Preventing online credit card fraud

P

In this post, I’ll go into detail on how to prevent online transaction card fraud by building a fingerprint of a user and doing some research (which any programmer can automate.) Some of these tips will be incredibly obvious, some of them won’t be so obvious. It’s a rather exhaustive and extensive process that can only be done manually if your transaction volume is low, but trivial to automate and analyze for any junior-level developer.

When you hit the research phase of the fingerprint, I’ll have a score associated with how severe it is. 1 is bad, 2 is very bad, 3 is very very bad, 4 is very very very bad, and 5 is cancel the transaction now.

Setting up your processor

For most optimal prevention, validate billing addresses within your processor, even if you don’t need to. If it hurts your conversion rate, figure out a way to make it not hurt your conversion rate (or, you know, do the math)

building a fingerprint

You may be thinking, “but they can clear the cookies”; try something like Treaty.io to get a device/cross-browser fingerprint and store that in your database. Treaty.io is very, very good; it’s not perfect, but it works, and it’s better than cookies. If you really care about preventing fraud, the level of effort to implement is worth it (not like it’s difficult, anyway.)

For each visit,

  • Log and store the initial referrer and every page that’s visited. Log and store the IP addresses (yes, multiple), and user agents (yes, multiple)
  • If the user is on an order process or checkout page, log and store what buttons they click and what inputs they click, along with an associated timestamp of when the click occurred. Hint:┬áCarders FLY through checkout forms because they’ve done it so much.
  • When the user enters data on your forms, log and store (on blur, for example) every email address, billing address, BIN of the card (first 6 digits), type (credit, debit), brand (AMEX, Visa); your processor’s API should be able to provide you this info. Log and store every change in billing address on form submit, too (because you validated them)
  • If you’re shipping a physical product, don’t ship to non-billing. If you insist on doing so, don’t ship to a different state of the billing address. But again, if you insist on doing so, make sure there are no other red flags.

 

The research

BINs

If you have multiple BINs, check them. If they’re different, that’s a bad sign. If they’re associated with different institutions, that’s a bad sign. (1)

If you have multiple BINs, if each card is a debit card and the BINs differ, that’s a bad sign. It’s unlikely that a person has multiple banks. (2)

Billing addresses

If you have multiple and they’re from different states, that’s quite a bad sign (3).

Check the address against something like Zillow. If one billing address is an apartment in Detroit, and the other is a house in Beverly Hills, that’s a red flag and you should immediately cancel that transaction. (5)

IP addresses

Check each IP against blacklists; Google it to see if there are any known proxy associated with it. If they’re blacklisted or are on Google for a proxy search result, that’s a very bad sign. (3)

Do a lookup on the IP, get the ASIN and see who it belongs to; if it’s from a hosting company or VPN, that’s a very bad sign. (3)

Perform geolocation (though not necessarily entirely accurate) against the request IP; see if it’s relative to the billing address you verified. The score of this depends on the nature of your business; if you’re selling a product that appeals to travellers, they might be traveling. (1.5)

The chances of a valid transaction having a desktop user agent and their request is coming from a mobile network (such as TMobile or Verizon or Sprint) is very, very rare and is a very, very bad sign. (4.25)

Email addresses

Check email addresses against blacklists (2), fraud reports (4). If they appear, that’s a bad sign.

Check email addresses against Facebook/Twitter/LinkedIn. If they don’t exist, that’s kind of a bad sign but ultimately depends on what you’re selling, really. (1, 2)

If it’s a very generic email (coolballer1@gmail.com), that’s a bad sign. (1.5, honestly)

Conclusion

It’s easy to just say don’t trust anyone. It’s also easy to say don’t accept anything but something like Bitcoin or cash equivalent. Obviously, in 2018, those aren’t options.

Patterns amongst carders exist, and they’re relatively trivial to detect if you’re keen on what their goals are and how they think. Creating such a fingerprint such as we did here is, at the very least, a great step in early detection of fraudulent transactions. Of course, patterns vary depending on who you’re selling to and what you’re selling, but this outline will serve as a blanket for 95% of outlets that accept credit/debit card transactions online.

By Josh