Battling the hassles of credit card and online fraud is not easy. Especially if you run a download platform like tradebit.
We face that burden every day and in hope to help one or the other fellow sysadmin in the never ending fight against crooks, script kiddies and credit card fraudsters, I would like to post some details on the technology I have implemented.
First of all: I strongly recommend Blocked.com – they offer a great “out-of-the-box” PHP script to help you (disclosure: links are affiliate links) – But that is not all…
The implementation of the script into your process is the key to lower the fraud rates significantly. Also the unstoppable rise of IPv6 poses a problem for the stressed website developer already and will become more important over the years.
So lets dive into the cornerstone topics:
a) IP based protection
With the increasing number of IPv6 based visitors to your website, you probably need 2 different methods to check for suspicious activity. We combine the ProjectHoneypot with the results of Blocked.com to pre-filter the usual suspects. On top of that we also do our own IP2Location service and try to figure out, from which country the user visits us. We need that to determine distribution rights anyhow.
b) Browser footprints
This is a bit more tricky and time consuming, because techniques to determine a browser footprint like “Pantopticlick” gather installed fonts, browser version, installed add-ons, operating system, etc. That takes some time (like 1-2 seconds) and that extra time can easily destroy your conversion rate. The best practice to do that is via AJAX asynchronously in the background while your potential buyer comes closer to the check-out page.
c) Behavioral filtering
This is the most complex and best approach to filter potential credit card fraud and attacks to your online estate. Complex, because it strongly depends on the kind of shop or service you are offering. For us the goal is to prevent the “carding” fraud: many credit cards are checked, if they are still valid by buying $1 goods. For tangible goods: I would rather access a country database for credit cards – each credit card has a built-in BIN (bank identification number). If you customer orders something to Malaysia but is located in US, a flag should be raised by your system. The rest is up to your imagination.
All in all: Preventing fraud is not just blocking fraudulent credit cards, but also preventing being gamed in other forms and with other methods. Blocked.com is your first stop to build up an infrastructure to support that.