30 Oct 2008 02:40 pm
Zen and the art of Fighting Fraud
There’s really nothing Zen about fighting fraud on the Web. It’s a frustrating, draining, and painful experience.
At IdeaSIP, we’ve been fighting fraud from day one. We just didn’t realise it. It wasn’t until we had our premium (read: pay) services up and running that we discovered that some of our new users were simply waiting for the opportunity to hit us in our blind side. We took all the standard precautions — limiting credit card transactions to valid addresses and card verification numbers, relying on the credit processors to work their magic. We made it impossible to authorise a transaction based on an invalid billing address (you can actually allow invalid billing addresses, which I found amusing). We made it impossible to do this, that and the other — all within the limit our processing gateway would allow.
And our reward for our naiveté was credit card fraud day in and day out. Almost all of it came from Egypt or compromised machines in the Middle East in the beginning, but as we locked more and more of those machines out, it spread to compromised machines all over the world. You’ve no idea just how many poorly-secured computers there are in the world that can act as a proxy from which someone can attack or defraud you until you start getting hit by them. I could use a different hacked computer every hour for the rest of my life and never run out of them. Some of them are even left intentionally unsecured just to offer a haven for criminals.
Now don’t get me wrong. I’ve nothing against hackers. I grew up in amongst that sort of computer subculture element. I even attended a hacking party or two. But hackers are to these sorts of criminals as people who speed are to wanton mass-murderers. There’s certainly a potential for danger, but that’s not what it’s all about.
The people hitting us, though, were systematic and thorough and absolutely determined to commit fraud. Always using the credit card numbers or stolen PayPal accounts of unsuspecting people, and trying desperately to buy services from us, either for the purpose of actually having services, or just to test the validity of the stolen information they’d likely just purchased from a shady dealer on some hidden Internet chat channel. Rumour has it you can buy credit card numbers for less than $1USD, and full identities including social security numbers for around $3USD.
I spent a majority of my time, as I felt personally responsible for each and every fraudulent transaction, tracking down the people whose cards had been used, calling them up, and letting them know their cards were stolen. It was getting in the way of everything.
My posts here, of course, became sporadic at best, as I spent time and energy working out ways to thwart those who would see us bankrupt. I worked with law authorities in several countries. We even had a professional translator translate some of the postings that at least ONE of the fraudsters posted onto an Arabic web site, explaining how he was hacking into our site for the good of getting back at the US (we’re a Bahamas company, but apparently that doesn’t matter. I guess we’re ‘close’ to the US in geographic proximity).
We weren’t the only ones being hit, of course. I know personally at least a dozen other communications companies that were all hit by the same people (and still are).
I’d be up all night, checking logs and examining new sign-ups to the service to see if they fit a classic profile of our fraudulent users. It cut deeply into what little personal time I had left after devoting eighteen hours a day to the company.
I’d hound the developers to fix things, both on the payment processing side, and on our payment acceptance side. We spent countless hours debating different solutions to fight the problem, including commercial solutions, home-grown solutions, and mixes of the two….
And eventually, we came to one solid conclusion: In a world of virtual services, there really is no absolute way to fight fraud. To understand why, you have to understand how our businesses differ from those traditional businesses that deal with credit cards on a regular basis.
The brick and mortar stores have it easy. Someone has to physically walk in with a credit card and swipe it there at the machines. They have to have picture ID that matches who they are, and when they walk out of the store, they walk out with merchandise. It’s all very clean. Sure, there’s identity theft that’s becoming rampant in the modern economy, but it takes a dedicated criminal to pull that off properly. You need to open up a credit account in someone’s name, which means you need information about the person, and IDs to prove you’re that person. This isn’t a job for the casual whim. It takes planning and time.
The Amazons of the world are a little easier to defraud, but it’s still not easy. You purchase an item from them, and they have to ship an item somewhere. At the end of the day, if you’re picking that item up, you run the risk of the police waiting for you at the destination once the fraud has been discovered. There’s still that physical exchange of merchandise being delivered to a fixed address that makes things more difficult overall.
Internet services, however, offer a service. We don’t send items in a box. There’s no tracking number. There’s no location to us other than an IP address — and those change all the time in this day and age. We never see you. You never see us. You give us virtual money using numbers and identification information, and we give you what amounts to credit for services. The services cost us money, so we have our own people to pay, but if the transaction turns out to be fraudulent, and we don’t catch it in time, that’s money to which we simply have to wave goodbye. Why? Because we’re not criminals. We actually have to pay our bills.
And so we rely on the validity of this exchange of digital information back and forth. Customers rely on us to provide them with services they can never touch. And we rely on customers we never see to pay us with money that is purely digital. It is an economy that is almost designed for fraud. And fraud is what happens — time and time again.
It was really only when we came to this acceptance — this almost Zen-like sense of understanding of the true nature of the business we run, that we were better-equipped to deal with the constant onslaught of fraud. We redesigned both our payment acceptance procedures and our methodology.
It makes it a bit more inconvenient to the potential user of IdeaSIP services. But in the end, I think users actually interested in IdeaSIP will see the value of jumping through the few extra hoops in order to be assured that we, as a company, will still be around for years to come. I only hope our users see it the same way.
I suppose only time will tell.
January 23rd, 2009 at 3:00 pm
This is an incredibly scary story! How do consumers and business people avoid using cards online? It’s so convenient! There doesn’t seem a chance these criminals will get caught because there are so many and from all over. It’s crazy. Thanks for sharing your story.