FraudBase - A Fraud Database - Need Help!

webair-gene · #1 02-16-2005, 04:39 PM

I'm working on starting a site called FraudBase, basically it will be a $4.95 monthly subscription to a database of fraudulent customers.

It will work by companies submitting their fraudulent orders to the website and then everyone will have the ability to view the fraud database.

The database will contain the persons name, address, phone number, ip, and first four and last four digits of credit card, or paypal email address.

My first concern is the legality of having such database, as far as I know there is nothing illegal as long as we dont store the full card number and don't sell the people's information to other companies.

Secondly, I ask for assistance from some php developers who can assist with my project (hopefully for free).

and if this takes off I will be asking for beta testers who will have free accounts to the website.

Let me know what you think!

-- Moderators: If this is the wrong section I appologize, please delete/move as necessary --

David · #2 02-16-2005, 04:44 PM

Just how many laws are you looking to break? This sounds like it would about cover them all.

webair-gene · #3 02-16-2005, 04:46 PM

I'm trying to run this without breaking any laws, if you get what i'm saying.

Inthrive · #4 02-16-2005, 04:50 PM

Sounds like the DotFraud site, except they don't collect address, phone or credit card number.

webair-gene · #5 02-16-2005, 04:52 PM

I wasn't aware such a site exists.

Philipf · #6 02-16-2005, 05:03 PM

I also run a similar database, and have been for around 10months or so. The only legal information you can collect is email, name, domain and IP, but I would suggest you see a solicitor like I did.

IP address's are a waste of time, as 90% of the time, they are dynamic.

Dotfraud only has around 552 domains in the database though.

webair-gene · #7 02-16-2005, 05:29 PM

I see, thanks for the input.

Host Ultra · #8 02-17-2005, 09:37 PM

Fraud customer databases are a waste of time.

The chances are astronomical that two hosts using the same database will get the same fraud customer.

If its a stolen card your just blocking that innocent person who got his card stolen which will be exceeded its limit in a few minutes when the frauder is finished with it and posts its on an irc channel (this actually happens).

By the time you get the chargeback the frauder is already using a different card and ip.

To prevent fraud:
Call issuing bank to verify phone number customer gave you is the cardholders real number (or see if the number reverse lookups to AVS verified address on www.whitepages.com).
Call cardholder to verify order.

See:
www.cardcops.com
www.fraudgate.com

Corey Bryant · #9 02-18-2005, 09:26 AM

All it takes is one hosting company to put a legitimate name in there.

True - this is the internet and you might not be held responsible for other people's actions, but do you really want to chance it? Do you want to set a precedent? With the ever-changing laws on the internet, it is a difficult task.

For something like this - you need to hire an attorney. One that would be on retainer everytime you received a C&D letter. Plus, if you are hosting this yourself - what happens if the person emails your DC? The DC might decide to shut you down because they do not want to get involved.

And then honestly, I can see the hosting companies doing chargebacks to you because they get five fraudulent orders a month and they never saw one on your site.

serversphere · #10 02-19-2005, 10:31 AM

A few of us here discussed this idea previously and it never went anywhere because of all the reasons posted here plus the fact that the site would become a non-stop hack target. Good luck though!

MTSpace at WHT · #11 02-19-2005, 10:39 AM

Hi,

It's a nice idea, but, I don't think you'll ever take off with it.

Firstly, it is illegal to store users credit card (any number of digits from it), phone number or address.

Secondly, a web host could easily submit hundreds of false fraud orders.

Thrdly, the chance of the same fraud order coming accross two or more of the hosts subscribed is EXTREMELY slim unless you have XX,XXX figure of subscribers.

Fourthly, with the alternatives available, such as FraudGuardian, which do not rely on information provided by other hosts, but instead predict the probability of fraud, you'd probably have a hard time getting hosts to sign up, especially since you aren't (or haven't indicated) that you run a billing script, or have any links with one to develop a system to allow that billing script to allow your host to automatically check the database.

Hope this helps.

everity · #12 02-19-2005, 03:05 PM

We are being considered to develop an application like the one being discussed here, but for the travel industry. I have wanted to create one for the hosting industry for several years. I believe it is feasible, but it would have to be a lot less open than this. You can't just make a public database with personal information readily available to anyone willing to pay 5 bucks. Also, there is absolutely no way you can let the hosting company have the last word. The customer must always have the last word. It needs to be fully automated (to compensate for human emotions), and any host taking part must meet very strict guidelines, both technologically and relating to their conduct. (In other words, sorry resellers, but you probably wouldn't be able to meet all the requirements, though you could contact your host on a case-by-case basis if your host met the requirements and was a member.)

