If you are accepting online orders and would like to greatly reduce your exposure to credit card fraud and check fraud, implementing protective measures can reduce online fraud by approximately 80%. If you would like to have access to more tools and techniques to further reduce and automate this fraud prevention, please consider becoming a member of AntiFraud.Com
The Internet is the perfect environment for every crook, thief, and pickpocket to ply their trade with almost complete anonymity. Being in the online software business, I have seen a tremendous increase in fraudulent purchases made with stolen credit card information. In many cases, the thief has more complete and current information about the actual cardholder than the credit card company. In some cases, credit card numbers that receive an approval number turn out to be totally fictitious numbers -- based on the algorithm used to produce authentic numbers.
I recently formed an alliance with a large merchant account provider specializing in providing credit card merchant accounts for Internet and Home-Based businesses. Through working closely with the credit card companies and other online merchants, I know the bottom line is this: You, as a merchant, are the one who is going to get stiffed! The cardholder is not responsible for more than $50 of fraudulent purchases. The issuing bank of a stolen credit card really doesn't care because they will simply charge the merchant back for any fraudulent purchases, plus a $10-$15 charge back fee. In fact, the issuing banks actually make $50 on these situations. They get the $50 from the cardholder, then they charge back each and every merchant for all the fraudulent charges.
So why is this situation getting so bad? Technology! Yes, the very same technology that allows us to have a profitable online business also allows others to rip us off. The advent of free, web-based, non-ISP e-mail addresses such as @hotmail.com, @usa.net, @juno.com and the hundreds of e-mail forwarding addresses afford a credit card thief a perfect veil to hide behind. The free e-mail addresses can't be traced back to the real owner;it usually takes a court order to get an e-mail forwarding service to disclose customer information. For those of us in the software, subscription or membership business, the e-mail address is the only point of contact we have. That address is where our products are shipped.
To make matters worse, there are now underground software programs available that can generate an unlimited number of mathmaticaly valid, yet fictitious credit card numbers. Combine that with complete anonymity and it spells big trouble for any business conducting online commerce. In addition, there are newsgroups out there that actually post stolen credit card data. So someone picks your pocket now and ten minutes later all your data is available world-wide.
So, what can you, as a merchant, do to protect yourself -- short of not accepting online credit card orders? Over the last few month, my company has had to establish certain procedures for all online orders:
1. No order is accepted unless complete information is provided including full address and phone numbers.
2. We no longer accept any order originating from a free, web-based, or e-mail forwarding address -- the customer must provide an ISP or domain based address: one that can be traced back to a "real" person.
3. Since the list of these types of e-mail addresses is growing daily, we check every e-mail address by going to a browser and putting a www in front of the domain. Try this with joesmith@cyberdude.com -- you will see that www.cyberdude.com puts you on I-names' (150+ free e-mail domains) homepage. We don't accept orders unless the e-mail/domain is a legitimate website or ISP -- something that can provide definitive identification of the e-mail address in question. This method is not fool-proof. When in doubt, go to step number 4.
4. If in doubt, we call the phone number listed on the order. We have alerted many cardholders that their card information was being used by making this phone call. On the other hand, the party on the other end may have never heard of the "customer." This results in a call to the issuing bank of the credit card to alert their fraud department.
5. We use the HTTP_USER_AGENT and REMOTE_ADDR code on all our order forms. This line works with most form handlers such as FormMail, cgiemail and others. The exact syntax varies with the form handler, but it provides information about the computer used to send the order, including the IP address. The IP address can then be traced to its owner -- usually an ISP. You can then contact the ISP System Administrator and inform them of the illegal activity. Members of AntiFraud.com are provided an automatied way to do this. Check the documentation for your particular form handler or cgi script for implementation of this input field.
6. Virtual Checks -- we receive a great number of orders via online virtual checks. While this has greatly increased our sales, the same cautions prevail. Having been burnt a few times, we now call the account holder's bank and verify the account number, account holder's name and current funds to clear the check before processing the order.
The Internet is the perfect environment for every crook, thief, and pickpocket to ply their trade with almost complete anonymity. Being in the online software business, I have seen a tremendous increase in fraudulent purchases made with stolen credit card information. In many cases, the thief has more complete and current information about the actual cardholder than the credit card company. In some cases, credit card numbers that receive an approval number turn out to be totally fictitious numbers -- based on the algorithm used to produce authentic numbers.I recently formed an alliance with a large merchant account provider specializing in providing credit card merchant accounts for Internet and Home-Based businesses. Through working closely with the credit card companies and other online merchants, I know the bottom line is this: You, as a merchant, are the one who is going to get stiffed! The cardholder is not responsible for more than $50 of fraudulent purchases. The issuing bank of a stolen credit card really doesn't care because they will simply charge the merchant back for any fraudulent purchases, plus a $10-$15 charge back fee. In fact, the issuing banks actually make $50 on these situations. They get the $50 from the cardholder, then they charge back each and every merchant for all the fraudulent charges.
So why is this situation getting so bad? Technology! Yes, the very same technology that allows us to have a profitable online business also allows others to rip us off. The advent of free, web-based, non-ISP e-mail addresses such as @hotmail.com, @usa.net, @juno.com and the hundreds of e-mail forwarding addresses afford a credit card thief a perfect veil to hide behind. The free e-mail addresses can't be traced back to the real owner;it usually takes a court order to get an e-mail forwarding service to disclose customer information. For those of us in the software, subscription or membership business, the e-mail address is the only point of contact we have. That address is where our products are shipped.
To make matters worse, there are now underground software programs available that can generate an unlimited number of mathmaticaly valid, yet fictitious credit card numbers. Combine that with complete anonymity and it spells big trouble for any business conducting online commerce. In addition, there are newsgroups out there that actually post stolen credit card data. So someone picks your pocket now and ten minutes later all your data is available world-wide.
So, what can you, as a merchant, do to protect yourself -- short of not accepting online credit card orders? Over the last few month, my company has had to establish certain procedures for all online orders:
1. No order is accepted unless complete information is provided including full address and phone numbers.
2. We no longer accept any order originating from a free, web-based, or e-mail forwarding address -- the customer must provide an ISP or domain based address: one that can be traced back to a "real" person.
3. Since the list of these types of e-mail addresses is growing daily, we check every e-mail address by going to a browser and putting a www in front of the domain. Try this with joesmith@cyberdude.com -- you will see that www.cyberdude.com puts you on I-names' (150+ free e-mail domains) homepage. We don't accept orders unless the e-mail/domain is a legitimate website or ISP -- something that can provide definitive identification of the e-mail address in question. This method is not fool-proof. When in doubt, go to step number 4.
4. If in doubt, we call the phone number listed on the order. We have alerted many cardholders that their card information was being used by making this phone call. On the other hand, the party on the other end may have never heard of the "customer." This results in a call to the issuing bank of the credit card to alert their fraud department.
5. We use the HTTP_USER_AGENT and REMOTE_ADDR code on all our order forms. This line works with most form handlers such as FormMail, cgiemail and others. The exact syntax varies with the form handler, but it provides information about the computer used to send the order, including the IP address. The IP address can then be traced to its owner -- usually an ISP. You can then contact the ISP System Administrator and inform them of the illegal activity. Members of AntiFraud.com are provided an automatied way to do this. Check the documentation for your particular form handler or cgi script for implementation of this input field.
6. Virtual Checks -- we receive a great number of orders via online virtual checks. While this has greatly increased our sales, the same cautions prevail. Having been burnt a few times, we now call the account holder's bank and verify the account number, account holder's name and current funds to clear the check before processing the order.
No comments:
Post a Comment