| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4AB8A54F.2030301@propergander.org.uk> Date: Tue, 22 Sep 2009 11:22:07 +0100 From: mrx <mrx@...pergander.org.uk> To: full-disclosure@...ts.grok.org.uk Subject: Re: Chargebacks and credit card frauds Steven Anders wrote: > Hi everyone, > > I work as an engineer at an online company that sells online > subscription service for online tool. We accept orders online using > credit cards numbers and we use Authorize.net to process credit card > payments. > > Our standard operating procedure for online orders are: normal checks > are check for billing address and IP address , - we make sure the > billing address is a match and the IP address geo location is good > (meaning, it is pretty close to the billing city or state). We use a > service called MaxMind and we check to make sure that the IP address > geo location is in proximity to the billing address. From our > experience, another big red flag is if the IP is from a proxy server, > or from web hosting company (could be SSH tunnelling), or outside USA > ( Russia, Estonia, China, etc ) > > If these checks throw a red flag, we will call the person to confirm > the order. With this process, we pretty much has very low fraud rate. > > Lately, in past couple months, we've been receiving a lot of orders > that bypass all these checks without any glitch. The AVS (Address > verification service pass) checks for the billing addresses and the IP > addresses are good (in proximity to the billing address). The IP > addresses are near the billing addresses (for example: billing address > is Chicago, IL and the IP address is > Evanston, IL - a couple miles from Chicago). > > Only a few weeks later, we have an influx of chargebacks and phone > calls from the original owners of the credit cards, since these people > never ordered it - and they are all fraudulent orders. The only > similar patterns in all these orders is that: > 1) they use free email accounts (from Yahoo , Hotmail, etc) . > 2) All the IPs are from ISPs such as Sbcglobal, Comcast, Cox > Communications, etc . > > My big question is: I know there are all kinds of ways people could > obtain stolen credit card numbers, and their billing addresses, and so > forth. > > But. I was wondering: > > 1. how do they place the orders using all the legit IPs - since all > the IPs are from Sbcglobal , Cox communications, and all the other > major ISPs near the billing addresses. Could it be that they actually > took control of the PCs and then steal the credit card, and then place > the order remotely from the controlled PC? > > 2. Any insights on how these fraudsters obtain the stolen credit card > numbers? > > I am now tasked with improving our backend checks to make sure we > don't have any more fraudulent order, and would appreciate any pointer > or insights into this matter. Any theories, insights, or information > would be very useful. > > Thank you all for your time in advance. > steve Send a hard copy authorisation code to access the online tool to the registered physical address of the card holder. Debit the card the moment the customer logs in/uses the tool with the supplied auth code. However this obviously removes any instant access to the tool, and incurs extra overheads. As such may have an adverse effect on your business model. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists