My Website is being Targeted by Credit Card Thieves

I run a small charity (providing instructive programming and social enterprise programs for at-risk youth) here in Toronto. In August, we set up our own credit card merchant account so that we can accept donations through the web, without the hassle, inconvenience and high costs of Paypal. Everything has gone smoothly, but this evening I noticed that we’ve now somehow become a target of credit card thieves who are using our server to try and ‘verify’ which of their stolen cards are valid and have not yet been reported. Basically, over the span of 48 hours there were a large number of $1 transaction attempts, each with the same fake phone number (5555555) and the same address, but different cards. Fortunately, all of the charges were declined so far, but I’m new to all this stuff and quite concerned that someone is trying to use our charity’s website for extremely nefarious purposes.

What, if any, steps can I take to prevent/mitigate this activity?

Can you have a script preprocess the card data so that if the phone number is all one digit it holds it for manual review, or if the donation is under $5.00 it holds it?

I run a web based business and I contract out my credit card handling to avoid this kind of problem. Constantly patching to keep up with security is a full time job and I don’t want the responsibility of directly handling credit card details myself. I pay a percentage but for that percentage I don’t have to worry about security, it’s not my responsibility and the credit card details never pass through my own server.

If I were you I’d consider approaching some ecommerce companies and seeing if they will do you steeply discounted rates as a charity.

Where did you come up with a merchant account cheaper than Paypal? I ask this because you may not have gotten a true merchant account. Some businesses will set up one merchant account, which is a process in itself, and then sell their merchant ID to others to use. That really shouldn’t be done, but that’s how they seem to undercut Paypal.

I’m not saying this is the case with you, but it’s something to look for.

Have you tried Google Checkout?

I just finished setting one up for someone tonight. Quite a quick process.

You could try an IP ban. Are you sure it isn’t kids just playing around? You can find formulas to verify credit cards on the web. In other words these algorithms will tell you if the credit card numbers check out to produce a workable CC#

Kids see this and think any number should work, not realizing most CC numbers cross-check with things like zip code or numbers in the address or a Customer Identification Number on the back.

One thing you can do is set up your system to reject any transaction from a specific IP address after a threshold of attempts is met. 3, 5, 10 - whatever you need to convince yourself it’s not an actual donor who made a mistake and had to try and process their donation several times.

So say they’ve got 100 card numbers to test on your store, and 1 in 10 is a valid card. They try 5, and all 5 are rejected, coincidentally. Or 1 of them works and they buy a bunch of stuff instantly. Either way, after those first 5, your store rejects every attempt on the basis of the identity thief processing too many transactions. Except the thief won’t have any idea whether you’ve identified him by transaction volume and are rejecting anything he tries, or if his card numbers are actually invalid. In the short term, you’ll give him a bunch of false negatives, and in the longer term they’ll eventually realize your site is not a good place to test credit cards.
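The three pre-screening ideas raised so far (holding attempts with an all-one-digit phone number or a donation under $5.00, dropping numbers that fail the public checksum formula before they ever reach the processor, and rejecting everything from an IP once it passes a threshold of attempts in a window) fit together into one small screening step in front of the payment gateway. The code below is an added example, not code from anyone in this thread or from any payment provider; the field names, thresholds, IP addresses and the sample attempts are all constructed for illustration. It returns the same "reject" for a velocity hit and for a bad checksum on purpose, since the point of the threshold is that the person testing cards cannot tell which reason applied.

```python
"""Pre-screen donation attempts for signs of card testing (added example).

Decisions:
  "reject" - do not forward to the processor (velocity threshold hit, or the
             number cannot be a card at all); show the donor a generic decline.
  "hold"   - forward nothing yet; queue for manual review (tiny amount or a
             repeated-digit phone number such as 5555555).
  "accept" - pass to the payment processor as normal.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Attempt:
    ts: int          # unix seconds when the form was submitted
    ip: str          # client address as seen by the web server
    phone: str       # phone number as typed by the donor
    amount: float    # donation amount in dollars
    card: str        # card number as typed (spaces/dashes allowed)


def luhn_ok(number: str) -> bool:
    """Luhn checksum: the public formula used to sanity-check card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:          # no real card number is this short
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def repeated_digit_phone(phone: str) -> bool:
    """True for numbers like 5555555 or 555-5555: seven+ digits, all the same."""
    digits = [c for c in phone if c.isdigit()]
    return len(digits) >= 7 and len(set(digits)) == 1


class Screener:
    def __init__(self, min_amount: float = 5.00, max_attempts: int = 5,
                 window: int = 3600):
        self.min_amount = min_amount      # donations below this go to review
        self.max_attempts = max_attempts  # attempts per IP allowed per window
        self.window = window              # seconds
        self.history = defaultdict(deque) # ip -> timestamps of recent attempts

    def screen(self, a: Attempt) -> str:
        q = self.history[a.ip]
        while q and a.ts - q[0] >= self.window:   # forget attempts outside window
            q.popleft()
        q.append(a.ts)
        if len(q) > self.max_attempts:
            return "reject"   # velocity: too many attempts from one address
        if not luhn_ok(a.card):
            return "reject"   # never forward a number that cannot be a card
        if repeated_digit_phone(a.phone) or a.amount < self.min_amount:
            return "hold"     # matches the $1 / 5555555 pattern from the thread
        return "accept"


# Constructed sample traffic: one genuine donor, then a tester hammering
# $1 charges from a single address (4111111111111111 and 4242424242424242
# are well-known dummy numbers that pass Luhn; ...1112 does not).
SAMPLE_ATTEMPTS = [
    Attempt(1000, "203.0.113.10", "416-555-0123", 50.00, "4242 4242 4242 4242"),
    Attempt(1010, "198.51.100.7", "5555555", 1.00, "4111111111111111"),
    Attempt(1012, "198.51.100.7", "5555555", 1.00, "4111111111111112"),
] + [
    Attempt(1020 + i, "198.51.100.7", "5555555", 1.00, "4111111111111111")
    for i in range(5)
]


def demo() -> list:
    """Run the sample traffic through one Screener and return the decisions."""
    s = Screener()
    return [s.screen(a) for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, demo()):
        print(f"{attempt.ts} {attempt.ip:14} ${attempt.amount:6.2f} -> {decision}")
```

Tune `max_attempts` with shared addresses in mind (a school or office behind one NAT gateway can legitimately produce several donations in an hour), and expect a determined tester to rotate through proxies, which is why the IP threshold is a deterrent rather than a complete answer on its own.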

After evaluating a whole bunch of options, we decided on a company named Beanstream. They’re inexpensive, have very good customer-service and lots of techies available when needed. Google Checkout looked good too, but they don’t offer their service to Canadian corporations yet.

I like Fuzzy’s idea of blocking an IP after ‘x’ number of attempts, will look into it asap!

coremelt: We do contract out the cc processing, Beanstream gave us the option to use either a hosted or on-site solution, and we went with hosted, so the cards are definitely secure and patching and whatnot is managed by Beanstream.
**MannyL:** I like your idea too, I will look into it.

Sounds like you’re all set but I’ll share my experience. I used to manage billing and payments for a large domain name registrar. We had a lot of problems with this because back in the 90’s we were one of the first ones to do real-time online authorizations, so the fraudsters used us to try out stolen card numbers so they could instantly find out what would work. A domain name was $35 for a year. Then the card owners would see the charge and put in for a chargeback. At that time, there were no three-digit numbers on the back of the card, so we as the merchant were liable for the chargebacks as a card-not-present transaction. After we adopted those codes, though, the association (Visa, etc.) considered the transaction equivalent to card-present and we were afforded much more protection, equivalent to getting a matching signature. We also started using a third-party fraud rating service with great success. They rate each transaction from 0-999 for likelihood of fraud, and we can choose whatever threshold we want for rejecting a transaction. They had some sort of neural network architecture where all the merchant transactions were fed into it for it to “learn” how to better detect fraud.

Just got off the phone with Beanstream and I’m pleased to report they were able to provide a ton of reassurance and security options.

It turns out they do have a threshold filtering system available, similar to what CookingWithGas mentioned. The system assesses risk based on things like “does the geolocation of the IP match the home-location of the credit card”. They can also filter out proxy servers, making it a real pain for the hacker to hide their IP using traditional methods.

If the situation escalates, we can also implement CVD checks and Verified by Visa (though IMHO it’s a bit of a pain for donors).

Plus, it turns out I can easily blacklist specific IPs as soon as I notice them :)

three cheers for Beanstream, and thanks for all the help everyone!