[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Chargebacks and credit card frauds

To: Andrew Haninger <ahaning@xxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Chargebacks and credit card frauds
From: Steven Anders <anderstev@xxxxxxxxx>
Date: Tue, 22 Sep 2009 11:36:16 -0700

Thanks Andrew for the suggestion.
Yes, it does make sense to do all the checks you described. These days, as
manual process, we just make a phone call and do a follow-up email.
We ask for a copy of the credit card to be faxed and a proof of ID. Many
times the fraudsters do a reply with very "bad English"  - sometimes it is
funny.
And you're right - a lot of the orders are placed on non working hours.


On Mon, Sep 21, 2009 at 10:29 PM, Andrew Haninger <ahaning@xxxxxxxxxxxxxx>wrote:

> On Tue, Sep 22, 2009 at 12:26 AM, Steven Anders <anderstev@xxxxxxxxx>
> wrote:
> > I am now tasked with improving our backend checks to make sure we don't
> have
> > any more fraudulent order, and would appreciate any pointer or insights
> into
> > this matter. Any theories, insights, or information would be very useful.
> I have three ideas. Two are quite complicated and the other a little
> simpler. None are fraud-proof. Some may be impractical if your work is
> being done "after the fact".
>
> 1) Have a robot call or text the customer a CAPTCHA-type string to
> enter into a website.
>
> Workaround: Register a cell phone or VoIP number in the victim's area
> code and take the call. You could possibly require a hard-wire
> landline, but those are becoming so uncommon that it would create
> trouble for many of your customers. And then there are those darned
> dialup users.
>
> Perhaps do this only after a first "offense". Though, I'm guessing
> fraudsters only use the accounts once and then avoid them.
>
> 2) Have a Flash or Java applet check for common remote desktop servers
> running on the ordering PC.
>
> Workaround: Disguise the server software as something harmless, if it
> isn't already.
>
> 3) Check to see if the order was placed outside normal waking hours or
> during normal working hours.
>
> Workaround: Not hard to work around, but might hassle the criminals.
>
> Andy
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Chargebacks and credit card frauds
  - From: T Biehn

References:
- [Full-disclosure] Chargebacks and credit card frauds
  - From: Steven Anders
- Re: [Full-disclosure] Chargebacks and credit card frauds
  - From: Andrew Haninger

Prev by Date: [Full-disclosure] Dumb question: Is Windows box behind a router safe ?
Next by Date: [Full-disclosure] [ MDVSA-2009:242-1 ] dovecot
Previous by thread: Re: [Full-disclosure] Chargebacks and credit card frauds
Next by thread: Re: [Full-disclosure] Chargebacks and credit card frauds
Index(es):
- Date
- Thread