Re: [Full-disclosure] Chargebacks and credit card frauds
- To: Steven Anders <anderstev@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Chargebacks and credit card frauds
- From: T Biehn <tbiehn@xxxxxxxxx>
- Date: Tue, 22 Sep 2009 17:13:02 -0400
You could run IP against spam bl's, ISC lookup, dronebl, proxybl for flagging.
-Travis
On Tue, Sep 22, 2009 at 2:36 PM, Steven Anders <anderstev@xxxxxxxxx> wrote:
> Thanks Andrew for the suggestion.
> Yes, it does make sense to do all the checks you described. These days, as
> manual process, we just make a phone call and do a follow-up email.
> We ask for a copy of the credit card to be faxed and a proof of ID. Many
> times the fraudsters do a reply with very "bad English" - sometimes it is
> funny.
> And you're right - a lot of the orders are placed on non working hours.
>
>
> On Mon, Sep 21, 2009 at 10:29 PM, Andrew Haninger <ahaning@xxxxxxxxxxxxxx>
> wrote:
>>
>> On Tue, Sep 22, 2009 at 12:26 AM, Steven Anders <anderstev@xxxxxxxxx>
>> wrote:
>> > I am now tasked with improving our backend checks to make sure we don't
>> > have
>> > any more fraudulent orders, and would appreciate any pointer or insights
>> > into
>> > this matter. Any theories, insights, or information would be very
>> > useful.
>> I have three ideas. Two are quite complicated and the other a little
>> simpler. None are fraud-proof. Some may be impractical if your work is
>> being done "after the fact".
>>
>> 1) Have a robot call or text the customer a CAPTCHA-type string to
>> enter into a website.
>>
>> Workaround: Register a cell phone or VoIP number in the victim's area
>> code and take the call. You could possibly require a hard-wire
>> landline, but those are becoming so uncommon that it would create
>> trouble for many of your customers. And then there are those darned
>> dialup users.
>>
>> Perhaps do this only after a first "offense". Though, I'm guessing
>> fraudsters only use the accounts once and then avoid them.
>>
>> 2) Have a Flash or Java applet check for common remote desktop servers
>> running on the ordering PC.
>>
>> Workaround: Disguise the server software as something harmless, if it
>> isn't already.
>>
>> 3) Check to see if the order was placed outside normal waking hours or
>> during normal working hours.
>>
>> Workaround: Not hard to work around, but might hassle the criminals.
>>
>> Andy
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
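Editor's added example (not from Travis, Andy or the list): a small back-end pre-screen for an order that combines Travis's DNSBL idea with Andy's third suggestion (order placed outside the customer's waking hours). A DNSBL lookup is a plain A-record query for the IP's octets reversed under the list's zone; an answer in 127.0.0.0/8 means "listed", NXDOMAIN means "not listed". The zone names, the resolver stub, the waking-hours window and the sample orders are all constructed for the example; substitute the zones your blocklist providers publish. The ISC lookup from Travis's note is not modelled.

```python
import ipaddress
import socket
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, List, Optional

# Constructed placeholder zones; use the real zone names your providers publish.
DEFAULT_ZONES = ("example-spam-bl.invalid", "example-dronebl.invalid")

# Constructed sample data: a US-Eastern (DST, UTC-4) customer and two orders.
SAMPLE_CUSTOMER_TZ = timezone(timedelta(hours=-4))
SAMPLE_NIGHT_ORDER_UTC = datetime(2009, 9, 22, 7, 0, tzinfo=timezone.utc)    # 03:00 local
SAMPLE_DAY_ORDER_UTC = datetime(2009, 9, 22, 18, 36, tzinfo=timezone.utc)    # 14:36 local


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, under the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only handles IPv4 lookups")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(answer: Optional[str]) -> bool:
    """A DNSBL answer inside 127.0.0.0/8 means 'listed'; None (NXDOMAIN) means not."""
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def system_resolver(name: str) -> Optional[str]:
    """Live A lookup through the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_hits(ip: str, zones: Iterable[str] = DEFAULT_ZONES,
               resolve: Callable[[str], Optional[str]] = system_resolver) -> List[str]:
    """Return the zones that list the IP. The resolver is injectable so the check
    can run against canned answers in tests."""
    hits = []
    for zone in zones:
        if is_listed(resolve(dnsbl_query_name(ip, zone))):
            hits.append(zone)
    return hits


def is_off_hours(order_time_utc: datetime, customer_tz: timezone,
                 start_hour: int = 7, end_hour: int = 23) -> bool:
    """True when the order, viewed in the customer's local time, falls outside
    the constructed 07:00-23:00 waking-hours window."""
    local = order_time_utc.astimezone(customer_tz)
    return not (start_hour <= local.hour < end_hour)


def flag_order(ip: str, order_time_utc: datetime, customer_tz: timezone,
               zones: Iterable[str] = DEFAULT_ZONES,
               resolve: Callable[[str], Optional[str]] = system_resolver) -> List[str]:
    """Collect human-readable reasons to hold an order for manual review."""
    flags = []
    hits = dnsbl_hits(ip, zones, resolve)
    if hits:
        flags.append("ordering IP listed in: " + ", ".join(hits))
    if is_off_hours(order_time_utc, customer_tz):
        flags.append("order placed outside the customer's waking hours")
    return flags


# Constructed canned DNSBL answers so the demo runs offline.
FAKE_ANSWERS = {"4.3.2.1.example-spam-bl.invalid": "127.0.0.2"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip, when in (("1.2.3.4", SAMPLE_NIGHT_ORDER_UTC), ("5.6.7.8", SAMPLE_DAY_ORDER_UTC)):
        flags = flag_order(ip, when, SAMPLE_CUSTOMER_TZ, resolve=fake_resolver)
        print(ip, when.isoformat(), "->", flags or ["no flags"])
```

Flags here only route an order to the manual phone-and-fax follow-up Steven describes; a DNSBL hit on a residential IP is common enough that it should raise the review bar, not reject outright. Query each zone's documented return codes if you want to distinguish open proxy listings from plain spam-source listings.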