Ask HN: Tips on preventing credit card fraud through Stripe?

7 points by Diamons ↗ HN
Long story short, I run an online selling platform like eBay. We take billing address, Cvc, expiration, use https but still got scammed. We basically hold onto the payment until the seller ships and forward them a cut but just got a call about an unauthorized debit purchase from a lady in Texas from our site.

Any suggestions ?

8 comments

[ 2.6 ms ] story [ 23.7 ms ] thread
Hmm I think in the prefrecences you can set it up to only charge if billing is same as shipping and all other data matches.

Your as protected as you can be at that point.

An easy to implement solution would be to use MaxMind's fraud API prior to capturing card data.

Although it's nowhere near fool proof it cuts out a good chunk of fraudulent orders. In our experience false positives have been very low (less than 2%) and detection has been fairly good (80%+)

I wouldn't deny orders completely based on MaxMind results, but if you have a human interpret the results / scoring or use it in conjunction with other methods, it's definitely a viable option.

Furthermore, you can use their call verification API, or even call card holders yourself whenever an order is placed to an alternate shipping address.

Fraud is just a fact of the business though, even with the best fraud detection and verification methods. Fraudulent orders may slip through, especially as you scale, and you should account for this as a cost of doing business.

What's the threshold (risk score) you use to consider a transaction as fraudulent?
Although we combine with internal scoring and manual review, as stated; If I was using MaxMind exclusively I'd consider 5.0 to 7.5 a good indicator of a possible fraudulent order.

This is based on their current riskScore system[1] (changing on January 1st, 2014) and 10 as an instant failure without review. Most orders will generate a non-0 score, however.

Another great tactic for preventing fraud is to never indicate an order has failed or a card hasn't been charged ('ghosting'), this is a tactic used heavily by Google for AdWords and other paid services.

Giving a clear indication of failure allows "carders" a way to easily figure out your detection algorithms by placing orders until one gets through, and share that information with others who will attempt to victimize your checkout process.

[1] http://www.maxmind.com/en/ccfd_formula

Any idea what the equivalent 'riskScore' would be? If we are starting using minfraud it doesn't make sense to use 'score'.

Thanks

riskScore is a combonation of hard coded scoring, along with what I'd equate to a bayesian filter.

In a way, riskScore simplifies the calculation, because it's a percentage instead of an arbitrary number. Depending on your business, I would consider starting at 30% for manual review, and 90%+ for auto refusal, making adjustments to the threshold from there.

Are you authorizing the card when you receive it? Stripe added a capture attribute to their api a few months ago allowing you to authorize a charge and then "capture" / charge the card when you ship the product.