Things You Can Do To Prevent Credit Card Fraud

Recently I’ve run into a couple issues with stolen credit cards being used on my site.  There are a lot of things you can do to prevent it in the first place, for example only allowing the billing/shipping address to match.  Unfortunately this is an unreasonable thing to do as many people order things and have them shipped to friends/family as gifts, work, etc.  It most likely wouldn’t be worth the money lost in having this policy.

While there is unfortunately no fool proof method, there’s quite a bit of research you can do, especially for US orders.  Here’s some of the stuff I’ve done, please feel free to comment with further ideas or anything else that you may do.

  • Make sure the AVS code is a match.  You can see what all the codes mean here.  I can’t think of any instance other than human error why the AVS code should not match.  For those that don’t know generally having the AVS code helps prove that the customer has the actual card in-hand.
  • If a billing/shipping address are a match I feel that you are pretty safe to ship an order without worrying about fraud.
  • Call the customer if you have any concerns.  While somebody using a stolen credit card may lie on the phone, you may be able to catch something.  Sometimes they even use the billing phone #, so you’ll end up calling the actual person that owns the stolen credit card and you’ll find out right away when they have no idea that something was ordered from you.
  • Google the e-mail address with quotes around it.  Something may turn up that shows you it’s the person that actually ordered.
  • Google the billing and shipping address and see what comes up.  Street view on Google Maps is a great feature.  While it may seem somewhat shallow, when you have a billing address which shows some sort of nice huge house, and a shipping address that shows a crappy looking house…that should raise a flag.
  • Google the name with quotes around it.  You may have to add the state or city name into the query if it’s a common name.
  • Search the name and e-mail address on sites like Facebook, LinkedIn, MySpace, etc.
  • If the e-mail is something that looks like a screenname, Google that portion.  For example if an order is placed under something like mrpowerman2738@yahoo.com, search “mrpowerman2738″.  They may use this name on things like forums or anything else that may help link the order validity.
  • Use a site like IP-Lookup to get information on the IP.  This can help make sure that the billing or shipping location is the same as the IP.  Have an order going to Nebraska, but the IP is from Croatia?  That’s a red flag to do some research before sending out an order.
  • Use WhitePages.com to check up on the address and phone number to see if customer data matches.  You can use WhitePages.ca for Canadian customers.  White Pages allows you to do reverse phone and address searches for free, which can be very helpful.
  • Sometimes you end up calling a mail forwarding company that international customers use to forward shipments to their country.  This is fairly common from what we’ve seen, but also has a potential for fraud. You can speak with the company and have them either look up the suite # or the name and verify that the information is correct.  Sometimes you can even make sure the last 4 digits of the credit card match when they opened up the freight forwarding account.  Companies like Bongo do a security check before accepting customers to open an account with them, so they can verify the validity of an order.

Of course none of the above can guarantee you won’t have issues, but if something seems fishy you’ll at least have some steps you can take to help verify an order.  Generally if something seems too fishy, I’ll contact the customer and tell them we’ll need another form of payment like a wire transfer.  You take the risk of losing a sale by doing this, but you also stop the potential for sending out an order and not getting it back while losing the money on a chargeback.  Just explain to the customer that you’ve had problems with credit card fraud and because of certain reasons their order raised a flag.  Alternatively I’ve even had customers scan in their drivers license with the billing address.

I’m sure there may be some better methods out there, so I’d love to hear your feedback.  How does a company like Amazon help defeat fraudulent orders when they do so many transactions per day?

My next post will be about what happens if the product has already been shipped and you find out it was ordered with a stolen credit card.  What can you do about it?  Stay tuned!

  • http://www.adam-mcfarland.net Adam

    Great post Dave. I’ll add another tool that we’ll be implementing soon: BadCustomer ( http://www.badcustomer.com/ ). They have a huge database of customers who have been blacklisted by retailers for fraud. Even if you don’t automate it like we’re trying to do, you can still check suspicious orders on their website. There’s also the advantage of scaring some people away by showing some sort of message that you report fraudulent chargebacks.

  • http://www.davepit.com/who-is-david-pitlyuk David Pitlyuk

    Oh interesting concept on BadCustomer. I would have three concerns integrating that into a cart.

    1) You have to send your customer data (including card information) through the API. Not that big of a deal but there is a security risk there. You will also need to modify your privacy policy accordingly.

    2) It’s a bit stand-offish when you see this integrated into a card. As a customer it almost seems like you’re already blaming me even though I haven’t done anything wrong. They use big red graphics that say bad customer. This probably makes you lose some customers, would have to test conversion differences.

    3) The concept behind it is somewhat of a turnoff in the mindset that I have to pay $99 to take my name off the list if I’m on there. Sort of crosses some what is right what wrong concerns….but I do understand they need to make money somehow.

    On BadCustomer they also mention a couple services that may be worth looking into (I haven’t had time yet):

    http://www.verifi.com
    http://www.vindicia.com/

  • http://www.adam-mcfarland.net Adam

    Good points Dave.

    We haven’t started the project yet, but when we do I think we’ll have to think hard about all of that before getting started. My preference would be to only show the graphics/warning to customers who fail some other test…maybe their IP is from a different region than their billing or shipping address, or we’ve marked them as suspicious in the past, something like that.

    And the $99 concept doesn’t rub me well either. I’d rather they be a service company (charge for integrations and support) and keep the rest free.

  • Mitch

    Nice post, actually blocking whole countries is not a bad idea also… Nice tip about checking the IP, I also use http://ip-address-lookup-v4.com to correlate the data of ip-lookup.net in case their RIPE db hasn’t been updated

  • kleinerbär

    Hi, I found your article very good. Actually, Amazon are pretty bad at dealing with fraud, especially when it comes to social engineering. For a couple of months I red an article how someone orders a Kindle to the victim’s address and after that managed to purchase another one and redirect the order to his address simply by chatting with their Customer service.. Also, another option to check up on the phone number is ShowMeLocal. Yellowpages is a good alternative too.