Velocity Credit Card Hacks
Velocity Credit Card Hacks are a little hard to explain and can really screw up your business if you're not paying attention.
First things first, what is a Velocity Hack? A Velocity Hack is when someone with stolen credit cards decides to use your online storefront to test multiple cards to see if they're good, and can therefore resell them on the black market or use them for fraudulent purchases elsewhere. You can easily tell this type of fraud versus normal credit card fraud because the goal is not to receive the merchandise they order from your site, often times they order things that don't make sense, such as 50 of the same item that someone would only ever buy 1 of, or the address may go to nowhere or be from a part of the world you don't or can't sell to.
Second, many merchants may not realize until it's too late how these annoying hacks/attacks can hurt them, because if they catch the order and don't ship it, they're not out the merchandise. However you're being billed for every attempted authorization via your payment gateway/merchant account. So these attacks can really add up. In most cases it's small, the fraudster may run dozens or even a few hundred cards to find a few good ones. At those levels it's mostly an annoyance, even if you're paying $.25 per failed authorization, the total damage is likely under $50 to you the merchant. However sometimes they'll use a script and run thousands of cards against your gateway and then the damage to your business can be serious.
What can you do as a merchant to protect yourself?
Start by checking with your Payment Gateway to find out if they offer controls to limit the number of cards tried from the same IP in a given amount of time, or the number of transactions total for a given amount of time. Some gateways may charge $5 or $10 a month for this service but it's well worth it.
Once you've enable any controls available to protect yourself, there are still a few more often overlooked steps to consider until the attack is over:
Work with your WebHost or Shopping Cart provider to block IP's from the fraudster. Use the date/time stamp from the order and they can look in the log files and block that IP. You can also use tools like this: www.proxyserverprivacy.com to find out IP's for whole regions and block them too. Be careful about this and make sure you update your list often if you're going to block whole regions as this list can change and IP's can be reassigned. You don't want to be blocking legitimate traffic.
Depending on your daily volume, choose to switch to a Simple Validation or Offline Validation mode. The vast majority of online merchants are doing less than 100 transactions a day and if you're in the middle of fending off a heavy consistent attack, switching to this mode is usually overlooked but can be very effective. This allows 100% of your orders to complete as long as it passes a simple Mod10 check on the credit card, and then you run them manually via your gateway before shipment. This may seem like a lot of work but you only have to do it for a few hours to a few days. It won't take long for the fraudster to realize every single card is approving and that they're no longer learning which cards are good. Once they get bored with your site and find a new one, you can go back to your normal processing method.
Finally to protect yourself from excessive Chargeback fees (on top of the failed authorization fees) make sure you Void any of these transactions that go through on the same day they came in, this way they never actually settle to the cardholders account and there's nothing for them to chargeback. Failing to do this can take a $25 - $50 problem and turn it into a $500 problem.
It's easy for us all (me included) to sit around and complain about the state of the credit card industry and how it's unjust that they actually profit from this kind of fraud. In the end though, that's just a fact of life, hopefully the tools to protect from this kind of fraud and eliminate any profit from this part of the system will be become widely available but in the meantime you need to take matters into your own hands and protect your business.
This post is filed under Navigating eBusiness and has the following keyword tags: e-commerce, shopping cart, credit card fraud.
3 Comments
Armando Roggio says:
Rick, great post. I learned a lot.
Alex Mulin says:
Some shopping carts offer "Stop list module allows disabling shop usage from specific IP" feature which looks to be just 100% useful against this kind of attacks.
Novusweb says:
Great article. We've had an occasional person test to see if a card is valid. We catch it by looking at every delivery address that comes through. If the shipping address is different than the billing, we look more closely. Once, we had an order for 3 of an item no one orders more than 1 of. The shipping address was a trailer park about 500 miles from the billing address. We called the cardholder and confirmed they did not place the order, then turned it over to the Secret Service.
Some thieves do a ploy to ship to an address, wait for UPS to show up, then steal the item. They will pay someone to watch for the delivery. We've had a couple of these attempts over the past 5 years. Generally for products that would re-sell well on eBay. The Secret Service staked out one once and apprehended the waiting patsy (a person the actual thief will pay to snatch the drop shipment). We've learned that any shipments to apartments different from the billing address are very suspect, as these are easy places for a thief to watch and steal once UPS leaves the package.
We also ALWAYS ship with signature required unless the buyer has specifically declined it (and we only allow declines on the phone).
Yes, it all takes a little bit of extra work, but no more than a brick-and-mortar might take to deter shoplifters or other thieves.
