Dealing With Credit Card Fraud
As I mentioned in my last post, fraudsters love websites that accept credit cards. What’s surprising is just how fast new sites get targeted. What to do when your weeks-old site gets discovered by bad seeds?
-
Don’t panic. Everyone who accepts credit cards faces this growing pain at some point. My best guess is that fraudsters search for keywords like “credit card” and make note of all the new sites they find. Well-designed sites are often easy to script, so the time between discovery and exploitation may be small. Our site was live for a handful of months before we started seeing fraud. A non-profit I know created a donation page and started seeing fraudulent donations within weeks.
-
Use your intuition. When we first noticed fraud, we contacted our payment gateway and asked for advice. Their response? “If it looks like fraud to you, it probably is.” That didn’t seem too helpful at the time but, stepping back, the message was clear: all services are different and you know your service well. True enough: we first suspected fraud when the ratio of $15/month to $8/month subscribers changed dramatically overnight.
-
Use your data. The ratio change alerted us to a potential issue. But it was all the other information we kept, like timestamps and request IP addresses for form submissions, that helped us find a common thread. Keep as much data as you can within the bounds of your privacy policy; it costs nothing and will help you connect the dots when the time comes.
-
Train yourself. Fraud will always require some amount of manual intervention on your part. Our initial investigation uncovered two quite different categories of bad behavior; this convinced us that we’d been targeted by multiple fraudsters. We decided to train ourselves by shutting down a handful of accounts that we were on the fence about and waiting for the angry replies. With a couple of exceptions, those replies never came. This was good feedback for our fraud detection wetware.
-
Detect and prevent scripting. To be profitable, fraudsters need volume. They are highly likely to script your site. Scripted account creation is usually detectable once you’ve seen enough of it.
-
Scripts are likely to move quickly. A normal user might take thirty minutes to create a new account, poke around, and decide to add a credit card. Scripts will do it in minutes. Shutting down accounts that move too fast is an effective strategy for preventing scripting.
-
Scripts are likely to fill out all form fields. Take advantage of this by adding invisible “honeypot” fields to your forms. Legitimate users will never see these, but scripts will happily provide a value. Honeypot fields are most effective when they’re given common names like “email”; name your real fields something else.
-
Scripts are likely to produce a common sequence of clicks and form submissions. If your legitimate users are unlikely to follow the same sequence, it should be easy to detect and disable scripting. Keep a per-account state machine around and shut down accounts that reach known bad states. In our case, we have both a web site and client applications; our state machine ties events from both together. It’s not as sophisticated as it sounds, but it is effective.
-
Scripts aren’t human. When all else fails, there’s always the CAPTCHA hammer. Nobody loves CAPTCHAs, but with a little love they can be made effective and not too insulting. I still see CAPTCHAs as an option of last resort.
-
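The three scripting signals above (speed, honeypot fields, and a per-account state machine) combined in one sketch. This is an added example, not code from our system; the state names, event names, the `contact` field, and the 120-second threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

MIN_SECONDS_TO_CARD = 120  # assumed threshold; tune against your own traffic
HONEYPOT_FIELD = "email"   # hidden decoy input; the real field is named differently

# (state, event) -> next state. State and event names are assumptions.
TRANSITIONS = {
    ("new", "signup"): "registered",
    ("registered", "page_view"): "browsing",
    ("registered", "client_login"): "browsing",
    ("browsing", "page_view"): "browsing",
    ("browsing", "client_login"): "browsing",
    ("browsing", "add_card"): "paying",
    ("registered", "add_card"): "bad",  # card entered with no activity at all
}

@dataclass
class Account:
    state: str = "new"
    created_at: float = 0.0
    reasons: list = field(default_factory=list)

    @property
    def blocked(self):
        return bool(self.reasons)

    def observe(self, event, ts, form=None):
        """Feed one web or client event; returns True once the account should be shut down."""
        if event == "signup":
            self.created_at = ts
        if form and form.get(HONEYPOT_FIELD):
            self.reasons.append("honeypot field filled")
        if event == "add_card" and ts - self.created_at < MIN_SECONDS_TO_CARD:
            self.reasons.append("card added too quickly")
        nxt = TRANSITIONS.get((self.state, event), self.state)
        if nxt == "bad" and self.state != "bad":
            self.reasons.append("known bad event sequence")
        self.state = nxt
        return self.blocked

def replay(events):
    """Run a list of (event, timestamp, form) tuples through a fresh account."""
    account = Account()
    for event, ts, form in events:
        account.observe(event, ts, form)
    return account

# Constructed sessions: (event, seconds since first request, submitted form fields)
HUMAN = [("signup", 0, {"email": "", "contact": "a@example.com"}),
         ("page_view", 90, None), ("client_login", 600, None), ("add_card", 1800, None)]
SCRIPT = [("signup", 0, {"email": "x@example.com", "contact": "x@example.com"}),
          ("add_card", 20, None)]
```

Recording every reason rather than stopping at the first one gives the manual reviewer the full picture when deciding whether to shut an account down.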
-
Detect and prevent botnets. Our first round of fraud was clearly from a botnet: no two fraudulent accounts were created with the same IP address. The set of bogus IP addresses spanned the globe. A quick trip to Google showed us that the majority of these addresses were known bad. As it turns out, Project Honeypot offers an HTTP Blacklist API that provides structured information about IP addresses. Plugins exist for most popular web frameworks; for instance, the Django HTTP:BL middleware is straightforward and well-maintained.
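For readers who would rather not pull in a plugin, the HTTP Blacklist lookup is a single DNS query whose answer encodes the verdict. The sketch below is an added example, not the Django middleware's code; the access key is a placeholder and the age and threat thresholds in `should_challenge` are assumed policy values.

```python
import ipaddress
import socket

ACCESS_KEY = "abcdefghijkl"  # placeholder; real keys are issued per Project Honeypot account
VISITOR_TYPES = {1: "suspicious", 2: "harvester", 4: "comment spammer"}  # bit flags

def query_name(ip, key=ACCESS_KEY):
    """DNS name to resolve: <key>.<reversed IPv4 octets>.dnsbl.httpbl.org (IPv4 only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join([key, *reversed(octets), "dnsbl.httpbl.org"])

def parse_answer(answer):
    """Decode the A record 127.<days>.<threat>.<type> returned for a listed address."""
    first, days, threat, vtype = (int(part) for part in answer.split("."))
    if first != 127:
        raise ValueError("not an http:BL answer: %s" % answer)
    if vtype == 0:  # search engine: the third octet is an engine id, not a threat score
        return {"search_engine": True, "days": None, "threat": 0, "types": []}
    types = [name for bit, name in VISITOR_TYPES.items() if vtype & bit]
    return {"search_engine": False, "days": days, "threat": threat, "types": types}

def should_challenge(verdict, max_age_days=30, min_threat=25):
    """Assumed policy: act only on recent, high-scoring listings; never on crawlers."""
    if verdict is None or verdict["search_engine"]:
        return False
    return verdict["days"] <= max_age_days and verdict["threat"] >= min_threat

def lookup(ip):
    """Live lookup (needs network and a real key). A failed resolution means 'not listed'."""
    try:
        return parse_answer(socket.gethostbyname(query_name(ip)))
    except socket.gaierror:
        return None
```

Logging the decoded verdict alongside each signup's IP address also feeds the daily review described later in this post.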
-
Use fraud detection services. There are plenty out there; they run the gamut.
-
Most modern payment gateways offer Address Verification Service (AVS) and Card Verification Value (CVV). While you should definitely use these services, they are actually quite basic. AVS generally only looks at postal codes and causes headaches for customers who have recently moved. Worse, stolen credit cards are often sold along with their associated postal codes. CVV is generally only available for North American credit cards. In addition, because the PCI DSS prevents storing CVV codes, charges made through credit card “vault” services will never include CVV. In general, if you use a vault, you need to make at least one non-vault charge in order to test CVV. Not all payment gateways support this.
-
A variety of third parties offer unique fraud detection services that are worth investigating. At the high end, Verisign and RSA both offer neural-net-based, real-time risk assessment services for online transactions. At a much lower price point, MaxMind’s minFraud service is interesting. In addition to credit card details, minFraud takes IP address, email domain, and timestamps into consideration.
-
-
Investigate your current accounts. Chances are good that by the time you detect fraud on your website, it’s already quite old. When you discover fraud, it’s worth doing a manual review of all recent accounts to make sure there’s nothing suspicious.
-
Keep your eyes open. Encountering fraud forced us to build new tools to log potential fraudulent conditions and to email those logs to us once a day. This forces us to pay attention. To reduce time-to-action, we built internal administrative pages with easy-to-use tools to help us investigate and respond to potential fraud. Our daily emails link directly to these tools, further reducing friction. We fully expect to see credit card fraud again on our system; we think that, with these tools, we’ll be ready to stamp it down when the time comes.