[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f81ebf110909212229n737c1700l2b13899fdef8e2a8@mail.gmail.com>
Date: Tue, 22 Sep 2009 01:29:01 -0400
From: Andrew Haninger <ahaning@...dspring.com>
To: Steven Anders <anderstev@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Chargebacks and credit card frauds
On Tue, Sep 22, 2009 at 12:26 AM, Steven Anders <anderstev@...il.com> wrote:
> I am now tasked with improving our backend checks to make sure we don't have
> any more fraudulent order, and would appreciate any pointer or insights into
> this matter. Any theories, insights, or information would be very useful.
I have three ideas. Two are quite complicated and the other a little
simpler. None are fraud-proof. Some may be impractical if your work is
being done "after the fact".
1) Have a robot call or text the customer a CAPTCHA-type string to
enter into a website.
Workaround: Register a cell phone or VoIP number in the victim's area
code and take the call. You could possibly require a hard-wire
landline, but those are becoming so uncommon that it would create
trouble for many of your customers. And then there are those darned
dialup users.
Perhaps do this only after a first "offense". Though, I'm guessing
fraudsters only use the accounts once and then avoid them.
2) Have a Flash or Java applet check for common remote desktop servers
running on the ordering PC.
Workaround: Disguise the server software as something harmless, if it
isn't already.
3) Check to see if the order was placed outside normal waking hours or
during normal working hours.
Workaround: Not hard to work around, but might hassle the criminals.
Andy
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists