ColdFusion Talk (CF-Talk)
credit card fraud
From: Al Musella, DPM (08/23/12 09:25 AM)

I run a charity website and am getting a blitz of donation attempts. It looks like they were trying a list of names and credit card numbers that they had - but they must have been old because only 1 out of hundreds succeeded. They tried to donate $1 with different names and credit card numbers on each attempt, but all from the IP address 113.161.94.67 which appears to be from Vietnam. I permanently banned that IP address from all of my websites. I am also going to limit bad attempts and increase the minimum donation to $2. Is there anything else I should do?

From: Cameron Childress (08/23/12 09:41 AM)

On Thu, Aug 23, 2012 at 9:25 AM, Al Musella, DPM <musella@virtualtrials.com> wrote:
> I permanently banned that IP address from all of my websites.
> I am also going to limit bad attempts and increase the minimum donation to
> $2.. Is there anything else I should do?

If you haven't already, you might want to consider adding some CAPTCHA to the form to at least slow them down. It may also be worthwhile to consider the impact this could have with your payment processor. They will see all these fraudulent attempts and may or may not care about it. It might be worth reaching out to them to pro-actively alert them. Even the $1 successes were probably fraudulent and they will be forced to charge those cards back.

-Cameron

From: Russ Michaels (08/23/12 09:46 AM)

You can also enable 3D Secure, which adds an extra level of security. Even if someone has gotten someone's credit card and CV2 number, it is unlikely they also have their 3D Secure login as well, unless they garnered the card from a hacked PC with a keylogger trojan.

You could also use something like http://www.maxmind.com/

From: Patti, Michael (08/23/12 10:10 AM)

I run several non-profit association websites, and about 2 years ago we got hit with a similar blitz on our donation forms. We were able to minimize the number of fraudulent donations by doing the following:

1) Put into place the CV2 field, and make it required.

2) Put in Captcha.

3) Make sure your forms function within the context of a user session, and when the order is submitted to the payment gateway (PayPal/Authorize.net), set the authorization code as a session variable. Then, check for the existence of that session variable. If it exists, do not allow the user to re-submit their order. This, more than anything else, helped to cut down the number of incidences we were seeing.

4) Consider putting into place a minimum donation of a higher amount (say, $5). It's a pretty common occurrence for donation forms to be used as a testing ground for stolen cards, because a small charge of $1 is less likely to be noticed than a larger card. Once a fraudster figures out which stolen cards still work, they can then move on to eCommerce sites and use the good cards to make larger purchases.

5) Banning a specific IP address won't do much to stop someone from using your site as a test-bed. They'll just set up another server at a different IP address, or use a proxy to mask their true location. If you know that you're not likely to receive legitimate donations from certain countries (like Vietnam), you can ban the range of IP addresses associated with that country, but people will still be able to find ways around those bans.

It sucks that charity sites would be targeted as a test bed for checking stolen cards, but they often represent low-hanging fruit to a fraudster.
If your organization is working towards PCI compliance (as we did), this type of activity can really put a ding in your efforts, but it's not too difficult to remedy the problem. It would also be a courtesy to get a report of the people whose cards were stolen (you can get that info from your payment gateway), and either ask your gateway to inform them, or let them know yourself. Much better to do that than wait for the flood of calls that will happen once people see those $1 charges from your organization on their statements, which are immediately followed by a $1000 charge to Best Buy. They might wrongly suspect that your organization was somehow responsible for the card being stolen, and you definitely don't want that.

Hope that helps,
Michael

From: Sebastiaan Naafs - van Dijk (08/23/12 11:09 AM)

There's of course always CFFormProtect (http://cfformprotect.riaforge.com/) - has worked for me for years and years. Great to stop bots, works 99,99% of the time. And it is unobtrusive for the end user.

Sebastiaan

From: Debbie

And accessible. I'm in the process of switching all of my forms on our site to use CFFormProtect. Captcha was in place when I took over a few years ago, so I never paid it much attention, until a few weeks ago when we got an email from a constituent that let us know he couldn't submit feedback on one of our projects because the letters and numbers on the form couldn't be detected by his screen reading software.
Debbie

From: Rick Mason (08/23/12 04:08 PM)

Al,

How about using a geo location library to get the country? If it isn't USA or Canada (or if it's just Vietnam) don't send it to the payment processor and always return denied?

From: Byron Mann (08/23/12 04:54 PM)

http://www.maxmind.com/app/ccfd_features

This is a pretty good service and very affordable. You might be able to hit them up for a free account if you are a non profit. Easy to integrate as well.

Byron Mann
Lead Engineer and Architect
Hostmysite.com

From: Casey Dougall - Uber Website Solutions (08/23/12 05:00 PM)

On Thu, Aug 23, 2012 at 4:54 PM, Byr
> http://www.maxmind.com/app/ccfd_features
>
> this is a pretty good service and very affordable. You might be able to hit
> them up for a free account if you are a non profit.

This is also built into Authorize.net as well. It's an option, something like an extra 10 or 15 a month.

From: Donnie Bachan (08/23/12 08:45 PM)

We handle credit card (and UK direct debit) fraud by assigning a fraud score to every single credit card submission. We generate the score at the time of purchase by using MaxMind and checking if the billing address of the credit card matches the IP country, checking if the billing address is in one of the high fraud countries, and a few other historical items (delivery addresses etc). If the total fraud score crosses a threshold the orders are put into a holding table and are reviewed by someone to determine if the orders do look dodgy. If they are false positives then we allow them to be processed, if not we reject the order. We do pre-authorisations on the card so we never store the CC information during the review process.
Someone mentioned using 3D Secure and that has helped us out a lot in reducing spam. We've seen it all from Vietnam to Ghana and even a few originating in the US with US credit cards but with shipping addresses in the Far East or Africa. We also block certain known IPs/cards/countries and display a message that there was a problem with the order, please call us to complete the purchase. Legit customers call, fraudsters don't! Our system works pretty well and doesn't rely on systems that may prevent legit people from submitting forms, which to be honest prevents bot spamming but doesn't help much with credit card/payment fraud.

Best Regards,
Donnie Bachan
"Nitendo Vinces - By Striving You Shall Conquer"

From: Lewis Sellers (08/25/12 11:19 AM)

> I run a charity website and am getting a blitz of donation attempts.

I should point out, depending how intelligent and determined the attackers are, the IP banning may only work temporarily. It is fairly easy to build database/code to dump new proxy IPs into it daily (lists are not hard to find), and have your attack software randomly connect through them, downgrading and dumping the proxy IP after n number of failures. If IP blocking is working, it probably means the person/group targeting you isn't very sophisticated.
Some people that barely know what they're doing, copy-catting a get-rich-quick scheme others told them about. Consider yourself fortunate in that regard. Also, those kinds of attackers usually use software that does a single direct post to a URL, filling all URLs it finds. It also has no sense of sessions, or cookies, etc. You can use all that against them. I find they occasionally do send a real live human to test things out though.

From: Al Musella, DPM (08/26/12 04:00 PM)

Perhaps set it up so that after 5 bad tries, instead of just banning him (which displays a page that the website is experiencing problems), we just don't send it to our processor, but just return a message that the transaction failed. So they would keep trying but get bad information.

From: Claude_Schnéegans (08/23/12 02:06 PM)

>> Captcha was in place

Every time I see a captcha in a site I'm tempted to run away. It is so user unfriendly, it is insulting. I don't know how CFFormProtect works, but it is so easy to have an onsubmit Javascript procedure that will add some hidden field in the form which the action template can verify.

From: Russ Michaels (08/23/12 02:27 PM)

Captcha can be very annoying when it is hard to read. CFFormProtect uses several techniques to detect human input, not captcha.

From: Claude_Schnéegans (08/23/12 02:41 PM)

>> cfformprotect uses several techniques to detect human input, not captcha

Are they invisible to the human? Some forms ask me how much is 2+2, this is insulting as well ;-)

From: Russ Michaels (08/23/12 02:49 PM)

Yes they are. It is built into Mangoblog too.

From: Matt Quackenbush (08/23/12 02:51 PM)

Did you bother to read where it was plainly stated, and I quote:

> And it is unobtrusive for the end user.

Why don't you just download the project and give it a try rather than foaming at the mouth about how it insults you.
From: Claude_Schnéegans (08/23/12 03:02 PM)

>> Why don't you just download the project and give it a try

Because I've been using my own system since years ago.

>> foaming at the mouth about how it insults you.

You're insulting me ;-)

From: Russ Michaels (08/23/12 03:38 PM)

He does it to everyone, get used to it :-)

From: Robert Harrison (08/23/12 03:45 PM)

What I'd like to know is why does the CFTALK list let anyone post with no name and no email address?

From: Claude_Schnéegans (08/23/12 04:00 PM)

>> why does the CFTALK list let anyone post with no name and no email address?

Probably because the CF_talk list system does not recognize ISO-8859 encoded addresses.

From: Al Musella, DPM (08/23/12 04:10 PM)

Thanks for all of the tips. I deal with brain cancer patients... adding in a captcha would make it too difficult. We had this in place since 1996 and never had a problem until today. I am looking through the CFFormProtect documents and will probably implement that. Banning that IP address worked - when I ban an IP, they get a message that the website has an internal error and to try again later. No bad attempts were made in the hours since I banned that one.

At 10:10 AM 8/23/2012, you wrote: [quoted text cut]

From: Al Musella, DPM (08/23/12 04:21 PM)

I thought about that but I get donations from many countries... even places I never heard of. I never got a donation from Vietnam but I did get a real one from Nigeria! Luckily, we do not send out merchandise.. so there is no incentive for bad people to scam me... who would go through all of that trouble to make a donation? They were just going through a list of credit cards to see which ones were still valid... I will change it so that no one person can make multiple donations from different names.

At 04:08 PM 8/23/2012, you wrote: [quoted text cut]
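The controls the thread converges on (Michael Patti's one-authorization-per-session check and minimum amount, Donnie Bachan's fraud score with a holding table for human review, and Al's idea of answering with a generic "transaction failed" after a few bad tries instead of calling the processor) fit together as one small pre-gateway pipeline. The sketch below is an added example, not code from the thread, from CFFormProtect or from any gateway; the list is a ColdFusion list, but it is written in Python so it runs stand-alone, and each step maps one-for-one onto a CFC. The GeoIP table, the high-risk country list, the thresholds and the Gateway class are all constructed placeholders standing in for a MaxMind lookup and a real processor.

```python
"""Donation-form fraud controls from the CF-Talk thread, sketched in Python.
Added example: every external dependency is simulated. IP_COUNTRY stands in
for a GeoIP lookup (e.g. MaxMind) and Gateway for the payment processor."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed GeoIP table (hypothetical values, not a real lookup).
IP_COUNTRY = {"113.161.94.67": "VN", "203.0.113.10": "US", "198.51.100.5": "NG"}
# Hypothetical high-fraud list; a real one comes from your own chargeback history.
HIGH_RISK_COUNTRIES = {"VN", "GH"}

MAX_ATTEMPTS_PER_IP = 5   # Al: stop calling the processor after 5 bad tries
MIN_DONATION = 2.00       # Michael's step 4 / Al's new minimum
REVIEW_THRESHOLD = 50     # Donnie: scores at or above this wait for a human


@dataclass
class Decision:
    outcome: str   # "approved", "declined" or "review"
    score: int
    reason: str


def fraud_score(ip, billing_country):
    """Donnie's scoring: IP/billing country mismatch plus high-risk country."""
    ip_country = IP_COUNTRY.get(ip)
    score, reasons = 0, []
    if ip_country is None:
        score += 10
        reasons.append("unknown IP country")
    elif ip_country != billing_country:
        score += 40
        reasons.append(f"IP country {ip_country} != billing {billing_country}")
    if ip_country in HIGH_RISK_COUNTRIES or billing_country in HIGH_RISK_COUNTRIES:
        score += 30
        reasons.append("high-risk country")
    return score, "; ".join(reasons) or "clean"


class Gateway:
    """Simulated processor: only the constructed 'good' card tokens authorise."""
    def __init__(self, good_tokens):
        self.good = set(good_tokens)
        self.calls = 0   # how often the real processor would have been hit

    def preauth(self, card_token, amount):
        self.calls += 1
        return f"AUTH-{card_token}-{amount:.2f}" if card_token in self.good else None


class DonationGuard:
    def __init__(self, gateway):
        self.gateway = gateway
        self.attempts = defaultdict(int)   # ip -> non-approved submissions
        self.review_queue = []             # Donnie's holding table

    def submit(self, session, ip, billing_country, amount, card_token):
        # Michael's step 3: an authorization code already in the session means
        # this visitor has submitted once; refuse a second submission.
        if "auth_code" in session:
            return Decision("declined", 0, "already submitted this session")
        if amount < MIN_DONATION:
            return Decision("declined", 0, "below minimum donation")
        # Al's soft decline: past the limit the processor is never called, and
        # the answer is identical to a real decline, so the caller learns nothing.
        if self.attempts[ip] >= MAX_ATTEMPTS_PER_IP:
            return Decision("declined", 0, "transaction failed")
        score, why = fraud_score(ip, billing_country)
        if score >= REVIEW_THRESHOLD:
            self.attempts[ip] += 1
            self.review_queue.append((ip, billing_country, amount, why))
            return Decision("review", score, why)
        auth = self.gateway.preauth(card_token, amount)
        if auth is None:
            self.attempts[ip] += 1
            return Decision("declined", score, "transaction failed")
        session["auth_code"] = auth
        return Decision("approved", score, why)


def simulate_blitz(ip="203.0.113.10", tries=8):
    """Constructed scenario: one IP cycling through bad cards with a billing
    country that matches. Returns the outcomes and the processor call count."""
    gateway = Gateway(good_tokens={"card-good"})
    guard = DonationGuard(gateway)
    outcomes = [guard.submit({}, ip, "US", 2.00, f"card-bad-{i}").outcome
                for i in range(tries)]
    return outcomes, gateway.calls


def simulate_resubmit():
    """Constructed scenario: a legitimate donor whose browser posts twice."""
    gateway = Gateway(good_tokens={"card-good"})
    guard = DonationGuard(gateway)
    session = {}
    first = guard.submit(session, "203.0.113.10", "US", 25.00, "card-good")
    second = guard.submit(session, "203.0.113.10", "US", 25.00, "card-good")
    return first.outcome, second.outcome, gateway.calls


if __name__ == "__main__":
    print(simulate_blitz())
    print(simulate_resubmit())
```

The order of the checks matters: the session and amount checks cost nothing and reject the common double-post and $1 probe before any lookup; the per-IP counter is consulted before the score so a burned IP never reaches the processor again; and only clean, in-limit submissions spend a gateway call. Counting review-queue hits as attempts keeps a single IP from filling the holding table the way it filled Al's donation log.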
June 19, 2013