How to spot cc fraud

fractiousws
06-10-2002, 10:18 PM
Anybody got any tips for spotting credit card frauds? I know of weird domain names and IPs from some 3rd world countries. Anything else a person should look for?

magnafix
06-10-2002, 11:55 PM
Let me count the ways... our system does over a dozen checks, here are a few to get you started:
- .info, .edu, .tv domains
- proxy ports open on source IP
- billing country doesn't match source IP country
- hotmail/yahoo email
- 4 AM signup

miami_g
06-11-2002, 07:30 AM
4am signup--that's classic

a few others
ordering the largest plan annually
bs zip codes and phone numbers
comments such as "thanks for the great service" etc. Most folks won't put a comment.
use cookies to track where they came from and ask on your order form who sent them, search engines, banners etc. Most frauders will put one source of referral, but when you read the cookie it's something different...

Angel78
06-11-2002, 08:45 AM
4am signup--that's classic :)
No customers from Europe?

magnafix
06-11-2002, 08:50 AM
--------------------------------------------------------------------------------
4am signup--that's classic
--------------------------------------------------------------------------------
No customers from Europe?

Our method is to do our dozen+ checks and assign point values. If it's a 4AM signup but everything else is cool, let it through. But if it's a 4AM signup for the $100/month plan and the domain is kaskatcha-ind.edu from an anonymous proxy IP in Texas and the contact email is h4x0r@yahoo.com and the billing address is in Spain, sirens and buzzers go off and a hard-drive melting surge of radioactive waste is blasted back to the fraudster's computer. :kaioken:

fractiousws
06-11-2002, 08:57 AM
Thanks everyone. You have been very helpful. Anyone else?

Lurleene
06-11-2002, 09:21 AM
Sometimes our frauds communicate with us prior to signing up. I've noticed that none of them sign their names at the bottom of the e-mail (gee, I wonder why?). Also, frauds tend to sign up for the biggest plans and not care about saving money (obviously), so if you offer them a discount they often reply, "whatever, I just need more bandwidth." Finally, they want everything NOW! If they sign up and then 10 minutes later send an unsigned e-mail saying "I SIGNED UP WHERE THE $%$%@ IS MY SITE!" then I would suspect fraud. This, of course, is in addition to the above observations about the mismatched locations, certain countries, etc. But not the 4am signup. We have plenty of customers from Europe and Asia that are legit.

Alxnet
06-11-2002, 09:27 AM
A few more tips:
The domain name is often a very good pointer. Would Mrs Smith sign up for: irc-godz.com (anything with irc in it is worth a warning).
If the IP resolves to a Swedish/Norwegian or Danish address, feel quite certain it's ok (We Scandinavians are honest people, he he).
If the IP does not reverse resolve, do this:
* do a traceroute. If it starts moving out of the country the customer claimed coming from - be alarmed.
* if the traceroute does not go all the way but dies on the way, do a number of pings of the IP. If it's >150-200ms average and you ping from US to a presumed US address, be alarmed, if it's >600ms, be very alarmed ;)
* if still uncertain - call the number the customer left you, it's worth it. If it's the number of someone who got their name stolen along with the card number, they are often very thankful for being alerted.

/Alx Grepe
Alxhost.com

flyinghosts
06-11-2002, 11:01 AM
"* if still uncertain - call the number the customer left you, it's worth it. If it's the number of someone who got their name stolen along with the card number, they are often very thankful for being alerted."

I agree, innocent CC owners whose cards have been stolen are very thankful that you have alerted them. I once alerted a guy to the fact his CC was compromised. He called back saying we were the first people to alert him out of the 120+ illegal transactions that had been done!

Once you have an IP / free e-mail address / fake domain / real domain it's always fun to scour the net and newsgroups for clues if you are pretty certain you have caught a fraudster. I once tracked one of the arses down to a kid in San Francisco. Knew which school he went to, where he hung out on IRC [even spoke to him - of course he didn't know who I was ;)], found all his websites etc. Of course I submitted this 18-page A4 file to the FBI 2 times about 5 months ago - surprise, surprise, nothing.

Points to Spot CC Fraud:
WHOIS the domain specified [different owner? recently registered? current nameservers? Fake Domain? Dodgy Domain e.g. n00b12.com]
TRACEROUTE IP [Different location to sign up, ping time etc.]
RECORD THE IP for future reference [got another dodgy sign up in the same block?]
CALL the phone number! [Say "is that Mr. Peterson" when Mr. Jones signed up - see how he corrects you].
E-MAIL ADDRESS is it a free e-mail?

I got so annoyed with CC fraud that I got one of our guys to program in PHP a freely accessible Fraudsters DB for live checking on your pages so you can see if anyone else has registered the IP as having been used by a fraudster. I saw yesterday someone else had a list of IPs for a htaccess file, good work too :) Our system will have been fully tested by about mid-July 2002 and you will be able to just insert some PHP code into your pages to receive an e-mail saying if the IP, subnet, e-mail or domain has been used by a fraudster.

Regards,
Jon S.

netsolutions
06-11-2002, 12:05 PM
We do call backs. We call back the person after an hour and make sure they have placed the order. If the phone number isn't valid then we do not allow the order.

poncho2000
06-11-2002, 03:51 PM
Hi Guys,
Very interesting thread. I would like to automate some of the fraud checks mentioned here. I have 3 questions:
How do you find from which country is customer's IP?
How do you know if the order is coming from anonymous proxy?
Is there a way to automate these checks using a script?
Thanks for your help,
Peter

avara
06-11-2002, 06:44 PM
Originally posted by netsolutions
We do call backs. We call back the person after an hour and make sure they have placed the order. If the phone number isn't valid then we do not allow the order.

That is always a good idea, and something we do when an order seems even slightly suspect, or when an order comes in for a plan being paid annually. Also I guess after a while you just get a feel for fraud, and spot it instantly.

Everyday
06-11-2002, 07:24 PM
The most annoying thing about the fraud orders is, if they get everything to look right and you do fill them... I don't care much about the charge backs as it is not our money to keep, but the spam!!! We've had people order it and within minutes bring down an entire mail server. We moderate all of our accounts and call them each, even overseas. This has practically eliminated fraud. Plus we log their IP, tell them and show it to them on the sign up form.

Servstra-Sales
06-12-2002, 04:32 AM
I think magnafix's fraud tips are spot on. Fraud in the web hosting industry (and on the Internet in general) is rife and the sooner hosts take more 'care' in processing orders, the better off we all will be.

GordonH
06-12-2002, 05:34 AM
Ways to REDUCE cc fraud:
Don't list SSH or Telnet on your features page. (But still provide it on request subject to vetting. Most fraudsters are looking for shell accounts).
Make sure that customers know you are capturing their IP address.
http://www.hostroute.com/script_ip.html
Prevent the use of Hotmail and other free accounts. (this forces them to provide another address which you can do a whois on and will usually trace back to a fraud rife country)
http://www.javascriptkit.com/script/script2/acheck2.shtml

Gordon

poncho2000
06-12-2002, 09:33 AM
How do you find from which country is customer's IP?
How do you know if the order is coming from anonymous proxy?
Regards,
Peter

GordonH
06-12-2002, 09:44 AM
Go to www.samspade.org and download a copy of samspade for windows. This will let you look up IPs.
To find proxies you can take the IP like http://123.123.123.123:3128 or :8080 and see if there is anything there.

Gordon
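
The point-scoring approach magnafix describes, and poncho2000's question about scripting the checks, shown here as an added example that is not code from any poster in the thread. The point values, the review threshold and the `Signup` fields are assumptions; the IP country and the proxy flag are taken as inputs from lookups done elsewhere.

```python
from dataclasses import dataclass

# Weights and the review threshold are assumptions for illustration;
# the thread names the checks but not the point values.
SUSPECT_TLDS = {"info", "edu", "tv"}        # TLDs listed in the thread
FREE_MAIL = {"hotmail.com", "yahoo.com"}    # free e-mail providers listed
REVIEW_THRESHOLD = 5

@dataclass
class Signup:
    domain: str
    email: str
    billing_country: str   # country code from the order form
    ip_country: str        # from a GeoIP lookup done elsewhere (assumed input)
    proxy_detected: bool   # result of a separate proxy check (assumed input)
    signup_hour: int       # hour of day (0-23) the order arrived
    monthly_price: float
    annual: bool

def score(s: Signup, top_plan_price: float = 100.0):
    """Return (total_points, reasons) for one signup."""
    top = s.monthly_price >= top_plan_price
    checks = [
        (s.domain.rsplit(".", 1)[-1].lower() in SUSPECT_TLDS, 1, "suspect TLD"),
        (s.email.rsplit("@", 1)[-1].lower() in FREE_MAIL, 1, "free e-mail"),
        (s.billing_country.upper() != s.ip_country.upper(), 3,
         "billing/IP country mismatch"),
        (s.proxy_detected, 3, "open proxy on source IP"),
        (3 <= s.signup_hour <= 5, 1, "small-hours signup"),
        (top, 1, "largest plan"),
        (top and s.annual, 1, "largest plan paid annually"),
    ]
    hits = [(pts, why) for hit, pts, why in checks if hit]
    return sum(p for p, _ in hits), [w for _, w in hits]

def decide(s: Signup) -> str:
    """One weak signal alone is accepted; stacked signals go to a human."""
    total, _ = score(s)
    return "manual review" if total >= REVIEW_THRESHOLD else "accept"

# Constructed sample signups (not real orders). THREAD_CASE mirrors the
# combination magnafix describes; NIGHT_OWL trips only the 4 AM check.
NIGHT_OWL = Signup("example-shop.com", "owner@example-shop.com",
                   "DE", "DE", False, 4, 10.0, False)
THREAD_CASE = Signup("kaskatcha-ind.edu", "h4x0r@yahoo.com",
                     "ES", "US", True, 4, 100.0, False)

if __name__ == "__main__":
    for s in (NIGHT_OWL, THREAD_CASE):
        print(s.domain, score(s), decide(s))
```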