3/15/2007
Combating Card Fraud (or at least slowing it down)
I have a major client whose Authorize.net gateway account gets hit sometimes hundreds of times a day with charge attempts. Most are posted by an automated script from IPs coming out of Indonesia or Eastern Europe in an attempt to find a valid credit card number and security code. Fortunately, it hasn’t cost the client any money directly yet. Out of the thousands of attempts in the last few months only a couple of charges actually captured funds from the stolen card information. All of these were promptly cancelled after review.
In discussions with this client, we came up with the following options. They are listed in order of ease to implement and least impact on legitimate customers.
- Require only a billing address and plainly state that all orders are shipped to the billing address only
- Require the card billing address and the shipping address to be in the same country, or deny the order before sending it to Authorize.net
- Require all international orders to go through PayPal so the whole process can't be automated (or perhaps allow orders from countries with a low fraud percentage to use a credit card directly and route all others through PayPal)
- Automatically log the user out after X failed attempts
- Automatically block the IP address after X failed attempts for a period of anywhere from a few hours to a day or two
- Match the customer's IP address to the billing / shipping country before sending the charge to Authorize.net
My thinking is that the better methods would include ways of slowing down the requests so that automated script kiddie tools constantly fail, while legitimate users who are just having problems are not completely prevented from checking out. I also think a more robust system would use several layers of protection (just as a multi-layered approach to server security is better in the long run than putting all of your eggs in the single proverbial basket).
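One way to implement the failed-attempt lockout and IP-to-country matching layers from the list above, as an added example that is not the author's code: it assumes the legacy MaxMind GeoIP Country CSV column layout (start IP, end IP, start integer, end integer, ISO code, country name) and uses a constructed three-row table whose ranges are made up for the example.

```python
import bisect
import csv
import io
import ipaddress
import time

# Constructed sample in the legacy MaxMind GeoIP Country CSV layout;
# these ranges are made up for the example, not real allocations.
GEOIP_CSV = '''"10.0.0.0","10.255.255.255","167772160","184549375","US","United States"
"192.0.2.0","192.0.2.255","3221225984","3221226239","ID","Indonesia"
"203.0.113.0","203.0.113.255","3405803776","3405804031","DE","Germany"
'''

def load_ranges(text):
    """Parse the CSV into (start_int, end_int, country) tuples sorted by start."""
    return sorted((int(r[2]), int(r[3]), r[4]) for r in csv.reader(io.StringIO(text)))

def country_for_ip(ranges, ip):
    """Binary-search the range table; None when the IP falls in no listed block."""
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right([r[0] for r in ranges], n) - 1
    if i >= 0 and ranges[i][1] >= n:
        return ranges[i][2]
    return None

class CheckoutGate:
    """Layered checks run BEFORE a card is sent to the gateway (hypothetical class)."""
    def __init__(self, ranges, max_failures=3, block_seconds=3600, clock=time.time):
        self.ranges, self.max_failures, self.block_seconds = ranges, max_failures, block_seconds
        self.clock = clock            # injectable so tests can fast-forward time
        self.failures = {}            # ip -> declined attempts since last block
        self.blocked_until = {}       # ip -> timestamp when the block expires

    def allow(self, ip, billing_country):
        """Return (ok, reason); a blocked IP or a country mismatch never reaches the gateway."""
        if self.blocked_until.get(ip, 0) > self.clock():
            return False, "ip blocked after repeated failures"
        geo = country_for_ip(self.ranges, ip)
        if geo is not None and geo != billing_country:
            return False, "ip country %s does not match billing country %s" % (geo, billing_country)
        return True, "ok"

    def record_failure(self, ip):
        """Count a declined authorization; block the IP once X failures are reached."""
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failures:
            self.blocked_until[ip] = self.clock() + self.block_seconds
            self.failures[ip] = 0    # counter restarts after the block lapses
```

Unlisted IPs pass the country check so a gap in the database does not turn away a legitimate customer; the lockout layer still applies to them.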
Over the course of the next few weeks I will implement some of these options and dream up more if necessary. Stay tuned for updates.
Should your site be experiencing similar issues, contact me to discuss options.
Note
MaxMind supplies a free IP-to-country database in CSV format alongside their commercial IP database products.