Message-ID: <4AB88389.1000600@uplinklounge.com>
Date: Tue, 22 Sep 2009 03:58:01 -0400
From: Iadnah <iadnah@...inklounge.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Chargebacks and credit card frauds
Ummm.... have you ever heard of a botnet?
Steven Anders wrote:
> Hi everyone,
>
> I work as an engineer at an online company that sells an online
> subscription service for an online tool. We accept orders online using
> credit card numbers and we use Authorize.net to process credit card
> payments.
>
> Our standard operating procedure for online orders is: the normal checks
> are a check of the billing address and the IP address - we make sure the
> billing address is a match and the IP address geolocation is good
> (meaning it is pretty close to the billing city or state). We use a
> service called MaxMind and we check to make sure that the IP address
> geolocation is in proximity to the billing address. From our
> experience, another big red flag is if the IP is from a proxy server,
> or from a web hosting company (could be SSH tunnelling), or outside the USA
> (Russia, Estonia, China, etc.).
>
> If these checks throw a red flag, we will call the person to confirm
> the order. With this process, we pretty much have a very low fraud rate.
>
> Lately, in the past couple of months, we've been receiving a lot of orders
> that bypass all these checks without any glitch. The AVS (Address
> Verification Service) checks for the billing addresses pass, and the IP
> addresses are good (in proximity to the billing address). The IP
> addresses are near the billing addresses (for example: the billing address
> is Chicago, IL and the IP address is Evanston, IL - a couple of miles
> from Chicago).
>
> Only a few weeks later, we have an influx of chargebacks and phone
> calls from the original owners of the credit cards, since these people
> never ordered it - and they are all fraudulent orders. The only
> similar patterns in all these orders are:
> 1) They use free email accounts (from Yahoo, Hotmail, etc.).
> 2) All the IPs are from ISPs such as SBCGlobal, Comcast, Cox
> Communications, etc.
>
> My big question is: I know there are all kinds of ways people could
> obtain stolen credit card numbers, and their billing addresses, and so
> forth.
>
> But. I was wondering:
>
> 1. How do they place the orders using all the legit IPs - since all
> the IPs are from SBCGlobal, Cox Communications, and all the other
> major ISPs near the billing addresses? Could it be that they actually
> took control of the PCs, stole the credit card, and then placed
> the order remotely from the controlled PC?
>
> 2. Any insights on how these fraudsters obtain the stolen credit card
> numbers?
>
> I am now tasked with improving our backend checks to make sure we
> don't have any more fraudulent orders, and would appreciate any pointers
> or insights into this matter. Any theories, insights, or information
> would be very useful.
>
> Thank you all for your time in advance.
> steve
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
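The screening rules Steve describes (AVS match, IP geolocation close to the billing address, no proxy/hosting/non-US IP, with the free-mail pattern he observed on the fraudulent orders) can be written down as a small rule engine, which makes the reply's point concrete: an order placed from a compromised residential PC a few miles from the cardholder raises none of the flags that trigger a confirmation call. The code below is an added example, not code from the list post or from Authorize.net/MaxMind; the geo-IP table, the billing-city coordinates, the IP addresses and the 150 km proximity threshold are all constructed assumptions standing in for a real geolocation service.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Constructed stand-in for a geo-IP lookup (a real deployment would query a
# service such as MaxMind): ip -> (lat, lon, country, network_type)
GEOIP = {
    "198.51.100.23": (42.05, -87.69, "US", "residential"),  # Evanston, IL (constructed)
    "203.0.113.7":   (55.75, 37.62, "RU", "residential"),   # Moscow (constructed)
    "192.0.2.200":   (37.77, -122.42, "US", "hosting"),     # datacenter IP (constructed)
}
# Constructed billing-city coordinates used for the proximity check
BILLING_GEO = {"Chicago, IL": (41.88, -87.63), "Boston, MA": (42.36, -71.06)}
FREE_MAIL = {"yahoo.com", "hotmail.com", "gmail.com"}
MAX_DISTANCE_KM = 150.0  # assumption: what "in proximity to the billing address" means


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


@dataclass
class Order:
    ip: str
    billing_city: str
    avs_match: bool   # result already returned by the payment processor's AVS check
    email: str


def screen_order(order):
    """Return the red flags raised by the post's checks; an empty list means the order passes."""
    flags = []
    if not order.avs_match:
        flags.append("avs_mismatch")
    geo = GEOIP.get(order.ip)
    if geo is None:
        flags.append("ip_unknown")
        return flags
    lat, lon, country, net_type = geo
    if country != "US":
        flags.append("ip_outside_us")
    if net_type in ("proxy", "hosting"):
        flags.append("ip_" + net_type)
    if haversine_km((lat, lon), BILLING_GEO[order.billing_city]) > MAX_DISTANCE_KM:
        flags.append("ip_far_from_billing")
    # Observed on the fraudulent orders, but too common among legitimate
    # customers to act on by itself, so it is recorded and not escalated alone.
    if order.email.rsplit("@", 1)[-1].lower() in FREE_MAIL:
        flags.append("free_mail")
    return flags


def needs_callback(order):
    """True when the post's procedure would phone the customer before fulfilling."""
    return any(f != "free_mail" for f in screen_order(order))


if __name__ == "__main__":
    bypass = Order("198.51.100.23", "Chicago, IL", True, "someone@yahoo.com")
    print(screen_order(bypass), needs_callback(bypass))   # ['free_mail'] False
    flagged = Order("203.0.113.7", "Chicago, IL", True, "someone@example.com")
    print(screen_order(flagged), needs_callback(flagged))  # non-US and far away: True
```

The first order in the `__main__` block is the Chicago/Evanston case from the post: AVS matches, the IP is residential, in the US and about 20 km from the billing city, so the only thing recorded is the free-mail domain and no call is made. Every signal the procedure relies on is a property of the network location the order came from, which is exactly what a bot on the cardholder's own PC inherits; that is why these rules cannot distinguish that order from a genuine one.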