted by GordonH


True, but I know that by blocking three countries we reduced fraud by 90%.

I agree totally with this method. It has reduced our fraud attempts by 95%+ as well.



Also I don't agree with your view that if you use a gateway you have to accept a certain level of fraud.


Our frauds have reduced to about $300 per month and I am prepared to live with that.
Gordon

Are not those two statements opposed to each other? All I was saying was that if you use gateway services you will have fraud attempts slip through that you may have caught if you hand process orders.

I never said a person has to accept a certain level of fraud, I said a certain percentage of profit loss due to fraud... which is exactly what you are doing.


from my original post...
Anyone who employs gateways to auto-process transactions will lose a portion of profit to fraud, that is simply a fact.

...when gateway processing is used, some fraud attempts will slip through, that should be expected and accepted as operating cost if you use gateways.


I understand that someone who has a large volume of sales can justify that loss. If it is less than the cost of hiring someone to process orders all day long it makes sense. I was speaking more about the other 90% of web merchants out there (like us) who process a handful of orders daily.

Rick

hostmaniac
02-24-2002, 03:15 PM
Originally posted by muppie


Only problem is, my ISP runs a transparent proxy, and I also run one myself... so all of the ISP's customers will get manual processing?

hmm... how about just blocking anonymizer and alike?

I don't see that being a problem. If the proxy is transparent, then the visitor's true IP would show. In which case it won't check as a proxy.

hostmaniac
02-24-2002, 03:38 PM
Originally posted by Varun Shoor
The script I posted already does that, it would be nice if you could post yours so I can combine your better features with mine (if you dont mind) and post it over here.



Duh I missed your post. My script is ultra basic right now so I think I'll save time and use your script instead, thanks. Two things though:

A. Isn't it better to check for
$HTTP_X_FORWARDED_FOR and if empty then retrieve IP from $REMOTE_ADDR ?

The former will reveal the visitor's true (non-proxy) IP if the proxy is transparent. Transparent IPs are used by many ISPs and I doubt anyone is dumb enough to use one when placing fraudulent orders. So if we have the visitor's true IP, we shouldn't worry about them (I think!).

B. Have you tested your script with cgi proxies?

Good job and thanks for sharing your script with everyone :-)
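
The header check discussed above, as an added example that is not part of any script posted in this thread: X-Forwarded-For arrives as request text while REMOTE_ADDR comes from the TCP connection, so this sketch screens both instead of letting the header replace the peer address. The function names and the two-entry deny list (ranges quoted in this thread, written as CIDR) are assumptions made for illustration.

```python
import ipaddress

# Illustrative deny list: two ranges quoted in this thread, written as CIDR.
DENY_NETS = [ipaddress.ip_network(n) for n in ("202.155.0.0/16", "61.5.0.0/17")]


def parse_forwarded_for(header):
    """Return the usable addresses from an X-Forwarded-For value, in order.

    Entries that are not IP addresses ("unknown", host names) and addresses
    that cannot identify an Internet origin (private, loopback, link-local)
    are dropped.
    """
    usable = []
    for part in (header or "").split(","):
        try:
            ip = ipaddress.ip_address(part.strip())
        except ValueError:
            continue
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            continue
        usable.append(ip)
    return usable


def addresses_to_screen(remote_addr, forwarded_for=None):
    """The TCP peer always comes first, followed by any forwarded addresses.

    The header can add addresses to check, but it never removes the peer.
    """
    screened = [ipaddress.ip_address(remote_addr)]
    for ip in parse_forwarded_for(forwarded_for):
        if ip not in screened:
            screened.append(ip)
    return screened


def route_order(remote_addr, forwarded_for=None):
    """Return ('manual', reason) or ('realtime', reason) for an order request."""
    for index, ip in enumerate(addresses_to_screen(remote_addr, forwarded_for)):
        for net in DENY_NETS:
            if ip in net:
                source = "peer" if index == 0 else "forwarded"
                return "manual", "%s address %s is in %s" % (source, ip, net)
    return "realtime", "no screened address is in a denied range"


if __name__ == "__main__":
    # Constructed requests: (REMOTE_ADDR, X-Forwarded-For)
    samples = [
        ("65.115.9.66", None),             # direct visitor
        ("65.115.9.66", "202.155.10.20"),  # proxy that reports a denied origin
        ("61.5.104.36", "65.115.9.66"),    # denied peer, header names another address
        ("65.115.9.66", "unknown, 10.0.0.5"),
    ]
    for peer, header in samples:
        print(peer, repr(header), "->", route_order(peer, header))
```
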

Jedito
02-24-2002, 03:48 PM
Originally posted by GordonH
That depends on how strict you want to be or where your market is.

I am considering blocking Israel as we have no customers there and don't really intend to, but its a bit like using a sledgehammer to crack a nut.
We can cope with the odd fraud.
Blocking those 3 main countries reduced our fraud by over 90%

Other countries which are prone to this sort of thing are:

Thailand (but we have had none from there for a long time)
Romania
Russia (again not seen one of these for a long time)
Pakistan

Certainly these are countries our bank is always issuing warnings about.

Gordon

Do not block russia or pakistan.
I have legitimate orders from both countries, especially in adult hosting.
What you can ask them for (that is what I do, if I think that is a fishy order) is a scanned copy of a driver's license.

Varun Shoor
02-24-2002, 04:48 PM
AFAIK search engines don't trace redirects.

Redirecting is a LOT more elegant than blocking, at least you can get some legitimate orders.. I mean all you have to do is ask them to fax some kind of identification.

You can easily integrate it with some cart, just make successurl to the URL of your cart and change your order links to this script, if the person passes the ip check he will see the cart else he will see the failed url page.

Originally posted by fortweb


Varun,

I have very little knowledge of PHP so maybe I just assumed it would be more difficult than that.

The only problem I see is that it is a redirect and not a block. In most of the fraud attempts we had from Indonesia the thief went directly into the cart... no doubt from a link on a list of targets.

The search engines would also display the pages bypassing the redirect. If I was a thief, the first thing I would look for is known cart keywords.

Now if you could integrate the routine into the shopping cart code, then you would have something! The average person (including myself) does not have the ability to just go tearing into the code of a sophisticated shopping cart script though.

Rick

Varun Shoor
02-24-2002, 04:50 PM
A. Good point, I never knew that kind of variable existed, you can easily modify the script to make it check that.

B. As I said earlier in my first post, I haven't tested this script thoroughly with any proxy whether CGI or normal. If someone could test it and post the results then it would be greatly appreciated.

Originally posted by hostmaniac


Duh I missed your post. My script is ultra basic right now so I think I'll save time and use your script instead, thanks. Two things though:

A. Isn't it better to check for
$HTTP_X_FORWARDED_FOR and if empty then retrieve IP from $REMOTE_ADDR ?

The former will reveal the visitor's true (non-proxy) IP if the proxy is transparent. Transparent IPs are used by many ISPs and I doubt anyone is dumb enough to use one when placing fraudulent orders. So if we have the visitor's true IP, we shouldn't worry about them (I think!).

B. Have you tested your script with cgi proxies?

Good job and thanks for sharing your script with everyone :-)

fortweb
02-24-2002, 06:56 PM
Originally posted by Varun Shoor
AFAIK search engines don't trace redirects.

No but they do spider any html product, order or other cart support pages, that is unless you have them specifically disabled in the robots file. Not that it is a bad thing, I want our product pages spidered for keywords.

Originally posted by Varun Shoor
Redirecting is a LOT more elegant than blocking, at least you can get some legitimate orders.. I mean all you have to do is ask them to fax some kind of identification.


I guess it comes down to the products you sell and your location as to deciding if blocking a range hurts your sales. In our case, it has no effect whatsoever. Like Gordon, we have had zero legitimate orders from that country and nearly a hundred fraud attempts in a little over a year. To be honest, we couldn't care less about losing a legitimate sale to Indonesia anyway. It is worth it just to not have all the voided invoices in our accounting program.

Rick

hostmaniac
02-24-2002, 07:36 PM
Originally posted by Varun Shoor
B. As I said earlier in my first post, I haven't tested this script thoroughly with any proxy whether CGI or normal. If someone could test it and post the results then it would be greatly appreciated.


I'll test out your script sometime tomorrow maybe and post the results.. But you should know that there is a bug in PHP4 with the fsockopen command which causes it to hang indefinitely. This can cause problems when trying to check the IP # for proxy. This bug alone made me think if it's possible at all to have such a script in PHP work reliably. You can read more about this bug at
http://bugs.php.net/bug.php?id=6778

HRBrendan
02-24-2002, 08:47 PM
Is there a way to get complete lists of ip allocations for certain countries?

-Brendan

magnafix
02-28-2002, 01:25 PM
Right now, as I've posted previously in this thread, we're blocking basically any real-time signup from outside the US. That's frustrated a number of legit British signups in recent weeks, so we've investigated a more 'granular' filtering scheme. I wrote to RIPE (who manages all European IPs), and they replied as follows:


Dear John Masterson,

We discourage the use of IP to country mapping in general.
There are several reasons why IP to country mapping is a bad idea.

The main problem is that IP is designed to abstract the physical topology
from the logical topology. What this means is that IP is *intended* to
prevent you from knowing where a given computer is!

Because the Internet is global, it is easy for users to either
intentionally or unintentionally use IP addresses that have been assigned
to a company conducting business in another region. For example, a user
in Israel may be receiving ISP service from company who gets a link to
Japan via a satellite company run out of the US. Which company has the
space registered depends on their business and networking arrangements.

Additionally, a user can circumvent this process easily either by using a
HTTP proxy located anywhere in the world, or simply by using a Unix
account anywhere in the world.

In our experience, there are 3 main reasons why people want to perform
this mapping:

1. Legal Protection
2. Marketing and/or Targeted User Interface
3. Curiosity

Legal protection is understood here by a situation when companies attempt
to prevent specific groups from seeing their content, eg. restricting
access to encryption software.

We recommend using country/language settings in browsers to select
correct localization options, rather than bogus IP mapping. This
should handle marketing and UI needs.

For curiosity, well, go ahead, look at the inetnum file on our FTP site:

ftp://ftp.ripe.net/ripe/dbase/split/ripe.db.inetnum.gz

But don't expect accuracy!!!

If you have any more questions, please don't hesitate
to contact <ripe-dbm@ripe.net>.

Regards,

Magnus Karlsson
____________________________
RIPE Database Administration.




(warning -- their db is some 33MB)

We're looking into this language setting option, and it seems like it may help. In PHP, you can access it via:

getenv("HTTP_ACCEPT_LANGUAGE")


Hope this helps,

muppie
02-28-2002, 03:23 PM
How can the language setting be used to block people from Indonesia? I think most are using English language browsers.

magnafix
02-28-2002, 04:20 PM
Well if they're using a straight-up English language browser then obviously it would do nothing.

Here's some example hits we've logged today:

2002-02-28 12:54:48 | IP: 213.131.66.41 | ar-sa
2002-02-28 12:55:21 | IP: 213.193.176.84 | nl-be
2002-02-28 12:55:45 | IP: 213.131.66.41 | ar-sa
2002-02-28 12:57:27 | IP: 209.73.174.251 |
2002-02-28 12:57:31 | IP: 217.162.188.78 | de-ch
2002-02-28 12:58:46 | IP: 65.115.9.66 | en-us
2002-02-28 13:00:35 | IP: 202.99.99.211 |
2002-02-28 13:00:36 | IP: 217.83.90.142 | de
2002-02-28 13:04:30 | IP: 217.162.188.78 | de-ch
2002-02-28 13:07:24 | IP: 12.253.126.252 | en-us



I guess the bottom line is that there is NO WAY to absolutely block individuals in certain countries. It can't be done, for the reasons discussed in this thread. All you can do is mitigate the risk.
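
An added sketch of the language-setting check, not magnafix's code: it parses an Accept-Language value into preference order and triages log lines in the format shown above. The function names and the policy (a region outside a home list goes to manual review, a missing region counts as no signal) are assumptions for illustration.

```python
# Log lines as posted above (timestamp | IP | Accept-Language value).
SAMPLE_LOG = """\
2002-02-28 12:54:48 | IP: 213.131.66.41 | ar-sa
2002-02-28 12:55:21 | IP: 213.193.176.84 | nl-be
2002-02-28 12:55:45 | IP: 213.131.66.41 | ar-sa
2002-02-28 12:57:27 | IP: 209.73.174.251 |
2002-02-28 12:57:31 | IP: 217.162.188.78 | de-ch
2002-02-28 12:58:46 | IP: 65.115.9.66 | en-us
2002-02-28 13:00:35 | IP: 202.99.99.211 |
2002-02-28 13:00:36 | IP: 217.83.90.142 | de
2002-02-28 13:04:30 | IP: 217.162.188.78 | de-ch
2002-02-28 13:07:24 | IP: 12.253.126.252 | en-us
""".splitlines()

# Higher rank wins when one IP appears with different signals.
RANK = {"realtime": 0, "no-signal": 1, "manual": 2}


def parse_accept_language(header):
    """Return language tags ordered by preference (q-value, then position)."""
    tags = []
    for pos, item in enumerate((header or "").split(",")):
        tag, _, params = item.strip().partition(";")
        tag = tag.strip().lower()
        params = params.strip()
        q = 1.0
        if params.startswith("q="):
            try:
                q = float(params[2:])
            except ValueError:
                q = 0.0  # unparsable weight: treat the tag as not acceptable
        if tag and tag != "*" and q > 0:
            tags.append((-q, pos, tag))
    return [tag for _, _, tag in sorted(tags)]


def region_hint(header):
    """Region subtag (upper case) of the most preferred tag that has one."""
    for tag in parse_accept_language(header):
        parts = tag.split("-")
        if len(parts) >= 2 and len(parts[1]) == 2 and parts[1].isalpha():
            return parts[1].upper()
    return None


def parse_log_line(line):
    """Split one 'timestamp | IP: addr | lang' line; None if it does not fit."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 3 or not fields[1].startswith("IP:"):
        return None
    return fields[0], fields[1][3:].strip(), fields[2]


def triage(lines, home_regions=("US",)):
    """Map each IP to 'realtime', 'manual' or 'no-signal' (assumed policy)."""
    result = {}
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        _, ip, lang = parsed
        region = region_hint(lang)
        if region is None:
            status = "no-signal"  # empty header or a tag without a region
        elif region in home_regions:
            status = "realtime"
        else:
            status = "manual"
        if RANK[status] >= RANK.get(result.get(ip), -1):
            result[ip] = status
    return result


if __name__ == "__main__":
    for ip, status in triage(SAMPLE_LOG).items():
        print(ip, status)
```
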

fallesen
02-28-2002, 04:26 PM
I guess the bottom line is that there is NO WAY to absolutely block individuals in certain countries. It can't be done, for the reasons discussed in this thread. All you can do is mitigate the risk.

That's not quite true. I know many of you guys do like 3rd party systems, but the IP-C system traces the country of an IP address.

See: http://www.dk3.com/dk3page.pl?id=ipc

/Fallesen

magnafix
02-28-2002, 04:34 PM
Yeah, you can find out the company/country to whom the IP was issued, but as the RIPE guy said,



Because the Internet is global, it is easy for users to either
intentionally or unintentionally use IP addresses that have been assigned
to a company conducting business in another region. For example, a user
in Israel may be receiving ISP service from company who gets a link to
Japan via a satellite company run out of the US. Which company has the
space registered depends on their business and networking arrangements.

Additionally, a user can circumvent this process easily either by using a
HTTP proxy located anywhere in the world, or simply by using a Unix
account anywhere in the world.


We had a Swiss spammer signup using the Utah-based orangotango anonymizer.

So, there's no way to be 100%. All you can do is mitigate the risk.

fortweb
02-28-2002, 06:26 PM
That is all just so much fluff. The bottom line is that you can block 99%+ of the people you want to with the .htaccess IP filter discussed in this thread. Like it or not it works and as far as I have seen, it is the best solution to economically use.

Of course you are going to have people screaming and whining, especially legitimate users from the countries in question. In our opinion, as long as the government of those countries allow rampant CC fraud and Internet abuse, they don't deserve access. These thieves make everything more expensive for everyone in the long run and we certainly have the right to deny them access to our web sites.

As far as the ability to hide an IP through anon services, who cares? Any order we trace to an anon service is filed as a fraud attempt 10 seconds later. If you don't have the ability to manually filter these out because you use a gateway... well, we have talked about that too.

Rick

clapadula
03-01-2002, 01:22 AM
How about new orders are held in a queue until you review and release them.

You can do an auth when the order is taken and only post the sale when it has been reviewed and accepted.

This way everything is still recorded and able to be auto billed later and you can avoid the fraud by checking and then accepting the order. Sort of the best of both worlds.

Besides that's better than rekeying the info - which is prone to errors and time consuming!

just my $0.02

fortweb
03-01-2002, 01:33 AM
That is a good idea for gateway processing, know any carts that have the feature?

Rick

clapadula
03-01-2002, 01:36 AM
No commercial ones I know of

Ours has it but we wrote it ourselves in Cold Fusion, so we have complete control of what it does...

MikeF
03-01-2002, 11:10 AM
Originally posted by fortweb
That is a good idea for gateway processing, know any carts that have the feature?

Rick

Hi I just want to thank everyone who has contributed to this thread. It has been very informative.

Rick, I am 95% sure an app like modernbill can validate cc and then orders can be submitted for settlement later. I think you may need to be using authorize.net or echo in order for it to work with modernbill.

GordonH
03-01-2002, 11:46 AM
Worldpay has this function but as it would be applied to monthly payments as well it would create just a bit too much work.
It's a case of getting the balance right.
We could tighten it up more but it would cost more in staff time than we would save.

Gordon

fortweb
03-05-2002, 08:46 AM
No fraud attempts for weeks and then one this morning, no doubt it is one from a new Indonesia IP block...

ipw: Connecting to server: whois.apnic.net:43
ipw: Query: 61.5.104.36
inetnum: 61.5.0.0 - 61.5.127.255
netname: IDTELKOM-ID

I just blocked all of 61.5

Rick

GordonH
03-05-2002, 09:08 AM
Correct

61.5.0.0 - 61.5.127.255 ID

This range is used mainly by dial up companies and hasn't been much of a problem up till now as most of the fraud came from the academic network (university terminals)

Gordon
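
Apache's `deny from` accepts partial addresses, network/netmask pairs and CIDR blocks, so both the run of `202.183` to `202.190` prefixes asked about earlier and the whois range quoted just above can be written as exact CIDR deny lines. This is an added example, not code posted by anyone in the thread; the function names are made up for illustration and the addresses are the ones quoted in the thread.

```python
import ipaddress
import re

# Matches the whois line quoted in the thread: "inetnum: 61.5.0.0 - 61.5.127.255"
INETNUM_RE = re.compile(
    r"inetnum:\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)")


def parse_inetnum(line):
    """Return (first, last) IPv4Address from a whois inetnum line, or None."""
    m = INETNUM_RE.search(line)
    if not m:
        return None
    first, last = (ipaddress.IPv4Address(g) for g in m.groups())
    if first > last:
        raise ValueError("inetnum range is reversed: %s" % line.strip())
    return first, last


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that covers first..last exactly."""
    first = ipaddress.IPv4Address(first)
    last = ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def collapse_partial_prefixes(prefixes):
    """Merge 'a.b' partial addresses (each one a /16) into CIDR blocks."""
    nets = [ipaddress.ip_network("%s.0.0/16" % p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def overblocked_addresses(deny_cidr, first, last):
    """Count addresses a deny block covers outside the registered range."""
    deny = ipaddress.ip_network(deny_cidr)
    registered = sum(
        n.num_addresses
        for n in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        if n.subnet_of(deny)
    )
    return deny.num_addresses - registered


def deny_lines(cidrs):
    """Render CIDR blocks as .htaccess lines in the thread's style."""
    return ["deny from %s" % c for c in cidrs]


if __name__ == "__main__":
    first, last = parse_inetnum("inetnum: 61.5.0.0 - 61.5.127.255")
    print("\n".join(deny_lines(range_to_cidrs(first, last))))
    print(overblocked_addresses("61.5.0.0/16", first, last),
          "addresses outside the registered range if all of 61.5 is denied")
    eight_prefixes = ["202.%d" % b for b in range(183, 191)]
    print("\n".join(deny_lines(collapse_partial_prefixes(eight_prefixes))))
```

Denying all of `61.5` also covers the half of that /16 that the whois record does not list, which is what `overblocked_addresses` counts.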

shorty
03-05-2002, 09:38 AM
Have to say I have found this thread very useful and the IP block has worked for us to some extent in that we have now noticed orders coming from open proxies instead of Romania and Indonesia.

One thing I would like people's opinion on is - does anybody here know that with certain processors a credit card transaction will go through and show valid even if the name doesn't match the card name and with any address? So, Darth Vader address Death Star would work.

This has happened to us (not with Darth Vader) and it really shocked us that the name didn't match the card

GordonH
03-05-2002, 10:12 AM
This is quite normal as AVS only covers certain countries and card issuers.

Gordon

fortweb
03-23-2002, 07:42 AM
Now that we have eliminated most fraud attempts from Indonesia, it is easy to see a pattern emerge from the weekly attempt or two we still get.

Has anyone noticed the fact that most of these countries involved (all in our case) are Muslim culture countries? Indonesia, Spain, Pakistan, etc.

I noticed this right off and intend to focus on it with combatfraud.com (which is way behind schedule). This is no weird coincidence, I honestly think this is a coordinated, deliberate attack on the American economy.

Before you call me a racist... I care not who anyone worships but I am a realist and I do care about our business. The facts are simple, it does not take a PHD to see where our fraud attempts come from.

What I would really like to do is block many of our sites from being accessed at all from outside of the US but the allow list would be a nightmare to maintain.

It would also be nice to know of a source that lists IP block allocations by country. When we get a second fraud attempt from any given country we would simply remove access from them.

We are getting to the point where International orders are not worth dealing with. The risk is too great and they just don't represent a significant amount of income to make it worth the hassle. Our standard procedure now is to require faxed photocopies of front and back of the credit card as well as a form of ID before we will take any International order seriously.

Rick

AH-Tina
03-23-2002, 08:46 AM
I've just had the worst week, as far as problems with chargebacks go. We had a huge number of sales (unusually high) in December. Now the chargebacks are rolling in. What is really upsetting is that we take quite a few precautions...and they still got through.

Anyway, last week our merchant account froze all of our funds and we were totally without incoming revenue from our credit card orders for about a week and a half. They *finally* released all the funds on Friday...but we've been put on a probation period and they held $1000 as a security deposit.

Here's the precautions we take...but it didn't seem to matter:

Don't accept orders from free email accounts.
Voice verify most orders
Banned certain IPs
Use AVS
Decline any suspicious order (such as, ordering every single feature we offer)

Credit card fraud must be stopped. Looks like it's up to us...because the credit card companies sure don't give a damn.

--Tina

GordonH
03-23-2002, 09:06 AM
Yes Tina
It's a very very bad situation.
We have clamped down as much as we can without preventing people ordering at all.

On the islamic issue I think there is something in that as our frauds from these countries are always to our .com brand.
They never go for our .ca or .co.uk sites which are also in hosting directories too.
However Spain is not an Islamic country (or to be precise it hasn't been since about 1500 - it was in the time of the Moors, which is why Mosques have towers - they took over all the churches and they had towers already)
Spain is a member of the EEC and the state religion is Roman Catholic.

Part of the issue *may* be that in some cultures doing harm to people within your own community is forbidden but doing harm to those outside is not considered bad.

It's a difficult area to get into but that's what one of my Muslim friends told me years ago, but he was talking about very extreme groups.

We now manually process all annual orders and this has caught one or two recently and saved us the refund charges.

Gordon

fortweb
03-23-2002, 09:46 AM
Gordon, I have read recently that Muslim has overtaken Catholic as the dominant religious culture in Spain. I can't find the reference now so I don't know how credible it is.

There are a couple of issues I would like input on. Has anyone used PayPal extensively?

We have used them as an optional form of payment for about a year now have never had a bad one. We only offer some of our low cost items like site memberships through paypal though, we have never offered servers with a paypal option and they are the most often attempted to steal item.

Initially I was concerned about not getting the IP of the user at order placement with paypal and I don't approve of the generic email addresses they allow. However, since they have had a good track record with us I can't say anything bad about them, especially since 10-20% of our customers use the option.

We always get an ISP address before we process an order so it does add a step to the process but this is a good fraud detection method anyway. Additionally they allow five days to refund so if you are skeptical about the order it can be rejected.

Overall, I am happy with paypal and must conclude that they have good filters in place for proxy and high risk IP ranges. We are thinking about offering more of our services and products through them as an optional payment method.

The second question I have is what can be done to disable proxy at the server level through firewalls?

Rick

ABW
03-23-2002, 10:44 AM
Originally posted by fortweb
Gordon, I have read recently that Muslim has overtaken Catholic as the dominant religious culture in Spain. I can't find the reference now so I don't know how credible it is.


Roman Catholicism is professed by about 97 percent of the population.
From Encarta (http://encarta.msn.com/find/concise.asp?mod=1&ti=761575057&page=2#s7)

AlaskanWolf
03-23-2002, 05:28 PM
Originally posted by AffordableHost
I've just had the worst week, as far as problems with chargebacks go. We had a huge number of sales (unusually high) in December. Now the chargebacks are rolling in. What is really upsetting is that we take quite a few precautions...and they still got through.

Anyway, last week our merchant account froze all of our funds and we were totally without incoming revenue from our credit card orders for about a week and a half. They *finally* released all the funds on Friday...but we've been put on a probation period and they held $1000 as a security deposit.

Here's the precautions we take...but it didn't seem to matter:

Don't accept orders from free email accounts.
Voice verify most orders
Banned certain IPs
Use AVS
Decline any suspicious order (such as, ordering every single feature we offer)

Credit card fraud must be stopped. Looks like it's up to us...because the credit card companies sure don't give a damn.

--Tina

Tina

Who do you merchant with? Nova? I do and they canned me last week. I am in the process of finding a new merchant account, and yes, like you I got a FLOOD of chargebacks just recently. They didn't even notify me that they canned my account; the other day, I thought I broke PHP when I upgraded (HAHA) 'cause all my transactions were getting declined. Then I call them up and the lady was like "this account is closed"

What pisses me off is this

I asked the lady in their hyped up "Security Department"

OK. I have 10 chargebacks this month, I show proof that 6 of them have credit card authorization forms, and your chargeback dept agrees, and I get my money back from those chargebacks. Do you still consider that I got 10 chargebacks or 4? Her answer was 10.

How stupid is THAT!!!!!!!!!!!!!!!! I mean COME ON!! I just showed them PROOF that they were not fraudulent

To top it off, they wanted a $20k deposit to reactivate the account with the option to keep it after 30 days

LAMO!!!!!!!!!!!!

fortweb
03-23-2002, 05:56 PM
A merchant account is not a simple checking account that just anyone can open to accept credit cards. Yes, they have made it easy to open merchant accounts these days (you should have tried to get a Visa merchant account five years ago) but that is mainly so the third party sales agent can make money selling merchant accounts, keeping them open is another story.

With 10 chargebacks in one month, just about any merchant account provider is going to take some action from requiring a deposit to account cancellation. You can be assured that your new merchant account provider is going to look at your record with your old account too, a second merchant account is much more difficult to obtain than the first. They will probably require a deposit as well so it might be wise not to burn your bridges and work things out with your present account.

They expect you to do your own fraud screening and prevention. I am not saying that the CC companies and merchant account providers are saints, they contribute to the problem considerably by not pursuing criminals. Don't expect them to be your friends and saviors, they get their money, that's all they care about.

The bottom line is that the responsibility is yours and you better be serious about accepting it or you can close your business doors right now.

Read this thread, the methods for preventing fraud are right here! I would be willing to bet that a simple IP lookup could have removed at least 7 or 8 of your 10 fraud transactions a few seconds after you received the order. Using .htaccess to deny problem IP ranges would have probably stopped most of them from even loading your order page.

Rick

AH-Tina
03-23-2002, 06:07 PM
Originally posted by AlaskanWolf


Tina

Who do you merchant with? Nova? I do and they canned me last week. I am in the process of finding a new merchant account, and yes, like you I got a FLOOD of chargebacks just recently. They didn't even notify me that they canned my account; the other day, I thought I broke PHP when I upgraded (HAHA) 'cause all my transactions were getting declined. Then I call them up and the lady was like "this account is closed"

What pisses me off is this




We're with EMS. What pisses ME off is that they didn't even notify me that they froze my account until I noticed that my bank account was about $4,500 short and hadn't had a deposit in about a week. :angry: :angry: :angry:

--Tina

AlaskanWolf
03-23-2002, 06:31 PM
Rick

We are not all newbies when it comes to this stuff, both Affordable and WHN have been in business since 96-97

We very well know everything there is to know about dealing with fraudulent activities and how a merchant account works

AH-Tina
03-23-2002, 06:33 PM
Originally posted by AlaskanWolf
Rick

We are not all newbies when it comes to this stuff, both Affordable and WHN have been in business since 96-97

We very well know everything there is to know about dealing with fraudulent activities and how a merchant account works


Exactly. :D

There just isn't enough protection for the merchant, unfortunately.

--Tina

AlaskanWolf
03-23-2002, 06:34 PM
Originally posted by AffordableHost



We're with EMS. What pisses ME off is that they didn't even notify me that they froze my account until I noticed that my bank account was about $4,500 short and hadn't had a deposit in about a week. :angry: :angry: :angry:

--Tina

I've heard of EMS a few times. From what I understand NOVA had recently changed their chargeback rate from 6% to 1%, so that means basically 80% of their internet merchants just got canned....I'm glad we didn't have a large deposit in the works, or like in the past (one merchant............ages ago....) froze $10k

fortweb
03-23-2002, 07:02 PM
Originally posted by AlaskanWolf
Rick

We are not all newbies when it comes to this stuff, both Affordable and WHN have been in business since 96-97

We very well know everything there is to know about dealing with fraudulent activities and how a merchant account works

I never said you were rookies but apparently you're doing something wrong if you had 10 fraudulent transactions get through in one month. We had a surge of fraud attempts that started last fall but zero were passed through. As a side note, we have had more fraud attempts in the last six months than we had in the six years prior to it.

AVS is a joke, not that you should not use it, just that it is outdated and ineffective at stopping fraud. This is what we do and in combination with our .htaccess deny list, it has worked for us.

1. Run the IP and check for proxy.
2. Don't accept generic email addresses and if the IP the order was placed from does not match the ISP email address provided, decline the order or get further verification.
3. Voice verify all orders over a significant amount of money.
4. Require photocopy fax of CC and ID for international orders or at the very least, get the security code from the back of the card as verification.

Things have changed drastically in the last six months. If a web merchant does not take aggressive, anti-fraud measures they will be driven out of business by fraud.

Again, I did not mean to imply you were rookies, I do a lot of technical writing in my work and often that carries over into my day to day writing. I honestly did not mean to sound condescending.

Rick

AH-Tina
03-23-2002, 07:06 PM
"get the security code from the back of the card as verification."

This is the only thing we do not do. However, I've been trying to find out how to get EMS to check this and no one knows. Any ideas?

--Tina

fortweb
03-23-2002, 07:15 PM
I don't know that anyone does on the merchant side, we request it via email or telephone on suspect orders.

Rick

bitserve
03-23-2002, 08:52 PM
We always ask for the CVV, but it seems that most international card issuing banks don't support CVV verification just like they don't support AVS.

We've only had one chargeback so far, but we have had two fraudulent orders get through. One had a chargeback, and we were able to refund the other one. Both, we lost money.

Both of our orders actually provided a CVV and AVS information, but the credit cards were stolen. The orders were from Malaysia, and the card holders were from Malaysia. Obviously the IP addresses checked out as being from Malaysia.

We are a lot more willing to let a customer (especially an international one) know that we were unable to verify his billing information and cancel the order.

An international phone call doesn't prove anything. You're not going to be able to pursue the international fraudster, just because you have verified that you have his/her pager or voicemail number.

GordonH
03-24-2002, 05:58 AM
Hello
We are talking here about fraudulent orders, but there is another side to this - the malicious chargeback.
We have someone who has just decided to charge back 9 monthly payments claiming he did not authorise them.
We have a faxed back form with his signature but our bank has never accepted them in the past and I don't think that is likely to change.

So... we end up with 9 chargebacks all because someone fancies some free hosting.
9 chargebacks x $15 penalty = $135
Plus refunding the money = $90
Plus the commission = $4

Total = $229

And that counts as nine chargebacks not one, so it shows how easily these things can escalate.
The one saving grace is we use Worldpay/Nat West as a payment gateway and they hold large deposits so there should be no issue of our merchant accounts being suspended (they always have a month's turnover on deposit).

Gordon

AlaskanWolf
03-24-2002, 07:01 AM
Who's your merchant so I can stay away from them?

Visa regs state that a signature approving the charges is an OK way if you don't swipe the card.........it's worked with Nova (our ex merchant) many times over.......

GordonH
03-24-2002, 08:34 AM
National Westminster Bank

Signature is only accepted if signed at point of purchase.
There is also the issue of it being faxed.
In general law that's OK but the merchant agreements don't accept it.

I am considering using the next case of non acceptance of the signature as a test case and setting our lawyer on it.
It would be interesting to see what happened because a lot of the merchant rules actually break general laws.
For example in this country (Scotland) verbal agreements are legally binding but in the merchant agreements even written contracts appear to be unenforceable.

All of our contracts are under Scots law.
It's quite different to US or English law.
I just bought a house on a verbal agreement and didn't sign the documents until the day after I moved in.

Other odd facts about Scots law:
1. Confessions are not admissible as evidence in Court (which stops the police leaning on suspects).
2. Juries have 15 members to prevent a 50/50 split verdict.
3. We have three possible verdicts: guilty/not guilty/not proven.
Not proven means that the jury believes you are guilty but there is insufficient evidence to impose a prison sentence safely.

Much more sensible than English law.
Of course we did invent television and the telephone .......

Gordon

Walter
03-24-2002, 03:20 PM
Originally posted by GordonH
For example in this country (Scotland) verbal agreements are legally binding but in the merchant agreements even written contracts appear to be unenforceable.

That's probably true for most countries - but the problem is how to prove it.

bitserve
03-25-2002, 02:22 AM
We have had chargebacks by two angry customers too. One was for three months of charges (three chargebacks). We have successfully disputed all of them with nothing more than a digital signature.

We use ECHO, Inc.

CagedTornado
03-25-2002, 09:55 AM
I use ECHO as well -- could you please explain 'digital signature'? (To me, it could mean a lot of things, ranging from a document electronically signed with an RSA algorithm to the image of a signature on a FAX)

Dan

AH-Tina
03-25-2002, 10:03 AM
Originally posted by bitserve
We always ask for the CVV, but it seems that most international card issuing banks don't support CVV verification just like they don't support AVS.




How do you verify the CVV? I mean, we can ask for it...but how do we know if it's valid or not?

--Tina

GordonH
03-25-2002, 10:16 AM
Most payment gateways can verify the CVV2 number just like AVS so you will get an error message if it does not match.
However CVV is not that useful as most carders have the full details which have been copied from the real physical card at some point.

On the digital signature issue that would only be possible if the signature had been validated by the issuer and most signatures in use don't have 3rd party verification.
Even if they did I don't think that Visa and Mastercard would accept them. It may be your bank who is accepting them.

Gordon

bitserve
03-25-2002, 01:53 PM
Originally posted by AffordableHost
How do you verify the CVV? I mean, we can ask for it...but how do we know if it's valid or not?

Tina,
Echo offers CVV verification just like AVS. You just include it with your preauthorization, like AVS. And the response comes back as a MATCH, or NO MATCH, but sometimes NOT SUPPORTED. Of course ECHO's system takes the CVV response and AVS response into account when deciding on whether to accept the transaction (usually they will, so you shouldn't rely on them to deny it). Also we can set our software to refuse it here if it doesn't match.

BTW: Sorry to hear about your merchant account freeze. :(

Dan,
I guess I meant electronic signature, where they have to click "here" to agree and order. Although the customers are perfectly able to lie and dispute the chargeback reversal, they have not done it so far.

JustOneFee
03-27-2002, 05:09 AM
Hi,

I process all payments through worldpay.com, and they now offer a great alternative.

Each time an order is placed, the credit card will NOT be charged unless you say you accept the order! There will be no charges for this, and you will be able to avoid the refund costs.

I have 5 days to accept or decline a CC transaction.

This has already saved me some money, since CC fraud is indeed occurring once too many times!

Perhaps you can check with your CC processing company whether a similar service is possible (otherwise, simply open account with worldpay.com :)

Regards,
David.

GordonH
03-27-2002, 05:26 AM
Yes
I looked at that and it was ideal except we would need to approve every monthly payment manually and as we have thousands of those the risk of error creeping in was too high.

I decided to process all annual orders offline (manually) using their Worldaccess terminal which has the same effect.

Interestingly spammers never sign up for annual hosting and fraudsters never sign up for monthly hosting.

Gordon

miami_g
03-27-2002, 02:11 PM
we got tired of the fake orders from indonesia and implemented the htaccess supplied by gordon

many thanks so far the flies are gone

:D

AH-Tina
03-27-2002, 02:14 PM
Originally posted by miami_g
we got tired of the fake orders from indonesia and implemented the htaccess supplied by gordon

many thanks so far the flies are gone

:D


What are you using in your .htaccess? Which IPs?

--Tina

Jedito
03-27-2002, 02:24 PM
He must be using Gary's list
http://www-hosting.net/denied.html

AH-Tina
03-27-2002, 02:36 PM
Originally posted by Jedito
He must be using Gary's list
http://www-hosting.net/denied.html


Doesn't that list just about deny EVERYONE? :eek:

--Tina

Jedito
03-27-2002, 02:52 PM
No, it's explained in the file why each IP was banned
Ex:
#Added 3-11-2002 Anonmoys Proxies at http://195.208.219.11/proxy.htm
deny from 212.77.192.45
deny from host11.sbone.net
deny from 4.19.144.7
.......................................................

fortweb
03-27-2002, 11:22 PM
Originally posted by Jedito
He must be using Gary's list
http://www-hosting.net/denied.html

WOW! What a complete list!

Our biggest problem the last few months has been with anon proxies and that list looks like it contains far more than I have compiled.

Would a list that long slow down a server? It does not appear to have any effect on our dedicated server but we have not moved any of our high bandwidth sites over yet. Since they are still on shared servers I am wondering if I should use a list that long on them.

There just has to be a better way of stopping proxies at the domain or server level!

Rick


...much later

After searching and reading most of the night I have come to the conclusion that there is simply no practical way of blocking anon proxies. A 50k+ .htaccess file is simply not the answer. Even if the list was ten times that size it would not cover all the anon servers out there, a person could not add them fast enough to keep up.

GordonH
03-28-2002, 04:24 AM
We block them at the router so the requests never get to the server (that will only work if you use a dedicated server for your site).

Another interesting point.
Almost all fraudsters fill in our technical comments box with something like:
"great hosting"
"nice website"

I think because they don't understand English they can't read that the box is meant for special technical requirements like domain parking.

We had a nasty one from a Japanese University last night.
It hit our UK brand which we still have automatic processing of annual orders on.
I will be changing that to manual later today.

Gordon

AlaskanWolf
03-28-2002, 05:09 AM
Originally posted by fortweb


WOW! What a complete list!

Our biggest problem the last few months has been with anon proxies and that list looks like it contains far more than I have compiled.

Would a list that long slow down a server? It does not appear to have any effect on our dedicated server but we have not moved any of our high bandwidth sites over yet. Since they are still on shared servers I am wondering if I should use a list that long on them.

There just has to be a better way of stopping proxies at the domain or server level!

Rick


...much later

After searching and reading most of the night I have come to the conclusion that there is simply no practical way of blocking anon proxies. A 50k+ .htaccess file is simply not the answer. Even if the list was ten times that size it would not cover all the anon servers out there, a person could not add them fast enough to keep up.

Actually no it doesn't, I don't see any speed difference. We also only put it on our billing server and not our main site.

Yes, you can't block every proxy, that really wasn't the point, but it surely helps.

It's always going to be a cat and mouse game...just gotta figure out how to outsmart them......for one, really verify all the information, and calling them is a surefire way of finding out..............

fortweb
03-28-2002, 06:54 PM
I must agree wolf, I tried it at peak time on our highest bandwidth site and noticed no increase in server load at all. That site is on a decked out Enterprise 250 and I know they have efficient load balancing but I still expected to see some increase!

You're also right about calling, that will always reveal the nature of the order but it is hardly ever required for us at least. It takes about ten seconds to identify a fraudulent order, IP lookup, mail server lookup, boom, it is in the fraud attempt file. None of these ever make it through our manual processing, we stop 100% of the fraud attempts we get but that was not the point.

We have already removed the vast majority of attempts just by blocking Indonesia, now if we could only block proxy servers it would effectively stop the rest. We are a small company and only process a handful of orders daily so it is not like the problem is overwhelming. It just looks ugly in our ledger to have the voided invoices tagged as fraud attempts.

I actually have a form letter we send to the server access was made from, CC the mail server admin that the criminal is using to retrieve stolen goods and CC the FBI's Internet fraud unit.

If it does any good or not I don't know, we seldom get any acknowledgements from the access ISPs and never from the FBI. I am guessing they are far too busy chasing terrorists to pursue some third world dirtbag committing Internet fraud. However, most mail server admins/abuse depts do reply and close the criminal's account. Since it takes me less time to send a form letter than it does for the crook to set up a new email account, there is a little satisfaction in that at least.

There has to be thousands upon thousands of sites out there now that block access from the entire country of Indonesia. That a user can still use anon surfing proxies for access can be no comfort to legitimate users there, proxies are slow, usually have framed advertising and are a general pain.

Saturate enough site owners with the knowledge of how to block Indonesia and access from that country will become a real problem for their teachers, politicians, doctors, etc. These people will eventually take command and stop the lower class scum from abusing the Internet. When access for legitimate users there becomes a real problem, then our problem will end.

Gordon... Is it difficult to explain how you use your router to block proxies at the server level? If it is real complicated I understand that this is not the forum for that discussion but if it is easy, please share your method! We don't have access to the router that our dedicated server is connected to, it is on a rack host. I am thinking about running just our billing server locally though.

Rick

NewMerchant
03-28-2002, 08:48 PM
I just registered here to the community simply because I found this thread. As a new merchant with Authorizenet that has never had a first transaction yet, I was quite shocked when I read this exhaustive thread. We have had absolutely no e-commerce experience in terms of the fraud topic. In other words, we have not used our Authnet account yet.

Now that I've explained a bit about our utmost newbieness, I guess I have to ask if it's worth the risk of ruining a good name over reseller hosting?

I mean, $9.95 to $35.00 for small virtual hosting packages with the risk of losing a new merchant account? Your business, your name? and all of your hard work?

I would suppose that most reading this will either really enjoy the knowledge that I've found here, or they have found something that you folks have not. In any event, this information scares the heck out of me.

Thank you folks for sharing. It does appear that without the "banding" of the poor internet merchants to protect themselves with this combined knowledge, that there is little hope of a better way to do business online and thus the poor little guy like myself will be out of business before he starts. The store script that I currently use has forum support. There are a few threads in there about internet fraud but no real response to the "how to" really protect yourself like this discussion.

Anyone have an opinion on the newcomer with a not yet used merchant account?

Better to accept and encrypt cards/numbers and manually enter them one by one? Currently we have it set up to accept in real time. But with the horror of the lack of usefulness of the AVS etc... as explained here, I'm not sure auto acceptance or denial is the best way for us to pursue. Having a fraud chargeback would throw us out of business altogether with the types of thousands that you have shown that you have paid back here.

Thank you.
NewMerchant-

fortweb
03-29-2002, 12:14 AM
I know some of you disagree with me when I say anyone who does gateway processing will have to accept a certain amount of loss to fraud but I stand by that emphatically.

Admittedly, it depends a lot on the product and volume of sales. Some people can save money by losing just a little to chargebacks instead of paying a full time person to manually process cards, you have to weigh the risks for yourself.

1. Use .htaccess to block problem countries
2. Process cards manually
3. Log and lookup every IP, every mailserver origin
4. Don't accept any orders from generic email addresses
5. Match up mailserver with logged IP
6. Use AVS and CVV if you can but don't depend on them
7. Voice verify orders of any significant amount and/or
8. Require fax CC front and back with ID on International orders

Is that overdoing it? All I know is we have not passed any stolen cards by using these procedures.

Have we lost sales because of these rules? No doubt about it!

Do we care? Not in the slightest! Our hosting business is secondary and our merchant account is far more important than making a few bucks off a server sold to a high risk client.


Above and beyond that... Know what you're doing when buying, installing and operating your cart. Almost all of these thieves are using credit cards stolen from sites operated by people who are not qualified to set up or run a secure Internet business.

Improper SSL setup, vulnerable cart scripts, incorrect script installations, storing cart data on the server, sending unencrypted cart data via email... there are a thousand ways to do this wrong.

Should it scare you? Damn right it should, it is not only your money, it is other peoples money and they are trusting you to do it right!

Should it stop you? No way! Everyone has to start somewhere and anyone with common sense and the willingness to learn can do it. Trial and error is not acceptable though, if you're not certain you can set up your cart correctly, pay the authors to install it for you.

Shared or dedicated server does not matter, if you do it right both are safe, if you do it wrong, both are vulnerable.

Good luck with your venture. Thankfully there is a lot of help on the web, this place is a great example!

Rick
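
The screening checklist in the post above, sketched as code. This is an added example, not part of the original thread or anyone's production system: the deny entries (RFC 5737 test ranges), the `.example` domains, the generic-mail list, the 100.00 voice-verification threshold and all function names are constructed assumptions, and the reverse-DNS name is supplied by the caller so the script runs offline.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the "deny from" format used in the thread.
DENY_LINES = """\
#Added as a constructed sample, not a real block list
deny from 192.0.2
deny from 198.51.100.7
deny from 203.0.113.0/24
deny from proxy.example.net
"""
GENERIC_MAIL_DOMAINS = {"freemail.example", "webmail.example"}  # assumed list
VOICE_VERIFY_OVER = 100.00  # assumed threshold for a "significant amount"


def parse_deny_list(text):
    """Parse 'deny from' lines into ip_network objects.

    A partial address such as '192.0.2' covers every address that starts
    with those octets. Hostname entries are skipped here because matching
    them needs a reverse-DNS lookup.
    """
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].lower() != "deny" or parts[1].lower() != "from":
            continue
        target = parts[2]
        try:
            if "/" in target:
                nets.append(ipaddress.ip_network(target, strict=False))
                continue
            octets = target.rstrip(".").split(".")
            if not (1 <= len(octets) <= 4 and all(o.isdigit() for o in octets)):
                continue  # hostname or malformed entry
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            nets.append(ipaddress.ip_network(f"{padded}/{8 * len(octets)}"))
        except ValueError:
            continue  # e.g. an octet above 255
    return nets


def site_domain(name):
    """Last two DNS labels: a crude stand-in for the registrable domain."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class Order:
    ip: str
    rdns: str      # reverse-DNS name of ip, resolved by the caller ("" if none)
    email: str
    amount: float
    avs: str       # gateway response: "MATCH", "NO MATCH" or "NOT SUPPORTED"
    cvv: str
    international: bool = False


def screen(order, deny_nets):
    """Return (decision, reasons); decision is 'decline', 'verify' or 'pass'.

    'pass' only means the order goes on to manual processing. A MATCH from
    AVS or CVV never clears an order by itself; only a non-match is recorded.
    """
    addr = ipaddress.ip_address(order.ip)
    if any(addr in net for net in deny_nets):
        return "decline", ["IP is on the deny list"]
    mail_domain = order.email.rsplit("@", 1)[-1].lower()
    if mail_domain in GENERIC_MAIL_DOMAINS:
        return "decline", ["generic e-mail address"]
    reasons = []
    if not order.rdns or site_domain(order.rdns) != site_domain(mail_domain):
        reasons.append("order IP does not belong to the e-mail provider")
    for name, result in (("AVS", order.avs), ("CVV", order.cvv)):
        if result != "MATCH":
            reasons.append(f"{name} returned {result}")
    if order.amount > VOICE_VERIFY_OVER:
        reasons.append("amount needs voice verification")
    if order.international:
        reasons.append("international order: request card and ID by fax")
    return ("verify" if reasons else "pass"), reasons


if __name__ == "__main__":
    nets = parse_deny_list(DENY_LINES)
    sample = Order("198.51.100.8", "host.other.example", "pat@isp.example",
                   250.00, "NOT SUPPORTED", "MATCH", international=True)
    print(screen(sample, nets))
```

As several later posts point out, a stolen card with correct AVS and CVV data ordered from an unlisted address still passes every automated step here, which is why the result is only an input to manual review.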

NewMerchant
03-29-2002, 12:40 AM
Thank you,

Your condensing of the topic, your opinion, information is very much appreciated.


Thanks

fortweb
03-29-2002, 01:26 AM
Originally posted by NewMerchant
... This is not the cart and setup I currently have, but an opinion on this would be helpful.

Other people here know more about that than I do. We bought our software a long time ago and still use the same basic methods. Our cart only collects the data and we process the order through our software after looking it over.

It looks like a lot of third party processing companies are responding to the surge of Internet fraud by allowing you the opportunity to approve or deny the order. Nothing wrong with that as long as they give you the users information to verify.

Rick

NewMerchant
03-29-2002, 01:32 AM
Yeah I see.

I went ahead and deleted my post above. I thought maybe I might be getting off topic.

Sure appreciate your experience.

chico540
03-29-2002, 01:44 AM
I read somewhere that if you use .htaccess with frontpage it will not work. If so is there another alternative ? I really would like to end this garbage with the fraudsters.

Thanks

GordonH
03-29-2002, 05:27 AM
Almost all of these thieves are using credit cards stolen from sites operated by people who are not qualified to set up or run a secure Internet business.

Not sure I agree with that.
Most card numbers used for carding have been obtained by taking second impressions of the cards in restaurants or other premises where the card is taken out of sight.
Certainly that's what happened with one of my cards and I know that we have traced real card holders who have never used their card online.

On the router issue, I spoke too soon.
Just found 50,000 + attempts to get round the .htaccess block from Indonesia and Malaysia.
Seems to be coordinated.
As soon as our system blocks the IP they change IP.
(actually one of them is going from terminal to terminal in the university library).
I actually reported them this time and got one positive response from one of the IP owners which is a satellite internet company in Hong Kong (with the IPs used for customers in............. Indonesia)
He has promised to track them down.
Makes me feel a bit better.

However, we got 2 fraudulent orders from Egypt yesterday.
I think that the IPs may be getting used by Palestinian dial up accounts as they can't get .il ones but I might be wrong.

Once again it's Islamic countries.
This cannot be coincidence and the coordinated pattern of attack we are getting from Malaysia and Indonesia suggests that it's not random either.
It's another form of terrorism.
Why don't they target companies like Verisign and Verio who can afford it (maybe they do).
I wonder who is reading this thread.

I AM NOT AN AMERICAN.
I HAVE NEVER EVEN BEEN TO THE USA.


Gordon

NewMerchant
03-29-2002, 06:01 AM
So what is the answer?

Shouting I am not an American I assure you won't cut it.

I am more interested in what can be done to protect ourselves.

It appears with this post that even the .htaccess list isn't working.

If there was a way to allow only US certain countries to even purchase through the script, would this solve the situation?

A gentleman I spoke with tonight was doing some hard coding within the templates to allow for only certain countries to even use the form. It wouldn't allow to type other countries in.

Would anything like this work? Maybe coupled with the above post as to what he is doing to accomplish the task?

Thank you

Walter
03-29-2002, 06:16 AM
No, it will not work. After we banned Indonesia the same idiot kept signing up with US IPs. It's not that simple.

GordonH
03-29-2002, 06:20 AM
Yes, I know it won't make any difference.
I have just had a very bad 24 hours of it.
I am British and that is much the same thing as far as these people are concerned.

Not allowing them to enter Indonesia as a country is a waste of time because they are using stolen US cards and will be entering US addresses mainly.

Gordon

NewMerchant
03-29-2002, 06:23 AM
ok.

nmihosting
03-29-2002, 07:03 AM
Originally posted by GordonH
Yes, I know it won't make any difference.
I have just had a very bad 24 hours of it.
I am British and that is much the same thing as far as these people are concerned.

Not allowing them to enter Indonesia as a country is a waste of time because they are using stolen US cards and will be entering US addresses mainly.

Gordon

Gordon, I am sorry to hear you have had a rough time in the past few days. I have been 'lurking' on this thread for a few weeks now and wanted to let you know how much helpful info you have supplied to me and I am sure many other people. I really appreciate you sharing your knowledge and experience with us on this very serious issue, and I am sure that your info will go a long way to help other hosting firms like mine combat credit card fraud.

Keep on fighting the good fight!

Leeanne:)

Craig
03-29-2002, 08:12 AM
Originally posted by GordonH

We actually have insurance against chargebacks (and it pays up promptly!)
But if we were putting $1000's through it the premiums would skyrocket.


Is this through a third party? If so, who?

Craig

GordonH
03-29-2002, 09:09 AM
It was Worldpay but we had to pull out of it as they decided to try and claw back some of the payments which had been made under the insurance.

It added 1% to our costs which was rather a lot of money.
We are actually slightly better off without it.

Gordon

fortweb
03-29-2002, 12:53 PM
You can expect retaliation when you block them from your site. They routinely sign our email addresses up for spam and stick mainly to porn and gambling lists. We net 30-40 spam mails a day through spamcop, which is a great service by the way.

How do I know they do this? Most porn sites don't want to send people spam, many use double blind mailing lists and we actually get the requests listing our email address and an Indonesian IP attached to the request to enter the mailing lists. On these, we just delete them, no reason to report them for running a good procedure.

The gambling sites don't use double blind lists so we do report them through spamcop with a click and never hear from them again. They also add us to notorious major spammers like PMG and these people will not accept spamcop reports or honor remove requests so those we just block the mailserver all together.

I think these criminals actually have an HTML form set up to submit people's email address to multiple spam sites with a single script, they usually come in 10-15 at a time and often in the exact same order.

Spamcop.net filters 99% of all the spam we get and stops no legitimate communication, at $3.00 per month, we love it! If these guys actually have time to waste doing this sort of nonsense, good for them, it does not bother us thanks to spamcop.

Rick

fortweb
03-29-2002, 01:01 PM
Originally posted by GordonH
Not sure I agree with that.
Most card numbers used for carding have been obtained by taking second impressions of the cards in restaurants or other premises where the card is taken out of sight.
Certainly that's what happened with one of my cards and I know that we have traced real card holders who have never used their card on line.

You might be right Gordon but I have found caches of stolen cart data several times on free hosting sites that I traced from the fraudulent orders email address.

These have always been accessible via the web with no directory protection but usually about five sub directories down from their root folder. They have contained anywhere from several to hundreds of orders stored in plain ASCII obviously from a cart datafile.

Rick

NewMerchant
03-29-2002, 01:51 PM
FortWeb,

I called my merchant bank and gateway for additional information on the topic. Neither gave any additional advice to fraud prevention etc... and in fact they said that they now have a "risk" department. So in other words, "It's up to you and if you have a problem off to the risk department you go."

:mad:

GordonH
03-29-2002, 03:01 PM
OK Rick
I suppose I am not used to the idea of storing card numbers on a web server as all ours are either stored off line or on the Worldpay system which is fairly impregnable.

Gordon

fortweb
03-29-2002, 03:25 PM
I know it is hard to imagine that people would store unencrypted cart data on their server but it is sadly often true. I don't like the idea of even storing encrypted data on the server.

This explains why I am quick to scold people on occasion. I view them as enablers because I have personally seen things like hosted clients storing unencrypted cart data in an unprotected, web viewable directory.

I should not have said "most"... you're right, there are a lot of ways that criminals steal card data. I can't say more without putting ideas out for crooks to feed on but let's just say that this is definitely a significant part of the problem!

Rick

headsurfer
03-30-2002, 11:55 AM
Awesome thread and a great reason that WHT exists. I thought we were the only ones getting taken advantage of.

Thanks everyone for the info in this thread. Our entire order processing team will be looking through the issues presented looking for a way to improve our system while allowing ALL of Australia and NZ.

Thanks again to everyone for sharing your experiences.

What would you guys think of a host-only "membership" (free) based system that would allow hosts to share information on fraudulent transactions?

While the lost fees are certainly important with CC fraud, what seems more important is the potential to lose your cc processing relationship due to fraud. That prospect is SCARY!

Robert Marsh
Head Surfer Rackshack.net

diederik
03-30-2002, 11:59 AM
What would you guys think of a host-only "membership" (free) based system that would allow hosts to share information on fraudulent transactions?


Good idea, it's time we make something like that :)

indyjon
03-30-2002, 12:03 PM
Originally posted by headsurfer
What would you guys think of a host-only "membership" (free) based system that would allow hosts to share information on fraudulent transactions?

With WHT for sale..... it sounds like one of the things WHT could become. A thread about some ideas is here: http://www.webhostingtalk.com/showthread.php?s=&threadid=33788

fortweb
03-30-2002, 12:17 PM
I regged http://www.combatfraud.org and started building it simply because I was fed up with not being able to do anything to fight these crooks on an individual level.

Over the next week the site will finally go live and the board is functional now...

http://www.combatfraud.org/forum/index.php

This site was mainly intended to help new and existing web merchants get a handle on fraud and to enlist help from all over the world in this crusade.

If you folks would like to use this domain for a forum such as headsurfer has suggested, I would be happy to set up either a private forum or an entire private board to use for this purpose.

Addendum...
On second thought, I expect to be targeted for reprisals so maybe it is not a good idea to have the private board on that domain. The offer is still open to discuss but WHT or a similar existing user base oriented site might be a better choice.

In any case, you all are welcome to visit and add your input to the board now as it is. I can provide the site and I am going to put a weeks effort into building it but I am really hoping for the support of others sharing their knowledge to make it a success.

Hosting providers are probably the hardest hit but all web merchants are experiencing this problem to some degree. Let's not forget the millions of little guys out there working very hard to run an Internet business. Most of them are not going to know about or look for WHT and unless they pick up a search engine hit on fraud, will never read this.

Rick

NewMerchant
03-30-2002, 03:06 PM
Originally posted by headsurfer


What would you guys think of a host-only "membership" (free) based system that would allow hosts to share information on fraudulent transactions?

Robert Marsh
Head Surfer Rackshack.net


Good Idea.

nozol
04-01-2002, 08:35 AM
Hi all,

We were victims of fraud from Indonesia too. From what I noticed, it was not a group of people, it was ONLY one person who made all these fraud orders. He made fraud orders of more than $20K and we refunded them all. He used all kinds of methods, and he really made a lot of damage to us.

I noticed that the main reason for fraud orders is getting a shell account. And specifically to run irc programs like eggdrop and others.

These fraud orders made us stop instant activation for a while. Then we stopped providing shell access whatsoever, ssh or telnet. When we stopped providing shell accounts, he knew that he will not get what he wants, so he stopped.

I am sure that he is only one person because of his style and he was running the same chat programs each time he got an account.

A friend of mine called FBI and they told him that he is an international criminal that they are after him for a long time. He used stolen credit cards and made million dollar orders.


As for the Muslim issue, we are Muslims and were victims of fraud orders from Indonesia. Our web site states clearly that we are from Egypt and it is obvious that we are Muslims, and that did not make him stop his fraud orders.

Fraud and credit card theft has nothing to do with culture, it is a criminal act. Islam certainly calls for love for all people on earth and the good followers of Islam never do such criminal acts in the name of war or something like that.

These are crimes, and no culture on earth could justify for it.

I think, IMHO, that the best solution for fraud orders is to stop providing shell accounts, it helped in our case at least.

Regards,

Ahmed

MikeF
04-01-2002, 09:17 AM
Originally posted by nozol


I think, IMHO, that the best solution for fraud orders is to stop providing shell accounts, it helped in our case at least.


Ahmed

Now this is something we can all work with. We can still offer shell accounts but hold off on setup until after verifying the order and cc. Or state at the time of order that shell account access will only be activated under certain conditions.

Thanks for the info Ahmed.

nozol
04-01-2002, 09:23 AM
You are most welcome Mike, your idea is very nice, wish you the very best of luck!

Regards,

Ahmed

Walter
04-01-2002, 03:11 PM
Originally posted by nozol
From what I noticed, it was not a group of people, it was ONLY one person who made all these fraud orders.

I noticed that the main reason for fraud orders is getting a shell account. And specifically to run irc programs like eggdrop and others.

Then we stopped providing shell access whatsoever, ssh or telnet. When we stopped providing shell accounts, he knew that he will not get what he wants, so he stopped.

We had exactly the same person acting exactly the same way. But a small warning: last time I caught him as he tried to install a cgi script providing a shell account!

nozol
04-01-2002, 03:32 PM
Thank you so much Walter for the warning, very interesting! I guess this thief is sick about shell accounts.

fortweb
04-01-2002, 07:13 PM
I don't doubt that a single person took you for a ride, especially if he was successful in getting past your fraud screening once. Going back to the same well until it is out of water is only logical.

However, I don't buy for a minute that this is one or even a small group of people. A search on Google for +"Indonesia" +"credit card fraud" will net you more than you could read in a week, many referencing organized fraud rings.

http://www.businesswire.com/webbox/bw.092100/202652105.htm

http://www.naspa.com.au/merchants.htm

http://www.aic.gov.au/publications/tandi/ti71.pdf

http://www.cartserver.com/americart/faq-fr.html

GordonH
04-02-2002, 05:57 AM
Yes
One person would not explain the hundreds of thousands of hits we get per month from Indonesia each month trying to hack into our systems (presumably some sort of revenge)

I routinely report them to the abuse addresses for their IP range.
Many of these e-mail addresses bounce.
Out of the others I have received messages like:

"We do not accept abuse reports from countries outside our own area"
"These IP's are sub-delegated to a university, we cannot help you"

The only one where I got any result was IP's belonging to a Hong Kong based satellite ISP which were being used in Indonesia.

It's not just Indonesia.
Malaysia has similar problems and some of the attacks we have had do appear to be coordinated from IP's in both countries.

All I can say is it gives a very bad impression of these countries to the outside world.
I have to keep reminding myself of an old friend of mine from Jakarta who was as honest as the day is long, or I would start thinking that all Indonesians are crooks.

It is changing the worlds perceptions of Indonesia and turning their internet into a partial intranet.

Gordon

WHRKit
04-02-2002, 09:51 AM
Varun

Your script works awesome but I have one question. How do you know which orders were denied or redirected? I mean - in my case I email the orders myself. The email gets triggered before the process continues with your fraud check. How would I be able to tell which 'way' the order went at the end.

I am not a programmer but how could I get your script to trigger another email to let me know what happened to IP address "X"?

Thanks!

The Fish

Varun Shoor
04-02-2002, 01:49 PM
Varun
Your script works awesome

Thanks, it's really doing wonders for me too :) , right from the time I initiated it I haven't received a single fraudulent order.

How do you know which orders were denied or redirected? I mean - in my case I email the orders myself. The email gets triggered before the process continues with your fraud check. How would I be able to tell which 'way' the order went at the end.

I am not a programmer but how could I get your script to trigger another email to let me know what happened to IP address "X"?

Thanks!

The Fish


Replace the following in index.php

if ($fraudchecker->isfraudlent($ip, $email)) {
    header("location: $failedurl");
    //echo "Fraud!";
} else {
    //echo "Genuine!";
    header("location: $successurl");
}


with


if ($fraudchecker->isfraudlent($ip, $email)) {
    header("location: $failedurl");
    mail("YOUREMAIL@HOST.COM", "Fraudlent Order Rejected!", "Fraudlent order rejected from '$ip' IP address");
    //echo "Fraud!";

} else {
    //echo "Genuine!";
    header("location: $successurl");
}


Replace 'YOUREMAIL@HOST.COM' with your email address.

Good luck!

:D :D

WHRKit
04-02-2002, 03:39 PM
Works like a champ!

Thank you very much!

The Fish

fortweb
04-03-2002, 07:34 PM
Originally posted by GordonH
It's not just Indonesia. Malaysia has similar problems and some of the attacks we have had do appear to be coordinated from IP's in both countries.

All I can say is it gives a very bad impression of these countries to the outside world. I have to keep reminding myself of an old friend of mine from Jakarta who was as honest as the day is long, or I would start thinking that all Indonesians are crooks.

It is changing the worlds perceptions of Indonesia and turning their internet into a partial intranet. Gordon

I agree, the vast majority of fraud and hack attempts coming from RIPE areas (and lately eastern europe) is not because there are more bad people there than here or anywhere else.

It is because when you do it here you get thrown in jail and when you do it there, nobody cares! The problem lies in the fact that they have incompetent and corrupt law enforcement and server admins who allow this kind of thing to continue unchecked.

Additionally, you can call me paranoid if you want but I honestly believe that a not insignificant portion of these fraud rings are simply terrorists out to damage the International economy in general and the western economy specifically. As easy as the credit card companies have made the system to abuse, it is a wonder they have not thought of this sort of economic terrorism before now.

All the CC companies have ignored the problem and refused to pursue and prosecute criminals, just leaving the merchant holding the bag is not going to cut it much longer. This has to be affecting their overall profit margins.

Rick

AH-Tina
04-03-2002, 07:39 PM
Originally posted by fortweb


All the CC companies have ignored the problem and refused to pursue and prosecute criminals, just leaving the merchant holding the bag is not going to cut it much longer. This has to be affecting their overall profit margins.

Rick

I don't see how the credit card companies are losing money, when WE have to pay to reimburse their customers.

--Tina

fortweb
04-03-2002, 07:57 PM
Originally posted by AffordableHost


I don't see how the credit card companies are losing money, when WE have to pay to reimburse their customers.

--Tina

They lose money when people are afraid to use their cards on the Internet. Do you use yours over the net these days? We don't unless we are pretty freaking certain we can trust that the people taking that info are running a secure cart with secure procedures!

Our rack host, Macromedia, the author of our cart software... no problem. Kmart, QVC, magazine or television advertisers... NO WAY!

Just how bad Internet fraud is becoming is now filtering out to the public, how many of those people are going to quit using their cards online?

It took us (meaning the honest web community) years to develop enough trust with the public for them to start using their cards on-line, this will definitely be a setback.

I promise you that the bean counters looking at billions of dollars in sales are going to see this trend very clearly in their pretty little color graphs and pie charts.

Rick

AlaskanWolf
04-03-2002, 08:16 PM
the merchant industry is digging itself a deep grave as V/M recently changed their chargeback rate from 6% to 1%

The only thing that will do is making internet companies scurry for a new account (like us)

It's certainly not fair at all since the end customer has everything to gain and nothing to lose by submitting a free chargeback request, and even if we show proof of the charges, we still get $20.00 charges tacked on. V/M are putting 100% responsibility on the merchant, my view is if the merchant has PROOF of the charge, they should not be held responsible and not be charged, in the end, the consumer should be charged for the time and money it takes to investigate a false or envious chargeback

Personally I will love to see the day when people start moving away from credit cards on the internet and then I will just laugh at V/M for that hole they are slowly digging for themselves.

MikeF
04-03-2002, 09:09 PM
Originally posted by AlaskanWolf
the merchant industry is digging itself a deep grave as V/M recently changed their chargeback rate from 6% to 1%

The only thing that will do is making internet companies scurry for a new account (like us)

It's certainly not fair at all since the end customer has everything to gain and nothing to lose by submitting a free chargeback request, and even if we show proof of the charges, we still get $20.00 charges tacked on. V/M are putting 100% responsibility on the merchant, my view is if the merchant has PROOF of the charge, they should not be held responsible and not be charged, in the end, the consumer should be charged for the time and money it takes to investigate a false or envious chargeback

Personally I will love to see the day when people start moving away from credit cards on the internet and then I will just laugh at V/M for that hole they are slowly digging for themselves.

I agree. I am just about to get my account from Echo and I have to say I am scared ****less about the fraud situation. Merchants seem to get very little real support from cc issuers and processors and the merchant is carrying a major financial burden and saddled with terrible consequences for fraudulent orders...the playing field is definitely NOT level or equitable.

There has to be a better way.

fortweb
04-03-2002, 10:00 PM
I have seen a number of people express their concerns over fraud by actually re-thinking if they even want to go into business on the web. I can't blame you for being afraid, especially new merchants who have just laid out a cash and time investment for a merchant account. However, I really think this line of thinking is based on fear instead of reality.

Especially when it is so easy to mute their efforts! Yes, they are there and you have to deal with them but you have the power to make them nothing more than a nuisance. Anyone following a handful of simple procedures can protect themselves from fraud.

I agree that the CC companies are of no help but that is nothing new. It has ALWAYS been the merchants responsibility to screen for fraud and I just can not accept the reasoning that any person with the willingness to accept credit cards should not also accept the responsibility that goes along with it.

You can't just sit back, collect orders and make money with no risk or active fraud screening procedures. That is simply a part of business, any business and if you don't realize that right up front, you won't be in business long.

Now malicious chargebacks like wolf was referring to are another story entirely. However, those are far less frequent than fraud attempts and although they will take a small percentage of profits, they won't put you out of business like fraud can.

Rick

AH-Tina
04-03-2002, 10:14 PM
Originally posted by fortweb

Now malicious chargebacks like wolf was referring to are another story entirely. However, those are far less frequent than fraud attempts and although they will take a small percentage of profits, they won't put you out of business like fraud can.

Rick


WRONG!!!! Last month we had just 1.08% in chargebacks. It didn't matter if it was due to fraud or maliciousness, they are all the same...a chargeback is a chargeback.

Our merchant account provider froze all of our funds for almost 2 weeks...and we had no idea if or when they were going to release those funds. It was VERY scary for those 2 weeks...because we didn't know if we should continue to take more orders, put everything on hold, or scramble for a new provider (try getting a merchant account when you've been closed down by one for too many chargebacks...HA!). No merchant account means we would effectively be OUT OF BUSINESS.

We do almost everything possible to reduce chargebacks (to the point of losing sales sometimes because we're so paranoid!)...and it still isn't good enough. It is absolutely HORRIBLE the way the credit card companies and merchant account companies treat the merchants. ALL burden of proof and precaution is on OUR HEADS. :angry: :angry: :angry:

--Tina

bitserve
04-03-2002, 10:14 PM
Originally posted by MikeF
I agree. I am just about to get my account from Echo and I have to say I am scared ****less about the fraud situation. Merchants seem to get very little real support from cc issuers and processors and the merchant is carrying a major financial burden and saddled with terrible consequences for fraudulent orders...the playing field is definitely NOT level or equitable.

There has to be a better way.

Don't be scared. We just successfully disputed two more chargebacks last week. ECHO is the best! They read our disputes and accept our evidence. They seem to care about their merchants.

fortweb
04-03-2002, 10:48 PM
Originally posted by AffordableHost
WRONG!!!! Last month we had just 1.08% in chargebacks. It didn't matter if it was due to fraud or maliciousness, they are all the same...a chargeback is a chargeback. We do almost everything possible to reduce chargebacks (to the point of losing sales sometimes because we're so paranoid!)...and it still isn't good enough. It is absolutely HORRIBLE the way the credit card companies and merchant account companies treat the merchants. ALL burden of proof and precaution is on OUR HEADS. :angry: :angry: :angry: --Tina

It DOES matter, malicious chargebacks can not be prevented but fraud chargebacks can! Malicious chargebacks are not frequent enough to cause you to lose a merchant account or put you out of business, if they are, then there has to be other things going on.

I am not sticking up for the CC companies but apparently you just ignored everything I said... it IS your responsibility, it always has been, it always will be. I am sorry but that is just the way it is. If anyone could run a business without risks then everyone would run a business.

I don't know the circumstances around your chargebacks, I don't know who does your screening or how they do it but it is flawed. We are not a big company, there are only two of us here that do everything and somehow we manage to screen fraud successfully. It is not a science and we do get an occasional malicious chargeback and yes, it makes us mad too but we accept it as part of doing business.

If the CC companies lose enough money they will implement better security measures that we will all indirectly benefit from but they are never going to be on our side. They are never going to accept any risks for the merchant and they will always side with the consumer who pays them more money (in the form of interest) than we do. Nothing you or I can do will ever change that.

fortweb
04-03-2002, 11:36 PM
1.08% in chargebacks to get your merchant account frozen sounds very unreasonable to me by the way. Maybe your merchant account provider is the problem and not your methods.

I know they are freaking out over this fraud explosion just like we are. Unfortunately, non-swipe accounts are being hit the hardest so they are looking at us as high risk. Even at that, it still sounds pretty extreme, we had one malicious chargeback in recent memory that was probably closer to 3% of our monthly billing and Cardservices never even flinched.

MikeF
04-04-2002, 05:05 AM
Originally posted by bitserve


Don't be scared. We just successfully disputed two more chargebacks last week. ECHO is the best! They read our disputes and accept our evidence. They seem to care about their merchants.

Hey Mark,
thanks for the confidence building effort! I appreciate it.

You know with regard to what I said "there has to be a better way" as part of my work process to screen for fraud I will be processing all new sign up transactions manually. From what I have read and understand "real time" processing is not a reality in today's environment...to be honest I have to admit, initially I was chasing the "real time carrot" (now hype), of firing up the PC and have a few nice new orders sitting there for me in the morning all done already to go.

Partly it was an illusion created by some of my own customers. I have customers I have set up e-commerce sites for that have been doing business for several years with no cc processing problems/fraud. It's too bad this industry (hosting) seems to attract bad customers who want to be knuckle heads.

Still doesn't seem right to me.
baby steps for me...Thanks everyone for your help and input.
This forum and its participants do provide some light! My hats off to all of you!

nmihosting
04-04-2002, 01:31 PM
Originally posted by MikeF
You know with regard to what I said "there has to be a better way" as part of my work process to screen for fraud I will be processing all new sign up transactions manually. From what I have read and understand "real time" processing is not a reality in today's environment...to be honest I have to admit, initially I was chasing the "real time carrot" (now hype), of firing up the PC and have a few nice new orders sitting there for me in the morning all done already to go.


We would love to be able to offer real-time set-up for customers, and our systems allow for it - but we don't use it because of the fraud issues. Every new account is processed by hand, and we check every last detail. We also tend not to accept orders if the customer can't supply the CVV2/CVC2 code (and whilst some cards don't have it, we usually aren't willing to take the risk - it's unfortunate but necessary).

We did have a chargeback last month (it was one of the few times we processed an order without the CVV2 - and only because it was a US card and all the details matched) - but we supplied the evidence that the name, address matched and the chargeback was reversed. We were pleased to say the least, it was obviously just somebody trying to get a free ride. It restored our faith in our merchant account provider anyway.

AH-Tina
04-04-2002, 01:36 PM
How do you verify the CVV2 code?!?!? Does your merchant account do that for you? I can't find a way to check that with EMS...unless I'm missing something obvious.

--Tina

GordonH
04-04-2002, 01:40 PM
Why did your bank accept the name and address details?
Surely a fraudster would have put the correct name and address in as well?

I am very surprised that they did that when our bank will not even accept a faxed, signed order confirmation form because it was not signed in front of us at the point of sale.

Gordon

nmihosting
04-04-2002, 01:53 PM
Originally posted by AffordableHost
How do you verify the CVV2 code?!?!? Does your merchant account do that for you? I can't find a way to check that with EMS...unless I'm missing something obvious.

--Tina

Hi Tina,

Our gateway provider (Planet Payment) will tell us if the CVV2 or CVC2 code did not match and reject the charge.

I thought that this was pretty standard ??

Leeanne :)

nmihosting
04-04-2002, 01:58 PM
Originally posted by GordonH
Why did your bank accept the name and address details?
Surely a fraudster would have put the correct name and address in as well?

I am very surprised that they did that when our bank will not even accept a faxed, signed order confirmation form because it was not signed in front of us at the point of sale.

Gordon

To be honest with you Gordon, I don't know why they accepted it. I presume that when they went back to the guy who had disputed the charge and advised that we had provided proof that all his details had been input correctly, he suddenly regained his memory of the charge. This wasn't a charge for web hosting, it was for software that he purchased and downloaded. But I was surprised too, pleasantly so, but definitely surprised that the chargeback was reversed.

MikeF
04-04-2002, 03:26 PM
Originally posted by nmihosting


Hi Tina,

Our gateway provider (Planet Payment) will tell us if the CVV2 or CVC2 code did not match and reject the charge.

I thought that this was pretty standard ??

Leeanne :)

I am 99% sure echo's virtual terminal has entry for cvv2. I haven't been in to see the terminal interface, but I did ask them when I signed up. I may go the route of requiring cvv2 as well. I think if you do it may help to put you in good stead with the processor and bank in that you are trying to do as much as possible to head off bad orders.

fortweb
04-10-2002, 06:08 PM
Our fraud attempts have dropped to near zero since we implemented Gary's .htaccess deny list, it must get most of the commonly used proxies.

We did have an interesting one today that would have slipped right by an automated gateway processing procedure. We called the cardholder and he was not aware that it was stolen.

I posted the trackdown procedure I used on the combatfraud.org site if you're interested.

http://www.combatfraud.org/forum/viewtopic.php?t=28

It looks like the thief was using a self installed CGI proxy on a stolen US domain to hide his access IP and was going through four or five stolen domains for his email account.

Rick

GordonH
04-10-2002, 06:29 PM
Hey
We had an order from wisnu@terorist.org a while back.
Same story
Yes, they always use Network Solutions for domains because they have no security in place and just let domains run even if they are charged back.

This is the first month I have had usable web stats because of all the attacks from ID and MY
I have blocked them at the router so now my top 10 visitors are not 400,000 hits from some university in indonesia.

Also, I took all mention of SSH off our sites and have not had any attempts since.
I have probably lost sales, but I can live with that.

Just need to crack the malicious chargebacks and life will be very nice.

Gordon

fortweb
04-10-2002, 06:43 PM
Our own deny list with yours merged (more yours than ours) stopped the bulk of it, Gary's list took out the rest. I think we are going to add the basic list to our IPChain rules so they never even make it to the webserver. Now there are just going to be the occasional proxy attempts to fend off.

Can you imagine how many zombie domain names there are on the web from fraud attempts. The least NetSol could do is get rid of the clutter and make the names available.

Rick

ag-webdesign
05-09-2002, 08:15 PM
Hi,

Sorry to pull this old thread up again, but...

Does anyone know if it is possible to block people by ip on IIS, since it has nothing like .htaccess files.

Also gordonk, you say you have chargeback insurance, if possible could you tell me where you got this from.


Thanks,

Adam

Varun Shoor
05-09-2002, 08:51 PM
If you got PHP installed on IIS then you can combine all the IPs and use the script I posted above..

GordonH
05-10-2002, 04:52 AM
Hello
We used to have chargeback insurance from Worldpay but we dropped it once we got our chargebacks down to a level lower than the insurance costs :)

I have an update to the original .htaccess method.

I added a 403 error handler and pointed it to an explanatory page on another server.
This prevents visitors getting stuck in a loop of 403 > 404 > 403
requests in Apache.

I stuck a counter on the page and it had a lot of hits in the first day even though we block most of the IP's at the router.

Gordon

fortweb
05-10-2002, 05:00 AM
That is a good idea, where is the update at Gordon? Would you please post the method you used in the combatfraud.org forum, I am sure others there would be interested in directing people to an explanation page rather than a standard error.

GordonH
05-10-2002, 05:33 AM
Here is the bottom end of my .htaccess file:

deny from 217.8.3.73

#Added 03-05-2002 Indonesian new block
deny from 61.5
</Limit>


ErrorDocument 404 http://www.hostroute.com/index.html
ErrorDocument 403 http://www.whatver.com/errorpage.html

I tested it by putting my Ip address in the deny list and it works fine.

The error page for the 403 must be under a different name or it will be denied as well.
I have put it on a different server just in case it gets attacked.
That might seem mad but given the level of attacks we have had over the past few months it's worth tying up a spare box for one page ..............

Gordon

ag-webdesign
05-10-2002, 08:08 AM
Looks like I will just have to put the payment pages onto the linux box.

Adam

batcavenet
05-17-2002, 05:18 PM
Ok - you convinced me I'm putting in Gary's list right away :)

JDT

netbasiks
05-19-2002, 04:04 AM
OK, here's the problem we are having...
We have blocked all IP's mentioned in this thread (and then some) using .htaccess for a few months now, and have had a slight reduction in the number of fraud orders.

But in the past few weeks the hackers have simply started using www.anonymiser.com (or some other similar service) to place their fraud order. This is a real simple workaround for them. Any suggestions on how we can block them?? Anyone has a list of all the IP's used by these proxy services?

GregM
05-19-2002, 04:27 AM
Firstly, I wouldn't offer instant account setup as this is one of the things spammers look for. Secondly, I would always do a trace of the IP address of the person who placed the order. If the IP address points to one of those anonymous sites, simply delete the order. Setting up accounts instantly or without doing a few simple fraud checks is just asking for trouble in my opinion.

fortweb
05-19-2002, 06:23 AM
Gary's list blocks many anon services and I explain how to identify proxies on www.combatfraud.org

Rick

netbasiks
05-19-2002, 06:54 AM
Thanks Greg and Rick for your suggestions. We'll try it out when the site comes back online. Right now we are getting a "phpBB : Critical Error Could not connect to the database" error when trying to access combatfraud.org.

-Robby

fortweb
05-19-2002, 09:13 AM
Robby,

Not sure what the problem was, I can't duplicate that error and it seems to be working fine for me right now. Please send me some email if you are still having problems, maybe it is a browser issue with the board?

Rick

NOTICE TO ALL: Indonesia has a new IP range to block. At least we did not have this one before on the basic deny list...

202.138.224.0 - 202.138.255.255

Add this to your .htaccess file, it will block that entire range without blocking AU

# 202.138.224.0 - 202.138.255.255 as a single CIDR block; a partial address
# such as "202.138.23" matches only 202.138.23.x, not 202.138.230-239
deny from 202.138.224.0/19
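
Apache matches a partial address in `deny from` on whole octets, so a range such as 202.138.224.0 - 202.138.255.255, which does not end on an octet boundary, is easy to under-block or over-block. The following is an added example, not part of the original post: it audits a deny list against the range it is meant to cover. The list in it is constructed sample input and the function names are assumptions of this example.

```python
import ipaddress


def entry_to_network(entry):
    """Translate one 'deny from' argument into an IPv4Network.

    Supports 'all', a full address, a CIDR or netmask form, and Apache's
    partial address (first 1 to 3 octets, matched on whole octets).
    Hostname arguments are not supported and raise ValueError.
    """
    entry = entry.strip()
    if entry.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    octets = entry.rstrip(".").split(".")
    valid = 1 <= len(octets) <= 4 and all(
        o.isdigit() and int(o) <= 255 for o in octets)
    if not valid:
        raise ValueError(f"not an IPv4 address or prefix: {entry!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")


def parse_deny_lines(text):
    """Collect the networks named by every 'deny from ...' line in text."""
    nets = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and [p.lower() for p in parts[:2]] == ["deny", "from"]:
            nets.extend(entry_to_network(p) for p in parts[2:])
    return nets


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def subtract(nets, holes):
    """Return the parts of nets that no network in holes covers."""
    remaining = list(nets)
    for hole in holes:
        kept = []
        for net in remaining:
            if not net.overlaps(hole):
                kept.append(net)
            elif not net.subnet_of(hole):
                # hole lies strictly inside net: keep everything around it
                kept.extend(net.address_exclude(hole))
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))


def audit(deny_text, first, last):
    """Compare a deny list with the range it is supposed to block."""
    intended = range_to_cidrs(first, last)
    denied = list(ipaddress.collapse_addresses(parse_deny_lines(deny_text)))
    return {
        "intended": intended,
        "missed": subtract(intended, denied),       # in range, not denied
        "overblocked": subtract(denied, intended),  # denied, outside range
    }


def deny_lines(first, last):
    """Render the range as the shortest set of 'deny from' lines."""
    return [f"deny from {net}" for net in range_to_cidrs(first, last)]


# Constructed sample: short prefixes written as if they covered 230-249.
CONSTRUCTED_LIST = """
deny from 202.138.224
deny from 202.138.225
deny from 202.138.23
deny from 202.138.24
"""

if __name__ == "__main__":
    report = audit(CONSTRUCTED_LIST, "202.138.224.0", "202.138.255.255")
    print("still reachable:", [str(n) for n in report["missed"]])
    print("blocked outside range:", [str(n) for n in report["overblocked"]])
    print("\n".join(deny_lines("202.138.224.0", "202.138.255.255")))
```
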

adi
05-20-2002, 11:52 AM
first, sorry for my bad english :-)

I'm web developer which mostly have my web hosted in US-based web hosting provider.

it's unfair just because some of fraud transaction came from indonesia, our IP get blocked. try to find other solution instead of doing this.

thanks
adi

fortweb
05-20-2002, 01:44 PM
adi,

No, it is not fair to legitimate users in your country and I am honestly sorry about that but there is simply no other solution available.

Trust me, no one in any business wants to limit their client base. The fact remains that we get hundreds of fraud attempts from your country and not a single legitimate order.

In some cases this puts people out of business, in ours, we detect and remove fraud attempts before we lose money on them.

We still lose money for all the work that it creates having to do fraud detection on orders from a country that we have had nothing but fraud attempts from.

It costs us money in the time it consumes and it makes our invoicing system and record keeping look sloppy. I will not tolerate people making more work for us when there is a simple solution like blocking the problem areas all together.

You can not deny this problem. This thread would not exist if we were the only ones being affected and we are a small company. This is a serious problem that mushrooms from Indonesia and affects the entire world economy.

I can promise you that is only going to get worse as far as access from Indonesia goes. More and more web merchants will be applying this method to block Indonesia because it is rapidly becoming common knowledge. When a web merchant gets tired of dealing with fraud from Indonesia, they start doing searches on Google and quickly find a lot of people and sites using this method to stop fraud from your country.

The only real solution to this problem that is good for everyone is to stop the flow of fraud from within Indonesia. Apparently your government, law enforcement and server admins do not care about this problem and are allowing it to continue unchecked. When we report fraud attempts to Indonesian server admins we have never once even received a reply and have often received virus attempts via email from the criminal days afterwards so we know the server admins did not even pull the account.

I am sorry but until the people in your country who provide you with access and run your justice system start taking some responsibility and stop this unending flow of fraud, your access to the world's Internet servers is going to decline at a steady rate.

Rick

GordonH
05-20-2002, 01:55 PM
The fact remains that we get hundreds of fraud attempts from your country and not a single legitimate order.

That sums up our position also.
There is no point in offering services to countries where there have never been any legitimate orders.

You will continue to be able to order from companies like Verio and Network Solutions who seem to be able to absorb enormous losses from fraud.

It's not unfair at all.

Nobody *has* to do business with anybody else.
A shop keeper can refuse to sell goods to someone if they wish.
No harm is done as there are lots of other shops in the same street willing to sell the same product to the customer.

Gordon

fortweb
05-20-2002, 02:08 PM
It is unfair in the respect that I know there are a lot of honest, hard working people in Indonesia who have their entertainment or business surfing hampered by access bans.

Just like when the whole class was punished by canceling a field trip because one person did something wrong and nobody would rat them out.

That's life... the method is usually effective but nobody said it was supposed to be fair.

WHRKit
05-20-2002, 04:40 PM
Originally posted by ag-webdesign
Hi,

Sorry to pull this old thread up again, but...

Does anyone know if it is possible to block people by ip on IIS, since it has nothing like .htaccess files.

Also gordonk, you say you have chargeback insurance, if possible could you tell me where you got this from.


Thanks,

Adam

Adam,
Right click onto the Web Site in IIS and select properties. Go to the "Directory Security" tab - you'll see the section for IP addresses and domain names - you can enter the necessary information here and are good to go!

Good Luck!

The Fish

Mr Green
05-25-2002, 09:18 AM
Not knowing what your processor is charging you, I will say that:

You should be able to do just an authorization against the credit card and then cancel it or just not fulfill it. In that case you would only pay the gateway transaction fee $0.50 not the % cost on the transaction.

If the sale is good then you turn the authorization into a ticket and at that point you are charged the percentage rate.

Additionally a gateway should be providing you with the capability to void a sale in the same day and pay nothing more than the transaction $ fee as well ( usually under $0.50 )

At 2Checkout.com you don't pay for any sale that is cancelled within 48 hours and the IP of the buyer is reported to you along with the IP's believed location.

The countries you mention plus a few more account for the lions share of fraud on the web while at the same time accounting for a tiny tiny percentage of legit sales.

fortweb
05-26-2002, 04:43 PM
I have found an accurate list of all netblocks assigned to various countries. In the past it has been very difficult to find these because APNIC is unable or unwilling to provide this information.

This has been compiled for anti-spam organizations to use but it is not surprising that a lot of the countries where fraud is rampant are also havens for spammers.

It may be a few weeks but I intend to build 2 master blocking lists from this data. One will be a deny list for application through .htaccess and the other will be an IPChain ruleset that will deny access at the server level.

By using ranges I think these lists will be kept relatively short and I will comment each set of ranges by country so they may be removed if desired.

The countries I intend to block are the ones that have a high incidence of fraud and provide us with no legitimate sales...

Indonesia
Korea
Pakistan
China
Malaysia

If any of you wish to work on your own lists, here is the URL

http://www.cluecentral.net/rbl/

Rick

chico540
05-26-2002, 08:38 PM
Well- i needed to update my .htaccess file today. Got a bogus order from this ip today- 213.38.69.3

This guy claimed to be from the States, a bogus telephone number etc..

Just a heads up to everyone. Oh the email used was : haya@agurkas.com

Take care all!

jayglate
05-27-2002, 03:44 AM
Define digital signature. Like I "Jay Silver" authorize this charge?

Something like this

"This document will not be "signed" in the sense of a traditional paper document. To verify the contents of this form, the signatory must enter any combination of alpha/numeric characters that has been specifically adopted to serve the function of the signature, preceded and followed by the forward slash (/) symbol. Acceptable "signatures" could include: /john doe/; /jd/; and /123-4567/. For example: if your name is John Miller, you could type /John Miller/ below."


The above is off of ****** (YUCK)


Originally posted by bitserve
We have had chargebacks by two angry customers too. One was for three months of charges (three chargebacks). We have sucessfully disputed all of them with nothing more than a digital signature.

We use ECHO, Inc.

jayglate
05-27-2002, 03:58 AM
A lot of our frauds have actually had valid CV2#'s and correct AVS, which is scary. We also had our funds frozen: our previous merchant provider of 4-5 years froze about 30k of our funds and refused to give them back. We finally found a provider who will work with us, but they don't allow yearly transactions, and their fees are very reasonable, only 2.2% :) . But we keep getting the same people trying to sign up, all going back to silveryo.com, and this guy does trace back to ID. This thread is going to save us A LOT of money. We are going to implement Gary's IP list asap. I can't believe I didn't find it till now.

Thanx for all your help EVERYONE.

chico540
05-27-2002, 04:04 AM
Jay-
Have you by chance recorded the IP addresses used to place fraudulent orders at your site? If so can you please make them available to the rest of us? By sharing them it helps us all as you know now. Thanks and good luck.

jayglate
05-27-2002, 04:07 AM
Unfortunately not, sorry to say. But we are starting to Monday.

But not to post an advertisement but our new merchant account company and broker http://www.amerimerchant.net/ and cornerstone. Have been amazing got me up and running within 24 hours. Lowered my rates and my authnet fees. And I was able to speak to the CEO of the bank we were dealing with to discuss our past problems and how we can work together to fix them and how he will handle our account. VERY VERY accommodating people, the only downfall is we can accept yearly accounts, which is fine by me. Not only did they get me up and running but they are saving me $1000's in processing fees.

fortweb
05-27-2002, 04:43 AM
Originally posted by chico540
Jay-
Have you by chance recorded the IP addresses used to place fraudulent orders at your site? If so can you please make them available to the rest of us? By sharing them it helps us all as you know now. Thanks and good luck.

Gary's list will block all of Indonesia so there is no reason to block specific IP's from that country.

Regarding AVS and CVV, I recently had a conversation on combatfraud.org about the value of it with someone who worked for a processing company and they just do not have a clue what is going on out here.

I honestly don't understand how they can be so blind to how criminals are obtaining card data. AVS would not have caught any of the fraud attempts we have had and even though collecting and storing CVV data is forbidden, people are doing it and it is being stolen.

IP and mail server lookups as well as voice verification via telephone are still the best tools we have to detect fraud.

Rick

GordonH
05-27-2002, 04:51 AM
Card companies and payment gateways make more money from fraudulent orders than genuine ones.
Until that changes they will not be that bothered.

That may be a cynical view but really it's borne out by our own experience where worldpay introduced a $15 chargeback fee after adding the extra security measure of allowing Visa customers to use their PIN number.
This was made optional, just like CVV2 so nobody who is using a stolen card will bother filling it in anyway.

Gordon

chico540
05-27-2002, 04:51 AM
Rick


IP and mail server lookups as well as voice verification via telephone is still the best tools we have to detect fraud.

Its the only way to go in my book. And thanks to this thread I'm saving a tidy sum of money.

GordonH
05-27-2002, 05:06 AM
Chico
We are saving $2000 to $3000 per month as a result of implementing blocking and faxback
The total amount saved across all the participating hosts must be enormous.

Also, it means the fraudsters have to go to the big hosts who don't seem that bothered about fraud.
(evil grin)

Gordon

Walter
05-27-2002, 01:07 PM
Originally posted by GordonH
Also, it means the fraudsters have to go to the big hosts who don't seem that bothered about fraud.

Ah, I really hope so! :dgrin:

hostasia
05-27-2002, 04:02 PM
just wanted to to say this has been very helpful

jayglate
05-27-2002, 10:37 PM
What are the ips for the AU. So we can unblock them already getting some complaints.

fortweb
05-27-2002, 11:14 PM
The drawback of Gary's list is that it blocks ranges belonging to AU and NZ as well. That's why we use the basic deny list on combatfraud.org for most of our domains, it only blocks Indonesia and some other known ISP's that fraud originates from.

In most cases you can't just block an entire class B because it will take out AU and NZ. You have to be careful to only block the ranges belonging to Indonesia.

Rick

hilda
05-30-2002, 03:46 AM
LOL!

We received an obviously fraudulent order (biggest plan, domain registered to someone in the US, IP from Australia, Italian cc, freemail address). So we opened the account, (1MB space, 1MB traffic, no cgi, no SSH, no mySQL, no email, no ftp) and sent the guy a normal welcome email. He must have spent half the night trying to make it work, lol.

Softicom.NET
05-30-2002, 05:38 AM
Originally posted by fortweb
The drawback of Gary's list is that it blocks ranges belonging to AU and NZ as well. That's why we use the basic deny list on combatfraud.org for most of our domains, it only blocks Indonesia and some other known ISP's that fraud originates from.

In most cases you can't just block an entire class B because it will take out AU and NZ. You have to be careful to only block the ranges belonging to Indonesia.

Rick

A good way to combat this (and it's been discussed in this thread) is the simple redirect in your htaccess file, we use a form that gets sent to our email, in no way bothering our automated signup process. We've been catching quite a few people that way as well. They are still able to access our signup form, but they have no idea the form won't be processed

I've been gone (flying) for the last 2 weeks and finally home again, I will be updating the list with some new ips I got while I was gone from folks and adding that redirect option

You can download the list @ http://www-hosting.net/denied.html

magnafix
06-01-2002, 01:05 AM
This site may hold the solution for those of you continuously hunting for new IPs to block:

http://www.caida.org/tools/utilities/netgeo/

We implemented their software within our signup system and now we have far fewer false positives and far fewer completed fraudulent signups.

Combine it with a proxy check (fopen() a few common proxy ports) and you're well on your way to a decent fraud prevention system.

dbnet
06-01-2002, 02:55 AM
Originally posted by hilda
LOL!

We received an obviously fraudulent order (biggest plan, domain registered to someone in the US, IP from Australia, Italian cc, freemail address). So we opened the account, (1MB space, 1MB traffic, no cgi, no SSH, no mySQL, no email, no ftp) and sent the guy a normal welcome email. He must have spent half the night trying to make it work, lol.

Thatz be classic :D :D :D

Did he email support ?

baileysemt123
06-30-2002, 06:23 PM
That's why we use the basic deny list on combatfraud.org for most of our domains, it only blocks Indonesia and some other known ISP's that fraud originates from.

Well I would think that you would use that list, since combatfraud.org is your own site :rolleyes:

http://www.combatfraud.org/forum/viewtopic.php?t=2&sid=37988a121bcdc2320fac8505137201db

Are we on a little site-promotion kick here lately? This is the 2nd forum you've posted to to promote your own sites under the auspices of "being helpful." This practice is expressly banned in the WHT forums:

Participants may not use the forum to publish or discuss any information regarding their product or services, or future (possible) products or services, or any product or services they are, or have been, associated with. This includes, but not limit to suggesting your own services, or services of partners or family.


:( Let's play nice. :\

Bailey

AlaskanWolf
06-30-2002, 06:30 PM
Bailey, please re-read his post. He was saying that he uses MY list on HIS website

NewMerchant
06-30-2002, 06:34 PM
He has helped a bunch in this thread. Maybe you should.

Be spunky like you normally are. I like that Bailey better. ;)

fortweb
06-30-2002, 06:41 PM
We don't require any kind of membership, we don't charge anything or ask for donations (unlike some sites of this nature) and we don't even run advertising on it.

It does represent a considerable amount of time and a few bucks out of our pocket since we also provide the hosting on the domain.

I fail to see any way someone could say that we put the site up for personal gain or for any other reason than the stated purpose of helping other online merchants.

Rick

baileysemt123
06-30-2002, 06:43 PM
Sorry, I don't mean to be getting on anybody's nerves. :(

He's on mine today, making threats over site content that isn't even his. :angry: Getting his undies in a bunch on other people's boards without even contacting the supposedly "offending" site first.

I rec'd this today, roundabout from an uninvolved 3rd party, from him:

"> We
> do pursue copyright violations with a vengeance and recently won a sizable
> judgement for just such a case on artbycheryl.com. It was not a threat at
> all, simply a notification.
>
> Rick Thompson"

What exactly is he notifying anybody of? For what? Nobody had heard of him before today, on the particular matter that he is pursuing.

If he hadn't been advertising in a different forum, and then complained because his post was removed, I probably never would have even noticed the guy.

I am reading through the thread and I realize he's done a lot to help, but understand that behind the scenes, he's actively burning bridges with other people who are also fighting the same fight as he. (He is attacking content on another anti-fraud site) It's really a shame, and I sure as heck had better things to do today. :(

AlaskanWolf> You've put up a great .htaccess how-to on your site, and you maintain a great list. I personally have no problem with your block list as I have never had any legitimate orders from the IPs on your list. Accordingly I hope to incorporate your list onto my sites soon.

Actually fortweb is saying that your list is too inclusive. He is using a "modified" "basic list" which is posted on his own site, combatfraud.org. That's why we use the basic deny list on combatfraud.org No mention of him using your list is in that post. The combatfraud.org site includes links to his hosting site, fortweb.com. While this might not be considered "advertising," the links are clear, as is whois.

I think there's room for more than one anti-fraud site out there. I host one too, it has very little content and very little traffic (which is fine, I haven't had time to update it in a long time). I operate it at a loss, it's there strictly to help other people.

Our .htaccess section was written by one of the admins, this is his explanation for his article:

"I wrote the htaccess how-tos from my experience in installing them. Kept
uploading the wrong way, etc. so I thought there might be someone else
who was a bit of a "newbie" about .htaccess. :)"

He says it was original content that he wrote; Mr. Rick says it was a copyright infringement. As I don't have a lot of spare time to mess around with stuff, I have removed the supposedly offending content without even researching how "original" it is (siding with Mr. Rick), but this really leaves a sour taste in my mouth. He couldn't even take the time to contact me directly; in fact, he still has not. Why is a "helpful" site so competitive? A simple friendly e-mail would have gone a long way, and maybe even earned him a fan or two around my neck of the woods.

Yes, I am trying to help, on the great wide internet, I'm sorry I haven't had a chance to follow this single particular thread. I am still spunky Bailey, I just don't like it when people needlessly screw around with my time. :rolleyes:

I jumped into this thread by searching for "combatfraud.org" and then reading the last page. My error, I should have read more first, before posting, and for that I apologize. My fuse is a little short today for the aggravation I've already been thru. :blush:

:D Bailey

NewMerchant
06-30-2002, 06:47 PM
I knew there had to be more to this than met the eye. Not the usual Bailey.

Maybe Rick can clarify things for us so we can move along. This thread needs to stay focused in my opinion, but let's get whatever this is out and get on with protecting our merchant accounts.

Just my 2 cents not that I am anybody at all.

fortweb
06-30-2002, 07:08 PM
If you wish to discuss this in a public forum, that is fine with me but it is way off topic and does not belong here.

You posted an excerpt from an email to you after removing my post, you conveniently left off the rest of the email and the post itself.

You should have read my post instead of deleting it, I never made any accusations of copyright infringement. Since the site has next to nothing on it presently, there is certainly no grounds for an accusation. In fact, if there was a copyright infringement, we would not say anything and the first you would know about it is when you are served with papers from a local attorney.

We just went through a 4 month lawsuit involving 2 lawyers and $3500 of our own money to obtain a $9000 judgement in our favor for a copyright infringement on another site we own. We are indeed quite qualified to know what cases of this type entail and the procedures involved. No, we don't prosecute them and I am not an attorney, I don't have to be because we have one who we trust to manage such issues.

I was notified by someone that a site was going up duping our combatfraud.org site. Upon visiting I did not see anything of the sort, in fact, I saw little of anything at all since the site is practically bare (except for a PayPal donation link) but we did notice that the site was hosted by someone who is a registered forum member of combatfraud.org.

Dropping the next url given to us into the browser led me to your forum where I saw two other registered members of the combatfraud.org forum discussing it with you.

I posted in the forum but made no accusations of copyright infringement, however I wanted to make it clear that we were aware and watching. Maybe we are hyper-sensitive to this issue because of the case we just went through but when I see 3 registered users of a site discussing a similar intended site the implication is rather clear to me.

Secondly, I strongly suspect the motivation behind any "public service" site that asks for donations. If you want to make money off of a public service site, even if it is to recoup expenses, you should apply for a grant and not put it on the users.

Rick

NewMerchant
06-30-2002, 07:13 PM
Darn it. That's not the usual Rick either. :eek:

fortweb
06-30-2002, 07:16 PM
There was never any accusation of copyright infringement in my post or my email to you, if you wish to discuss this that is fine but outright lies will not enhance your argument. Whatever some "third party" said to you does not make it my words at all and I find it difficult to believe that you never saw the actual text when you were the one who deleted it.

Actually, our "basic" deny list was compiled from whois lookups on fraud attempts we have had and a merging of Gordon's list. I don't think that a deny list has any bearing on copyright issues and fail to see what you are talking about.

We use Gary's list on the site our cart is hosted on only and we tell people that is how we apply it. We also put a notice under the Advanced deny list on combatfraud that says the following...

"I won't post the list here as it is constantly being updated, pick it up from the author's site at...

http://www-hosting.net/denied.html

Thanks to Gary at www-hosting.net for this fine list!

NOTICE: You should know that this list will block some regions of AU and NZ as well as Indonesia. It will block just about 100% of the fraud attempts you are likely to receive but the cost will be denial of innocent, possible customers to your site.

This is not meant to be an insult to Gary, he goes through a lot of work to maintain this list and a lot of people use it. You should know the consequences of it before you use it though."

Rick

baileysemt123
06-30-2002, 07:45 PM
Rick, you brought this to the public arena yourself. Your original post at the other forum was deleted because you were promoting a site you host & maintain personally. Whether you do or don't get personal or financial gain of a site is not the issue, it's your site, and you were promoting it. You registered specifically to post about your site. It was against the rules. End of story.

As for the e-mail, here it is. It was sent to my site's upstream. I have yet, as my fraud site's admin, to receive any e-mail from Rick directly.


Forwarded e-mail from Rick Thompson:

"Return-path: <combatfraud@combatfraud.org>
Envelope-to: info@venturesonline.com
Delivery-date: Sun, 30 Jun 2002 00:58:58 -0600
Received: from [64.246.15.60] (helo=plesk.morehost4u.com)
by athlon.vosn.net with smtp (Exim 3.34 #1)
id 17OYfi-0005wm-00
for info@venturesonline.com; Sun, 30 Jun 2002 00:58:58 -0600
Received: (qmail 13932 invoked from network); 30 Jun 2002 07:01:06 -0000
Received: from chcgil2-ar1-4-62-097-156.chcgil2.dsl-verizon.net (HELO Rick.combatfraud.org) (4.62.97.156)
by 64.246.15.60 with SMTP; 30 Jun 2002 07:01:06 -0000
Message-Id: <4.3.2.7.2.20020630014829.00b816e0@artbycheryl.com>
X-Sender: combatfraud@mail.combatfraud.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sun, 30 Jun 2002 01:59:42 -0500
To: info@venturesonline.com
From: Server Admin <combatfraud@combatfraud.org>
Subject: Board post
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

If you don't think it is important for your users to know that the advanced
deny list provided by Gary will deny a good portion of AU and NZ that is
fine. They will find out soon enough when legitimate people who are blocked
by the list start emailing them.

I seriously question the motivation behind any "public service" site that
asks for donations but that is not the issue and it does not concern me. We
do pursue copyright violations with a vengeance and recently won a sizable
judgement for just such a case on artbycheryl.com. It was not a threat at
all, simply a notification.

Rick Thompson


>baileysemt123
>Scissors. Me. Heh.
>Registered: Mar 2001
>Location: Wisconsin
>Posts: 726
>A brief reminder that trolling does not catch fish in this forum
>
>Bailey
>__________________
></mod>
>Last edited by baileysemt123 on 06-30-2002 at 05:23 AM

Fortweb.com
Artbycheryl.com
Etc., Etc., Etc."





So there is the e-mail in its entirety. If they are not your words, you might want to change your password, because someone has access to your POP account. :blush:


Regarding my site: The donation link is there to pay for bandwidth. I expected the site to be much busier than it is. I have received one donation of $10 and accordingly this should pay for about 5 years' bandwidth. In fairness I do hope to do more with the site and get more traffic, because it's an important topic and needs all the attention it can get. I get fraudulent sign-ups every week too, and I am no happier about it than anyone else. :(

I am not trying to be mean here. Please understand I feel totally blind-sided over a site that I haven't touched in weeks. :bawling:

:confused: I do not understand, then, your purpose for the post & the e-mails, if there is no problem by your own admission? Who is "we" and what's with the copyright stuff? What was so wrong with the content on my site that it inspired such a rise??? I am sorry, I simply don't understand the motives, and I'm only seeking to understand.

I asked by e-mail and have received no answer, so please do us all the courtesy of explaining here. What are you trying to "notify" my upstream and the other users of that forum about? You said yourself here that there was no infringement... so what was your purpose if not to promote your own site??? What was the purpose of strutting your "legal experience?" How is it even related??? I'm not trying to be a pain, I just don't "get it." :(

I first visited combatfraud.org yesterday and neither I, nor my hosting site, are registered members of your forums. Better double-check those registration records...

I can't speak for other people who are registered on my fraud site forum; their actions are independent of me... we are a community but I don't monitor where they go or what they do on their own time; neither do they speak for me. It would make sense, however, that a person would register at multiple sites about the same topic. There's nothing suspicious in that. I do it every day, and I bet a lot of other people do too. (How many of us here, are at SitePoint too?)

There's nothing to get all excited about. I registered my domain a day after you registered yours. It was as a result of requests by members of another forum, who were also sick of fraud. You developed your site. I ran out of time, so mine sits empty.

:eek2:

Again, a simple e-mail would have taken care of a lot of Rick's inaccurate assumptions... especially since we're all supposedly serving the same community and everybody's running their sites on their own time, energy and resources.

:D Bailey

NewMerchant
06-30-2002, 08:00 PM
This is all a bunch of nonsense. Let's leave it as is. I don't see anything in this at all except Rick wanting to protect some of his schtuff and Bailey not having anything to do with Rick's schtuff.

No issues here. Let's move on....

For all those promoting merchant security thank you. Rick, Gary, Bailey and the rest.......

We should probably get back on topic now. I see nothing whatsoever in these posts that resemble the topic, nor do I see anything in the posts that resemble maturity. Looks like some mistakes were made. Oh, well.....move on. You both have fraud sites. Congratulations to both of you. I'll visit both of them.

sHosts
06-30-2002, 08:03 PM
My merchant account 2checkout just told me that since I didn't provide a country code, all Indonesian IPs will be blocked..I guess that is a good thing because the person from Indonesia who DID order, was a fraud orderer. (ordered twice for our 200.00 plan which no one in their right mind would do) But I am wondering about how many Indonesians would actually want to buy hosting?

NewMerchant
06-30-2002, 08:06 PM
Originally posted by sHosts
My merchant account 2checkout just told me that since I didn't provide a country code, all Indonesian IPs will be blocked..I guess that is a good thing because the person from Indonesia who DID order, was a fraud orderer. (ordered twice for our 200.00 plan which no one in their right mind would do) But I am wondering about how many Indonesians would actually want to buy hosting?

I'm not saying that there are none. What I will say is that they don't have the laws other countries do to protect and prosecute against fraud. There is a real high rate of fraud going on from this country. Having them blocked will do no more than save yourself some headaches.

baileysemt123
06-30-2002, 08:21 PM
NewMerchant> Thank you. I am as befuddled about this as anyone. :confused:


On to Fraud>
What I find interesting is that the use of CVV isn't a required thing by authorize.net. Last week I had a transaction go through that had a CVV mismatch. I couldn't believe they accepted it! :( I thought that they had implemented CVV matching being required to accept a transaction.

As well, I can put AMEX transactions through without any CVV number at all. :eek:

Since I put sign-ups through my authorize.net account, it's been catching a lot of declined cards. However I am now considering just doing all transactions manually, because I will be able to do full detective work on the sign-up first. Of course this means possible delays on account processing, but hopefully the legitimate clients won't mind.


:D Bailey

NewMerchant
06-30-2002, 08:34 PM
Bailey,

I too use Authnet. For you to not manually do your transactions would be a big mistake. Do all transactions manually. This is the first step at getting this taken care of. You may even do what I am implementing and let them know on your checkout page that you do all transactions manually. This is what they don't want to see. Gives them the idea that you just might check them out.

You'll find that few talking about fraud in this thread actually do instant transactions.

CVV and some of the other Authnet security policies are pretty lame and don't solve the problem with the fraudsters. It helps and you should use most of what is available to you, but it won't stop a true fraudster. The best way is the list and blocking. For the rest it is manual transactions along with a few tricks of your own.

AlaskanWolf
06-30-2002, 08:38 PM
Originally posted by baileysemt123
NewMerchant> Thank you. I am as befuddled about this as anyone. :confused:


On to Fraud>
What I find interesting is that the use of CVV isn't a required thing by authorize.net. Last week I had a transaction go through that had a CVV mismatch. I couldn't believe they accepted it! :( I thought that they had implemented CVV matching being required to accept a transaction.

As well, I can put AMEX transactions through without any CVV number at all. :eek:

Since I put sign-ups through my authorize.net account, it's been catching a lot of declined cards. However I am now considering just doing all transactions manually, because I will be able to do full detective work on the sign-up first. Of course this means possible delays on account processing, but hopefully the legitimate clients won't mind.


:D Bailey


It's your responsibility to set up the rules in which CVV information is accepted or denied, it's not anet's

baileysemt123
06-30-2002, 08:40 PM
*nods*

That's what I picked up on. At first I thought they were referring to instant SITE set-up, because it's one thing to go ahead and have accounts set up by cron; but it's another thing to do the $$ transactions.

:)

I've been doing opposite: doing the $$ transactions automatically, and doing the account set-ups by hand. The idea was that I would research the sign-up before the batch transmits and I would simply Void any transaction that failed my own fraud screening.

Only problem there, is sometimes the batch transmits before I have a chance to even process the sign-up.

Then I am stuck doing a refund.

:(



:D Bailey

NewMerchant
06-30-2002, 08:43 PM
Yup backwards. :D

baileysemt123
06-30-2002, 08:43 PM
AlaskanWolf> I wasn't aware of that, what they sent me had said it was automatically configured and required for all tx's. I'll have to go back and take another look, because I definitely want it required. Thanks for the lead on that!!!

;)


:D Bailey

NewMerchant
06-30-2002, 08:48 PM
Originally posted by baileysemt123
*nods*

Only problem there, is sometimes the batch transmits before I have a chance to even process the sign-up.

Then I am stuck doing a refund.

:(

Bailey

Maybe Rick from FortWeb will post on how he handles this. I don't remember seeing this in previous posts in this thread, but I PM'ed him a while back and spoke with him on the subject. He has a "way" he handles his transactions.

1) No instant signups.
2) Block list
3) I can't remember what all he said.


I was working on implementing some of his ideas myself.
BTW, This is Hooper! ;)

fortweb
06-30-2002, 08:54 PM
I agree with new merchant but I won't let untruths go unanswered.

from your site...

Copyright© 2002 FakePayment911.info
Design by Kentucky Computing
Hosted by DC Service Network

The "Kentucky Computing" is linked to http://www.kentuckycomputing.com

From our userlist...
Joined: 06 May 2002
Total posts: 0
[0.00% of total / 0.00 posts per day]
Find all posts by kycomputing
Location: U.S.A.
Website: http://www.kentuckycomputing.com
Occupation: Founder & President
Interests:

Ok... not hosted... "Designed by"

The other two I will be happy to list if you like but I see no reason to drag them into this when all they were doing was discussing it on your board but they are also users of this forum.

My email did not accuse you of a copyright violation, did it? The board post did not contain an accusation either and was 90% just telling you that you needed to be careful where you use Gary's deny list and why. Only the last two sentences said anything about your site at all and the first one was "I think it is great that a new anti-fraud site is coming online".

The legal issue response was prompted by your private email to me where it appeared that you did not think I had the first clue what I was talking about. I only do because we just went through a long battle and as I said in a prior post, I admit because of that we are probably hypersensitive on the issue.

As for your upstream, I assumed that email was going to you and first attempted to email you from the board and then send you a private message from the board. I did not go back to the 911 site and look for an email address there and in retrospect, I probably should have.

As a developer I am sure you are very conscious about your hard written content and you should be able to understand my suspicion. You have to admit that a registered member of one board designing a very similar site would probably make you a little uncomfortable as well.

Rather than just watch quietly I thought it was prudent to make you aware that we knew about the site just in case. We would rather not go through another lawsuit, our attorneys forced us into a cash settlement in the last one, we wanted it to go to court. The paperwork, publicly posted on the site in question would have been more valuable to us than the money.

If my suspicions were wrong then fine, I apologize. At the same time, if this whole ugly thing prevented us from having to deal with lawyers and spend money down the road, then I don't regret it. If you wish to discuss this further in email you are welcome to do so, I won't make this thread any longer than it already is.

Rick

baileysemt123
06-30-2002, 08:56 PM
:blush: Hi, Hooper

No wonder you know me so well. :D



:D Bailey

NewMerchant
06-30-2002, 08:57 PM
Don't respond Bailey. Leave it alone please.

Hey Rick,

Can you post how you do your processing? Don't think it will harm anything. We discussed it a while back and you gave me your transaction processing ideas. I have them someplace on the local disk here but would need your permission to post it anyhow.

We talked a while back via PM and email.

Thanks Rick

baileysemt123
06-30-2002, 08:59 PM
Rick> I appreciate your feedback.

I do think you're being a little sensitive though, as Luke didn't register at your forums until May 6th. He had completed the FP911 design back in April.

I promise if I'm going to steal content, it's going to be done much more creatively. ;)

Now back to business.

<Edit>
NewMerchant> sorry, my reply crossed with your post. ;) Golly we're all fast typists!
</Edit>


:D Bailey

fortweb
06-30-2002, 09:18 PM
Gordon does instant signups and auto processing on short term accounts and manually holds orders for long term accounts for checking out before he sends them through. He reports good success with this method and it makes sense, most fraud attempts we have received have been for the longest term we offer.

We process all orders manually but it is not primarily because of fraud. Very simply we are just stuck in the past and that was the only way to do it when we initially set up our merchant account.

Even if we were getting a brand new merchant account with a gateway for processing, we would not use it as we are a small company and it does not take much time to process our orders manually. A big company with a large volume of orders does not have that luxury, manually processing every order would probably cost them more than fraud.

CVV is worthless. I know a merchant is not supposed to collect it or store it but the fact is, merchants are doing it and it is being stolen. We have had a lot of merchants tell us they have received chargebacks on fraudulent orders that were verified via CVV. I have personally found lists of stolen cards four or five directories down in an unprotected web directory on a free hosting account. A couple times I have even seen these lists re-formatted into a well designed page for copy and pasting data from the stolen lists to some merchant's order form!

These lists are obtained through other merchants' insecure carts, they always contain the person's name, address, phone, card data and usually even products that were ordered. What is even scarier is the last one I found had CVV codes in it as well! As more and more web merchants are collecting CVV data, it is being stored and stolen. Soon it will have no real value just as AVS now has no real value in protection for us.

The only *real* tools that we trust are mailserver and order IP lookups coupled with phone and/or fax verification. We require front and back faxed card and ID photocopies faxed to us on substantial International orders and all International hosting orders. It is only fair to say that we have lost clients because of this requirement but we just don't care. Our merchant account is more important to us than a few bucks profit.

Rick
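
Added example, not part of any post in this thread: a Python sketch of the screening described above (auto-process short-term orders, hold long-term ones for review, require phone/fax verification on international orders, with the order IP and mail server lookups feeding the decision). The field names, the 12-month threshold, the home country and the sample orders are assumptions made for illustration.

```python
from dataclasses import dataclass

LONG_TERM_MONTHS = 12   # assumed cut-off for a "long term" plan
HOME_COUNTRY = "US"     # assumed merchant country

@dataclass
class Order:
    order_id: str
    term_months: int
    billing_country: str  # from the order form
    ip_country: str       # result of the order IP lookup
    mail_country: str     # result of the mail server lookup
    cvv_result: str       # "match", "mismatch" or "absent"

def triage(o):
    """Return (decision, reasons); decision is 'auto', 'hold' or 'verify'."""
    reasons = []
    if o.cvv_result != "match":
        reasons.append("CVV " + o.cvv_result)
    if o.ip_country != o.billing_country:
        reasons.append(f"order IP in {o.ip_country}, billing in {o.billing_country}")
    if o.mail_country != o.billing_country:
        reasons.append(f"mail server in {o.mail_country}, billing in {o.billing_country}")
    if o.term_months >= LONG_TERM_MONTHS:
        reasons.append(f"{o.term_months}-month term")
    if o.billing_country != HOME_COUNTRY or o.ip_country != HOME_COUNTRY:
        # International: phone/fax verification before any charge is made.
        return "verify", reasons + ["international order"]
    # Domestic: any flag holds the order for manual review before capture.
    return ("hold" if reasons else "auto"), reasons

SAMPLE_ORDERS = [  # constructed sample data
    Order("A1", 1, "US", "US", "US", "match"),
    Order("A2", 24, "US", "US", "US", "match"),
    Order("A3", 1, "US", "US", "US", "mismatch"),
    Order("A4", 24, "US", "ID", "US", "match"),
    Order("A5", 12, "GB", "GB", "GB", "match"),
]

def run():
    """Triage every sample order and return {order_id: (decision, reasons)}."""
    return {o.order_id: triage(o) for o in SAMPLE_ORDERS}

if __name__ == "__main__":
    for order_id, (decision, reasons) in run().items():
        print(order_id, decision, "; ".join(reasons) or "no flags")
```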

baileysemt123
06-30-2002, 09:56 PM
I knew it was bad, but... un-freakin'-real.

What really amazes me is that merchants actually store this data online and furthermore in completely visible directories.

As a clicks-and-mortar retailer, I process about 3,000 CC tx's per year, but all records are kept on paper, and there are no duplicates -- everything gets criss-cross shredded. We process them through our little black CC terminal -- it's not done online -- so it's all done on our machine and kept on our private records. The records are kept under three levels of lock & key, and only I have the keys. ;) Nothing is kept online. I feel this is my responsibility, I guess.

Worse still are the customers who e-mail to complain that they can't check their order status or charge history online!!! They don't understand this would require us to manually enter transaction history into the site... whatamess... then I explain why, and it's like the light finally dawns... :eek: The level of cluelessness is amazing at times...

Anyways I appreciate the info and your observations on the reliability of CVV, I was hoping that it was more valuable than it is. :( I will still require it for transactions, but rely on the IP traces and corroborating info as I have in the past.

:D Bailey

NewMerchant
06-30-2002, 10:22 PM
Sounds like you are doing fine Bailey. As long as you are thinking security and being cautious, I think you'll be just fine.

fortweb
06-30-2002, 10:33 PM
To be honest, I expect the CC companies/merchant account providers to say enough is enough soon. Rules will probably change that make the way you and I do business obsolete. Just a guess but I think they will implement gateways that won't allow us to even see card data, much less store or process it.

The only part of that idea I can't picture is any of them actually accepting the responsibility for chargebacks.

Rick

NewMerchant
06-30-2002, 10:36 PM
Exactly. Give us the open end solution and make us responsible for the chargebacks. This is the only reason they haven't changed the policies already to where it more resembles a 3rd party solution. I can't for a minute picture them taking the responsibility for chargebacks. Heck, they make a killing off this. I think it's part of their business model. lol.

fortweb
06-30-2002, 10:52 PM
Originally posted by baileysemt123
I knew it was bad, but... un-freakin'-real.

What really amazes me is that merchants actually store this data online and furthermore in completely visible directories.



I did not mean merchants, when we get a fraud attempt I see what I can find on any servers referenced. Sometimes they use email addresses that are associated with free or paid hosted accounts and that is where I have found these lists of stolen card data.

You would be surprised at the number of merchants using carts who store their data in straight ascii. They think that because it is above their web root or in a .htaccess protected dir that it is safe. Anyone past the web/cgi 101 stage knows that on most shared servers, chroot is no obstacle to server wide read access.

That's where criminals are getting this stuff, fresh, accurate card data free for the taking. I imagine some hack their way into an account and others just buy a cheap hosting account for valid access.

PGP is the answer but the sad part is, 90% of the people I have seen put carts on their virtual on our servers don't use it.

Rick
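
Added example, not part of any post in this thread: a Python audit a merchant can run over their own hosting account to find cart files that still hold card numbers in plain ASCII, and to see whether other users on the server can read them. The function names and the sample files are assumptions; the sample is constructed and uses the well-known test number 4111-1111-1111-1111.

```python
import os
import re
import stat
import tempfile

# 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):  # Luhn checksum filters out order ids and similar runs
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    return digits[:4] + "x" * (len(digits) - 8) + digits[-4:]

def audit_tree(root, max_bytes=1_000_000):
    """List files under root holding Luhn-valid card numbers in the clear."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip it
            hits = set()
            for m in CANDIDATE.finditer(data):
                digits = re.sub(rb"[ -]", b"", m.group()).decode()
                if luhn_ok(digits):
                    hits.add(mask(digits))  # never report the full number
            if hits:
                findings.append({"file": os.path.relpath(path, root),
                                 "masked": sorted(hits),
                                 "world_readable": bool(mode & stat.S_IROTH)})
    return sorted(findings, key=lambda f: f["file"])

def demo():
    """Constructed sample tree: a plain-ASCII cart log and a clean file."""
    files = {"cart.log": "A17|1234567890123456|J. Doe|4111-1111-1111-1111|12/02\n",
             "readme.txt": "Order 1234567890123456 shipped\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, text in files.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, 0o644)  # world-readable, as on many shared hosts
        return audit_tree(root)
```

Any file this reports is one to encrypt or delete; a finding with world_readable set is readable by every other account on the same server, whatever .htaccess says.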

Jim777
06-30-2002, 11:43 PM
Rick writes:
>>>
PGP is the answer but the sad part is, 90% of the people I have seen put carts on their virtual on our servers don't use it.
>>>

That's why I'm looking for web hosts with PGP - GnuPGP formmail capability.

baileysemt123
07-01-2002, 01:54 AM
Just a guess but I think they will implement gateways that won't allow us to even see card data, much less store or process it.

Actually, Authorize.net is already 1/2 way there. When a tx goes through, the record in my A-net account says "4100-xxxx-xxxx-1234" expiry 12/02 or whatever.

If I want to process a credit, I type it in as shown above, with the X's. They match it up to the card number in their system. So I only wind up with 8 of the 16 numbers, unless I capture the full card # separately and manually run it thru myself.

:D Bailey