Protection Against Online Credit Card Fraud

Understanding the evil-minded users of your services protects you
from credit card abuse and other online fraud.

The forms of online fraud have grown as fast as the Web itself. More and
more parts of our lives take place on the Web, including ordering goods and
services and exchanging personal information. The opportunities for criminals
to make money illegally, fast and without getting caught have grown with
the market. This article looks at one of the many aspects of fraud:
credit card abuse.

There are many more aspects worth mentioning, like identity theft and server
hacking for spam, which are connected but would be too much to cover here.

Credit card abuse is a serious threat for every online merchant and has one
simple, major motive: turning a stolen number into real cash for the criminal.
Depending on the contract a merchant has with the credit card processing company,
that cash could ultimately come out of the pockets of the merchant.

Wikipedia has a very detailed article about the responsibilities of merchants
and credit card companies: http://en.wikipedia.org/wiki/Credit_card_fraud
which leads to a whole world of information.

The essence is: studies from 2006 show a seven percent fraud rate for online transactions,
and even if you have a good contract with your credit card processor, high fraud
rates could get you in trouble — ultimately with Visa and MasterCard,
which might ask or force the processors to end your contract.

In the past years — while running our download marketplace “tradebit.com” — we had
several attacks by criminals who wanted to use our platform as a tool for their
criminal activity. As programmers we have worked hard to come up with an
additional layer of security and more indicators to recognize fraud. In the hope
that some of our ideas help others, we want to share them here. The ideas are
especially helpful for service (like hosting), software and membership sites.

We took the idea behind email spam filters and thought of indicators that would
“hand out points” for certain activity and raise a flag once a transaction
receives enough points.

Here are some of them:

a) Repeated use of the same card within a short time frame

In a process called “carding,” the criminal first tests the stolen card number
and, if that transaction goes through, quickly makes a second one to get
additional value out of the stolen card.

b) Browser language and IP location

Credit card thieves use so-called “open proxies,” servers which hide the user's
original IP address so he can surf the Web without revealing his real location.

To identify such usage, a combined set of data has to be built and used. On the
one hand you need a database of IPs and their assigned locations. These databases
can be bought online (e.g. www.ip2location.com or www.maxmind.com), work fine with
MySQL and PHP and are fast. Additionally there are services aimed at hackers which
collect open proxies specifically for fraud or hacking. It makes sense to sign up
to these services yourself and obtain the current list of open proxies, like
http://www.xroxy.com/proxylist.htm.

To bring that data together we have added a step to our basket process that
checks the browser language, the location of the IP address the user is on and
whether that IP address is already known as a proxy.
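The basket step described above combines three lookups: the country of the IP address, the browser's primary language, and whether the IP appears on an imported open-proxy list. The following is an added example of that step, not code from Tradebit or from this article; the IP range table, the proxy list and the language-to-country map are constructed stand-ins (the addresses are RFC 5737 documentation ranges with made-up countries) for the commercial geolocation database and proxy feed the text mentions. It parses the Accept-Language header by q-value rather than list order, and reports a mismatch only when both sides are actually known.

```python
import ipaddress
from typing import Optional

# Constructed excerpt of an IP-to-country table. A commercial database such as
# ip2location or MaxMind holds millions of such rows; these are documentation
# ranges (RFC 5737) with made-up countries.
IP_RANGES = [
    ("203.0.113.0", "203.0.113.255", "DE"),
    ("198.51.100.0", "198.51.100.255", "US"),
    ("192.0.2.0", "192.0.2.255", "RU"),
]

# Constructed excerpt of an imported open-proxy list.
OPEN_PROXIES = {"192.0.2.77", "198.51.100.200"}

# Countries in which a given browser language is unremarkable (constructed and
# deliberately coarse; a real table would be tuned on your own customer base).
LANGUAGE_COUNTRIES = {
    "de": {"DE", "AT", "CH"},
    "en": {"US", "GB", "CA", "AU", "IE", "NZ"},
    "ru": {"RU", "BY", "KZ"},
}


def country_for_ip(ip: str) -> Optional[str]:
    """Look the address up in the range table; None if it is not covered."""
    addr = ipaddress.ip_address(ip)
    for first, last, cc in IP_RANGES:
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return cc
    return None


def primary_language(accept_language: str) -> Optional[str]:
    """Return the highest-weighted primary language ("de-AT;q=0.8" -> "de")
    from an Accept-Language header, honouring q-values rather than list order."""
    best, best_q = None, -1.0
    for part in accept_language.split(","):
        tag, _, params = part.strip().partition(";")
        q = 1.0
        for p in params.split(";"):
            p = p.strip()
            if p.startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0  # malformed weight: rank it last
        lang = tag.strip().lower().split("-")[0]
        if lang and q > best_q:
            best, best_q = lang, q
    return best


def check_origin(ip: str, accept_language: str) -> dict:
    """Combine the three lookups the basket step performs into one verdict."""
    cc = country_for_ip(ip)
    lang = primary_language(accept_language)
    expected = LANGUAGE_COUNTRIES.get(lang, set())
    # Only call it a mismatch when both the country and the language are known.
    mismatch = cc is not None and bool(expected) and cc not in expected
    return {
        "country": cc,
        "language": lang,
        "language_mismatch": mismatch,
        "open_proxy": ip in OPEN_PROXIES,
    }


if __name__ == "__main__":
    # German-language browser coming out of a listed proxy in a "RU" range.
    print(check_origin("192.0.2.77", "de-DE,de;q=0.9,en;q=0.8"))
    # German-language browser from a German range: nothing to report.
    print(check_origin("203.0.113.10", "de-DE,de;q=0.9"))
```

An unknown IP or an empty Accept-Language header produces no mismatch at all, so a gap in the geolocation table does not by itself push a legitimate order towards the flag threshold.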

c) Browser Footprint

Any browser transmits certain information about itself to the site it is using.
This includes information like:

. Browser brand (like Chrome, IE, Firefox)
. Version
. Operating system
. Flash enabled
. JavaScript enabled
. Potential plug-ins
. Primary language, secondary language (if present)
. Resolution
. Etc.

This data can be consolidated into a single checksum which is amazingly diverse
among hundreds of thousands of users. For example, we have more than 150,000 unique visits
on Tradebit and see around 10,000 different browser checksums. That browser footprint
can (and should) be used to gather additional information on transactions.

Test your browser footprint:
http://www.ampersand.com/blog/2010/01/28/yikes-my-browser-footprint-is-unique/
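The following is an added example of turning the fields listed above into one checksum; it is not code from Tradebit or from this article. Header fields come straight from the request, while resolution, plug-ins, JavaScript and Flash are assumed to have been collected by a small client-side script and posted with the basket form (an assumption, not something the article specifies). The point of the example is canonicalization: plug-in order and stray whitespace must not split one browser into two footprints, while a single real change (Flash switched off) must. The sample visits are constructed.

```python
import hashlib

# Fields that make up the footprint, in a fixed order so the checksum does not
# depend on how the dict was assembled.
FOOTPRINT_FIELDS = (
    "user_agent",
    "accept_language",
    "accept_encoding",
    "screen_resolution",
    "timezone_offset",
    "plugins",
    "javascript",
    "flash",
)


def _normalize(field: str, value) -> str:
    """Canonicalize one field so cosmetic differences do not split a footprint."""
    if value is None:
        return ""
    if field == "plugins":
        # Browsers report plug-ins in varying order; sort them.
        return ",".join(sorted(p.strip().lower() for p in value))
    if isinstance(value, bool):
        return "1" if value else "0"
    return " ".join(str(value).split()).lower()


def browser_footprint(client: dict) -> str:
    """SHA-256 over the canonical field string; this is the checksum stored per visit."""
    canonical = "\x1f".join(
        f"{field}={_normalize(field, client.get(field))}" for field in FOOTPRINT_FIELDS
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def footprint_stats(visits) -> dict:
    """How diverse the footprints are: distinct count and the biggest cluster."""
    counts = {}
    for client in visits:
        fp = browser_footprint(client)
        counts[fp] = counts.get(fp, 0) + 1
    return {
        "visits": len(visits),
        "distinct": len(counts),
        "largest_cluster": max(counts.values(), default=0),
    }


def footprints_with_many_cards(transactions, max_cards: int = 2) -> dict:
    """Footprints that paid with more than max_cards distinct card tokens: the
    kind of extra signal a footprint can contribute to a transaction.
    transactions: iterable of (client_dict, card_token); tokens, never raw numbers."""
    cards = {}
    for client, token in transactions:
        cards.setdefault(browser_footprint(client), set()).add(token)
    return {fp: sorted(t) for fp, t in cards.items() if len(t) > max_cards}


# Constructed sample visits.
VISIT_A = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1) Chrome/8.0",
    "accept_language": "de-DE,de;q=0.9",
    "accept_encoding": "gzip, deflate",
    "screen_resolution": "1280x800",
    "timezone_offset": -60,
    "plugins": ["Shockwave Flash", "QuickTime"],
    "javascript": True,
    "flash": True,
}
# Same browser, plug-ins listed in a different order and extra whitespace in the UA.
VISIT_A2 = dict(VISIT_A, plugins=["QuickTime", "Shockwave Flash"],
                user_agent="Mozilla/5.0  (Windows NT 6.1) Chrome/8.0")
# Same browser but Flash disabled.
VISIT_B = dict(VISIT_A, flash=False)

if __name__ == "__main__":
    print(browser_footprint(VISIT_A) == browser_footprint(VISIT_A2))
    print(footprint_stats([VISIT_A, VISIT_A2, VISIT_B]))
```

The separator byte between fields keeps two different field combinations from producing the same canonical string; the field names are included so an empty value in one field cannot be confused with an empty value in another.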

d) Same IP, different data

Even with a lot of sales, it is very unlikely that you will get many transactions
from one single IP within 2 – 3 hours. If you have more than one transaction from a
single IP with different customer data, it is worthwhile to check out that transaction and
the IP it is coming from.
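Indicators a) and d) are both velocity checks over recent transaction history, one keyed on the card and one on the IP address, so a single added example covers both; it is not code from Tradebit or from this article. The history below is constructed: a card is tested, reused twenty minutes later from the same IP under a different customer identity, and an unrelated order arrives from that IP a day later. The one-hour and three-hour windows are assumptions (the text gives 2 – 3 hours for the IP rule and "a short time frame" for the card rule). Only an irreversible token of the card number is stored, never the number itself.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Set


@dataclass(frozen=True)
class Transaction:
    at: datetime
    card_token: str   # irreversible token of the card number, never the PAN itself
    ip: str
    customer: str     # normalized customer identity, e.g. name plus billing address


def card_token(pan: str) -> str:
    """Stand-in for a vault token or keyed hash; the raw number is not kept."""
    return hashlib.sha256(pan.encode("utf-8")).hexdigest()[:16]


def _in_window(h: Transaction, tx: Transaction, window: timedelta) -> bool:
    """Strictly earlier than tx and no older than the window."""
    return tx.at - window <= h.at < tx.at


def repeated_card(history: Iterable[Transaction], tx: Transaction,
                  window: timedelta = timedelta(hours=1)) -> int:
    """Indicator a): earlier transactions on the same card inside the window."""
    return sum(1 for h in history
               if h.card_token == tx.card_token and _in_window(h, tx, window))


def other_customers_on_ip(history: Iterable[Transaction], tx: Transaction,
                          window: timedelta = timedelta(hours=3)) -> Set[str]:
    """Indicator d): distinct *other* customer identities seen from this IP in the window."""
    return {h.customer for h in history
            if h.ip == tx.ip and h.customer != tx.customer and _in_window(h, tx, window)}


def velocity_signals(history, tx) -> dict:
    """Boolean signals for the point-scoring step, plus the raw evidence for review."""
    reps = repeated_card(history, tx)
    others = other_customers_on_ip(history, tx)
    return {
        "card_reused_within_window": reps > 0,
        "same_ip_other_customer": len(others) > 0,
        "repeat_count": reps,
        "other_customers": sorted(others),
    }


# Constructed history (the card numbers are well-known test numbers, not live cards).
T0 = datetime(2010, 11, 10, 14, 0)
TOKEN = card_token("4111111111111111")
HISTORY = [
    Transaction(T0, TOKEN, "192.0.2.77", "a. mueller / berlin"),
    Transaction(T0 + timedelta(minutes=20), TOKEN, "192.0.2.77", "j. smith / ohio"),
    Transaction(T0 + timedelta(days=1), card_token("5555555555554444"),
                "192.0.2.77", "m. rossi / milan"),
]

if __name__ == "__main__":
    print(velocity_signals(HISTORY, HISTORY[1]))   # the quick reuse: both rules fire
    print(velocity_signals(HISTORY, HISTORY[2]))   # a day later: nothing fires
```

The history may contain the transaction being scored itself; the strict `h.at < tx.at` comparison keeps it from counting as its own repeat.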

e) Project Honeypot and others

There are a few free services which help to monitor additional signals for fraud.
One of them is www.projecthoneypot.org: forum spammers and credit card fraudsters
partially use the same servers to drive their attacks. Project Honeypot offers a
DNS service which you query with a specific domain name containing the
reverse-encoded IP address, and the name server's answer tells you the fraud
probability of that IP.
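The following is an added example, not code from Tradebit or from this article, of the two pieces of the Project Honeypot check: building the reverse-encoded query name and decoding the answer. The query-name and answer layout (key, reversed octets, the `dnsbl.httpbl.org` zone; answer `127.<days since last activity>.<threat score>.<visitor type bits>`) follow Project Honeypot's published http:BL API; the access key is a placeholder and the DNS lookup itself is left out so the block runs offline on a constructed answer. Since this is the last of the indicators, the block also carries the spam-filter style scoring the article describes at the start: each indicator that fires contributes points and the transaction is flagged once the total reaches a threshold. The point values and threshold are constructed for illustration.

```python
import ipaddress
from typing import Optional

HTTPBL_ZONE = "dnsbl.httpbl.org"
# Visitor-type bits carried in the last octet of an http:BL answer.
VISITOR_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def httpbl_query_name(ip: str, access_key: str) -> str:
    """Name to resolve: <key>.<octets reversed>.dnsbl.httpbl.org.
    http:BL lists IPv4 addresses only, so IPv6 input is rejected here."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def decode_httpbl_answer(answer: Optional[str]) -> Optional[dict]:
    """Decode the A record 127.<days since last activity>.<threat score>.<type>.
    answer is None when the lookup returned NXDOMAIN, i.e. the IP is not listed."""
    if answer is None:
        return None
    first, days, threat, vtype = (int(x) for x in answer.split("."))
    if first != 127:
        raise ValueError("not an http:BL answer: " + answer)
    if vtype == 0:
        types = ["search engine"]
    else:
        types = [name for bit, name in VISITOR_TYPES.items() if vtype & bit]
    return {"days_since_last_activity": days, "threat_score": threat, "types": types}


def httpbl_is_hostile(info: Optional[dict], max_age_days: int = 30,
                      min_threat: int = 10) -> bool:
    """Count only recent, non-search-engine listings above a threat score as a hit."""
    if info is None or "search engine" in info["types"]:
        return False
    return info["days_since_last_activity"] <= max_age_days and info["threat_score"] >= min_threat


# Spam-filter style scoring: each indicator that fires contributes its points;
# the transaction is flagged for manual review once the total reaches the
# threshold. Values are constructed and should be tuned on your own chargebacks.
RULE_POINTS = {
    "card_reused_within_window": 40,    # a)
    "language_ip_mismatch": 20,         # b)
    "open_proxy": 35,                   # b)
    "shared_footprint_many_cards": 30,  # c)
    "same_ip_other_customer": 30,       # d)
    "httpbl_listed": 25,                # e)
}
FLAG_THRESHOLD = 50


def score_transaction(signals: dict) -> dict:
    """signals maps rule name -> bool; unknown rule names score nothing."""
    fired = sorted(name for name, hit in signals.items() if hit and name in RULE_POINTS)
    points = sum(RULE_POINTS[name] for name in fired)
    return {"points": points, "fired": fired, "flagged": points >= FLAG_THRESHOLD}


if __name__ == "__main__":
    print(httpbl_query_name("192.0.2.77", "yourhttpblkey"))   # key is a placeholder
    # Constructed answer: seen 3 days ago, threat 45, suspicious + comment spammer.
    info = decode_httpbl_answer("127.3.45.5")
    print(score_transaction({"httpbl_listed": httpbl_is_hostile(info), "open_proxy": True}))
```

Treating a listing as a hit only when it is recent and above a minimum threat score keeps a stale entry from one spam run years ago from tipping an order on its own; it still adds up with the other indicators, which is the whole idea of the points scheme.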

There are many more little things you can do to limit the attacks of criminals
on your services. The bad news about some of these steps is the shift to
IPv6 in the upcoming months: most of the really useful tools (like geolocation
or proxy detection) will simply stop working and urgently need to be updated.

The big task for us webmasters and online merchants will be to make the Web
a safe and clean place together. In my opinion this cannot be done by governments
or big brands like Google, Microsoft or PayPal. We all must do that together in
“networking style”: independently and decentralized. I hope this article gives
you some good ideas on how to prevent criminal activity on your sites!


Ralf Schwoebel is the founder and chief executive at Tradebit Inc.