Web Hosting Talk

CC Fraud (how to protect). Tips


H2
07-21-2002, 09:52 PM
1) Never use real time transactions (!)
2) Check order IP (whois, traceroute, http://111.111.111.111 - http proxy)
3) Check server-logs details to see how the customer found your site
4) Check whois of contact email domain (name@frauddomain.com), visit this domain - 95% of Indonesians register domain via Netsol for 2-10 years in advance and never upload home page and usually use Indonesian admin address
5) Create "how did you find us" field on your order form and compare results with server logs. Sometimes you'll get interesting results.
6) Create fake-plan with $900 annual charge with N-days trial
7) Store all fraud orders in one file to search and compare when you receive a new order
8) Check whois of the domain that the customer wants to host on your server
9) Visit this domain.

BTW, we have 1 chargeback for each 600 orders

10) ....
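
Tips 3, 5 and 7 from the post above, sketched as an added example (not part of the original post and not any poster's software). It assumes Apache "combined" access logs, a fraud file with one `email|ip|domain` line per rejected order, and a hypothetical `SOURCE_OF` table that maps referring hosts to the choices on the order form; all sample data is constructed.

```python
import re
from urllib.parse import urlparse

# Apache "combined" format; only the client IP and the Referer are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Constructed sample data: documentation IP ranges and example.* hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jul/2002:20:01:10 +0000] "GET /plans.html HTTP/1.0" 200 5120 "http://forum.example.net/t/42" "Mozilla/4.0"
203.0.113.7 - - [21/Jul/2002:20:03:44 +0000] "POST /order.cgi HTTP/1.0" 200 812 "http://host.example.com/plans.html" "Mozilla/4.0"
198.51.100.20 - - [21/Jul/2002:20:05:00 +0000] "GET / HTTP/1.0" 200 4096 "http://search.example.org/?q=hosting" "Mozilla/4.0"
198.51.100.20 - - [21/Jul/2002:20:09:12 +0000] "POST /order.cgi HTTP/1.0" 200 812 "http://host.example.com/" "Mozilla/4.0"
"""
# Earlier rejected orders, one per line: email|ip|domain (assumed file layout).
SAMPLE_FRAUD_FILE = "bob@mail.example.net|203.0.113.7|cheapshells.example\n"
# Hypothetical mapping from referring host to the choices on the order form.
SOURCE_OF = {"forum.example.net": "forum", "search.example.org": "search engine"}

def first_external_referer(log_text, ip, own_host):
    """Host of the first off-site Referer logged for this IP, or None."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(1) == ip:
            host = urlparse(m.group(2)).hostname
            if host and host != own_host:
                return host
    return None

def review_order(order, log_text, fraud_text, own_host="host.example.com"):
    """Return the reasons (possibly none) to hold an order for manual review."""
    reasons = []
    seen = first_external_referer(log_text, order["ip"], own_host)
    if SOURCE_OF.get(seen) != order["how_found"]:
        reasons.append(f"says '{order['how_found']}', logs show {seen}")
    for line in fraud_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the fraud file
        email, ip, domain = line.strip().split("|")
        hits = [k for k, v in (("email", email), ("ip", ip), ("domain", domain))
                if order[k].lower() == v.lower()]
        if hits:
            reasons.append("matches earlier fraud order on " + ", ".join(hits))
    return reasons
```

An empty result means neither signal fired; it says nothing about the card itself.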

zhaozilong
07-21-2002, 10:17 PM
Thank you. It's useful for me :D

seg fault
07-21-2002, 10:36 PM
bull****

You don't have to be scared of doing live transactions. I have written fraud software for all my live signups and have reduced fraud dramatically.

I am talking - the highest fraud you can ever imagine 75% or so for a shell company.

We have dropped it to <5%

We check:

1. IP -vs- country
2. AVS
3. List of blackholed email addys
4. List of blackholed cards
5. Capture amount from local merchant to check response codes
6. MOD10 verify card
7. Proxy scan client
8. Cvv2 check against carders algorithm
9. Standard form validation

After all this - we finally pass the transaction to our merchant.

You DO NOT need to be scared of live transactions.

zhaozilong
07-21-2002, 10:46 PM
Originally posted by hosticle
bull****

You don't have to be scared of doing live transactions. I have written fraud software for all my live signups and have reduced fraud dramatically.

I am talking - the highest fraud you can ever imagine 75% or so for a shell company.

We have dropped it to <5%

We check:

1. IP -vs- country
2. AVS
3. List of blackholed email addys
4. List of blackholed cards
5. Capture amount from local merchant to check response codes
6. MOD10 verify card
7. Proxy scan client
8. Cvv2 check against carders algorithm
9. Standard form validation

After all this - we finally pass the transaction to our merchant.

You DO NOT need to be scared of live transactions.
I want to know more detail from point 2 to point 8. Can you tell me more? THX!

zhaozilong
07-21-2002, 10:49 PM
Originally posted by H2
1) Never use real time transactions (!)
2) Check order IP (whois, traceroute, http://111.111.111.111 - http proxy)
3) Check server-logs details to see how the customer found your site
4) Check whois of contact email domain (name@frauddomain.com), visit this domain - 95% of Indonesians register domain via Netsol for 2-10 years in advance and never upload home page and usually use Indonesian admin address
5) Create "how did you find us" field on your order form and compare results with server logs. Sometimes you'll get interesting results.
6) Create fake-plan with $900 annual charge with N-days trial
7) Store all fraud orders in one file to search and compare when you receive a new order
8) Check whois of the domain that the customer wants to host on your server
9) Visit this domain.

BTW, we have 1 chargeback for each 600 orders

10) ....
Can you tell me what point 6 means?

Lats
07-21-2002, 10:56 PM
Can you tell me what point 6 means?
It's been written here many times that they tend to go for the most expensive plans available, so it's a good check.


Lats...

seg fault
07-21-2002, 11:13 PM
Originally posted by zhaozilong

I want to know more detail from point 2 to point 8. Can you tell me more? THX!

First I cannot go into too much detail as we are working on a production version of this software.

But to scratch the surface.

2. Verify the address against the cardholder. For manual transactions banks sometimes call this a code 500

3. Create a list of email addresses you don't want to accept orders from and have your system block them

4. Compile a list of stolen credit cards. You can get help from other hosts to compile such a list. Currently we have close to a million.

5. Card pre-authorisation. You can actually capture an amount without charging the card. The balance will go off the card for up to 48 hours to ensure you will be able to charge it when required

6. MOD10 is the standard algorithm banks use to generate new cards

7. Ensure client is not running a proxy server to connect by connecting to certain ports

8. Carders use an algorithm to generate cvv2 numbers. As most banks don't actually store cvv2 number their rate of success is ~90% with a false cvv2 number.
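
The local checks from the list above (MOD10, blackholed emails, blackholed cards, IP versus country, proxy) as an added example; it is not the poster's software. A passing MOD10 checksum only shows the number is well-formed. Assumptions of this example: the card blocklist holds keyed hashes rather than raw numbers, `IP_COUNTRY` stands in for a GeoIP lookup, the proxy flag comes from a separate scan, and country mismatch and an open proxy port send the order to manual review rather than rejecting it. AVS, CVV2 and pre-authorisation depend on the merchant gateway and are not modelled; all sample data is constructed.

```python
import hashlib
import hmac

KEY = b"placeholder-key"  # placeholder; a real key belongs in a secret store

def normalise(pan):
    return pan.replace(" ", "").replace("-", "")

def mod10_ok(pan):
    """Luhn (MOD10) checksum over a 13-19 digit card number."""
    pan = normalise(pan)
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_token(pan):
    """Keyed hash, so the blocklist never stores raw card numbers."""
    return hmac.new(KEY, normalise(pan).encode(), hashlib.sha256).hexdigest()

# Constructed sample lists; the card numbers are published test numbers.
BLOCKED_EMAILS = {"bob@mail.example.net"}
BLOCKED_CARDS = {card_token("5555 5555 5555 4444")}
IP_COUNTRY = {"203.0.113.7": "ID", "198.51.100.20": "US"}  # stand-in for GeoIP

def prescreen(order):
    """Return ("reject" | "review" | "pass", reasons) before the merchant is contacted."""
    hard, soft = [], []
    if not mod10_ok(order["card"]):
        hard.append("card fails MOD10")
    elif card_token(order["card"]) in BLOCKED_CARDS:
        hard.append("card is blackholed")
    if order["email"].strip().lower() in BLOCKED_EMAILS:
        hard.append("email is blackholed")
    if IP_COUNTRY.get(order["ip"]) != order["billing_country"]:
        soft.append("IP country differs from billing country")
    if order.get("open_proxy_port"):
        soft.append("order IP has an open proxy port")
    if hard:
        return "reject", hard
    return ("review", soft) if soft else ("pass", [])
```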

H2
07-21-2002, 11:50 PM
Originally posted by hosticle


First I cannot go into too much detail as we are working on a production version of this software.
....


Some companies have no access to real merchant accounts and use 2checkout, revecom etc....

5%? For example - 600x5%=30 orders! ;(

BTW, what do you think about an order that comes from 65.214.101.201, contact email max@rian97.com. This order is from Indonesia ;) ....., but IP and billing address are from the US.

H2
07-21-2002, 11:58 PM
Originally posted by Lats

... they tend to go for the most expensive plans available, so it's a good check.


10%-15% of *** order cheapest plan, but usually they are not too smart to *** us ;)

zhaozilong
07-22-2002, 01:18 AM
I just received 2 orders. They are our most expensive package.
The address of the client is in Australia but the email address is in Russia.
The order IP is the same as the address.
The credit card does not have a problem.
Do you think this is a fraud order?

zhaozilong
07-22-2002, 01:33 AM
Originally posted by Lats

It's been written here many times that they tend to go for the most expensive plans available, so it's a good check.


Lats...
Do you mean if somebody orders this plan, it should be a fraud order?

iamdave
07-22-2002, 02:14 AM
Originally posted by H2


Some companies have no access to real merchant accounts and use 2checkout, revecom etc....

5%? For example - 600x5%=30 orders! ;(

BTW, what do you think about an order that comes from 65.214.101.201, contact email max@rian97.com. This order is from Indonesia ;) ....., but IP and billing address are from the US.

Don't take it, seems too weird. Why would they order from Indonesia, but have an address in the US?

Lats
07-22-2002, 02:14 AM
Originally posted by zhaozilong
Do you mean if somebody orders this plan, it should be a fraud order?
In the context of H2's original tip of having a $900 plan as opposed to maybe his regular plans of $40 dollars (I haven't looked), it may be a good indication.


Lats...

H2
07-22-2002, 05:27 AM
Originally posted by iamdave
Don't take it, seems too weird. Why would they order from Indonesia, but have an address in the US?

;) yes, I know. It was an example for "hosticle" - everything looks fine (even US IPs), but we KNOW that they are from Indonesia (server logs, prev. visits, contact email addresses, duplicate orders with N-hours interval etc).

justageek
07-22-2002, 06:58 AM
Originally posted by iamdave
Don't take it, seems too weird. Why would they order from Indonesia, but have an address in the US?

How would you tell them that tactfully? I mean, if you suspect fraud and don't want the client, in some cases there is still a chance it is legit. I can imagine really ticking off a legit customer by telling them they are fraudulent.

TedS
07-22-2002, 07:04 AM
Originally posted by justageek


How would you tell them that tactfully? I mean, if you suspect fraud and don't want the client, in some cases there is still a chance it is legit. I can imagine really ticking off a legit customer by telling them they are fraudulent.

Simply tell the client that their order has triggered your automatic fraud detection system and you are simply contacting them to do an in-person verification. If it is related to their credit card avs/cvv2 it's nice to tell them that they may have had their card stolen/faked which makes them think you're looking out for them. The end goal of the conversation should be to explain that you're checking out what could be fraud to help them when in truth you're helping yourself.

H2
07-22-2002, 07:27 AM
Originally posted by justageek

How would you tell them that tactfully?

1) "Dear John, Sorry, but we cannot approve your order."

In 98% of cases you will not receive a question "Could you please tell me why you can't approve my order?" ;)


2) "Dear John, to complete your order please send photocopy of front and back of your credit card + first page of passport or driving license to (your)-fax-number"

Rate is 99% ;)

Once we sent this message 5 times to one guy who tried to use different CCs + addresses + domain each day during one week.
Then he decided that this was our "standard" procedure :)

3) Just delete his trial authorization and do not answer.

EzSnake
07-22-2002, 09:18 AM
Ok serious questions...
I am lookin to prevent as much as I can w fraud..
I already have the .htaccess blockin Indonesia etc etc

My issue is I don't have the skill to write my own scripts
I also will (more than likely) be usin revecom as my CC processor!!! I would like to have some way of doing:
1) Do the above-mentioned things before orders go to revecom and use their auto setup option
2) Have some kinda alert w each and every order before anything is even charged (I like that pre-auth part) then do my checking and if it all passes then put order thru to revecom.

I also am not dedicated on using revecom.. if any other provider has something that will help me operate more efficiently.

seg fault
07-22-2002, 09:23 AM
Originally posted by H2


;) yes, I know. It was an example for "hosticle" - everything looks fine (even US IPs), but we KNOW that they are from Indonesia (server logs, prev. visits, contact email addresses, duplicate orders with N-hours interval etc).

After running nmap on that IP it showed it had port 3128 open which looks to be a Socks proxy. In this case the fraud software would have rejected the order.

H2
07-22-2002, 09:45 AM
Originally posted by hosticle
After running nmap on that IP it showed it had port 3128 open which looks to be a Socks proxy. In this case the fraud software would have rejected the order.

hosticle,

Good tip ;) Waiting for your soft.

Lurleene
07-22-2002, 11:31 AM
I just received 2 orders. They are our most expensive package.
The address of the client is in Australia but the email address is in Russia.
The order IP is the same as the address.
The credit card does not have a problem.
Do you think this is a fraud order?

I didn't see an answer to this before -- slap me if I missed it -- but I would find this to be a highly suspicious order.

Zhao Zi Long, in this situation I would ask for a fax copy of the front and back of the credit card and a photo ID such as a driver's license.

Chances are overwhelming that you'd never hear from them again.

I'm fairly new at charging cc's through my merchant account (had it for 8 months or so) but I think once you start charging you develop a sense for what's screwy and what's not.

Here are some suspicious details I'd like to add to the original post:


Overorder and don't care (for example, fail to take advantage of your special offer)
Don't sign their name to any e-mail (just end with "thanks,")
Demand instant setup
IP traces to Indonesia, Russia, or Romania (and billing address is elsewhere)
The address/phone number is typed oddly, for example a US phone number being typed like xx-xxxx-xxxx, or the city is misspelled (Orlendo, Shanghi, etc.)

zhaozilong
07-22-2002, 01:12 PM
THX!
I have rejected their payment. My CC also thinks one client may have a problem.
Thanks everybody.

AtlantaWebhost.com
07-24-2002, 10:22 AM
How would you tell them that tactfully? I mean, if you suspect fraud and don't want the client, in some cases there is still a chance it is legit. I can imagine really ticking off a legit customer by telling them they are fraudulent.


That is the point when I throw the order to "voice confirmation." I call the phone number provided and leave a message if I get a voice mail. I then e-mail the orderer and say that I have attempted to call them and left a voice mail and request that they please give me a call back so I can proceed to process the order.

WiseOnline
07-26-2002, 01:46 AM
I usually voice verify and send them a letter with a code to verify, and if they don't verify in 4 days I refund and call authorities. It's happened 2 times alone.

IntraHost
07-31-2002, 06:40 PM
You call the authorities?

What do you give them?

sadistikal
08-01-2002, 10:16 PM
After running nmap on that IP it showed it had port 3128 open which looks to be a Socks proxy. In this case the fraud software would have rejected the order.
That is just a squid proxy server. I used to run one at home because it's good for caching web sites and takes some of the load off my internet line. It's good for other things as well. Why would you reject an order based on this alone? Proxy servers are fairly common.
Sadistikal

WiseOnline
08-09-2002, 02:43 AM
Some good tips here that I'm using already :)