View Full Version : Stolen / Fake credit cards

07-28-2004, 10:23 PM
Hi there,

Well, our orders are coming in more and more now it seems due to the fact that affiliates are starting to place our ads all over the place.

Our next problem is illegimate orders. I've received about 3 in the last few days that are suspect, and I'm not certain what to do.

Here are the details of my setup:

User enters credit card info on our page. We send encrypted data to processor, get validation, and then confirm the order. Money is withdrawn from card at end of day.

I have access to all the billing information, including the credit card information.

I do not have AVS (address verification service) but I don't think that makes too much of a difference since it seems many of these people have the billing information of the credit card owner.

My question is, if I have the credit card number and expiration date, what can I do to find out the owner's real name and phone number? How could I contact them to confirm the order?

The only method I'm using right now is to request the buyer fax me a photocopy of their drivers license and credit card, but I'm certain many legitimate customers won't want to do this, or don't have the means of doing it (especially just for some shirts).

I haven't called VISA yet but I don't think they'll be able to provide me with much.

Any info or help on this would be great. The main questions are:

1. If a transaction is suspect, how do I confirm with 100% certainty that it is legitimate or illegitimate?

2. What are some ways of spotting if a transaction is illegitimate?


07-28-2004, 10:53 PM
Aren't you capturing the phone number? Call them.

Also turn avs on. It will quickly take care of those lazy ****sters, or if you are mailing a product, someone who uses a CC outside of their area.

One of the best checks you can do on your side is - capture every attempt for an ip. Often ****sters will have numerous cards and keep trying until they get a working card, if you capture each attempt it is pretty easy to see the same person is trying a CC from TX and CA.

Also compare the IP address of the person to the location of the card holder.

For hosting, we end up phone verifying about 50% of our orders.


07-28-2004, 11:30 PM
Great thoughts from our resident "Dr. Anti-abuse" :) aka Chet

I LOVE IP capture as you can see in our posts -----> :)

A few more to tickle your fancy:

1. You need a "Cert" as in https and they are dirt cheap like:


This makes your honest buyers feel nice and safe and may prevent others from doing not so nice things. I would never buy from a non "Cert" page.

Red flags:

Free email address
Large orders like 10 ts
Certain countries. Especially those where you can't get written proof of delivry plus the leading havens for ****sters. See this for a start:

See: http://www.groundbreak.com/cgi-bin/demo/htaccess/htaccess.cgi

Your type of T is absolutely guaranteed to attract many more ****sters than a T with a Rubber Duck :) Thats not a reflection of either you or your prodcuct please. :) It's just a cultural kind of thing so please, no flameola :)

You can bet your very last dollar that some of your affiliates will and or have tried to cheat you. Make sure your delay in payment covers the chargeback issue as best you can. Like perhaps 60 days.

Edit: Summary for hard goods sales on the net which is a bit different in perhaps one respect than selling "soft" like adverts or hosting but maybe not :) Assume every sale is fraudelent in nature and watch your affiliates VERY closely to minamize your risk/loss.


07-29-2004, 12:41 AM
One more idea. Are you requesting & validating the CCV number?

Lots of sites are starting to request this number and most larger payment processing services can validate it:


07-29-2004, 01:34 AM
Thanks for all the responses. In no particular order:

1. I am definitely requesting the CCV number. Unfortunately, some cards will pass even if the *** number is false, based on the specific bank that issued it (according to my processor)

2. Upon more research I found out that I can't enable AVS with my current processor because I want my store name to show up on the credit card statement. Apparently with that setup, AVS conflicts with it.

3. For phone verification, do you just call the number they provided with the order? What if the illegitimate person answers and confirms? I want to be able to call the owner of the credit card. Or shoul dyou assume that if the phone number works, the credit card is valid?

4. The processing is all done securely... I'm not afraid of a breech in that. i'm only concerned about fake credit cards or illegitimate ones.

5. Ip logging... what is the main point of that? To link multiple accounts together? What is the actual algorithm you would use for tracking? Keep track of all accounts that source from the same IP?


07-29-2004, 02:29 AM
We call the phone number on the order. Have never had the ****ster use their own number, though they could or fake one through a loop (are the kids still doing that?).

IP logging does a few things, lets you know where they are contacting you from (run a tracert or check on sites like dnsstuff.com), it also allows you to see orders in groups. Normally when someone tries to charge, if the charge fails, it might be a legit reason. A typo, etc. When they resubmit, most systems will just update the order record, ours creates a new record so we can compare the two entries. Sometimes changes across the country are valid, a student trying their home and school address, but others change their names, their country etc.

Another thing most people overlook. Beware of paypal. While we accept it, i treat it with the same issues as a CC. One of our sites sells vanity email addresses, you get 130 domains, we had a rash of ****sters trying to use our service as a launching pad. So after shutting down all but one, i watched one.

They would get the email account, create a paypal acccount with a stolen credit card. If one got flagged, they would move to a different domain. So merchants would accept paypal like cash, and then paypal i imagine would come back months later and refute the charge. ( i contacted each merchant by email and phone and told them to ignore the order, most already were going to since the mailing address was indonesia).


07-29-2004, 02:32 AM
Also, as steve pointed out - the order too good to be true normally is. ****sters rarely buy the cheapest of anything, or just one.

And don't believe any one test if it doesn't feel right. The ****mers on our system were sophisticated and used proxies or zombies near where the card holder lived to try and emulate being the card holder.


07-29-2004, 04:31 AM
Great post.. thanks for the info.

So there are a collection of flags that indicate that an order is or may be suspect. Gotcha.

