
So criminals can guess a valid CC/CVC/Zip in 6 seconds, and merchants that get nothing but green lights across the board from their credit card processor will be left holding the bag when the card holder disputes the charge.

Merchants doing everything they can need better protection from this crap.




I designed the fraud prevention for a major ecommerce site (PCI Level 1). We used to get hit with lots of card testing, including botnets. They are easily mitigated. First thing is to detune your error messages. Combine all the errors into one generic message. This includes AVS, CVN, and Expiration. I've seen so many sites return the raw message back from the processor.

We also actively black-holed large blocks of IP addresses, including TOR exit nodes and open proxies. Before all the privacy people make comments: we're a store. If you show up wearing a ski mask we aren't going to sell to you.

Sometimes we went on the offense and detected the patterns/attributes of the botnets that allowed us to distinguish them from real traffic. We didn't block them, we fed them bad data. That made them go away fast.

Most important takeaway: mitigating fraud will lead to higher auth success rates as you build up the reputation of your MID (Merchant ID). It's not only important in preventing chargebacks but in increasing revenue.


It's the opposite in my experience. Detuning error messaging will increase abandonment as users won't know how to recover from errors (e.g. invalid CVV), thereby decreasing revenue. It's especially true where something like 3D Secure is in use and failure messages are varied.

I've also never seen risk-based authentication based on MID in place at issuers (I'm in SEA; it could be different in more developed markets). Rather, they have blanket bans on MIDs or categories of MID with high fraud-to-sales ratios. Payment processors and acquirers have fraud detection systems, but they will score, not actively decline.

So while someone abusing your service may land you in hot water, reducing their ability doesn't necessarily mean a higher authorization rate for regular transactions.


Regarding error messages: At a previous gig, we had to aggressively and repeatedly fight the business side who thought that vague credit card error messages were a large source of user confusion. Eventually, we won but it was certainly an eye-opening moment for the developers involved to even have to fight that battle.


I've had the same argument many times over error messages for login and forgot-password flows. Being security conscious is a way of thinking that many people aren't really capable of, and an even greater number have problems maintaining consistently. It's so ingrained in product managers to make their software as friendly as possible that they forget that sometimes their users don't have similarly noble intentions. This is also why social engineering is so successful. When it's your job to be helpful, it's very difficult to be strategically unhelpful when necessary.


If you have a sign-up page, the usual "invalid email or password" message on the sign-in form doesn't increase security.


Score your users based on attributes like what's in the cart, IP reputation, browser/OS, pages visited, source, 3rd-party fraud detection providers, etc. The score should reflect how likely the user is to be genuine or not. For well-scoring users, which should be 90% of your traffic, provide detailed messages.
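The two comments above (collapse AVS/CVN/expiry failures into one generic message and keep the processor's raw text out of the browser; then let a risk score decide which shoppers get a specific hint) fit together in one piece of code. The block below is an added example written for this page, not code from either commenter or from any processor; the response fields, the decline codes, the score weights and the threshold of 30 are all assumptions chosen for illustration.

```python
"""Added example (not code from any commenter): hide the processor's raw
decline detail behind one generic message, log the detail server-side, and
let a risk score decide when a low-risk shopper may see a specific hint.
Response fields, decline codes, score weights and the threshold are
assumptions for illustration, not any processor's real API."""
import logging
from dataclasses import dataclass

log = logging.getLogger("payments")

GENERIC_MESSAGE = ("We couldn't process this payment. Please check your "
                   "card details or try a different card.")

# Specific hints, shown only to shoppers the risk score rates as genuine.
DETAIL_MESSAGES = {
    "avs": "The billing address doesn't match what your bank has on file.",
    "cvn": "The card security code doesn't match.",
    "expired": "This card appears to be expired.",
}


@dataclass
class ProcessorResponse:
    """Constructed stand-in for a processor reply (field names assumed)."""
    approved: bool
    decline_code: str = ""   # ISO 8583 style code, e.g. "54" expired card (assumed)
    avs_result: str = ""     # "Y" match, "N" no match (assumed code set)
    cvn_result: str = ""     # "M" match, "N" no match (assumed code set)
    raw_message: str = ""    # processor free text: logged, never shown


@dataclass
class Shopper:
    """Attributes the scoring comment lists; all values constructed."""
    ip_reputation: float          # 0.0 clean .. 1.0 known bad (reputation feed)
    anonymizing_network: bool     # Tor exit node or open proxy
    prior_successful_orders: int
    cards_tried_last_hour: int    # distinct card numbers from this IP/session
    cart_value: float


def classify_failure(resp):
    """Collapse every failure path into one internal class (None if clean)."""
    if not resp.approved:
        if resp.decline_code == "54":
            return "expired"
        return "declined"            # do-not-honor, invalid card, etc.
    if resp.avs_result == "N":
        return "avs"                 # auth came back approved; merchant voids it
    if resp.cvn_result == "N":
        return "cvn"
    return None


def risk_score(s):
    """0 (looks genuine) .. 100 (looks like a bot); weights are assumptions."""
    score = int(s.ip_reputation * 40)
    if s.anonymizing_network:
        score += 30
    if s.cards_tried_last_hour >= 3:   # rotating cards is the card-testing signature
        score += 40
    if s.cart_value > 500:
        score += 10
    if s.prior_successful_orders > 0:
        score -= 20
    return max(0, min(100, score))


def shopper_message(resp, shopper, detail_threshold=30):
    """Return (failure_class, text to show the shopper)."""
    failure = classify_failure(resp)
    if failure is None:
        return None, "Thanks, your payment was accepted."
    # Full detail goes to the log for the fraud team, never to the browser.
    log.info("payment failure class=%s code=%s avs=%s cvn=%s raw=%r score=%d",
             failure, resp.decline_code, resp.avs_result, resp.cvn_result,
             resp.raw_message, risk_score(shopper))
    if risk_score(shopper) <= detail_threshold and failure in DETAIL_MESSAGES:
        return failure, DETAIL_MESSAGES[failure]
    return failure, GENERIC_MESSAGE


if __name__ == "__main__":
    cvn_mismatch = ProcessorResponse(approved=True, cvn_result="N",
                                     raw_message="CVV2 MISMATCH")
    regular = Shopper(0.0, False, 3, 1, 40.0)
    bot = Shopper(0.2, True, 0, 5, 40.0)
    print(shopper_message(cvn_mismatch, regular))   # specific hint
    print(shopper_message(cvn_mismatch, bot))       # generic message
```

A plain decline ("declined") never maps to a detailed hint regardless of score, since confirming which part of a guessed card was wrong is exactly what a card-testing bot is after; only the low-risk shopper who fat-fingered a CVV or address gets told which field to fix.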


I wish sites like newegg would treat customers with successful transactions as safe. I've had many times where they've outright canned an important order for really no reason. Trying to get them to accept it is a whole other hassle.


Vote with your wallet. I don't think this is common behaviour.


I have been. Despite it sometimes costing more I buy all my drives from other vendors. Mostly been amazon recently. They're cool with taking my huge orders.


There are tradeoffs, you have to balance security with usability. Generic payments failure messages are responsible for a lot of frustration in users, especially users who are paying online for the first time and have to go through complicated payments processes like 3D secure.


As a programmer, I get it, but as a user there's been a few times where I fat-fingered a number or an address and the payment failed - it was then a minor PITA to figure out exactly what I got wrong.


The merchant is not just left holding the bag. The merchant has to buy the bag...and it is not a cheap paper or plastic bag. It is a fancy, expensive, designer bag. When a charge is disputed, the merchant pays a fee of typically $15-30, regardless of who wins the dispute.

In other words, there are two possible outcomes to a dispute:

1. Merchant loses. Merchant refunds in full the amount of the charge plus $15-30 for the chargeback processing fee.

2. Merchant wins. Merchant gets to keep the amount of the charge, but still must pay the $15-30 chargeback processing fee.

From the merchant point of view, the credit card system is very annoying in that regard. If anything happens that requires that someone gets screwed, that someone will be the merchant.

The banks will not allow themselves to be screwed, because they run the system.

The credit card holder is a direct client of the banks, and the banks protect them to keep them happy.

The merchant account provider, which is where the credit card companies actually send the money for the merchant's sales, and is the entity that the credit card companies turn directly to in the case of chargebacks or fraud, protects itself by holding back part of the money it owes the merchant. The merchant account provider ends up holding a buffer of sometimes tens of thousands of dollars of the merchant's sales.

Worse, the merchant does not appear to be able to really know when payment from a credit card is actually final. According to nearly everything I can find on the net and in credit card company documentation, the limit on how old a charge can be charged back is 6 months or 1 year.

I know that is wrong because at a company whose payment handling software I maintain, we got a charge back on a transaction that was several months past a year old.

Another thing I saw that I would have thought impossible had I not actually seen it: we had a customer who bought a subscription to a monthly service. The initial purchase went through fine (transaction comes back approved, and a day or two later shows up as settled and paid). The renewal next month went through, and so on, for the next six months or so.

Then we got a notice that the last several of these had not actually gone through. The issuing bank had told the credit card processor that the transaction was approved, but we were told it was really declined, and no money was actually transferred.


> Worse, the merchant does not appear to be able to really know when payment from a credit card is actually final.

This is why I find it strange when people wring their hands over Bitcoin's 10 minute settlement window... Credit card transactions are regularly open for weeks if not months!


From the consumer perspective CC transactions are effectively instant, at least for the stripe transaction. Even introducing the short delay that the chips involve has been very unpopular. (Why they went with chip+sig is clearly some form of non-security motivation.)

The solution to bitcoin, ironically, would be bitcoin+signature. The signature is forming a contract, a promise to pay. This is different from waiting for /an/ actual payment to clear.


From my limited use of Bitcoin, the merchants only required the transaction to be broadcast. They didn't care if it had 0 or 1 or 100 confirmations. They only cared that it was broadcast. Which makes sense, considering they all apparently only did 4 Bitcoin transactions a month, if not less. (2 cafes and a pub)

This is completely different to how online stores have processed my Bitcoin. Usually waiting for 1-2 confirmations before shipping (Trezor is my example here)


But I can buy a coffee with my credit card without having to wait weeks or months to get it. This works because people have faith in the system, faith which in turn is built on identity information and legal systems. You could probably achieve the same thing on top of Bitcoin, but at that point why bother with Bitcoin (and the cost is nontrivial)?


Bitcoin is the same. Instant verification of authorization, but then it takes 10+ minutes to settle the account.


Transaction processors also face fines if the dispute percentage is too high. They don't have forbidden business lists just because they don't like pornography or sex toys. They can also be defrauded by merchants: make a fake business, make some fake purchases to yourself and after you get your money, disappear. Then a financial institution is the one holding the bag.

That said, it's absolutely true that an online merchant needs protection from fraud, way past what anyone that isn't Amazon-sized can do on their own. There are third parties that do checks prior to any processor. You can also rely on a processor that does more checking, or allows the merchant to make adjustments based on the level of risk they want.


> They don't have forbidden business lists just because they don't like pornography or sex toys.

Those are "high-risk" mainly because of "reputational risk", not because of chargebacks. Which I imagine is code for Visa or the banks thinking "If too many people with traditional morals get into political office, they'll start cracking down on us if we do business with the sex toy companies." https://en.wikipedia.org/wiki/Operation_Choke_Point

There's also some bad history with old porn sites, since they used 0-days to install dialers on people's computers to rack up tons of money when they used their dialup to connect to the internet. Hence the old "I think my computer has a virus", "Quit browsing those weird porn sites" retort you may have heard. They did other shady things which got Visa in a bit of trouble. It doesn't happen much anymore, but I suspect the organizational scars remain.

You've insinuated that pornography or sex toys are often "forbidden" because they have a high chargeback rate. But if you have 0 chargebacks after a few years, you still won't be able to negotiate a lower rate or to use a service like Paypal or Stripe. Because chargebacks aren't the reason.

Visa and MasterCard charge you $500/year each as an extra fee too, so I suspect the Stripes and Paypals of the world can't combine them into their aggregate account. A fee like that would seem to preclude even a specialized aggregate account, without a special agreement with Visa.

Also, if chargebacks were the issue, I would expect companies that only take debit cards to be in a different risk category than those that take credit cards. Debit cards have reduced fraud protection, so a Paypal or Stripe's underwriting should be more lenient for them. But I've never heard of Stripe letting you sell porn or of Visa waiving the fee if you only take debit cards. It could just be uncommon though.

Plus, I believe both Paypal and Stripe ban selling porn even using e-checks, which is more evidence against chargebacks being the issue. There shouldn't be any restrictions on the ACH system, and even if there usually were somebody could set up a state credit union in Oregon or similar to handle it.


> Those are "high-risk" mainly because of "reputational risk", not because of chargebacks.

This may be partially true, but I'd imagine they still see a higher rate of chargebacks. "What's this on the credit card bill, honey?" "Porn?! Someone must have hacked my intertubes!"


ACH still has chargebacks. For up to six months after the debit, no less.


It does, but the only allowable reason is "not authorized". Of course, for this type of fraud, that's the reason that matters.

Thought it worth mentioning though, because in the CC world, a lot of the fraud is return fraud. Like "Item Not Received" or "Not as Described" being used when they aren't true.


I wonder how much of "Item Not Received" is due to poor transport security, like delivering the item to someone's 'property' but just leaving it outside, unattended and unsecured.


That's part of it. The chargeback system is a complete joke, however. I had one guy that I was very suspicious about, so I hired a PI to see if the item was visible in his small business, and take a picture.

The tracking number showed the item delivered to the person, signed for with a known employee's name. I submitted this, as well as a picture of the item in the guy's shop. I still lost the chargeback. Got my revenge in the end though...see below.

A tip for anyone that has a particular chargeback where they know they were screwed. If the issuing bank has any presence in your state...sue the cardholder's bank (or perhaps Visa/MC/AMEX) in small claims. In my case, Chase settled for the amount I sued for, which I made sure was on the high side. They don't like to spend money on corporate lawyers going to small claims.


First off, what a jerk, glad you got your money back. Second though, too bad you can't sue for damages in time wasted stressing out about this and having to file a lawsuit + likely do some research. Hopefully it was at least a few grand to make it worth your time. Hopefully also you appealed the first chargeback decision, which I'm guessing took at least a month or two.

Some people just seemingly think of creative ways to screw other people for fun, or because they figure no one will stop them.


Well, in most small claims court cases they can't send a lawyer, and have to send an employee who is unfamiliar with the case, which for a company like Chase may mean flying in an employee and putting them up for a night or two.


Fun aside. In the UK the Bacs system (similar to ACH) has no time limit on chargebacks (called indemnity claims). So you could do an indemnity claim there 10 years after the debit.


Kogan charge your card a slightly lower random amount than the transaction total and ask you to verify the exact figure before they will fulfill the order. Simple and clever.
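The check described above works because only someone who can read the card statement learns the exact figure. The catch a practitioner should notice is that the answer space is tiny: if the reduction is 1 to 99 cents, a fraudster who has the card but not the statement can simply try amounts, so the verification has to cap attempts and void the order when the cap is hit. The block below is an added example written for this page, not Kogan's code; the 1..99 cent reduction, the three-attempt cap, the HMAC storage of the charged amount and the in-memory order record are all assumptions.

```python
"""Added example (not Kogan's code): verify that the shopper can read the
exact amount charged, and lock the order after a few wrong guesses because
the answer space is only 99 values. Reduction range, attempt cap, HMAC
storage and the order record are assumptions for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

MAX_REDUCTION_CENTS = 99   # charged amount is total minus 1..99 cents (assumption)
MAX_ATTEMPTS = 3           # only 99 possible answers, so guessing must be capped


@dataclass
class PendingOrder:
    order_id: str
    total_cents: int
    amount_tag: str        # HMAC of the charged amount; the amount itself is not stored
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def _tag(server_key, order_id, cents):
    # Bind the tag to the order id so tags cannot be compared across orders.
    msg = f"{order_id}:{cents}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def create_challenge(order_id, total_cents, server_key):
    """Pick the reduced amount to actually charge; return (charged_cents, order)."""
    charged = total_cents - (secrets.randbelow(MAX_REDUCTION_CENTS) + 1)
    order = PendingOrder(order_id, total_cents, _tag(server_key, order_id, charged))
    return charged, order


def parse_amount(text):
    """'123.45' -> 12345; returns None for anything that isn't a whole-cent amount."""
    try:
        cents = Decimal(text.strip().lstrip("$")) * 100
        if not cents.is_finite() or cents != cents.to_integral_value():
            return None
        return int(cents)
    except InvalidOperation:
        return None


def verify_amount(order, claimed_text, server_key):
    """One verification attempt. Locks the order after MAX_ATTEMPTS misses."""
    if order.locked or order.verified:
        return False
    order.attempts += 1
    claimed = parse_amount(claimed_text)
    if claimed is not None:
        candidate = _tag(server_key, order.order_id, claimed)
        if hmac.compare_digest(candidate, order.amount_tag):
            order.verified = True
            return True
    if order.attempts >= MAX_ATTEMPTS:
        order.locked = True   # void the auth; a fresh checkout is required
    return False


def guess_without_statement(order, server_key):
    """A fraudster who cannot see the statement walks the 99 possible amounts."""
    for reduction in range(1, MAX_REDUCTION_CENTS + 1):
        cents = order.total_cents - reduction
        if verify_amount(order, f"{cents // 100}.{cents % 100:02d}", server_key):
            return True
        if order.locked:
            return False
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # server-side secret (constructed here)
    charged, order = create_challenge("ord-1", 12345, key)
    print("charged", charged, "verified:",
          verify_amount(order, f"{charged // 100}.{charged % 100:02d}", key))
    _, order2 = create_challenge("ord-2", 5000, key)
    print("blind guessing succeeded:", guess_without_statement(order2, key),
          "attempts used:", order2.attempts)
```

With the cap in place a blind guesser succeeds in at most MAX_ATTEMPTS out of 99 cases (about 3%), and the order is voided afterwards, so the card tester pays the cost of a fresh authorization for every further try; without the cap the 99-value space is exhausted in under a minute of scripted requests.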


Merchants get chargebacks, and back when I used to run a small online business, these were $25 a pop. Any kind of "online protection tools" would reduce the fraud by a bit, but nothing eliminates it.



