Wednesday, August 22, 2012

Credit Card Numbers Fun

Since a new school year is upon us, I thought I'd share some interesting credit card facts so that you can get your math brain going.


Luhn formula



A credit card number must be from 13 to 16 digits long. The last digit of the number is also known as the “check digit”. This digit is calculated from the other digits using the Luhn formula (a.k.a. Modulus 10).
  1. Start with card number
  2. Drop the last number (check number)
  3. Double every other number in the string
  4. Sum all numbers
  5. Multiply by 9
  6. The last digit of the result is the check number
I know, that's a lot of steps, right? Good thing we have the algorithm built in to gateways and payment terminals!

Ready for more numbers?

Credit Card Validity



Here is another algorithm used to determine the validity of a credit card.
  1. Take the credit card number
  2. Double every other digit from right to left starting from the second to last number (meaning, exclude the check digit)
  3. Sum up all the double digit numbers (i.e. 14 becomes 1+4) to make single digit numbers
  4. Add all the numbers up, including the unaffected numbers from the original
  5. If the result is divisible by 10, then the credit card number is valid
Try it at home with your credit card numbers!
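Both procedures above, written out as an added Python example (not code from the original post). It uses the standard Luhn rule, in which a doubled digit above 9 is reduced to the sum of its digits; 4111111111111111 is a widely used test number, not a real card.

```python
import re

def luhn_sum(digits, double_first):
    """Walk the digits right to left, doubling every other one.

    A doubled value above 9 is reduced to the sum of its digits
    (14 -> 1 + 4 = 5), which is the same as subtracting 9.
    """
    total = 0
    double = double_first
    for d in reversed(digits):
        if double:
            d *= 2
            if d > 9:
                d -= 9
        total += d
        double = not double
    return total

def check_digit(payload):
    """First procedure: derive the check digit from the other digits."""
    digits = [int(c) for c in payload]
    # With the check digit dropped, the rightmost remaining digit is doubled.
    return (luhn_sum(digits, double_first=True) * 9) % 10

def is_valid(card_number):
    """Second procedure: the full number is valid if the sum divides by 10."""
    cleaned = re.sub(r"[ -]", "", card_number)
    # Reject anything that is not 13 to 16 plain digits before doing math.
    if not re.fullmatch(r"[0-9]{13,16}", cleaned):
        return False
    digits = [int(c) for c in cleaned]
    # The check digit itself is not doubled; doubling starts one to its left.
    return luhn_sum(digits, double_first=False) % 10 == 0

if __name__ == "__main__":
    print(check_digit("411111111111111"))   # payload of the test number
    print(is_valid("4111 1111 1111 1111"))
    print(is_valid("4111 1111 1111 1112"))  # one digit changed
```

A number that passes this check is only well-formed; the check says nothing about whether the account exists or is open.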


Beyond Validation



As mentioned above, a credit card number has 13 to 16 digits.  The first 6 digits of the number are the Issuer Identification Number (IIN), sometimes called the Bank Identification Number.  The IIN not only tells you what kind of credit card it is (e.g. Visa, MasterCard, etc.), it also contains issuing bank information.  With an American Express card, you can even tell whether the card is a business or a personal card.


Using IIN to Prevent Fraud



The IIN can be used to prevent fraud.  For example, IINs from foreign countries deserve a closer look, especially in light of other transactional information, such as the billing, shipping and IP addresses.  Also, once you confirm a case of fraud, make sure to go back and look at similar transactions.  We recently came across a case where a merchant saw suspicious orders around the same time, all with cards with the same IIN.
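One way to do the "go back and look" step, as an added Python example that is not from the original post: group stored orders by IIN and flag any IIN that shows up on several orders inside one time window. The 30-minute window, the threshold of 3 and the sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def iin_clusters(orders, window=timedelta(minutes=30), min_orders=3):
    """Return {iin: [order ids]} for every IIN that appears on at least
    min_orders orders within one sliding time window."""
    by_iin = defaultdict(list)
    for order_id, placed_at, iin in orders:
        by_iin[iin].append((placed_at, order_id))

    flagged = {}
    for iin, rows in by_iin.items():
        rows.sort()                      # oldest order first
        start = 0
        hits = set()
        for end in range(len(rows)):
            # Shrink the window until its oldest order is close enough.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 >= min_orders:
                hits.update(oid for _, oid in rows[start:end + 1])
        if hits:
            flagged[iin] = sorted(hits)
    return flagged

# Constructed sample data: (order id, time placed, first 6 card digits).
# Only the IIN is kept here, never the full card number.
T0 = datetime(2012, 8, 20, 14, 0)
SAMPLE_ORDERS = [
    ("A100", T0, "411111"),
    ("A101", T0 + timedelta(minutes=4), "411111"),
    ("A102", T0 + timedelta(minutes=9), "555555"),
    ("A103", T0 + timedelta(minutes=11), "411111"),
    ("A104", T0 + timedelta(hours=5), "555555"),
    ("A105", T0 + timedelta(hours=6), "411111"),
]

if __name__ == "__main__":
    print(iin_clusters(SAMPLE_ORDERS))
```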

Wednesday, August 15, 2012

Are You Reviewing Too Many Orders?

"Are you manually reviewing over 20% of your incoming orders? "

That’s the question I ask whenever a merchant tells me that he doesn’t have a fraud problem. The answer, almost 100% of the time, is yes. 

"What percentage of those reviewed orders do you reject?"

If your answer is the same as the one I described above, then I apologize to be the bearer of bad news, but YOU have a fraud problem.

Manual Review: Unrecognized Consequence of Fraud

Many merchants associate fraud with fake credit cards and chargebacks. While those are obvious signs of fraud, too much manual review is an overlooked indicator that perhaps there is something simmering beneath the surface. If you are reviewing a large percentage of your orders, ask yourself why. If no fraud existed, every order would simply need to be processed and fulfilled, and both can be done somewhat automatically. If you are not looking to catch potentially fraudulent transactions, what ARE you looking for?

Manual review has a big monetary impact. The time and resources required for manual review are costs of fraud that merchants often overlook. Many merchants spend a lot of time reviewing incoming orders, sometimes hours, often staffing the team with multiple people. According to the 2012 CyberSource Online Fraud survey, the biggest cost of dealing with fraud is the staffing cost for manual review. The largest team that I've ever heard of has about 50 members.

Adding Up the Costs

For a small merchant paying a customer service agent to review orders 2 hours a day, even at minimum wage, the cost is close to $500/month*. This is money taken from profit, away from operating costs or away from your marketing spending.

Save Time, Save Money

Since time IS money, the sooner you recognize that too much time is going into preventing fraud, the earlier you can become armed with the proper mentality and approach to save that money. Review your order screening process with critical eyes and look for patterns. Are there things you always check when you review? When you train your staff, what do you tell them to look for? With those answers, try to see if you can automate part of the process to reduce the number of orders slated for review. For example:
  • If you always reject orders from foreign countries, set your system so that it automatically rejects orders coming from foreign IP addresses.
    or
  • If you always accept orders under $30 without sparing even a glance, have your system automatically route them to processing/fulfillment.
Using tools to automatically accept good orders and reject obvious bad orders will save you time so that you can focus on those orders needing more detailed reviews.

Wednesday, August 8, 2012

3 Strategies to Outsmart Fraudsters

Last week I shared some tips on spotting card testing cases.  This week, I am sharing some basic strategies to combat this type of fraud.

Card testing is often more an annoyance than a headache, as quick eyeballing can easily spot these fraudulent attempts (see the sample fraud orders from the last post).
However, switching from an automated or semi-automated order processing system to one heavily reliant on manual review (not to mention the additional administration of canceling orders and factoring these orders out of sales statistics and analysis) can escalate this minor annoyance to a major pain.

Here are 3 strategies we've seen that hopefully can help you tackle this problem and minimize administrative issues.

1. IP Black List 


The easiest solution would be to block the recurring IP addresses where the card testing orders are coming from. However, this can be a tedious cat and mouse game since the fraudsters will just switch IPs.

You can also try blocking a range of IPs or IPs from specific high-risk countries. There are free services you can use to obtain the range. Certain platforms also have features that allow you to customize the IP block list. For example, Yahoo Stores has the "IP Blocking" feature.

At this point, if you are lucky, the fraudsters will probably cease their attack and go somewhere else. They might become sophisticated and use proxies or other methods to bypass your IP country block, but this roadblock will deter many unsophisticated fraudsters.

2. Automate Cancellation


Another strategy is to let the orders come in, automatically flag them for cancellation, and then cancel them. This way, the fraudster’s strategy is unlikely to change, so they become very predictable and thus more manageable. This strategy is sometimes preferred over #1 because it's like fighting in stealth mode! You can use this strategy to collect data to potentially flag future orders that might come in with similar credentials, like email or phone number, but this time with normal-looking order information. Any data you can get to build your own "fraud cases" would be extremely helpful.

3. Minimize Manual Review  


Some merchants have dealt with this nuisance the old-fashioned way, by throwing more hands at looking at orders. Some merchants spent up to 1/4 of their time reviewing orders! Although not as cost effective, manual review, at the end of the day, is still a must.

The goal of setting up any effective and successful manual review protocol should be to minimize the number of orders to be reviewed as well as the time spent on reviewing each order. This means implementing a filtering system to first weed out transactions that are obviously fake/fraudulent/bad, and then using the right tools to aid and expedite your review. For example, you can implement both #1 and #2 to automatically filter out fraudulent orders right away to reduce the number of total orders in the queue. You can then lay out a systematic process to check for remaining factors.
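A sketch of combining #1 and #2 as a first-pass filter, added here as an example and not taken from any store platform: orders from a blocked IP range are flagged for cancellation and their email and phone are remembered, so a later normal-looking order reusing them lands in the review queue. The class name, field names, decisions and sample orders are all constructed assumptions.

```python
import ipaddress

class OrderScreen:
    """Strategy #1 and #2 together: block by IP range, cancel quietly,
    and remember the contact details for later orders."""

    def __init__(self, blocked_ranges):
        self.blocked = [ipaddress.ip_network(r) for r in blocked_ranges]
        self.seen_emails = set()
        self.seen_phones = set()

    def screen(self, order):
        addr = ipaddress.ip_address(order["ip"])
        # Normalize so "Tester@..." and "(305) 555-0100" still match later.
        email = order["email"].strip().lower()
        phone = "".join(ch for ch in order["phone"] if ch.isdigit())
        if any(addr in net for net in self.blocked):
            # Flag for cancellation and keep the data as a "fraud case".
            self.seen_emails.add(email)
            if phone:
                self.seen_phones.add(phone)
            return "cancel"
        if email in self.seen_emails or phone in self.seen_phones:
            # Normal-looking order reusing details from a cancelled one.
            return "review"
        return "process"

# Constructed sample orders; the IPs come from documentation-only ranges.
SAMPLE_ORDERS = [
    {"ip": "203.0.113.45", "email": "Tester@example.com", "phone": "(305) 555-0100"},
    {"ip": "198.51.100.7", "email": "tester@example.com", "phone": ""},
    {"ip": "198.51.100.8", "email": "other@example.com", "phone": "305-555-0100"},
    {"ip": "198.51.100.9", "email": "buyer@example.com", "phone": "212-555-0199"},
]

def run_sample():
    screen = OrderScreen(blocked_ranges=["203.0.113.0/24"])
    return [screen.screen(order) for order in SAMPLE_ORDERS]

if __name__ == "__main__":
    print(run_sample())
```

Only the last sample order goes straight to processing; the second and third come from clean IPs but reuse the cancelled order's email and phone.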

Wednesday, August 1, 2012

5 Signs Your Store Is Suffering from Card Testing Fraud

In the last few months, we have seen a noticeable increase in an unsophisticated form of credit card testing, especially with our Yahoo Store merchants. “Card testing” happens when fraudsters use online stores as testing grounds for the credit card information they have.  Usually, they don’t care about the actual goods or services being purchased during the transaction.  Their only goal is to “test” the cards to make sure they have not been blocked/canceled and the credit limits have not been reached.

For example, we came across different variations of the following:

Name:     weratawreta fsgsdfg
Address:  dfgsdfgs
          Miami, FL 33166
Email:    dfdsfsdf@yahoo.com

Name:     rtretertr trtrtrt
Address:  456 4ffdefs
          544
          los angeles, ca 90021
Email:    hgfdfgff@gmail.com

These two cases are SO obviously fraudulent, because of the gibberish information they contain, that they are easy to spot. However, sometimes card testing can be a little more sophisticated and not so outright fake.  Here are 5 other things that should help you determine whether you are under a card testing attack!