View Full Version : How to catch fraudulent orders?
Skeptical 01-21-2002, 08:22 AM I'm using Revecom right now and they have a system of catching fraudulent orders. However I'd like to implement my own way of catching them myself to further cut down on such illegitimate orders. What are some suggestions you guys can give?
For example, I get orders with e-mail addresses from yahoo.com and hotmail.com. Should I reject these orders or do a manual call to them? What if they're international? Should I still pony up the long distance and call up?
gabeosx 01-21-2002, 08:34 AM What I do is traceroute the IPs, and if they come up in a different location than the address on the credit card, I just refund the order. I also blocked a significant number of IPs from visiting my website using .htaccess (you can find the list posted here somewhere), because it seems as though 99% of fraudulent orders come from Malaysia, Russia, Pakistan, etc.
Skeptical 01-21-2002, 09:54 AM When you say 99% of the fraudulent orders, do these people also do damage to systems like spam or try to gain root?
Also, where can I find a list of these IP ranges?
Walter 01-21-2002, 10:31 AM I wouldn't ban complete IP ranges. Some valuable customers are from countries which were discussed here as "only fraudulent orders".
Just use your common sense, check every order manually (IP, address) and phone the ones which look "fishy".
akashik 01-21-2002, 10:41 AM You do get a feel for them after a while. People who go out of their way to steal from others tend to have the same sort of mentality, and once you begin to recognize that it gets easier. A few slip through of course. A decent AVS and some checking into orders is always recommended.
Greg Moore
CapnJacoby 01-21-2002, 10:53 AM Most of the cc fraud I've experienced comes from spammers and their ilk, not system crackers.
Revecom has about the strictest screening system around, including comparing the IP with the cc address. Their system is so strict, in fact, sometimes legitimate orders get declined. (They'll always do a "manual" check, however, when I question such declines.) Free email accounts are not always an indication of potential fraud, but it's good to verify the order with the customer somehow, be it voice or email, if you're ever in doubt. Many times even the free email addresses they give aren't real.
akashik 01-21-2002, 11:26 AM Originally posted by CapnJacoby
Many times even the free email addresses they give aren't real.
Free e-mail accounts are always a funny one to deal with. Oddly some of our best customers have signed up using them, and are still with us, having never missed a payment.
Conversely we had a spammer sign up a week or so ago using a domain e-mail address (and was canned promptly within a few hours).
It's one of those things that often comes down to a judgement call.
Greg Moore
AH-Tina 01-21-2002, 02:40 PM Originally posted by gabeosx
What I do is traceroute the IPs, and if they come up in a different location than the address on the credit card, I just refund the order. I also blocked a significant number of IPs from visiting my website using .htaccess (you can find the list posted here somewhere), because it seems as though 99% of fraudulent orders come from Malaysia, Russia, Pakistan, etc.
I wouldn't completely ban certain IPs or countries - but we did take that list and make it so that people signing up, from that list, need to send in extra verification. We require a photo ID and a copy of their last credit card statement...with the address that matches their photo ID.
BTW - It's fairly easy to create a fake credit card to fax in (scan any ol' credit card and add the name and numbers of your choice, via Photoshop). However, it is a bit more time consuming to create a fake credit card statement. :)
--Tina
Lurleene 01-21-2002, 02:45 PM I have to admit that I don't fully understand why anyone would do this at all.
Since we sell an on-going service it makes no sense to go through all the trouble to rip off web hosts. It will take, max, a couple of weeks (and more like a few minutes) to realize an order is fraudulent, then they're kicked off. Now their site is down and they have to look for another host. Not worth it!
I can see ripping off mail-order companies (no, I totally don't agree or condone it; I'm just saying I can see the point). You get the product sometimes before they realize it's fraud. But it's not worth the few days hosting to do it, so I don't understand at all.
Walter 01-21-2002, 02:48 PM Lurleene, some do it for fun and some simply have sick minds - and of course there are spammers. If it would take 4 hours to detect him he probably could already have sent 100.000 emails....
AH-Tina 01-21-2002, 02:48 PM They sign up with a host - immediately send out 100,000 spam mails...and then immediately move to another host. By the time the host starts getting spamcop reports and shuts them down...they're already gone and their site is up elsewhere.
--Tina
Coran 01-21-2002, 07:26 PM I started this thread a while back. Hope it helps.
http://webhostingtalk.com/showthread.php?threadid=22007
DigitalXWeb 01-21-2002, 09:43 PM Has anyone tried this or is currently using this?? It looks pretty good but would like some info from anyone that has or is using it before trying it out.
www.transact-secure.net
Coran 01-22-2002, 12:50 AM I just read through it again, and we still follow it.
I think it was Akashik that said it best; after a while you get a feel for it. It almost starts with the domain name on the order. After dealing with enough fraudulent orders, you can kind of say "Hmm, that domain name is kinda funky" and take it from there.
I think the most important thing is to just call the phone # on the order if you suspect fraud. You'll know immediately if it is legit or not.
kunal 01-22-2002, 02:40 AM I've started asking my clients to fax a signed document to me...
ID2000 01-22-2002, 03:25 AM We kind of feel "in the stone age" because we manually check and process every order we receive rather than letting a CC processing company take care of it for us. But you have to do what you have to do these days. Some customers complain for the time it takes for us to set up their account, but like we tell them, it is the people that try to "get one over on us" that is slowing the process.
Walter 01-22-2002, 06:02 AM Originally posted by kunal
I've started asking my clients to fax a signed document to me...
For your software a good solution if you don't have thousands of customers. But for hosting this probably would not be suitable (except for expensive accounts and servers).
kunal 01-22-2002, 12:01 PM Originally posted by Walter
For your software a good solution if you don't have thousands of customers. But for hosting this probably would not be suitable (except for expensive accounts and servers).
You have a point there....
The Prohacker 01-22-2002, 06:15 PM Originally posted by Walter
For your software a good solution if you don't have thousands of customers. But for hosting this probably would not be suitable (except for expensive accounts and servers).
We are starting to do that if a customer wants shell access to the server.... We require them to fax us a contract you can print via the web, and place their driver's license in a designated spot....
Coran 01-23-2002, 12:29 AM Yes, we also require them to fax us a copy of their driver's license. They could probably find a way around this method of authentication, but it would not be easy or inexpensive.
In doing this we know exactly who has SSH access to what box, just in case "problems" might occur.
porcupine 01-23-2002, 02:56 AM You might also want to check the information for whatever domain they sign up using vs. the information they put on, this would prolly be 50/50.... but could help. Someone needs to write a script to do pattern checking, aka check the domain vs the information they use, and check the IP range vs the information they use, etc. to then pull aside orders that don't match, etc.
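The pattern-checking script described in the last post could look like the sketch below; it is an added example, not code from any poster in this thread. The IP-to-country table, field names and sample orders are constructed, and the WHOIS record is assumed to have been fetched already. Following the advice given earlier in the thread, a mismatch sets the order aside for manual review instead of rejecting it.

```python
import ipaddress

# Constructed IP-range-to-country table (RFC 5737 documentation ranges, made-up
# countries); a real deployment would query a GeoIP database instead.
IP_COUNTRY = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "AU",
}
FREE_MAIL = {"yahoo.com", "hotmail.com"}  # the two domains named in the thread

def ip_country(ip):
    """Country for an IP from the table; None if unparseable or not listed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((c for net, c in IP_COUNTRY.items() if addr in net), None)

def norm(text):
    """Case- and whitespace-insensitive form for comparing names."""
    return " ".join(text.lower().split())

def screen_order(order, whois=None):
    """Return mismatch reasons; any reason means 'pull aside for manual review'.
    whois: registrant record already fetched for the order's domain, or None."""
    reasons = []
    country = ip_country(order["ip"])
    if country is None:
        reasons.append("ip location unknown")
    elif country != order["country"]:
        reasons.append(f"ip country {country} != billing country {order['country']}")
    if whois is not None:
        if norm(whois["name"]) != norm(order["name"]):
            reasons.append("whois name != order name")
        if whois["country"] != order["country"]:
            reasons.append("whois country != billing country")
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL:
        reasons.append("free e-mail address")
    return reasons

# Constructed sample orders and WHOIS records (not real customers).
MATCHING = {"name": "Pat Example", "email": "pat@example.org",
            "ip": "192.0.2.10", "country": "US"}
MISMATCH = {"name": "Sam Sample", "email": "sam@hotmail.com",
            "ip": "203.0.113.7", "country": "US"}

if __name__ == "__main__":
    print(screen_order(MATCHING, {"name": "pat  EXAMPLE", "country": "US"}))
    print(screen_order(MISMATCH, {"name": "Someone Else", "country": "DE"}))
```

The free e-mail check is the weakest signal here, as several posters note, so it is best read alongside the other reasons and not on its own.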