I'm surprised the part on combatting friendly fraud (4.2) didn't include a part about contacting the customer directly, most likely via phone. If you are in an industry where this occurs more often, you might even want to invest in telephone authentication. While it won't stop the friendly fraud, it will be a deterrent.
Anyways, contacting the customer can usually get things resolved as well, even if they went straight for the chargeback.
Never underestimate human contact. You might be surprised why they went with a chargeback. Some just think it's the way to get a refund for something that was wrong. Yes, sometimes the person is just being a douche, in which case you can assure the person that you thank them for reporting the case, and that you will be following up by filing a police report. When they realize what information you have available, some are quick to want to work something out, usually that involves calling the bank in a 3 way conference call and canceling the chargeback.
It won't always work, but the nature of chargebacks means every little bit helps.
Again, this also depends on the nature of the industry you are in.
(balanced employee) This is absolutely true, the additional snarl here is that Balanced works directly with the company/marketplace that the customer is interfacing with.
Our policy, as much as possible, is to defer to that company with regards to customer contact because we don't want to interfere with that customer relationship/experience. We support their customer support, we don't supplant it.
3DS, while effective, is not a bulletproof solution. Requiring 3DS transactions will impact sales, and can impact them enough that it's better to not use it. I always recommended a scoring approach (reach a certain threshold, and we require 3DS).
Even still 3DS only affects the initial transaction. Any recurring payment won't benefit from the 3DS transactions. There are ways to encourage 3DS use (discounted membership fees if one performs a 3DS transaction), but outside of games like that, 3DS only affects the transaction it's made with.
Phone verification will not stop the worst of the fraud. Do not underestimate how well some people lie. It will deter the small time criminals, but not professionals.
(balanced employee) You are 100% on the money. The customer support part of the user experience is largely controlled by the marketplace. We would be happy to provide any guidance in this regard.
My personal views are my own and NOT Balanced on this topic. I agree, I think bitcoin is a great solution -- for some things. More and more I feel that it's the right strategy going forward.
Not stopped, but it would decrease fraud, as the fraction of payments made in bitcoins is guaranteed to be impossible to charge back.
As this fraction increases, fraud is reduced further and further.
It would be interesting to have a payment platform that evaluates the trustworthiness of a customer right before payment (based on factors such as customer history, shipping address matching the billing address...), and force those deemed "risky" to pay in Bitcoins. It could even handle CC authorization failures: "credit card declined? No problem, pay in Bitcoins instead."
Wouldn't the fraction of people paying with Bitcoin be a subset of the people that didn't commit fraud with credit cards? You're just moving a very small number of honest buyers from credit cards to Bitcoin.
You're not going to have a person not defraud you because you provided the option of Bitcoins. If you have a transaction that you deem risky, require a bank transfer, that will make it easier for the criminals to go commit fraud somewhere else.
Cash has no chargebacks, which is why merchants will often offer a small discount for using cash (or charge a .50 fee) when using a credit card. Bitcoin is just like cash, but digital. Some merchants even offer discounts for customers who use bitcoins since the risk is mitigated, as with physical cash.
Based on the comments above (http://news.ycombinator.com/item?id=5259876), it seems like Bitcoin is just allowing merchants to kick the chargeback risk down the road to the Bitcoin exchanges.
> Not stopped, but it would decrease fraud, as the fraction of payments made in bitcoins is guaranteed to be impossible to charge back.
I doubt it. Most fraudsters are trying to convert someone else's credit into cash by buying goods they can sell. If you have a bitcoin, you pretty much already have cash - just use one of the exchanges.
Yes, if a bitcoin exchange accepted credit cards, they'd be on the hook for any chargebacks. Hence why most of the existing exchanges want a bank transfer instead.
In theory, a bitcoin exchange should have a near-perfect defense against chargebacks for faulty or missing products or similar, by showing via the public block chain that they delivered the purchased product as requested. However, there's no defense against chargebacks claiming that the cardholder didn't make the purchase (stolen card number, etc).
What if the buyer does a reversal of the bank transfer -- usually possible up to 60 days afterward. (I swear I'm not trolling. I'm new to bitcoin exchanges)
ACH transfers are reversible and a few bitcoin exchanges have been bitten by them since most have/do take dwolla, which is a nice service for ACH transfers.
Bank wire transfers, though, are unable to be reversed. It's a pity that most US banks charge for them.
Yeah, the US banking system is pretty pitiful in general. We (Balanced) are trying to make it a little bit better by making ACH faster and easier to integrate, but we can't do much about reversals. [shameless plug] Example, checkout our ACH payouts feature: blog.balancedpayments.com/announcing-balanced-payouts/
1) They have to explain to the credit card chargeback authority what a bitcoin is and why the entry in the block chain means they actually sent the coins.
2) Nothing to stop the Bitcoin buyer from just saying "I didn't do it" (Which is 'friendly fraud' in the article).
From my experience, reversing a chargeback is only possible in a minimum of cases when sending physical items, and even harder for digital goods that you can't just send again (Bitcoins vs an Ebook).
I would actually be interested in knowing how others deal with a certain type of fraud.
We currently have an issue where someone is using stolen credit cards to buy "digital goods".
We're in the UK and Scandinavia, so we started out blocking purchases of digital goods from the UK. Fraud goes to zero right away.
The fraudsters move to using stolen UK credit cards in Denmark, via a large number of Danish IPs, fine... We'll just require that the card is issued in the country where your IP indicates that you're located (not 100% correct, but close enough).
At this point fraud has been reduced to zero for a few weeks. The next one we really weren't expecting. The same pattern of buying starts showing up, seems like fraud and it turns out it is. We now see stolen Danish credit cards.
At this point we're more or less reduced to having to approve every purchase manually. The only real solution currently is 3DSecure for MasterCard or Verified by VISA. These solutions are very American and not at all what European customers expect to see. Enabling 3DSecure scares off legitimate customers, but it's currently the only solution.
The article looks at high velocity, that does nothing in some cases, if people are out to scam you, they will appear as a new customer for a new IP, with a new card.
CSCs are useless, these are stolen all the time.
AVS is supported by almost no one.
Looking a transaction amount compared to the mean doesn't really work when you mostly sell one product at a time.
Recently created accounts are actually a good indication of fraud, but mostly you have false positives.
Blocking high risk countries doesn't work for digital goods.
Large distance between IP and billing address, doesn't work well in smaller countries, but worth considering. Somewhat difficult to implement though.
High number of cards from the same person... That never happens. Our legitimate customers are the only ones that might use different cards. In the case of fraud, cards and accounts are often used only once.
It's not that the article is a bad write up, but none of the information will protect you against someone that wants to scam you. Physical products are easier to safeguard, because the bad guy will need to pick it up at some point, digital goods are a lot harder to secure.
My company (Sift Science) uses machine learning to fight fraud, and we work with customers who sell digital goods. You're right that normal country blacklisting, IP blocking, AVS, CVV, etc. aren't terribly effective.
I think some effective techniques for digital goods are: 1) behavioral signals, such as how long the user spent browsing your site before making a purchase, 2) physical device -- have I seen activity from this particular machine before, even if they're going through a proxy to use a fresh IP? 3) e-mail address -- is it a legitimate domain? an obvious throw-away account?, 4) mismatch between IP and billing info (as you noted).
In general, fraudsters switch tactics with surprising frequency, so I'd highly recommend combining multiple types of data into a machine learning system that will adapt. Otherwise you're going to spend a lot of time tuning rules.
And if you're looking for help, feel free to send me an e-mail: brandon@siftscience.com. My company deals with fraud all the time. Even if we can't help, I'd be happy to point you to others who can.
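The signals discussed in the two comments above (card country vs. IP country, throwaway email domains, brand-new accounts, time on site before checkout, many cards from one device) combined into a small rule-based risk scorer. This is an added example, not code from the thread, from Balanced or from Sift Science; the signals, weights, domain list and sample transactions are all constructed for illustration.

```python
# Added example: a rule-based risk scorer over the signals the thread discusses.
# Weights and the throwaway-domain list are constructed, not from any vendor.
from collections import defaultdict
from dataclasses import dataclass

THROWAWAY_DOMAINS = {"mailinator.com", "guerrillamail.com"}  # constructed list


@dataclass
class Txn:
    device_id: str        # device fingerprint, survives cookie clearing / proxy switching
    card_token: str       # opaque card reference from the processor, never the PAN
    card_country: str     # issuing country from a BIN lookup
    ip_country: str       # country from IP geolocation
    email: str
    is_proxy: bool        # anonymous-proxy flag from an IP reputation source
    account_age_days: int
    browse_seconds: int   # time spent on the site before checkout


class RiskScorer:
    """Keeps per-device card history so the 'many cards, one person' rule works."""

    def __init__(self):
        self.cards_by_device = defaultdict(set)

    def score(self, t):
        """Return (score 0..100, list of triggered reasons) for one transaction."""
        self.cards_by_device[t.device_id].add(t.card_token)
        points, reasons = 0, []
        if t.card_country != t.ip_country:
            points += 25; reasons.append("card/IP country mismatch")
        if t.is_proxy:
            points += 35; reasons.append("anonymous proxy")
        if t.email.rsplit("@", 1)[-1].lower() in THROWAWAY_DOMAINS:
            points += 15; reasons.append("throwaway email domain")
        if t.account_age_days < 1:
            points += 10; reasons.append("account created today")
        if t.browse_seconds < 20:
            points += 10; reasons.append("no browsing before checkout")
        n_cards = len(self.cards_by_device[t.device_id])
        if n_cards >= 3:
            points += 50; reasons.append(f"{n_cards} cards from one device")
        return min(points, 100), reasons


def demo():
    """Constructed transactions: one normal customer, one traveller, one card tester."""
    s = RiskScorer()
    legit = s.score(Txn("dev-1", "tok-a", "DK", "DK", "anna@example.com", False, 200, 300))
    traveller = s.score(Txn("dev-2", "tok-b", "GB", "DK", "bob@example.com", False, 90, 120))
    tester = [s.score(Txn("dev-3", f"tok-{i}", "GB", "DK", "x@mailinator.com", True, 0, 5))
              for i in range(3)]
    return legit, traveller, tester
```

The third constructed device hits the velocity rule only on its third distinct card, which is why the scorer has to keep state across transactions rather than judging each one in isolation.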
Brandon's a great guy, very proactive and helpful. We didn't have quite enough volume yet (w/ Gittip) to use his services, but I have a positive opinion of him.
Preventing fraud is impossible, but you can minimize it to very low levels with a combination of filters, some of which you mentioned. This includes geo distance, public email address, velocity, size of transaction and most important - proxy detection. The use of a public anonymous proxy is a very high indicator of fraud.
We use minfraud, a service that takes all of those parameters as input, and uses a huge database of previous fraud to return the probability the transaction is fraud. It has worked exceedingly well to prevent almost all fraud on our marketplace.
I was having huge problems with fraud on my website also. A lot of stolen credit cards being used from Vietnam.
Using Braintree as my processor, I send an authorization request for the card. If the auth is successful, I send the data over to MinFraud for a check. If the fraud value is < 25 then I submit the auth for settlement, otherwise it gets voided and the user gets a message that their purchase didn't pass our fraud check.
I also log all minChecks and I manually check any request that has a value > 10 or so just to make sure it looks legit.
The biggest change I had to make to support this is that I had to add Country, City, and Region (State) boxes to my payment form. So users have to put in 3 more pieces of information that they didn't have to with a plain (a la Stripe Purchase button) payment form.
However, that information has saved me from numerous frauds. Also, it appears that once the fraudsters determined that they couldn't use my site anymore, they've stopped trying.
I am VERY happy with their service and it's very inexpensive.
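The authorize, score, then settle-or-void flow from the comment above, with its 25 and 10 thresholds, written out as an added example. It is not the commenter's code and does not use Braintree's or MaxMind's real APIs: the gateway and the scoring service are hypothetical stubs so the control flow can run offline.

```python
# Added example: two-step card flow with a fraud check between auth and settlement.
# StubGateway and stub_risk_score are hypothetical stand-ins, not real vendor APIs.
from dataclasses import dataclass

SETTLE_BELOW = 25   # score < 25: submit the authorization for settlement
REVIEW_ABOVE = 10   # score > 10: also queue the transaction for a manual look


@dataclass
class Order:
    card_token: str
    amount_cents: int
    ip: str
    country: str   # the extra form fields the commenter added
    city: str
    region: str


class StubGateway:
    """Stand-in for a gateway that authorizes first and settles or voids later."""

    def __init__(self):
        self.settled, self.voided = [], []

    def authorize(self, order):
        # Constructed rule: tokens ending in DECLINE simulate a declined card.
        return None if order.card_token.endswith("DECLINE") else f"auth-{order.card_token}"

    def settle(self, auth_id):
        self.settled.append(auth_id)

    def void(self, auth_id):
        self.voided.append(auth_id)


def stub_risk_score(order):
    """Stand-in for a risk-scoring service; constructed rules for the demo."""
    if order.ip.startswith("203.0.113."):   # TEST-NET-3 range plays the 'risky' IP
        return 60
    return 12 if order.region == "" else 3  # missing region: borderline, worth a look


def process(order, gateway, risk_score=stub_risk_score, review_log=None):
    """Authorize, score only successful auths, then settle or void by threshold."""
    auth_id = gateway.authorize(order)
    if auth_id is None:
        return "declined"
    score = risk_score(order)
    if review_log is not None and score > REVIEW_ABOVE:
        review_log.append((auth_id, score))
    if score < SETTLE_BELOW:
        gateway.settle(auth_id)
        return "settled"
    gateway.void(auth_id)   # a high-risk auth is released, never captured
    return "voided"
```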
(I work for balanced, I wrote the blog and handle fraud)
I am sorry you had to deal with this.
Of course, we look at all other signals and of course we use machine learning. What I posted was partial information. The list by no means is complete. When dealing with opening up on fraud, you deal with two conflicting things - (1) If you open your algorithms/data and make it completely open source, the fraudsters have all the access as you do and (2) If you shut down all access and keep it closed, there's no exchange of information. Most payment processors opt for (2), we really wanted to strike a middle ground. If I can't expose the fact '@apple.com' email address is more trustworthy than a throwaway email address and regard this piece of information as the bedrock of fraud protection, I am nuts. Summary: you expose something, gain knowledge, hide the rest.
There are several more signals we look at when dealing with fraud (esp. digital goods). We have built a machine learning system that has learned (is learning) from our data. We also built visualization layers on top of that. Send us an email at support@balancedpayments.com and I will provide more information.
> 3DSecure for MasterCard or Verified by VISA. These solutions are very American and not at all what European customers expect to see.
I can't speak for Europe, but basically every site here in Sweden where I buy something with a card uses 3DSecure and VbV. The pick up over the past couple of years has been massive.
I'm interested in your view that 3DS and VbV are "very American and not at all what European customers expect to see".
Although generally payment methods are quite diverse across Europe, I'd say in places like here in the UK it is now fairly common to get the secondary confirmation prompts when purchasing on-line, certainly from smaller businesses. They also seem to be fairly smart about when they just let it go through without troubling the user these days, e.g., low value regular payments to the same vendor don't seem to ask me for any confirmation most of the time recently, but payments to new vendors often do.
Just out of interest, what kind of digital product are you selling? I never thought fraud was a problem with digital products, because it is very easy to just go to the torrent sites and download it there...
Edit: I mean, who would bother to do payment fraud, when you can just download torrents.
Mostly keys for games, Xbox live points, stuff like that. Very attractive products, both for legitimate customers, but sadly also for criminals.
Torrents are useless for games that require constant network access, which is most new games. You can have the "stolen" keys blocked, but you still lose money.
Drop me an email, maybe we can trade notes. I have been dealing with this for almost a year at http://nextproof.com
We had really bad chargebacks and our underwriting merchant almost pulled our account. It took going back to some manual verification and other tricks to finally get it down. We've only had a dozen or so chargebacks in the last 6 months.
Balanced is burying the lede on this, the final table of correlations between payment information signal failures and incidence of fraud is pretty fascinating.
The merchant doesn't know what name is on the cards. It's still virtually guaranteed fraud when one person presents more than 2 or 3 cards on your site in a short period.
In theory, everything can be evaded. In practice, it won't be. If you run your transactions through something like MaxMind MinFraud with Device ID, you will know it's the same person, even if they clear cookies, switch proxies and re-register on your store between every card. It costs half a penny per transaction; anyone can afford basic risk scoring.
Most of the time that kind of tech isn't even necessary. The types of criminals most online stores deal with are not sophisticated; they're just people that paid $1/number for a list of phished credit cards on a black market forum who are going to enter them one-by-one on a few websites to see which haven't been reported stolen yet.
(I wrote the post)
Thanks! There are certain aspects of fraud which can be open and will definitely help the community of anti-fraudsters. This was our way of contributing something back.
That's super weird - I had my first chargeback today, from a customer who didn't even attempt to get in touch and ask for a refund... apparently this is quite common!
Not common, standard. Having the customer contact you isn't a frequent occurrence, depending on where you do business. The British do not wish to talk to you, they assume that you're the one trying to defraud them by default. Swedes will pretty much never do chargebacks.