Ask HN: Tips on preventing credit card fraud through Stripe?
Long story short, I run an online selling platform like eBay. We take billing address, Cvc, expiration, use https but still got scammed. We basically hold onto the payment until the seller ships and forward them a cut but just got a call about an unauthorized debit purchase from a lady in Texas from our site.
Any suggestions ?
8 comments
[ 2.6 ms ] story [ 23.7 ms ] threadYour as protected as you can be at that point.
Although it's nowhere near fool proof it cuts out a good chunk of fraudulent orders. In our experience false positives have been very low (less than 2%) and detection has been fairly good (80%+)
I wouldn't deny orders completely based on MaxMind results, but if you have a human interpret the results / scoring or use it in conjunction with other methods, it's definitely a viable option.
Furthermore, you can use their call verification API, or even call card holders yourself whenever an order is placed to an alternate shipping address.
Fraud is just a fact of the business though, even with the best fraud detection and verification methods. Fraudulent orders may slip through, especially as you scale, and you should account for this as a cost of doing business.
This is based on their current riskScore system[1] (changing on January 1st, 2014) and 10 as an instant failure without review. Most orders will generate a non-0 score, however.
Another great tactic for preventing fraud is to never indicate an order has failed or a card hasn't been charged ('ghosting'), this is a tactic used heavily by Google for AdWords and other paid services.
Giving a clear indication of failure allows "carders" a way to easily figure out your detection algorithms by placing orders until one gets through, and share that information with others who will attempt to victimize your checkout process.
[1] http://www.maxmind.com/en/ccfd_formula
Thanks
In a way, riskScore simplifies the calculation, because it's a percentage instead of an arbitrary number. Depending on your business, I would consider starting at 30% for manual review, and 90%+ for auto refusal, making adjustments to the threshold from there.
A cruicial problem of running marketplaces is any pathway by which stolen CC numbers (readily available by the dozen for pennies) can be turned into cash will be heavily targeted by fraud. See discusson on this here: https://news.ycombinator.com/item?id=5091069 ,and esp the recommendation on getting a Fraud Guy.