Reprinted from: WISCO Computing Credit Card Fraud Prevention
----------------------------------------------------------------
ADDRESS VERIFICATION SYSTEM (AVS):
AVS is only available for the U.S. and partially available in four European countries. In the US, AVS checks whether the cardholder's address and zip code match the information at the card-issuing bank. AVS only uses the zip code and numeric portion of the billing street address.
There are many reasons why AVS may fail (recent address change, AVS computers down, etc.). If the address verification fails on any level, the merchant may decline the transaction.
If the AVS fails for any reason, the merchant should contact the customer for additional information (for example, the name of the issuing bank, the bank's toll-free telephone number, etc.).
If your current system of authorization approval cannot provide AVS, then you can get address verification from the card holder's issuing bank for MasterCard and VISA. Discover and American Express purchases can be verified by calling them directly. Only American Express can verify all international credit cards. When you call, have your merchant number, your phone number, the customer's full name, address, and phone number ready. If you call MasterCard/Visa directly regarding a purchase, they can provide you with the issuing bank's phone number (foreign and domestic). It is up to the merchant to make the phone call to the issuing bank. With today's cheap phone rates from calling cards, and using the Internet to place phone calls, there is no excuse for not checking for possible fraud.
American Express 1-800-528-5200
Discover Card 1-800-347-2000
Visa/MasterCard 1-800-228-1122
Once a fraudster has a legitimate customer name and the stolen credit card number, they can use the Internet to look up their victim's telephone number, address, and zip code. This allows a software purchase to pass AVS, and the fraudster can download the software before the fraud is reported. With orders that are shipped, the thief can provide the correct billing address for AVS approval, but request a different ship-to address.
CARD VERIFICATION METHODS (CVM):
Card Verification Methods (VISA = CVV2, MasterCard = CVC2, and American Express = CID) use a security code of 3 or 4 extra digits imprinted on the card, but not embedded or encrypted in the magnetic stripe. This verification code does not appear on credit card receipts. Since most fraudulent transactions result from stolen card numbers rather than the actual theft of the card, a customer who supplies this number is much more likely to be in possession of the credit card. VISA claims that the use of AVS with CVV2 validation for card-not-present transactions can reduce chargebacks by as much as 26%.
Merchants that accept Internet, mail-order, and telephone orders must be prepared to request the verification code when the cardholder is not present to help validate a transaction.
Even if a merchant cannot confirm the CVV2 number, they can still ask for it, or provide a space for the number on their web order form. If the crook does not have the number, they could look somewhere else to commit their fraud. The merchant is not allowed to store the CVM numbers. The merchant should never keep the customer's credit card "on file". Each transaction should be treated as a new order. We've all seen too many reports of computer files being compromised by hackers.
DIFFERENT BILL AND SHIP TO ADDRESSES:
Use Google to search for the numeric street address, street name, and zip code. The web site at http://www.anywho.com integrates telephone numbers, maps, and email addresses. Check for bogus billing addresses like 123 Main Street. Use resources like http://maps.yahoo.com to see if the address can be verified. If the billing and shipping addresses are different, request telephone numbers for both addresses. You can also establish a company policy and charge an extra fee to recover the cost of requiring a delivery signature (UPS, Federal Express, post office) if the billing and shipping addresses are different. You could require advance payment with a cashier's check or money order when different ship-to and bill-to addresses are used.
Be careful of remailing services, such as Mail Boxes Etc. Remailing services can remail your packages to overseas destinations.
REVERSE IP ADDRESS CHECKS:
A unique IP (Internet Protocol) address is issued by an Internet Service Provider every time a user is logged on to the Internet. Your server logs can be analyzed to match information on order forms. On your order forms, add a tracking code with a hidden field called the Environment Report field. The syntax used by the different form handlers (FormMail, sendmail, blat.exe, etc.) varies. One example is . The IP information will be included when the order is submitted.
Check if the IP address matches the email address and physical billing address of the customer. The IP address identifies the location of the server where the order was placed. Numerical IP addresses can be checked through programs such as WsPing32. The IP address database is constantly being updated, so it is sometimes incomplete and inaccurate. Matches may not occur if the card holder is traveling, or using a business card from a company branch located in a different city or country. The merchant should be concerned if a server address is located in one country, and the card holder's address is in another country. Check if the billing address, for example, findme@aol.com, matches the IP address from the block of IP numbers owned by AOL. If the fraudster is using an AOL address, the merchant can call the fraud department at AOL directly at 1-800-265-8003.
There is a high correlation between IP addresses labeled as spam sources and credit card fraud.
The web site http://www.all-nettools.com/ can be used to check IP addresses. SmartWhois finds information about an IP address or hostname, including country, state or province, city, name of the network provider, administrator, etc. Traceroute determines the path between your website and the person placing the order. It matches each machine along the path to a destination host and displays the corresponding name and IP address for that hop.
ANONYMOUS AND OPEN PROXY IP ADDRESSES:
Unfortunately, IP addresses can also be forged. These forged IP addresses hide the true location of the fraudster. Organized credit card fraud rings often use anonymous proxies. When a computer is infected by a virus, it can be used by spammers and credit card thieves to place fraudulent orders. A legitimate order could come from an infected computer. The IP address sent by the infected computer can be an open proxy IP address instead of their real IP address. The customer can visit the web site http://www.all-nettools.com or www.openrbl.org to check if the IP address their computer is sending to the Internet is an open proxy IP address.
INTERNATIONAL ORDERS:
The merchant must weigh the financial benefits of accepting international orders against the possibility of fraud. Merchants who always refuse any foreign orders could be missing potential good sales. The merchant also needs to perform their checks before orders are shipped. It is very difficult to apprehend fraudsters or retrieve goods after they have left the country.
Some countries have very bad reputations for fraud. Your bank or credit card processor can provide a list of high-risk countries. Different sources will likely have different lists of high-risk countries. High risk countries include developing nations like Indonesia, Malaysia, Benin, Nigeria, Pakistan, Israel, Egypt, and Eastern European countries. Placing an international phone call to the issuing bank may make sense for large orders.
Another strategy to use with international orders is to ask the customer to contact you by phone or email for shipping costs. A fraudster may consider this too much contact, and decide to go elsewhere.
Yellow and white page telephone directories for 30 countries can be located at http://www.anywho.com/international.html. Net2Phone allows anyone to call any phone in the world from their Internet connection at a fraction of the cost of a conventional long-distance phone call. Non-US businesses can use Net2Phone to verify US purchases. There are also many phone calling cards that offer extremely low rates for overseas calls. Contacting your foreign customers and the card-issuing banks is not that expensive, compared to the financial risks of delivering a fraudulent order. When contacting the card-issuing bank, keep a record of the name of the person you talked to.
CHECKING TELEPHONE NUMBERS:
The web sites at http://www.freeality.com/finde.htm and http://www.theultimates.com/ provide plenty of tools to match the telephone area code to a postal zip code, reverse telephone directories, search for email addresses, maps, directions, etc. The web site at http://www.anywho.com integrates telephone numbers, maps, and email addresses. The web site http://nt.jcsm.com/ziproundacx.asp also provides zip code and telephone area code matching. Any telephone book is out of date as soon as it is sent to the printer. The Baby Bells update as many as 500,000 records every day.
For under $10, the merchant can purchase a Rand McNally book each year titled the ZIP Code Finder, which includes telephone area code maps and ZIP codes for more than 120,000 places. You can also purchase a set of CD-ROMs which have address and telephone numbers. Use caller-ID to match names and telephone numbers. The merchant can call directory assistance to determine if the phone number on the order matches their number.
CALLING THE CUSTOMER:
Calling customers is not only an excellent way to detect fraud, but it can also be a valuable part of your customer service. The telephone call also gives the merchant the opportunity to welcome the customer, answer their questions, and build a solid relationship.
Sometimes the fraudster will submit the actual phone number of the person whose card was stolen. If the card holder did not authorize the charge, suggest that they call their credit card company to report their card as stolen.
I have personally called telephone numbers on the same day I received approved orders from registration services, and been told that the telephone number had been disconnected, or the number had been changed. This certainly sent up some red flags for filling an order that was approved by a registration service.
WEB SITE INFORMATION:
If your order form includes places to enter the CVV2 verification code imprinted on the credit card, the name of the card-issuing bank, the bank's toll-free telephone number printed on the card, and the customer's telephone number and email address, your additional verification can be quicker, and you may scare potential fraudsters away. Indicate that incomplete information will delay their order. State that you may need to contact the customer if there are any problems with their order. A fraudster will not reveal their telephone number as he/she can be traced, and the number would most likely not match one of the on-line phone directories.
Signs and cameras in brick and mortar stores help prevent shoplifting to some degree. Place prominent warnings on your site indicating that all orders are screened for fraud before processing. Web page graphics are available from www.merchant911.org to use on your site.
State on your website that you have anti-fraud safeguards in place, and will pursue prosecution for all fraudulent orders. Indicate that you will report all fraud to the FBI Internet Fraud Complaint Center at http://www.ic3.gov/. Even though federal investigators usually pursue larger fraud cases, knowledge of smaller frauds can reveal patterns to possibly break up larger fraud rings.
PROCESSING ORDERS:
The merchant should have a policy of not shipping any order until the charge can be verified by their additional checks. The merchant can send an immediate email confirmation of the order, and explain that additional checks are being performed to reduce fraudulent orders. The additional checks may take 30 minutes, or can take days if telephone and email exchanges are necessary. The processing delay may cause the fraudster to go elsewhere. Many fraudsters want instant gratification, and wish to remain anonymous, so they will not reply to your emails requesting additional information. These checks create an extra step for the customer and merchant, so they can also lead to lost sales.
Possibly establish a "holdover policy" for large orders. The dollar amount of the large order can vary depending on whether the order is domestic or international. Most credit card thefts are reported within 24 hours. Even after a phony card number is discovered by a retailer, it can take up to 24 hours for that number to be included in the databases that card processors use.
Fraudsters need to have their transactions approved, and take delivery of the goods before the fraud is discovered. Be wary of orders with immediate or overnight delivery. Crooks don't care about the increased costs, since they aren't planning on paying for it anyway. If the order is being shipped overnight, require a delivery signature (UPS, Federal Express, post office). The fraudster may be using an innocent person's house as a drop-off point.
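The checks described in the sections above can be combined into one pre-shipment screen that lists the reasons to hold an order. This is an added example, not code from the original article; the field names, the flag names, the 500.00 holdover amount, and reading "numeric portion" as the leading house number are all assumptions.

```python
import re
from typing import NamedTuple

HOLDOVER_LIMIT = 500.00  # assumed amount; the article leaves it to the merchant
PLACEHOLDER_STREETS = {"123 main street", "123 main st"}  # the article's bogus-address example

class Order(NamedTuple):
    bill_street: str
    bill_zip: str
    bill_country: str
    ship_street: str
    ship_zip: str
    ip_country: str     # country from the merchant's own lookup of the logged IP
    cvv_supplied: bool
    overnight: bool
    amount: float

def avs_key(street: str, zip_code: str) -> tuple:
    """What AVS compares per the article: street number and ZIP, nothing else."""
    number = re.match(r"\s*(\d+)", street)  # assumption: leading house number
    return (number.group(1) if number else "", zip_code.strip()[:5])

def screen(order: Order, issuer_street: str, issuer_zip: str) -> list:
    """Return the reasons to hold an order for manual checks before shipping."""
    reasons = []
    if avs_key(order.bill_street, order.bill_zip) != avs_key(issuer_street, issuer_zip):
        reasons.append("avs_mismatch")
    if not order.cvv_supplied:
        reasons.append("no_verification_code")
    bill = (order.bill_street.strip().lower(), order.bill_zip.strip())
    ship = (order.ship_street.strip().lower(), order.ship_zip.strip())
    if bill != ship:
        reasons.append("bill_ship_differ")
    if bill[0] in PLACEHOLDER_STREETS:
        reasons.append("placeholder_address")
    if order.ip_country != order.bill_country:
        reasons.append("ip_country_differs")
    if order.overnight:
        reasons.append("overnight_delivery")
    if order.amount >= HOLDOVER_LIMIT:
        reasons.append("over_holdover_limit")
    return reasons  # empty list: no flag raised by these checks

# Constructed sample orders; the issuer record on file is "42 Oak Lane", 53703.
ROUTINE = Order("42 Oak Lane", "53703", "US", "42 Oak Lane", "53703", "US", True, False, 39.95)
RESHIP = Order("42 Oak Lane", "53703", "US", "9 Dock Road", "10001", "GB", True, True, 899.00)

if __name__ == "__main__":
    for o in (ROUTINE, RESHIP):
        print(screen(o, "42 Oak Lane", "53703") or "ship")
```

The second sample passes the AVS comparison with the correct billing address yet is still held on four other flags, which is the case the article warns about. Because `avs_key` ignores the street name, "42 Elm Street" and "42 Oak Lane" in the same ZIP compare equal, so an AVS match alone is weak evidence.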
I just listed 10 of the main ones.