Fraud Prevention

Effective Tools to Detect Stolen Credit Cards, Part 2 Of 3

Many online merchants are already on board with fraud-detection technology. To fill in the gaps, here is part two of a comprehensive list of fraud detection strategies. Previously we discussed authorization and address and credit card verification. Here are five more ways to catch fraudsters in the act.

Telephone verification

The telephone number can be used for several fraud checks. First, the area code can be cross-checked against the address, to see if the two match. “I use’s Reverse Lookup tool for that,” says Michelle Rahm, owner of the jewelry selling site “It’s free and easy.”

Phone numbers also can be used by merchant-initiated services such as VariLogiX, PhoneConfirm, StrikeIron and MaxMind to automatically place a call. The person on the other end of the line is given a 4-digit code and then must enter that code into the order form. The payment process can proceed if the correct code is entered. Fraudsters notified of this in advance are likely to ditch the order, rather than have a phone number traceable to them. One merchant using MaxMind said that this service lowered its fraud numbers to “virtually zero.” Cost is 5 to 20 cents per automated call.

Finally, a growing group of merchants are picking up the phone themselves, calling customers as a “customer service” before shipping out goods. It’s a move that both verifies that the number isn’t disconnected or changed (a big red flag if so) and that the person at the other end of the line wants your merchandise (a verification that bolsters a merchant’s case in the event of a chargeback).

“Before making the call, take a look at Google Streets or Google Maps,” says Ori Eisen, founder and chief innovation officer for Scottsdale, AZ-based 41st Parameter, a fraud detection service. “Ask the person to verify their address, and ensure that you have the nearby cross streets right. The real customer would know the nearest cross streets.”

Email verification

Merchants that require a customer’s email address on the order form can use this as a peek into the order’s legitimacy. Emails from free email service providers, like AOL and Yahoo, or nonexistent websites have a higher chance of being fraudulent, according to several sources. Merchants can type a given email address into Google to come up with associated names, as a side verification.

If the email address matches the card holder’s name, email a “thank you for your order.” This provides one more link in the paper trail and allows what could be the real-email user a chance contest a fraudulent purchase before it’s charged to their card.

IP geolocation

Using data from the customer’s Internet provider, this tool can identify the country, city or state where a customer actually placed the online order. Some can check to see if the IP (Internet protocol) address is a proxy, which merely shields the users real IP address.

Country-level tracking is available for free at, which provides IP matches as a downloadable sql file. provides city-specific results for as little as $49 per server. IP tracking codes also can be added in the hidden “Environmental Report” field of a merchant’s order forms. Form handlers such as FormMail, SendMail and Blat.exe each require different codes; ask for the respective one. Once coded, IP information will be included when each order is submitted.

“The geographic location of a proposed transaction can be a significant indicator of potential fraud, particularly when that location doesn’t match the address provided by the customer,” says Kerry Langstaff, vice president of marketing for Quova Inc., one of the many IP geolocation providers. She says that 68 percent of orders with registration addresses in one U.S. state with orders placed in another turn out to be fraudulent and that registration addresses from outside the U.S. represent nearly 50 percent of credit-card chargebacks.

Meanwhile, “IP geolocation matching is not going to stop a sophisticated thief, since he’s going to hook up with a proxy server in Ohio for an order in Ohio,” Clements says. “Now the companies providing those services are having to check for proxy servers.” Additionally, IP masking services-like that at for $34 per address-could hide potentially authentic customer’s IPs worried about privacy.

Device identification

Services like 41st Parameter will track down the computer source for each order, even going so far as identifying the time zone where an order was placed and the browser language setting on the ordering computer. “We saw attacks that tried to take $500,000 a day from one merchant with the shipment of 42-inch plasma TVs,”; says Eisen at 41st Parameter, which offers device tracking. “All the data looked perfect, until you looked at time zones and device IDs and browser language settings and realized they were all coming from the same computer. That could take a smaller merchant down.”

BIN country matching

The first six digits of a credit card number identify the issuing bank. Known as the issuer or bank identification number, IIN or BIN, the six numbers can be entered into free BIN lookup tools like that at or subscription tools like MaxMind’s minFraud to get the name of the bank and its location. Rule of thumb: If the bank is in one country, the order should be coming from the same. even offers BIN blocking, automatically blocking settlements based on BIN or country.

Stay tuned in the coming weeks for more real-time fraud detection and prevention strategies.

Jennifer D. Meacham
Jennifer D. Meacham
Bio   •   RSS Feed