
Protecting a Members-Only Website from Credit Card Fraud

by Dr. Ralph F. Wilson, E-Commerce Consultant
Web Commerce Today, Issue 49, August 15, 2001

Online content sites are especially vulnerable to fraud. A hacker may use a stolen credit card number along with a phony name -- it may or may not be the real name of the cardholder. Once a fraudster knows a valid credit card number, he can calculate several other valid credit card numbers issued by the same bank. It's pretty scary. Even if your card hasn't been stolen, the number could still be used to purchase goods via the Internet, since the processor only checks that a card is NOT on a list of stolen or overdrafted cards before authorizing a transaction.

To fully protect yourself, you ought to investigate the fraud detection service offered through most payment gateways using HNC Software's eFalcon service (www.efalcon.com). This typically costs $30 to $40 per month in addition to your gateway fees, but if your members-only content site handles a lot of transactions, it may pay for itself quickly.

Administrators of smaller sites will be wise to carefully examine each of the subscriptions and reverse any charges that look faulty. Since it's digital content, the fraud costs you in lost revenue, not lost merchandise. But if you pile up many chargebacks on your merchant account, you'll be paying a $15 to $25 chargeback fee for each incident, plus you risk losing your merchant account or paying a higher discount rate in the future.

Even though it's discriminatory, I believe it is a good idea to reject subscriptions from persons using a "free" e-mail address such as johndoe23@yahoo.com or crook51@hotmail.com. These free addresses are almost impossible to trace in case of fraud. AntiFraud.com (www.antifraud.com) has a list of more than 3,000 free e-mail address domains to check against.

Any time a person logs onto the Internet, his computer is assigned a unique IP address, a number such as 216.66.150.121. I capture the IP address of the purchaser, as well as a reverse domain look-up of that IP address. Then I compare the country of the domain with the subscriber's physical location and e-mail address.

Here's an example of a valid match:

Country: Canada
IP: 216.66.150.121
DOMAIN: bc-van-mut-a53-14-25.look.ca
Card: American Express
Authorization No: A 00 128572 N N

Notice that the country of the dial up domain matches the country the subscriber gives in his address. Below is an example of a recent fraudulent transaction:

Country: United States
IP: 202.95.156.6
DOMAIN: semar.yogya.pesat.net.id
Card: Visa
Authorization No: A 00 040018 081222587462284BBCFV 01 X X

Why would a subscriber in the US be getting Internet access from Indonesia? They wouldn't. This is a case of IP spoofing, using a vulnerable proxy server in Indonesia to mask one's true identity. I've learned to be especially wary of transactions originating in Eastern Europe. (More information in my article "How Cyber Thieves Hide Their Identity and How to Spot Them," WCT 10/15/00. www.wilsonweb.com/wct4/fraud-spoof.cfm)
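The comparison described above, together with the free e-mail check, can be run automatically on every subscription. The following Python sketch is an added example, not code from the original article: it reads the country from the country-code ending of the reverse look-up and reports each mismatch for manual review. The two lookup tables are small constructed stand-ins for real lists, and the e-mail address in the first record is constructed.

```python
# Added example: screening logic sketched from the article's description.
# CCTLD_COUNTRY and FREE_MAIL_DOMAINS are small constructed tables, not real lists.
CCTLD_COUNTRY = {"ca": "Canada", "id": "Indonesia", "us": "United States"}
FREE_MAIL_DOMAINS = {"yahoo.com", "hotmail.com"}


def hostname_country(hostname):
    """Return the country implied by a hostname's country-code ending, or None.

    Generic endings (.com, .net, ...) and empty reverse look-ups carry no
    country signal, so they return None rather than a guess.
    """
    if not hostname:
        return None
    tld = hostname.rstrip(".").rsplit(".", 1)[-1].lower()
    return CCTLD_COUNTRY.get(tld)


def screen_order(order):
    """Return a list of reasons this order deserves manual review."""
    reasons = []
    implied = hostname_country(order.get("domain"))
    stated = order["country"].strip()
    # No signal means the check cannot decide, so it raises no flag by itself.
    if implied is not None and implied.lower() != stated.lower():
        reasons.append(f"stated country {stated} but access from {implied}")
    email_domain = order.get("email", "").rsplit("@", 1)[-1].lower()
    if email_domain in FREE_MAIL_DOMAINS:
        reasons.append(f"free e-mail domain {email_domain}")
    return reasons


# The two records shown in the article, with an e-mail field added.
VALID = {"country": "Canada", "ip": "216.66.150.121",
         "domain": "bc-van-mut-a53-14-25.look.ca",
         "email": "subscriber@example.ca"}   # constructed address
FRAUD = {"country": "United States", "ip": "202.95.156.6",
         "domain": "semar.yogya.pesat.net.id",
         "email": "crook51@hotmail.com"}     # sample address from the article

if __name__ == "__main__":
    for record in (VALID, FRAUD):
        print(record["ip"], screen_order(record) or "no flags")
```

An empty result means only that these two checks found nothing; a reverse look-up ending in .com or .net says nothing about country, so such orders still need the manual examination described earlier.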

Receiving an authorization number from your credit card processor doesn't mean as much as you might imagine. When the card holder notices fraudulent charges on his statement, he'll disclaim any knowledge of the transaction, and his bank will back him. The authorization number you get from the processor is meaningless so far as protecting you from fraud. You must learn to protect yourself.

When you spot a fraudulent transaction, void the transaction if it hasn't cleared yet. If it has, immediately credit the cardholder with the correct amount. This should protect you from chargeback fees down the line. Then disable the username and password associated with the transaction. If you've captured the IP address, there's a chance that the police can compare an ISP's member access logs with that IP number at the time of the fraudulent transaction. Let's stop these crooks if we can!

