lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 21 Sep 2009 21:26:04 -0700
From: Steven Anders <anderstev@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Chargebacks and credit card frauds

Hi everyone,

  I work as an engineer at an online company that sells online subscription
service for online tool. We accept orders online using credit cards numbers
and we use Authorize.net to process credit card payments.

Our standard operating procedure for online orders are: normal checks are
check for billing address and IP address ,  - we make sure the billing
address is a match and the IP address geo location is good (meaning, it is
pretty close to the billing city or state). We use a service called MaxMind
and we check to make sure that the IP address geo location is in proximity
to the billing address. From our experience, another big red flag is if the
IP is from a proxy server, or from web hosting company (could be SSH
tunnelling), or outside USA ( Russia, Estonia, China, etc )

 If these checks throw a red flag, we will call the person to confirm the
order. With this process, we pretty much has very low fraud rate.

  Lately, in past couple months, we've been receiving a lot of orders that
bypass all these checks without any glitch. The AVS (Address verification
service pass) checks for the billing addresses and the IP addresses are good
(in proximity to the billing address). The IP addresses are near the billing
addresses (for example: billing address is Chicago, IL and the IP address is

Evanston, IL - a couple miles from Chicago).

Only a few weeks later, we have an influx of chargebacks and phone calls
from the original owners of the credit cards, since these people never
ordered it - and they are all fraudulent orders.  The only similar patterns
in all these orders is that:
  1)  they use free email accounts (from Yahoo , Hotmail, etc) .
  2) All the IPs are from ISPs such as Sbcglobal, Comcast, Cox
Communications, etc .

  My big question is: I know there are all kinds of ways people could obtain
stolen credit card numbers, and their billing addresses, and so forth.

 But. I was wondering:

1. how do they place the orders using all the legit IPs - since all the IPs
are from Sbcglobal  , Cox communications,  and all the other major ISPs near
the billing addresses.  Could it be that they actually took control of the
PCs and then steal the credit card, and then place the order remotely from
the controlled PC?

2. Any insights on how these fraudsters obtain the stolen credit card
numbers?

I am now tasked with improving our backend checks to make sure we don't have
any more fraudulent order, and would appreciate any pointer or insights into
this matter. Any theories, insights, or information would be very useful.

Thank you all for your time in advance.
steve

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