The forms of online fraud have grown as fast as the Web itself. More and more parts of our lives take place on the Web — including ordering goods, services and exchanging personal information. The opportunities for criminals to make money illegally, fast and without getting caught have grown with the market. This article shall tap into one of the many aspects of fraud: credit card abuse.
There are many more aspects worth mentioning like identity theft, server hacking for spam and more, which are connected but would be too much to cover.
Credit card abuse is a serious threat for every online merchant and has one simple, major background: turning a stolen number into real cash for the criminal. Depending on the contract a merchant has with the credit card processing company, the cash for the criminal could ultimately come out of the pockets of the merchant.
Wikipedia has a very detailed article about the responsibilities of merchants and credit card companies: http://en.wikipedia.org/wiki/Credit_card_fraud which leads to a whole world of information.
The essence is: Studies from 2006 show a seven percent fraud rate for online transactions and even if you have a good contract with your credit card processor, high fraud rates could get you in trouble — ultimately with Visa and MasterCard which might ask or force the processors to end your contract.
In the past years — while running our download marketplace “tradebit.com” — we had several attacks of criminals, who wanted to use our platform as a tool for their criminal activity. As programmers we have worked hard to come up with an additional layer of security and more indicators to recognize fraud. In the hope that some of our ideas help others, we want to share them here. The ideas are especially helpful for service (like hosting), software and membership sites.
We took the ideas of email spam filters and thought of indicators that would “hand out points” for certain activity and raise a flag, once a transaction receives enough points.
Here are some of them:
a) Repeated use of the same card within a short time frame
In a process called “Carding,” the criminal first tests the stolen card number and if that transaction goes through, a second one is done quickly afterward to get additional value for the stolen card.
b) Browser language and IP location
Credit card thieves use so called “Open Proxies,” servers which hide the original IP number of the user so he can surf the Web without using his original location. To identify such usage, a combined set of data has to been built and used. On the one hand you need a database of IPs and their assigned location. These databases can be bought online (e.g. www.ip2location.com or www.maxmind.com) and work with MySQL and PHP just fine and are fast. Additionally there are services for hackers out there, which collect open proxies especially for fraud or hacking. It makes sense to sign up to these services yourself and get a list of the actual open proxies, like http://www.xroxy.com/proxylist.htm.
To bring that data together we have added a step in our basket process that checks for the browser language, the location of the IP the user is on and also if that IP number is already known as a proxy.
c) Browser Footprint
Any browser transmits certain information about itself to the site it is using. This includes information like:
This data can be consolidated into a single checksum which is amazingly diverse among hundred thousands of users. For example: we have more than 150,000 unique visits on Tradebit and see around 10,000 different browser checksums. That browser footprint can be (and should be) used to gather additional information on transactions.
Test your browser footprint: http://www.ampersand.com/blog/2010/01/28/yikes-my-browser-footprint-is-unique/
d) Same IP, different data
Even with a lot of sales, it is very unlikely that you will get a lot of transactions from one single IP within 2 – 3 hours. If you have more than one transaction from a single IP with different customer data, it is worthwhile to check out that transaction and the IP it is coming from.
e) Project Honeypot and others
There are a few free services which help to monitor additional signals for fraud. One of them is www.projecthoneypot.org – forum spammers and credit card fraudsters are partially using the same servers to drive their attacks. Project honeypot offers a DNS service for reverse encoded IP numbers which you can query with a specific domain, containing the IP and you get the fraud probability of that IP as a nameserver answers back.
There are many more little things you can do to limit the attacks of criminals on your services. The bad thing about some of these steps is the shift to IPv6 in the upcoming months and most of the really cool tools will just stop to work (like geo-location or proxy detection) and urgently need to be updated.
The big task for us webmasters and online merchants will be to make the Web a safe and clean place together. In my opinion this can not be done by governments or big brands like Google, Microsoft or PayPal. We all must do that together in “networking style”: independently and decentralized. I hope this articles gives you some good ideas how to prevent criminal activity on your sites!
Ralf Schwoebel is the founder and chief executive at Tradebit Inc. Read Ralf Schwoebel’s full PubCon speaker biography here.