The danger of credit card fraud


demae
09-17-2002, 06:57 PM
A guy whom I've worked for in the past got majorly burned by credit card fraud recently. It makes one think.

I've never been very superstitious, but last Friday the 13th was one of the
worst days of my life. I was getting ready to wire funds from my business
account to e-Bullion to cover the August payout when I noticed that a large
sum of money had been deducted from the account by my credit card processor.

They told me that it was for charge backs due to stolen credit cards. What
that means is that people had their credit card numbers stolen and they were
used to purchase upgrades at BuildReferrals and their credit card company
then demanded the funds back. My credit card processor then deducts that
money from my account, along with a huge charge back fee of $20.00 per
transaction.

After some research I found that 91 accounts using over 100 stolen credit
cards had been created at BuildReferrals starting early August all with 1 to
5 Premier and SeeYouAgain upgrades each. Obviously this was to take
advantage of the fact that we started to pay renewal earnings for Premier
and SeeYouAgain last month. The cheater would make $20.00 per $39.90
transaction.

Five upgrades is the max he could do since we have a $200.00 max limit per
credit card per month and each upgrade was $39.90. However, between
refunding the charges, normal processing fees for the charges and charge
back fees, an enormous amount of money will be deducted from my business
account over the next few weeks.

In addition, due to the high number of charge backs and us being on thin
ground to begin with as an MLM company, I was told our credit card
processing would be terminated due to excessive risk.

Instead of continuing to collect money until processing is terminated, I
have cancelled our processing and stopped all recurring payments effective
immediately. If you had a monthly subscription to the Advantage it has been
cancelled and you will never be billed again.

The person who created these accounts used a static IP so at least we were
able to get some info on him. His IP is 212.80.166.163 and traces back to
Madrid, Spain. I cannot say that this is the person responsible for this
credit card fraud, but I can tell you it was his IP and that it is a static
IP. That IP was also used to create 25 bogus e-Bullion accounts.

We are working with e-Bullion to try and get as much information as we can
about this person and will turn it all over to the fraud departments at
Visa, MasterCard, Amex and Discover for prosecution.

Those of you who have been here from the beginning know that we upgraded and
improved the site almost on a weekly basis for nearly 2 years. That kind of
programming does not come cheap and has cost me all of my savings, caused me
to max out all of my credit cards and continually use all of the earnings I
received from the companies we list.

There were always bugs to fix or new things I wanted to add. I was happy
spending all I had because I knew one day when it was all done I would be
able to keep the $5,000 - $7,000 that I spent each month on programming and
would be able to start to profit from the company I had put my heart and
soul into for 2 years.

That time was finally here, all bugs were worked out and all upgrades were
completed with the HTML addition to the Autoresponder and Tell-a-Friend
feature. That's when I realized that I did not need the extra money from
Premier and SeeYouAgain renewals and decided to give that money back to the
Members last month. I also decided to make all the earnings retroactive
because I would now be making plenty of money and wanted to say thank you.

So I finally took Matt Haggstrom, our full-time programmer, off full-time pay
and told my wife for the one thousandth time that next month we would
actually have some money to start paying off our credit card bills.

Now that is all gone. Not only will I be broke, but I will have to borrow
money from my family to cover BuildReferrals expenses this month since I
will not be collecting any more payments. And after paying on time and in
full for nearly 2 years I will have to end with a black mark on my
reputation. I will not be able to pay August's earnings or any future
earnings.

So what does this mean for BuildReferrals? Well, I'm not about to cheat my
Members out of the upgrades they purchased, or all the time they have spent
advertising and supporting BuildReferrals. I will continue to run
BuildReferrals with some major changes:

1) BuildReferrals will now be 100% free. All current and new Members will
receive all of the Advantage and Premier features absolutely free. This
means no matter what upgrade you purchased, you get that upgrade, forever,
along with all our other upgrades.

* Those who paid for SeeYouAgain upgrades will continue to keep the
SeeYouAgain Shortcut for 1 year, which is what you purchased. But no further
SeeYouAgain Memberships will be given out.

* Advantage Plus Members will continue to receive all of your Advantage Plus
features, no one else will get those features and no other Advantage Plus
Memberships will be created. This means you all will continue to share the
extra traffic we provide which is over 1 million unique hits so far. By
making BuildReferrals free, your traffic should increase greatly from now
on. You will also be the only ones who can create the stars for the programs
you like the best. Basically you will get everything you had without having
to pay the monthly Advantage Membership to keep it.

2) I'm going to have to remove the popup feature. I will need to keep the
revenue from a popup and from a few mailings a month to be able to pay the
remaining operating expenses. I will use my earnings from the programs we
list to cover any additional monthly expenses.


All of these changes should be completed by Wednesday morning. I know that
this explanation will not be enough for many of you who had payments coming.
I know that many of you will now consider me just as bad as any internet
****mer out there because I was not able to pay you or continue with the
payout structure you had joined under.

I can only ask that you try to understand that I did not choose this. We
were the target of credit card fraud that will cost me most of the money
needed to pay earnings and has also cost us our ability to process credit
card payments. This means I cannot pay nor collect money. As a result the
program has to end or change. So I'm changing it.

However, all excuses aside, the reason you are not being paid and the reason
BuildReferrals has to change is because I was not a better business man. I
knew that we had much higher Premier and SeeYouAgain earnings in August and
September but I thought that was because of the announcement that we were
paying renewal earnings. I even mentioned it in last Thursday's update.

Maybe if I had been a bit more attentive I would have been able to catch
this much sooner, as I did a few months ago. Many of you will remember that
we had a cheater from Romania who created multiple accounts and we had to
re-run the payment script reducing many Members' earnings.

Those accounts were created with much less attention and easily discovered.
After we banned the IP for his country, we didn't have any problems in
future payouts and I guess I let my guard down.

These new accounts were created from a different country with much more
diligence and all information in their BuildReferrals account matched with
the information they entered for the credit card payments. He even entered
birth dates in many of the BuildReferrals accounts he created. The only link
was the IP address which my programmer was able to discover, albeit much too
late.

I know that 90% of you will actually be happy with this change, since that
is the percentage of our Membership that are free Members. But for those
Members who were owed earnings and those who are in any way upset over this
change, I offer my sincerest apologies. I can only hope that you can forgive
the mistakes I have made and can enjoy all the features BuildReferrals has
to offer free of charge from now on.

As I was raised to always find the good in the bad, we can now all look
forward to many new Members since all our features are now free. This will
mean lots of new referrals as all Members will now be able to join our fee
based programs like PlayCheckDirect and CASHevolution that were previously
only available to upgraded Members. All Members will also be able to join
CommissionJunction and our two casino programs, CasinoCoins and ReferBack.

With a lot of work, some luck, and support from you, I hope that we can turn
what would normally be a deadly blow, into the catalyst that launches
BuildReferrals' Membership size into the millions meaning increased revenue
generating referrals for all of you.

I would like to take a minute to thank my entire staff. Both of my
programmers, Matt Haggstrom and Joshua Chamas have agreed to work free of
charge from now on to fix any bugs that may come up with our current
programming. In addition, Bonnie Edgecomb, Nils-Helge Garli and Alissa
Johnson have all agreed to continue working their long hours for free as
well. I can't thank the BuildReferrals Team enough. Without their gracious
support, we would not have been able to continue.

I would also like to offer my email address, ceo@buildreferrals.com for all
those who are angry about these changes and non payment. I may not respond
to each one, but I promise to read them all in their entirety no matter how
harsh they may be. I know it will probably make many of you feel better to
be able to make your feelings known to the person responsible.


Sincerely,

<name snipped at author's request>
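The letter above describes many accounts and cards created from one static IP while every card stayed under the $200 monthly cap. As an added example (not part of the thread, and not BuildReferrals' code), here is a per-IP velocity check over payment records; the record fields, thresholds, card tokens and documentation-range IP addresses are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def cards_over_cap(payments, cap_cents=20000):
    """Cards whose total in a calendar month exceeds the per-card cap."""
    totals = Counter()
    for p in payments:
        totals[(p["card"], p["ts"].year, p["ts"].month)] += p["cents"]
    return sorted({card for (card, _, _), total in totals.items() if total > cap_cents})


def flag_shared_ips(payments, window=timedelta(days=30), max_accounts=3, max_cards=3):
    """Return {ip: (peak_accounts, peak_cards)} for every IP whose distinct
    account or card count inside any sliding window exceeds a threshold."""
    by_ip = defaultdict(list)
    for p in payments:
        by_ip[p["ip"]].append(p)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda p: p["ts"])
        accounts, cards = Counter(), Counter()
        peak_accounts = peak_cards = 0
        start = 0
        for ev in events:
            accounts[ev["account"]] += 1
            cards[ev["card"]] += 1
            # Drop events that fell out of the window ending at this event.
            while ev["ts"] - events[start]["ts"] > window:
                old = events[start]
                for counter, key in ((accounts, old["account"]), (cards, old["card"])):
                    counter[key] -= 1
                    if counter[key] == 0:
                        del counter[key]
                start += 1
            peak_accounts = max(peak_accounts, len(accounts))
            peak_cards = max(peak_cards, len(cards))
        if peak_accounts > max_accounts or peak_cards > max_cards:
            flagged[ip] = (peak_accounts, peak_cards)
    return flagged


def build_sample():
    """Constructed records: amounts in cents, card values are opaque tokens."""
    base = datetime(2002, 8, 1)
    rows = []
    # One address, six accounts, one card each, five $39.90 upgrades per card.
    for n in range(6):
        for k in range(5):
            rows.append({"ts": base + timedelta(days=n, hours=k), "ip": "203.0.113.7",
                         "account": f"acct-f{n}", "card": f"tok-f{n}", "cents": 3990})
    # Ordinary customers: one account and one card per address.
    for n in range(4):
        rows.append({"ts": base + timedelta(days=3 * n), "ip": f"198.51.100.{10 + n}",
                     "account": f"acct-c{n}", "card": f"tok-c{n}", "cents": 3990})
    # Two colleagues behind one office address stay below the thresholds.
    for n in range(2):
        rows.append({"ts": base + timedelta(days=5 + n), "ip": "192.0.2.20",
                     "account": f"acct-o{n}", "card": f"tok-o{n}", "cents": 3990})
    return rows


if __name__ == "__main__":
    sample = build_sample()
    print("cards over cap:", cards_over_cap(sample))
    for ip, (accounts, cards) in flag_shared_ips(sample).items():
        print(f"{ip}: {accounts} accounts, {cards} cards in one window")
```

No card in the sample exceeds the cap, so a per-card limit alone reports nothing; only the grouping by source address surfaces the cluster.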

OC
09-17-2002, 09:07 PM
:eek: Wow.

Czar
09-18-2002, 01:19 AM
Two weeks ago, someone booked a popunder campaign with me and submitted payment in full ($US6000) in advance using 2CheckOut.com.

The charge was processed successfully, suggesting that the card user knew that this card had a high level of balance availability, but triggered a few warning signs - particularly differences between the billing address and member address. Also, the buyer submitted bogus company details and a URL hosted on a free server.

Fortunately, both I and the staff over at 2CheckOut were able to flag the order shortly before it went live, and it was indeed found to be fraudulent.

If either of us did not catch things on time, the order may have started to propagate, in which case I'd be left out-of-pocket by having to pay publishers for impressions delivered and would have little-to-no recourse in terms of seeking retribution and/or damages without investing heavily on tracking this creep down.

Bottom line: It certainly is painful footing the bill for chargebacks and affiliate expenses related to fraud, but in an environment where the seller rarely sees the buyer, it's even easier to lose one's shirt by delivering goods of substantial value in response to an order that may at first seem legitimate. This risk is increased by the fact that many online sellers offer rapid turn-around and/or promotions such as free shipping in order to remain competitive.

I guess I can understand now why many banks still balk at providing merchant accounts, business loans and other high-risk products to dotcommers. This is all the more unfortunate when such privileges are revoked, taking away one's core channel of cash flow, as was the case with <the poster above>

OC
09-18-2002, 10:06 AM
Could this have been prevented if he would have inspected international orders more closely?

Czar
09-18-2002, 10:33 AM
Yes.

I'd suggest that the issue could have been all but eliminated were he using appropriate fraud detection systems and/or employing the use of a third-party processor.

It may not have stopped the rogue members from gaining access to the system, and may have still resulted in his footing the bill in regards to the chargebacks/refunds, but the affiliate bounties could have been reversed and the seriousness of the issue detected at an early stage if the merchant was more responsible.

Still, you do have to feel for the guy on some level. Instances of online credit card fraud do seem to be increasing in frequency, and it can eat into the profits of net merchants, even when detected at an early stage.

<edit>
I just stumbled across an interesting article (http://www.msnbc.com/news/807675.asp?0si=-) that may point to a larger problem that could put some smaller merchants and processors out of service via a form of 'collateral damage' that makes up a greater fraud effort. Definitely worth a read if you accept or use CCs online.
</edit>

suresk
09-19-2002, 12:39 AM
Kinda scary how quickly stuff like that can ruin a business. Just today I was reading a few articles in Time about fraud. Indonesia is a hotbed of CC fraud - they estimated something like 30% of the orders that come from there are fraudulent. They also mentioned some things some merchants are doing to combat it. It isn't online now, but I think it'll be in the archives in a week or so.

What struck me the most was how casual the people who stole CC's and used them were about it. I mean, they are causing financial harm, sometimes destroying businesses people have worked years on, and some of them do it for fun. It makes you not want to allow any overseas orders, but luckily I don't incur much of a loss when my stuff is bought using stolen CC's, although it is a pain (I've had dozens of attempts to use stolen CC's, only one or two have gone through).

Kathy
09-19-2002, 11:00 AM
Wow on that business loss for credit card fraud. I'm sorry it happened to this guy. :( It's very scary!

However, I have to say there are things every merchant must do to protect themselves from fraud.

There are some ways that the merchant account company I use provides me with tools to check on charges I receive through my online store. I use them. I verify the billing info/street address/zip code to make sure it matches the customer info. If it doesn't, I tell them "no-go". Am I losing out on money/purchases? I don't think so.

In the 3 years I've accepted credit cards through my merchant account, (I hand enter each one myself and do not go through a gateway) I have had only one charge back...and it was sending merchandise to Greece. Alarms should have gone off...but my error caused my only "chargeback" in 3 years.

My daughter works for a powerseller on ebay who sells expensive equipment online. They hand enter through their merchant account terminal all cc info...but even before they do, they use the tools, calling on the phone to verify, using the merchant account website to verify the billing address. They will ONLY ship to the billing credit card address. And when in doubt, they get the phone number of the credit card "owner" and call them on the phone, tracking them down to make sure they know about the transaction...and only shipping to their address.

If they wanted the equipment to go to another location, the customer has to make separate shipping arrangements because this ebay powerseller will only ship to the credit card shipping address (verified by the merchant account/bank info).

Chargebacks for him? Nope. They spend a lot of time to make sure that their 2,000 charges or more with each transaction isn't fraudulent as best as they can.

Merchants have an obligation to double check, making sure that they are taking care of the responsibility of "taking" credit cards online or over the phone.

I think even for advertising, this is important. Getting address info from the "customer" and then calling the bank of the credit card to double check on the card's billing info may take lots more time but it is cheaper in the long run. Chargeback fees can ruin a company in short time.

demae
09-19-2002, 03:21 PM
I verify the billing info/street address/zip code to make sure it matches the customer info. If it doesn't, I tell them "no-go". Am I losing out on money/purchases? I don't think so.

I don't know about you, but I know for sure that some merchants have lost out on business from me because of that. Occasionally, I buy a computer part on the internet. I use the listings at http://www.pricewatch.com/ to see which online store has the part I want for the cheapest overall (including shipping) price.

Normally, the store that has the cheapest price gets my business. But, I frequently have orders shipped to my mother's work address instead of my home, because at my mother's workplace there will always be someone there to take the order (whereas at home, I'm out on two days of the week).

If the merchant won't ship to an alternate address, and there's another one just $2 more expensive that will, that more expensive merchant gets my business.

I do think the technological state of online payments is pretty primitive. The problem with credit card numbers is that you need to give it out in order to enable one transaction to the merchant, but doing so will enable any transaction to be billed to that credit card. Calling the customer on the phone (I'm not home sometimes, and I don't like to answer the phone because the vast majority of calls are telemarketers) or making them fax a photocopy of their ID and credit card (I don't have a fax machine or scanner) works, but is obtrusive to the customer's convenience. Some more robust scheme involving e.g. public key cryptography or Kerberos-like tickets would be much more secure and user-friendly. The theory on how to implement this has been well-studied. Unfortunately, the reality is that such secure payment processing systems are not widely available, so we can't use them in practice.

suresk
09-19-2002, 03:34 PM
Manually reviewing each lead helps a lot. I do this with mine too, and haven't had many problems. Just a few months ago, some guy from Wisconsin bought one of my products. Only problem was, he was using a Polish ISP (Based on the IP address). I called his phone number, and not only had he not ordered my product, he didn't even have a computer! I was able to void the sale before funds were even captured.

Unfortunately, not all companies can do this. One thing Amazon.Com and a few others are doing looks promising though. Instead of shipping overseas packages to someone's door, they ship them to Mailboxes, etc. or something like that. Then the person who ordered gets an email to come pick it up, and they have to bring 2 forms of ID + the actual card they used to order the package with. Although I'm sure there is a bit higher cost involved, it is one way to deal with the problem.

Steve_S
09-19-2002, 04:42 PM
What a neat thread :)

Story 1: A surfer ordered 40 mugs from my Cafepress store. Repeat, 40 mugs. Natch they never shipped or consummated the sale.

Lesson: Unusually large orders are ALWAYS a red flag.

Story 2: About 3 years ago I had a branded software/hardware store where I was an affiliate. Don't remember the company name as they are out of business. I DO REMEMBER that not a week went by that an order was rejected for either fraud or over the limit. This program actually let me look at some of the data.

Lesson: Free email addresses are ALWAYS a red flag. Hint: visit the site to see what kind of email it is.

Tip: some credit card companies are starting to issue one time only charge cards via Visa and Mastercard. I believe City does this and it's a valuable way for consumers to protect themselves.

Question/Comment: Do any of the gateway services or 3rd party scripts let me ban a given free email domain (hot mail.com), email address (ducky@duck pond. com), and country?

When I say ban I mean the order is rejected and never goes through. Send them to a polite Sorry page and that's the end of the deal.

Kathy
09-19-2002, 05:04 PM
Originally posted by Steve_S

Question/Comment: Do any of the gateway services or 3rd party scripts let me ban a given free email domain (hot mail.com), email address (ducky@duck pond. com), and country?

When I say ban I mean the order is rejected and never goes through. Send them to a polite Sorry page and that's the end of the deal.

Steve, I can't comment on gateways since I process the credit cards myself, but I did want to comment about "banned" email addresses or "banned countries".

With the kind of set up my store has, the email address isn't so important. I'm selling merchandise and a bit of advertising. The advertising I'm doing it via phone with real companies and only a bit through email. Or we start with some email exchanges and when we get down to business we use the phone to discuss, following up with email to seal the deal.

I can see why non-free email is important for many online purchases/transactions...for advertising, affiliate programs that really don't exist and so on.

For me, I have banned countries. In fact, I flat out will not ship to any country with the exception of:

USA
Canada
UK
AUS

Why? I can't check on the validity of the CC in other countries. I can check on these...and do. I just don't provide any other country as an option during my checkout process. So far, no one has complained... So I do ban countries. I'm not sure if gateways would do it for you...although you could ask.

I think gateways merely check: zipcode and sometimes street address. But mostly if the credit card is good, it's a "go" as it has no way to double check the billing address with shipping unless I'm mistaken.

I use Wells Fargo merchant services and the rep who works with me to maintain my account told me I'm doing it the least expensive way for a merchant service (I like that) and the most secure since I can use the human factor to double check my charges.

Jack
09-19-2002, 05:29 PM
Regarding what Steve said on free E-Mail addresses: While I certainly agree that those who commit fraud will in most all cases use a free E-Mail address, so many people are using them now that it would probably not be best to deny simply on that. I did a quick scan of my customer's E-Mail addresses and it looks like around 5-10% use Hotmail, 10-15% use Yahoo, and about 5% or so use some other free E-Mail provider. Probably what would be best is to call up the customer if any part (including the E-Mail address) seems suspicious.

I've been lucky to have very little fraud. In fact, the majority of the chargebacks I have received have been simply because the customer did not recognize the name of my company on their credit card statement. However, I also am at a very low risk as the products I sell are not at all popular to steal, I have no form of an affiliate program, and I currently only accept orders from my home country, the US.
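The signals raised so far in this thread (network country differing from billing country, delivery to a non-billing address, unusually large quantity, free email domain) can feed a review queue instead of an outright ban, so that a weak signal alone never blocks a sale. This is an added example, not part of any post; the weights, thresholds, field names and sample orders are assumptions, and `ip_country` is assumed to come from an upstream IP geolocation lookup.

```python
import re

# Assumed values for illustration; tune them against your own chargeback history.
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com"}
WEIGHTS = {
    "ip_country_mismatch": 40,  # buyer's network is in another country than the card
    "ship_not_billing": 30,     # delivery address differs from the billing address
    "large_quantity": 30,       # far above what a normal customer orders
    "free_email": 10,           # weak on its own: many genuine customers use these
}


def _norm(address):
    """Compare addresses case-insensitively, ignoring punctuation and spacing."""
    return re.sub(r"[^a-z0-9]+", " ", address.lower()).strip()


def signals(order, typical_qty=2):
    """List the risk signals present on one order, strongest first."""
    hits = []
    if order["ip_country"] != order["billing_country"]:
        hits.append("ip_country_mismatch")
    if _norm(order["ship_to"]) != _norm(order["bill_to"]):
        hits.append("ship_not_billing")
    if order["quantity"] >= 10 * typical_qty:
        hits.append("large_quantity")
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        hits.append("free_email")
    return hits


def decide(order, review_at=30, hold_at=70):
    """Return (action, score, signals).

    accept: process normally.
    review: a person checks the order (for example, phones the cardholder).
    hold:   do not capture funds or ship until the cardholder is confirmed.
    """
    hits = signals(order)
    score = sum(WEIGHTS[h] for h in hits)
    if score >= hold_at:
        action = "hold"
    elif score >= review_at:
        action = "review"
    else:
        action = "accept"
    return action, score, hits


# Constructed sample orders.
ORDERS = {
    "free_mail_only": {"email": "pat@hotmail.com", "ip_country": "US",
                       "billing_country": "US", "quantity": 1,
                       "bill_to": "12 Oak St., Madison WI",
                       "ship_to": "12 oak st madison wi"},
    "alternate_address": {"email": "sam@example.org", "ip_country": "US",
                          "billing_country": "US", "quantity": 1,
                          "bill_to": "4 Elm Rd, Austin TX",
                          "ship_to": "900 Main St Suite 2, Austin TX"},
    "foreign_network": {"email": "lee@example.org", "ip_country": "PL",
                        "billing_country": "US", "quantity": 1,
                        "bill_to": "7 Pine Ave, Racine WI",
                        "ship_to": "7 Pine Ave, Racine WI"},
    "bulk_mismatch": {"email": "buyer@yahoo.com", "ip_country": "ES",
                      "billing_country": "US", "quantity": 40,
                      "bill_to": "1 Lake Dr, Reno NV",
                      "ship_to": "55 Harbor Way, Miami FL"},
}

if __name__ == "__main__":
    for name, order in ORDERS.items():
        print(name, decide(order))
```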

Steve_S
09-19-2002, 06:23 PM
Good points everyone.

I'm the very very first to admit that my view of free email addresses is "tainted" by my own experiences here in the "village" so please bear with me.

I'm curious as to those of you who sell "hard goods" like books, candy, and such. Do you offer a money back guarantee and make the buyer agree to this before they reach the CC page or do you deploy the "all sales are final. No refunds" and then require a signature as proof of delivery via FedEx, UPS, or other shippers? I'm sure you know where I'm headed with this question :) Or perhaps you have tried both and can share some stats on how this impacted your sales?

Kathy
09-19-2002, 07:24 PM
I sell hard goods directly to my customers (books, candy, t-shirts, mugs, etc) and have a return policy:
May I return the merchandise?

Merchandise may be returned to the ** store if you are not satisfied with your purchase with the exception of book returns. Shipping charges will not be refunded to you and a $5.00 re-stocking fee will be applied to the refund check. The ******* Store is not a large volume store, but we try very hard to please our customers/members. Please order carefully, reading all the details of each product before ordering. The ***** Store can not afford to absorb the costs of mistakes often. We rely on the merchandise sales profits to keep the website free to our visitors. Thank you for understanding! :-)

For return instructions, please email store@mydomain.com with your order number and merchandise concern.

Additionally, my merchant account folks at Wells Fargo require that my store is set up so that when they click "Submit" at the end of check out, they are agreeing that they understand the return policy. (Means no fighting if a customer complains that when they returned products costing XX dollars and I refund their account with XX minus shipping charges minus 5.00 restocking fee they can't complain. They knew it when they ordered it. I make sure they understand...Order carefully please.)

Since I'm not a huge outfit like Wal-mart nor Amazon.com I simply can't take the hit on merchandise returns to refund shipping providing the customers with total refunds. My merchant account folks tell me this is fine as long as it's clear to my customers during checkout (through my website).

P.S. Although I have all the bases covered for returns, I've had only two products returned to me in the last 3 years.

Edited to add:

I use USPS delivery confirmation that doesn't require a signature but does provide me with a tracking "delivered" confirmation for all packages. Because my products are not heavy, UPS isn't the cheapest. USPS is. I think if I had heavy merchandise then UPS would be the way to go.

demae
09-19-2002, 07:28 PM
****ing out your store's name doesn't actually help BTW, because the unique pattern of words in the policy on your website can be input into a search engine.

Kathy
09-19-2002, 07:31 PM
I'm sure if you wanted to find my store through a search engine you could track me down. No problem. But for the general public, I prefer to not use this forum for advertising :)

:angel: