Online payment fraud is rampant. Whether it is because
it's easier to steal anonymously, or because tracking down
someone over the net and prosecuting them is difficult if
not impossible, online fraud hits everyone who takes
payments online.
The situation is even more problematic for digital products,
in which case credit-card companies or Paypal refuse to
provide any kind of seller protection. The reasoning behind
it is that digital product fraud does not result in actual
material loss, and that it's hard to prove delivery. Both are
false, but the situation stands as it is anyway.
As a marketplace for digital products, Binpress has been
hit by its share of online fraud. We used to accept both
Paypal and credit-card payments (through Stripe), and
both have been abused in various ways.
Fraud methods
Paypal
Paypal promotes itself as a more secure payment method
by removing the need to enter credit-card details online. In
reality, Paypal account credentials can be compromised
just as easily as credit-card details, and it still carries the
vulnerability of credit-card payments, since it accepts them
too (unless you disable that feature).
Credit-card transactions
Unauthorized transactions
An attacker will attempt to make an online payment using
credit-card information they have gotten hold of. The information
can start at only the card number, and extend to the expiry
date, CVC and even address details.
Unfortunately, confirmation of credit-card details across
banks is very inconsistent. Some banks do not even check
the expiry date or the CVC security code (!), while others
might return a false positive (it would have been better if they
had returned "not checked").
To make matters even worse, a bank might approve a
transaction even if some of the details were checked and
confirmed as incorrect. This attitude extends to some
payment gateways, which leave the decision up to the
bank and will not deny a transaction if some of the security
checks fail. (We use Stripe, by the way, which follows
this approach.)
Chargebacks on legit transactions
Similar to the Paypal
Fighting back
Recognizing fraud attempts
Before we can stop a fraud attempt, we must be able to
recognize it before we process the transaction.
There are some indicators which should be used to detect
fraud attempts, with several occurring at the same time
indicating a higher chance of fraud:
Client IP
The case of Paypal
We've mentioned one attack pattern that we haven't fully
addressed yet: use of a hijacked Paypal account to
make a payment.
While the same indicators apply, we have an additional
option to confirm legit account ownership by verifying
the Paypal account Email address.
The Email address (and the billing country, used for one of the
indicators) can be obtained before confirming the
purchase via the GetExpressCheckoutDetails API
operation (assuming you use the API; if you use the Buy
Now buttons, you are out of luck).
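The indicator scoring described under "Recognizing fraud attempts" and the Paypal account-email check above, combined into one pre-processing decision. This is an added example, not Binpress's own code; the Transaction fields, the check result vocabulary, the weights, the threshold and the high-risk country list are all assumptions you would replace with your gateway's actual responses and your own policy.

```python
from dataclasses import dataclass

# Assumed placeholder list; maintain your own based on your chargeback history.
HIGH_RISK_COUNTRIES = {"XX", "YY"}


@dataclass
class Transaction:
    """Constructed view of a pending payment; field names are assumptions."""
    method: str                 # "card" or "paypal"
    ip_country: str             # from a GeoIP lookup of the client IP
    billing_country: str        # card billing address, or GetExpressCheckoutDetails
    cvc_check: str = "unchecked"        # "pass" | "fail" | "unchecked"
    address_check: str = "unchecked"    # "pass" | "fail" | "unchecked"
    paypal_email_verified: bool = False  # buyer confirmed the Paypal account email


def risk_signals(tx: Transaction) -> list[tuple[str, int]]:
    """Return (indicator, weight) pairs that fired; weights add up (more = riskier)."""
    signals = []
    if tx.ip_country != tx.billing_country:
        signals.append(("ip_billing_country_mismatch", 30))
    if tx.ip_country in HIGH_RISK_COUNTRIES or tx.billing_country in HIGH_RISK_COUNTRIES:
        signals.append(("high_risk_country", 25))
    if tx.method == "card":
        # Banks are inconsistent: a check that never ran is not a pass, so
        # anything other than an explicit "pass" still costs some points.
        for name, result in (("cvc", tx.cvc_check), ("address", tx.address_check)):
            if result == "fail":
                signals.append((f"{name}_check_failed", 40))
            elif result != "pass":
                signals.append((f"{name}_not_checked", 10))
    elif tx.method == "paypal" and not tx.paypal_email_verified:
        # Hijacked-account pattern: ownership of the account was never confirmed.
        signals.append(("paypal_email_unverified", 50))
    return signals


def decide(tx: Transaction, threshold: int = 50) -> tuple[str, int]:
    """Accept below the threshold, otherwise hold the order for manual review."""
    score = sum(weight for _, weight in risk_signals(tx))
    return ("review" if score >= threshold else "accept"), score


if __name__ == "__main__":
    print(decide(Transaction("card", "FR", "US", cvc_check="fail")))
    print(decide(Transaction("paypal", "DE", "DE", paypal_email_verified=True)))
```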
This means implementing a process similar to the
following:
Buyer's remorse
The trickiest type of fraud to handle. If possible, always try
to obtain proof that the user has made the transaction
himself. If you ship physical goods, obtain proof of
successful shipment.
For digital goods you can try to ask for an
authorization Email or a declaration of purchase (using
digital signature services). Naturally, this process is not
appropriate for most websites, and in that case you will
most likely have to swallow the fraud as a loss.
Another factor is the originating country (if you serve an
international audience). High-risk countries are more prone
to this kind of fraud as well, which is one of the
reasons many services do not accept payments from such
countries.
Fraud detection services
If all of what I've described so far sounds like a pain, it's
because it is. If possible, I would suggest passing this
information to a proven fraud detection service, and relying
on their experience and expertise to increase your fraud
prevention success.
A fraud detection service might be provided by your
payment gateway. If not, or if you are not satisfied with it, I
personally recommend the Maxmind Minfraud service.
You might have noticed I've mentioned 2 Maxmind
services here, and it's not by accident (and no, it's not
because I was paid to promote them).
Bag it and tag it
So there you have it: a basic guide to knowing, detecting
and preventing the most common types of online fraud. If
you feel I missed something or have a question regarding
something I wrote, feel free to add your thoughts in the
comments.