Of course, it would help if laws could be changed to allow more information to be tracked. If someone could legally track all the relevant data and maintain strict access controls (which would be very expensive) I think it would be a huge benefit to hosting companies everywhere.

Over the last 4 years we have compiled a rather large database of customers that owe us money, have hurt our reputation, have hacked, spammed, etc. Most of this information is on a disk in a filing cabinet, but I would love nothing more than to publish this database online, and to let other companies use it so they can defend themselves, and so these crooks, at the very least, can no longer get services from reputable hosts.

I'm sure other hosts have information as well. If we could put it all together, and reference it in automated sign-up scripts, we could really solve a lot of problems.

I disagree that its impossible to track. These people have behavior characterisitics that could be used to identify them again and again. For example, similar sounding domains combined with an IP address that belongs to the same ISP, or a username that was used 3 years ago being used again.

The service could assign a fraud score to each new account based on the amount of similarities it finds in its database. An API call could atleast flag the new account for suspicion, and then the host could pay (possibly) for a report to access all relevant data and then make a decision whether or not to keep the account. (this part would be done by a person, most likely.)

Unfortunately, no one seems to be willing to represent our industry to get the laws changed, and no one seems willing to step up to the plate to create such a system.

But if one ever becomes available, eVerity would be willing to pay a lot more than $4.95 per month. Even if we had to pay $100 per month would still be well worth it for us.

Host Ultra · #13 02-19-2005, 04:28 PM

Legal problems could be solved by simply having the database/site on a server in a country which has no restrictions on what data you can store eg www.havenco.com though theres probably somewhere not so expensive.

MD5 sums of credit card numbers could be used which would allow you to check if a number is listed in the database without the database holding the actual cardnumber.

As for the site being hacked.
You simply have 2 servers, a storefront and a members only server. Only members would know the address of the members only server. Access could be firewalled to only allow IPs of members servers to access the database.

everity · #14 02-19-2005, 05:43 PM

All good ideas, but hosting in another country isn't very legitimate. I'm all for being 100% legal. We don't want to scare consumers away from using their credit cards, as that would be the end of our industry. We might as well just commit suicide. Anything that isn't 100% secure and that doesn't have the approval of the card associations just isn't going to fly.

Its not just about payment issues, we need protection against spammers etc. as well. I've heard that as little as 1 in 700 spammers even get investigated. That is INSANE!!!

With a good system 99% of them could atleast be investigated. and most of them can be fined, jailed, or atleast sent to bed without supper.

But yeah, back to payment issues. We need to do something that is agreeable to the major credit card associations. I don't think that is possible. They are a bigger hurdle than government. But if we leverage our strength, I'm sure we can work SOMETHING out, however little. (hint: the card associations are more worried about making money and protecting themselves than they are about protecting consumers, and they couldn't care less about protecting merchants. We need a little more defense against fraud than we have now.)

We need one organization, one BIG, powerful organization to represent our entire industry to government, to the card assocations, etc. Right now that is left up to the big companies like AOL, Yahoo, Microsoft, etc. The majority of us get no representation whatsoever. A good organization that truly represented our industry would pave the way for something like FraudBase, which would then make all of our lives so much easier.

Unfortunately, for now, I just don't see FraudBase as being useful considering all the limitations that will necessarily be placed on it.

dkitchen · #15 02-19-2005, 06:52 PM

Quote:

Originally posted by wanga

The database will contain the persons name, address, phone number, ip, and first four and last four digits of credit card, or paypal email address.

Address, phone number, IP, e-mail, etc. All useless, fraudsters make it all up. Plus half the time we don't get to see peoples CC numbers.

Quote:

My first concern is the legality of having such database, as far as I know there is nothing illegal as long as we dont store the full card number and don't sell the people's information to other companies.

Well you've just said you're charging $4.95/month for it, doesn't that count as selling...

Quote:

Secondly, I ask for assistance from some php developers who can assist with my project (hopefully for free).

You want people to help you for free so you can charge and make a profit out of it? Not going to happen ...