So, i've got a few orders right now that I know are suspect and/or invalid. In fact, after i try calling one of the numbers tomorrow, I will know that they are all suspect with certainty.

Once i find that out, i want to aid the original credit card owner by notifying VISA somehow. How would I go about doing this?

After I do that, I should just refund that amount, i assume. And blacklist that card?

07-29-2004, 04:34 AM
Oh, one other question.

Even if I don't use a certain technology, i want to scare ****mers away from my site by indicating that I do.

What such technologies or company logos should I look into putting somewhere on the website? I know there is VISA Verify or something, but that puts expectations on the buyer.

In other words, I don't want any of those technologies to falsely change the expectations of safey for the legitimate buyer, but I want it to make the site seem safe from ****mers.

07-29-2004, 02:33 PM
I find this baffling.

First of all, you can't find a VISA phone number anywhere (with ease) where you can do an address verification.

Secondly, once you do get the number from calling some other number, they only operate within the US and any credit cards assigned outside the US do not get checked.

Thirdly, every bank I've contacted about it seems pretty uninterested in notifying their customers! That's insane! You would think they are more interested in cutting down on fraud than anyone, but there isn't an easy number to call for the banks, nor do they seem to want to contact their client.

One bank asked me to fax in a report of the fraud. Why would I spend time and money doing that? They should be greatful I'm reporting it to begin with.


Just for your info, the VISA card address verification number (AVS) is:

1 800 847 2271

You enter your customer's credit card number and bits of their information, then you can get forwarded directly to the bank of issuing. US customers only.

07-29-2004, 02:49 PM
Interesting and great stuff :) gang. The very essence of what we are about so congrats to all.

I may have not been clear enough with my comments and link about a "Cert" Sorry.

I went to your email and pw page and did not see a padlock in my browser nor the https

I went to register with all the other data and did not see it either.

I'm not the expert on Certs but it seems to me that if a user is sending this kind of data with the intention of either purchasing and or registering then each of those pages need to display a padlock in my browser and use https. Plus, you shoulld be able to display the Certs logo which enhances the experience.

I didn't go any deeper into your pages to see if in fact you do have a Cert properly installed and the padlock appears in my browser. Do you?

You are free to use any of this if you think it will help you give notice to the ****sters:

"Your email address and your data is confidential. We do not release this data to third parties unless you have commited a criminal act, violated our own Terms of Use (this entire document), or we recieve a court order. We have a long history of working with federal and state authorities.


07-29-2004, 03:07 PM
A stern warning is helpful, at least they know you are aware.

I will call the card holder, often they know (so how does the card get accepted by the processor??? you tell me). But I wouldn't bother with the charge cards themselves.

You are learning the big secret of credit cards. Visa, Mastercard, Discover, AMEX etc - don't care. They are not being generous when they refund to the consumer any fraudulent purchases, they can do that because they will simply file chargebacks against you to get back their money and then charge you $25 for doing it.

This is one reason I strongly suggest two bank accounts. One as the active clearing house for processors ACHs, paypal etc. And then another account which you transfer the money from the first account once it clears. This way if you ever have a dispute, they cannot freeze your main checking account. I once had to make payroll out of my personal savings because my business account was frozen over a CC issue.

Also, make sure you have all email alerts on, you want an email for every charge, also check your account regularly for anything fishy. Some of the sophisticated ****mers will try and bypass any checks you have.

Also if you use any service that allows you to put your process in test mode, check for that variable being passed, a poorly setup form could allow someone to have the address test=T (or whatever) and you will not receive the money but it will pass your test.

So I am sure you are scared out of your mind by now. Don't be. You are aware. Just keep on top of it and you will be fine, it is the people sleeping who get blind sided, those are what these people prey on.


07-29-2004, 06:06 PM
Steve> I secured only the checkout process because that is where real sensitive data is going. But I have now secured all the internal pages for users once they are logged in, just to provide that little padlock for their peace of mind. If you seem concerned about it, who knows who else is. I will very possibly use a permutation of that line in your post... it can't hurt!

chez> Nah, not scared... nothing scares me anymore. Just roadblocks that keep coming up... and it seems this one can't be automated away (which is my preferred method of maintenance).

I'm pretty disgusted with the apathy towards CC users though. I mean, having your card stolen and used is horrible. I feel like I'm the only one who is trying to help these poor people.

07-29-2004, 07:46 PM
I Share your pain. Believe me. :)

I forgot this:

Do NOT store the complete CC data on your server. Thats yet another invitation for someone to break in and grab the data. Sweep it down to your very secure local machine with local backups. Do this on a regular basis throught the day and dont tell us when :)

You should be able to automate this. Keep part of the data like the last 4 digits and only enough data to identify folks on the server.

I went poking around a bit and your cart is very neat.

I sure don't mean to harp but non geeky folks are accuately aware of the huge spike in idenity theft and philshing (?) email that ask for valuable data and then steals stuff. They get freaked so unfortunetly all of us must work exstra hard to protect them.

This form:


Your validating/requiring sensative data so IMHO it needs to be secure. Plus you can enhance your sales experience with this secure publicity and hand holding.

I'm not refering to the email address and password field but the other fields. All of which you require which is fine.


07-30-2004, 04:35 PM
Technical problem with that page and the login page though...

When you login via a secure connection, i want to forward you directly to the page you were viewing prior to logging in (for consistency in shopping)... but when i do this users get a "You are leaving a secure connection" warning.

They won't understand that this does not matter.

So I'm debating whether that is worse, or just forwarding them directly to their internal account page and foregoing the ease of shopping, or not having it secure.