MaxMind


General Guidelines for Preventing Online Credit Card Fraud

This is a short overview of steps that you can take as a merchant to reduce credit card fraud. It is most applicable to e-commerce sites delivering goods digitally; however, these steps can also be applied to other types of credit card sales over the Internet.

There are two general approaches available. You can use software to screen all of your transactions automatically, or you can manually check each transaction for possible fraud. Neither approach is perfect when used by itself. The automatic approach can sometimes flag or impede legitimate sales. While performing the manual checks for all transactions is ideal, there is a trade-off in merchant time and hassle, long-distance bills, and customer inconvenience.

MaxMind's minFraud enables you to combine both automatic and manual checks. MaxMind's service allows you to screen transactions automatically so that you can pay attention only to the transactions that are flagged as potentially fraudulent by the system. With this service, your business will save money and time, increase productivity, and maintain strong protection against fraud.

Learn more about the various automated and manual checks you can perform to help reduce credit card fraud.

Automated Checks available from minFraud

IP Address Location
A discrepancy between a person's claimed location and the location of the computer they are making the transaction from is a potential indicator of fraud. MaxMind services can authenticate the transaction by matching up the billing address of the card holder with their actual physical location, determined by examining their IP address*. Of course, the person could simply be travelling or using a business card issued to a company branch in a different city or even country.

E-mail Domain
Many fraudsters use a free e-mail provider such as hotmail.com to remain anonymous. Of course many legitimate clients use free e-mail as well. For business to business transactions, we recommend checking out the domain by typing "http://www." and the domain name into your browser and looking to see if the website looks like a legitimate business. For consumer purchases, of course this doesn't apply.

Anonymous and Open Proxies
One of the ways fraudsters evade attempts to track them down is to use an Anonymous or Open Proxy. These proxies hide the true location of the client, like a ski mask would hide the identity of a bank robber in the real world. We have noticed that a high number (around 26%) of our fraudulent purchases come from Open Proxies, and it is known that organized credit card fraud rings use Open Proxies.

On the other hand, legitimate orders do come from Open Proxies - usually these are orders where the user's computer has been unknowingly infected by a virus that allows spammers and credit card hackers to hijack their computer. In our experience about 4% of legitimate purchases come from Open Proxies, due to the widespread propagation of computer viruses. Our suggestion is to contact the customer to obtain more information. You can refer them to openrbl.org if they would like verification that their IP address is listed on Open Proxy lists.

In addition to reporting Anonymous and Open Proxies, our minFraud service returns whether the IP address belongs to a reported spam source. We have received a couple of fraudulent orders from IP Addresses labeled as spam sources, and we block these because it is likely that spammers participate in credit card fraud.

Bank Identification Number Check
Many international credit cards don't support address verification. Checking the Bank Identification Number (BIN) provides a way to see if the issuing bank for the credit card is in the same country as the one where the card holder resides. Note that legitimate users sometimes do use a credit card from another country.

You can also ask the customer to provide the bank name and customer service phone number as listed on the credit card. This information can then be verified against the MaxMind database to see if it matches the information we have on record for the BIN. This provides an additional layer of protection by verifying that the user has physical possession of the credit card unless a fraudster found this information by accessing a compromised BIN name and phone number list.

Manual Checks

Telephone Card Holder
This is one of the best ways of verifying whether the card holder authorized the purchase, the trade-off being that it is more time-consuming for you, the merchant. On your order form, you request the phone number as listed on the credit card account. You then validate this number by calling your merchant provider and/or the issuing bank for the credit card. Once you have obtained the valid card holder's number, you call it and ask if they authorized the transaction. If they are the owner of the credit card and didn't authorize the transaction, suggest that they call their credit card company and report the card as stolen. Generally we recommend doing this for high value transactions or when the automated checks return a high fraud score. MaxMind's Telephone Verification service can automate the verification process.

Fax Authorization with Signature
This is another way of verifying the card holder, the trade-off being that it makes the customer do more work. The customer fills out an authorization form you provide [sample], and then faxes it back to you with a signature and copies of the front and back of the credit card. For digitally delivered goods, this is the best way to protect against "friendly" chargebacks, namely when the authorized card holder denies that they authorized the transaction.

Related Information

A note about PayPal
Many merchants who accept credit cards also accept PayPal. In general we are as careful accepting PayPal payments as we are with credit card payments. You can get chargebacks with PayPal, and furthermore, many PayPal accounts have been hijacked, and we have had at least one payment from a hijacked account reversed. Fortunately we had noticed that they used the same IP address as a fraudulent credit card purchase, so we contacted the PayPal account holder and notified him that his account had been hijacked. Generally PayPal accounts that have a hotmail or other free e-mail address are risky, since people will often use the same password for both their hotmail and PayPal accounts, so the hijacker will have access to both the PayPal account and their e-mail.

Footnotes

* For transparent proxies, you should obtain the IP address behind the proxy by examining the HTTP headers HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP. Our minFraud service supports passing these values using the forwardedIP input field.
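
One way to collect the forwarded address described in this footnote, as an added example (not MaxMind's code). Both headers are supplied by the client side, so the sketch validates every value and keeps the connection address separately. The function names and the "peer_ip" key are hypothetical; only the header names and forwardedIP come from this page.

```python
import ipaddress

# Header names as given in the footnote (CGI/WSGI environ style).
FORWARD_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP")


def _public_ip(text):
    """Return a normalised IP string if text is a globally routable address, else None."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return None  # hostnames, "unknown", ports, injected text
    return str(ip) if ip.is_global else None


def screening_ips(environ):
    """Pick the IP inputs for a fraud-screening request from a CGI/WSGI environ.

    "peer_ip" (hypothetical key) is the address of the TCP connection and cannot
    be set by a request header. "forwardedIP" is the first public address found
    in the forwarding headers, or None when nothing usable is present.
    """
    peer = environ.get("REMOTE_ADDR", "")
    forwarded = None
    for name in FORWARD_HEADERS:
        # X-Forwarded-For can carry a chain: "client, proxy1, proxy2".
        for candidate in environ.get(name, "").split(","):
            ip = _public_ip(candidate)
            if ip and ip != peer:
                forwarded = ip
                break
        if forwarded:
            break
    return {"peer_ip": peer, "forwardedIP": forwarded}


# Constructed sample request. Well-known public resolver addresses stand in for
# real clients because documentation ranges are not globally routable.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "8.8.4.4",
    "HTTP_X_FORWARDED_FOR": "10.0.0.5, 1.1.1.1, 8.8.4.4",
}

if __name__ == "__main__":
    print(screening_ips(SAMPLE_ENVIRON))
```

A forwarded address that differs from the connection address is extra evidence for the location check, not a replacement for it, since the header value is only as trustworthy as whoever sent it.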

Last Updated: Jan 28th, 2005
Please send any feedback to support@maxmind.com


MaxMind, GeoIP and related marks are registered trademarks of MaxMind, Inc.
Copyright © 2008 MaxMind, Inc. All Rights Reserved. Terms of use.