I subscribe to a number of newsletters on the internet and the following article by T.J. Walker (email: firstname.lastname@example.org) appeared in Issue #26 of the VirtualPROMOTE Gazette and is reproduced with permission.
To subscribe to the Gazette, visit http://www.virtualpromote.com/gazetteform.html
The VirtualPROMOTE Gazette is a publication of SmartDesk, Inc. and is edited by Jim Wilson.
AMCHO Computer Services Ltd.
Merchants Beware! Fraud is Rampant
The press is having a heyday with stories about Internet fraud. Newspapers, news shows and especially the Web-related magazines love to share stories of how consumers are getting ripped off by Internet scams. To be sure, those scams exist and consumers must be cautious. However, there is a sinister flip side of this situation that has received little, if any, press.
Unfortunately, the Internet is also the perfect environment for every crook, thief, and pickpocket to ply their trade with almost complete anonymity. Being in the online software business, I have seen a tremendous increase in fraudulent purchases made with stolen credit card information. In many cases, the thief has more complete and current information about the actual cardholder than the credit card company. In some cases, the credit card numbers provided pass through verification, are given an approval number and turn out to be totally fictitious numbers based on the algorithm used to produce authentic numbers.
I recently formed an alliance with a large merchant account provider specializing in providing credit card merchant accounts for Internet and Home-Based businesses. Through working closely with the credit card companies and other online merchants, I know the bottom line is this: You, as a merchant, are the one going to get it in the end (pun intended)! The cardholder is not responsible for more than $50 of fraudulent purchases. The issuing bank of a stolen credit card really doesn't care because they will simply charge the merchant back for any fraudulent purchases, plus a $10-$15 charge back fee. In fact, the issuing banks actually make $50 on these situations. They get the $50 from the cardholder (the cardholder's obligation), then they charge back each and every merchant for all the fraudulent charges.
So why is this situation getting so bad? Technology! Yes, the very same technology that allows us to have a profitable online business also allows those so inclined to rip us off. The advent of free, web-based, non-ISP Email addresses such as @hotmail.com, @usa.net, @juno.com and the 150 or so new ones being offered by www.inames.com affords a credit card thief a perfect veil to hide behind. These free Email addresses can't be traced back to the real owner. For those of us in the software business, the Email address is the only point of contact we have. That address is where our products are shipped.
To make matters worse, there are now software programs available that can generate an unlimited number of valid, yet fictitious credit card numbers. Combine that with complete anonymity and it spells big trouble for any business conducting online commerce. In addition, there are newsgroups out there that actually post stolen credit card data. So someone picks your pocket now and ten minutes later all your data is available worldwide.
So, what can you, as a merchant, do to protect yourself -- short of not accepting online credit card orders? Over the last month, my company has had to establish certain procedures for all online orders:
1. No credit card order is accepted unless complete information is provided including full address and phone numbers.
2. We no longer accept any order originating from a free, web-based Email address. The customer must provide an ISP or domain based address. One that can be traced back to a "real" person.
3. Since the list of free Email addresses is growing daily, we check every Email address by going to a browser and putting a www. in front of the domain. Try this with email@example.com. You will see that www.cyberdude.com puts you on I-names (150+ free Email domains) homepage. We don't accept orders unless the Email/domain is a legitimate website or ISP -- something that can provide definitive identification of the Email address in question.
4. If in doubt, we call the phone number listed on the order. We have alerted many cardholders that their card information was being used by making this phone call. On the other hand, the party on the other end may have never heard of the "customer." This results in a call to the issuing bank of the credit card to alert their fraud department.
5. We use the HTTP_USER_AGENT code on all our order forms. This line works with most form handlers such as FormMail, cgiemail and others. The exact syntax varies with the form handler, but it provides information on the computer used to send the order, including the IP address. This can sometimes be used to trace the origin of a fraudulent order. Check the documentation for your particular form handler or cgi script for implementation of this input field.
6. Virtual Checks -- we receive a great number of orders via online virtual checks. Having been burnt a few times, we now call the account holder's bank and verify the account number, account holder's name and current funds to clear the check before processing the order.
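Steps 1, 2 and 5 above can run automatically before an order reaches a person. The Python sketch below is an added example, not code from the article or its author: the field names, the `screen_order` helper and the three-entry domain list are assumptions, and `REMOTE_ADDR` is the standard CGI variable holding the client IP address, recorded here alongside `HTTP_USER_AGENT`. It also runs the card checksum, which, as the article notes, a fictitious number can pass.

```python
import re

# Constructed sample denylist: the free webmail domains the article names.
FREE_MAIL_DOMAINS = {"hotmail.com", "usa.net", "juno.com"}
REQUIRED_FIELDS = ("name", "address", "phone", "email", "card_number")

def luhn_ok(number):
    """Checksum test only; a pass does not show the card was ever issued."""
    cleaned = re.sub(r"[\s-]", "", number)
    if not re.fullmatch(r"[0-9]{12,19}", cleaned):
        return False
    total = 0
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def screen_order(order, environ):
    """Return (reasons_to_hold, audit_record) for one submitted order."""
    reasons = []
    missing = [f for f in REQUIRED_FIELDS if not str(order.get(f, "")).strip()]
    if missing:
        reasons.append("missing fields: " + ", ".join(missing))
    email = str(order.get("email", "")).strip().lower()
    local, at, domain = email.rpartition("@")
    if email and not (local and at and domain):
        reasons.append("email address is not well formed")
    elif domain in FREE_MAIL_DOMAINS:
        reasons.append("free web-based email domain: " + domain)
    if not luhn_ok(str(order.get("card_number", ""))):
        reasons.append("card number fails checksum")
    # Store request metadata with the order so a disputed one can be traced.
    audit = {"remote_addr": environ.get("REMOTE_ADDR", ""),
             "user_agent": environ.get("HTTP_USER_AGENT", "")}
    return reasons, audit

# Constructed sample input (documentation IP range, public test card number).
SAMPLE_ENV = {"REMOTE_ADDR": "192.0.2.10", "HTTP_USER_AGENT": "Mozilla/4.0"}
SAMPLE_ORDER = {"name": "A. Buyer", "address": "1 Main St", "phone": "555-0100",
                "email": "buyer@hotmail.com", "card_number": "4111 1111 1111 1111"}

if __name__ == "__main__":
    reasons, audit = screen_order(SAMPLE_ORDER, SAMPLE_ENV)
    print("HOLD" if reasons else "PROCESS", reasons, audit)
```

An order that comes back with no reasons has only cleared the automated checks; the phone verification in step 4 still applies when in doubt.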
I am in the process of establishing a new domain at http://antifraud.com/. The sole purpose of this domain will be a front line of defence for online merchants. This site will have up-to-the-minute lists of Email addresses used for fraudulent purchases and information provided by credit card processors and banks. If you would like additional information about either using this site or providing data for the site, please contact me.