Comment by gregw2
2 years ago
Been there. It might be competitors. It might just be fraudsters looking to see what they can get for free from that otherwise useless stash of credit card numbers they stole or got on some forum from someone who did. Once your marketing hits the radar of one of these crews they will pass your service on to each other. As a merchant you need to develop your own fraud screening techniques or pay someone to do it.
(Pardon me if I am projecting from my past startup experience to yours in all my comments.)
I am not blaming the victim. But the industry is set up so the merchant is most responsible for detecting and dealing with fraud. And that is probably objectively not a bad call. You have all kinds of ways to detect who is doing this and ways to stop this. I hate this crime with a passion and cut it down from 5000/mo to 50/month at my first startup when it blew up on us. But it is true the credit card middlemen, having externalized the risk to you, don’t then innovate incremental tools for merchants that well. I was frustrated that when I received fraudulent requests there was no third party I could report my suspicions of fraud to with a confidence rating (or check against other merchants’ suspicions). I did many years later see a service like that but now can’t find it.
I did just now find a pretty good list of merchant anti-fraud tactics which had tricks nobody told me at the time but I had to figure out myself and were pretty successful: https://support.authorize.net/knowledgebase/Knowledgearticle...
Good luck. These guys are persistent. In my case most of them were coming from poor countries where a dollar of fraud is worth a lot more of their time than yours. Until you stop them cold, they will keep coming.
What was your most successful defence to these attacks?
Not OP, but I had it happen to me and adding a "3DS" card verification to the checkout flow made the problem go away. The 3DS step is where they text the customer a number they have to type in to proceed.
It's a pain for the customer so I only do it on newish accounts, repeat customers don't get bothered.
This was LONG ago so some context is less relevant now and may not apply to others, but three of a dozen of our tactics turned the tide, the last being the best, but building on the others:
1) The basics: track all information entered in the signup process and display it in a signup email to our customer service/onboarding rep, along with whether and how often each piece of info was used (or was similar) in past locked/disabled-for-fraud accounts and have a human determine via eyeball if the composite picture looked like fraud. You’ll be surprised how often a customer saying his name was Ibrahim with a phone number in Egypt had an IP in Jordan and was using a credit card belonging to Sally Jones with a zip code in Kansas. Don’t automate the fraud decision. Have a human in the loop. Know your customers with a human touch up front at signup. (“Do things that don’t scale” is the more recent mantra for this approach.) But never emit info so fraudsters couldn’t game the system beyond the binary of getting enabled/disabled, and even then don’t give them immediate feedback during/post signup to run permutations quickly. Have a human vet asynchronously shortly post-signup as part of customer welcome/orientation call.
2) Silently partially disable international customers so they could sign up and give us info and do certain things but not really generate expensive transactions until a customer rep called and welcomed/vetted them and checked a box unrestricting them in our admin panel. (I say silently but if they actually got to the final step of a transaction, we did give them ways to reach out to us to get activated after talking to someone (which was manned 24x7). 99+% of the time, fraudsters never called/reached out.)
3) Most subtly, reps especially offshore ones from white label partners of ours were slow to use our ways to vet their (and thus our) customers even though their management was pushing our development team for more and more technical solutions to cut fraud. It was frustrating because I could see the fraud and it was a massive chunk of our partner’s revenue (1/3rd?) shortly out of the gate with us, but since they were a white label customer of ours I/we couldn’t exactly tell their lower level rep employees to get off their butts and take the fraud seriously (when even their management wasn’t getting through), nor did I want it to continue to harm their business because it would also harm ours.
Remembering the mantra “you can’t manage what you don’t measure”, I built an admin screen that their reps (and thus their bosses) could see that showed when each recent customer signed up and when they were cleared or locked out as fraud, how many minutes were between the two and who (which rep) locked/cleared the customer and how much was spent (lost) before the account was locked. The difference was profound. Fraud from the white label partner’s customers dropped practically overnight, from $5000 a month to under $50 just by adding a report that quietly made the humans in the loop accountable. I didn’t even have to tell the partner’s people what to do. I just made the outcomes measurable and visible and the problem took care of itself. It was a profound lesson for me early in my career. I wish that exact trick had been more useful for me since, but still — very eye opening. Chargebacks were never a problem for us again.
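An added example, not part of the comments above and not the commenter's code: a sketch of the signup summary described in tactic 1, counting how often each entered value appeared in past fraud-locked accounts and listing mismatches for a human reviewer, with no automated decision. All field names and data are constructed, and country codes are assumed to be resolved upstream (GeoIP, phone prefix, billing address).

```python
from collections import Counter

TRACKED_FIELDS = ("email", "phone", "ip", "card_fingerprint")
GEO_FIELDS = ("billing_country", "ip_country", "phone_country")

# Constructed sample: accounts previously locked for fraud. Cards are held as a
# processor-issued fingerprint (assumed), never as the raw card number.
LOCKED_ACCOUNTS = [
    {"email": "a1@example.com", "phone": "+20 100 555 0101", "ip": "203.0.113.7", "card_fingerprint": "fp_001"},
    {"email": "b2@example.com", "phone": "+20 100 555 0101", "ip": "203.0.113.9", "card_fingerprint": "fp_002"},
    {"email": "c3@example.com", "phone": "+962 7 5550 0102", "ip": "203.0.113.7", "card_fingerprint": "fp_003"},
]

def normalize(field, value):
    """Canonicalize a value so formatting differences do not hide reuse."""
    value = value.strip().lower()
    if field == "phone":
        return "".join(ch for ch in value if ch.isdigit())
    return value

def build_fraud_index(locked_accounts):
    """Count, per tracked field, how many locked accounts used each value."""
    index = {field: Counter() for field in TRACKED_FIELDS}
    for acct in locked_accounts:
        for field in TRACKED_FIELDS:
            if acct.get(field):
                index[field][normalize(field, acct[field])] += 1
    return index

def review_summary(signup, index):
    """Build the composite picture for a human reviewer; makes no decision."""
    reuse = {f: index[f][normalize(f, signup[f])] for f in TRACKED_FIELDS}
    mismatches = [(a, b) for i, a in enumerate(GEO_FIELDS)
                  for b in GEO_FIELDS[i + 1:] if signup[a] != signup[b]]
    names_differ = (signup["account_name"].strip().lower()
                    != signup["cardholder_name"].strip().lower())
    return {"reuse_in_locked_accounts": reuse,
            "country_mismatches": mismatches,
            "name_differs_from_cardholder": names_differ}

# Constructed signup modelled on the scenario in the comment.
SAMPLE_SIGNUP = {
    "account_name": "Ibrahim", "cardholder_name": "Sally Jones",
    "email": "new.user@example.com", "phone": "+20-100-555-0101",
    "ip": "203.0.113.7", "card_fingerprint": "fp_900",
    "billing_country": "US", "ip_country": "JO", "phone_country": "EG",
}

if __name__ == "__main__":
    print(review_summary(SAMPLE_SIGNUP, build_fraud_index(LOCKED_ACCOUNTS)))
```

The summary is meant for the internal onboarding email or admin panel only; nothing in it is returned to the person signing up.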