Message-ID: <d6929c070909221136q581c6cd2n5d9240f1e097eabf@mail.gmail.com>
Date: Tue, 22 Sep 2009 11:36:16 -0700
From: Steven Anders <anderstev@...il.com>
To: Andrew Haninger <ahaning@...dspring.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Chargebacks and credit card frauds

Thanks, Andrew, for the suggestion.
Yes, it does make sense to do all the checks you described. These days, as a
manual process, we just make a phone call and send a follow-up email.
We ask for a copy of the credit card to be faxed and a proof of ID. Many
times the fraudsters reply with very "bad English" - sometimes it is
funny.
And you're right - a lot of the orders are placed during non-working hours.


On Mon, Sep 21, 2009 at 10:29 PM, Andrew Haninger <ahaning@...dspring.com> wrote:

> On Tue, Sep 22, 2009 at 12:26 AM, Steven Anders <anderstev@...il.com>
> wrote:
> > I am now tasked with improving our backend checks to make sure we don't
> > have any more fraudulent orders, and would appreciate any pointers or
> > insights into this matter. Any theories, insights, or information would
> > be very useful.
> I have three ideas. Two are quite complicated and the other a little
> simpler. None are fraud-proof. Some may be impractical if your work is
> being done "after the fact".
>
> 1) Have a robot call or text the customer a CAPTCHA-type string to
> enter into a website.
>
> Workaround: Register a cell phone or VoIP number in the victim's area
> code and take the call. You could possibly require a hard-wire
> landline, but those are becoming so uncommon that it would create
> trouble for many of your customers. And then there are those darned
> dialup users.
>
> Perhaps do this only after a first "offense". Though, I'm guessing
> fraudsters only use the accounts once and then avoid them.
>
> 2) Have a Flash or Java applet check for common remote desktop servers
> running on the ordering PC.
>
> Workaround: Disguise the server software as something harmless, if it
> isn't already.
>
> 3) Check to see if the order was placed outside normal waking hours or
> during normal working hours.
>
> Workaround: Not hard to work around, but might hassle the criminals.
>
> Andy
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
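The two checks that can actually be implemented server side, the off-hours heuristic (Andrew's idea 3) and an out-of-band one-time code that the customer must type back into the site (idea 1), sketched as an added example. This is not code from either poster; the region-to-UTC-offset table, the quiet window of 01:00-05:00 local time, the 6-digit code, the 5-minute expiry and the 3-guess limit are all assumptions. The sample order timestamp is constructed for illustration.

```python
# Added example (not from the thread). Two fraud-review checks from the
# discussion: an off-hours-at-the-billing-address heuristic and a one-time
# code challenge delivered by SMS or a voice robot and verified once.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed lookup: billing region -> UTC offset in hours (assumption).
# Fixed offsets ignore DST; production code would use zoneinfo instead.
REGION_UTC_OFFSET_H = {"US-CA": -7, "US-NY": -4, "GB": 1, "NG": 1}

# Constructed sample: an order arriving at 09:00 UTC, i.e. 02:00 in California.
SAMPLE_ORDER_UTC = datetime(2009, 9, 22, 9, 0, tzinfo=timezone.utc)


def local_hour(order_time_utc: datetime, region: str) -> int:
    """Hour of day (0-23) at the billing address when the order arrived."""
    if order_time_utc.tzinfo is None:
        raise ValueError("order timestamp must be timezone-aware")
    tz = timezone(timedelta(hours=REGION_UTC_OFFSET_H[region]))
    return order_time_utc.astimezone(tz).hour


def is_off_hours(order_time_utc: datetime, region: str,
                 quiet_start: int = 1, quiet_end: int = 5) -> bool:
    """True when the order lands inside [quiet_start, quiet_end) local time.
    A cheap signal only: as the thread notes, a fraudster can wait for morning."""
    return quiet_start <= local_hour(order_time_utc, region) < quiet_end


@dataclass
class Challenge:
    code_hash: bytes      # only a keyed hash of the code is kept server side
    expires_at: float
    attempts_left: int


class PhoneVerifier:
    """Issue a short code for out-of-band delivery and verify it exactly once.

    Codes expire, are single use and allow a bounded number of guesses, so a
    six-digit space cannot be brute-forced through the web form."""

    def __init__(self, server_key: bytes, ttl_s: int = 300,
                 max_attempts: int = 3, clock=time.time):
        self._key = server_key
        self._ttl = ttl_s
        self._max_attempts = max_attempts
        self._clock = clock          # injectable for testing
        self._pending = {}           # order_id -> Challenge

    def _hash(self, order_id: str, code: str) -> bytes:
        msg = f"{order_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, order_id: str) -> str:
        """Create a fresh code; the caller delivers it by SMS or a voice call."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[order_id] = Challenge(
            self._hash(order_id, code), self._clock() + self._ttl, self._max_attempts)
        return code

    def verify(self, order_id: str, submitted: str) -> bool:
        ch = self._pending.get(order_id)
        if ch is None:
            return False
        if self._clock() > ch.expires_at or ch.attempts_left <= 0:
            del self._pending[order_id]
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(self._hash(order_id, submitted), ch.code_hash)
        if ok or ch.attempts_left == 0:
            del self._pending[order_id]   # single use; drop exhausted challenges too
        return ok


def review_order(order_time_utc: datetime, region: str) -> str:
    """Turn the heuristic into an action for the back office."""
    return "phone_verify" if is_off_hours(order_time_utc, region) else "accept"


if __name__ == "__main__":
    print(review_order(SAMPLE_ORDER_UTC, "US-CA"))   # off-hours in California
    v = PhoneVerifier(secrets.token_bytes(32))
    code = v.issue("order-1")
    print("delivered code:", code, "verified:", v.verify("order-1", code))
```

The verifier stores only an HMAC of the code, compares with `hmac.compare_digest`, and deletes the challenge on success, expiry or the last failed guess; the off-hours check is deliberately kept as a signal that escalates to phone verification rather than a reject on its own.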