50
51

What I learned about chargebacks after getting hit by massive credit card fraud (self.startups)

bemmu 投稿

I also published this post on my blog, it has pics too. I also cross-posted this to /r/entrepreneur.

 

One day I checked how many new subscribers our box had gained during my time away. Firstborn child, busy with learning infant care, so hadn't checked in a week.

 

Wow, a ton of new members are joining, hooray!

Seems they are all finding us through Google. We must have been mentioned in the media somewhere. Fantastic news! I went straight to Slack to brag about the great sales numbers.

Then I decided to look at the traffic in a bit more detail, to see where this sudden good luck was springing from.

Hmm, odd.

The conversion ratio for organic search traffic is unnaturally high. In other words, the number of people searching for Candy Japan on Google hadn't changed, but somehow the amount of orders coming in from search had massively increased.

Having a conversion ratio over 5% for one day is a statistical anomaly. Sustaining it for the better part of the week means that something strange is going on.

 

Could it be fraud?

I knew that there are people out there buying stuff with stolen credit cards. Hey I've seen Tom Hanks chase DiCaprio in Catch Me If You Can.

I was aware that a certain percentage of transactions is always fraudulent, but I had always assumed that these transactions would be mixed in with real ones. Hundred real orders there, then one fraud case dripping in here.

Since the level of fraud I had experienced so far was at an acceptable level, I assumed everything is OK.

 

Everything is not OK.

What I hadn't expected was having all of this fraud happen suddenly with such force.

While from Google Analytics I had noticed that a lot of sales had happened, it didn't reveal the severity of the issue. Looking at the list of transactions, I saw that thousands of payment attempts had been made with different cards during those 4 days. For each successful sale, the fraudsters had tried a dozen cards that had failed.

 

Easy money

I started reading a bit more about how this underworld works. Apparently these criminals are called "carders". The stolen cards originate from credit card security breaches, resulting in a big list of card numbers. These are later sold online in packs filtered to working card numbers only, which can be purchased for about $10 per valid card.

To be able to compile and sell these packs, the carders need to know which ones are valid. To do this, they will use an online store or service to place an order for the sole purpose of seeing if the charge goes through or not.

If a store ends up as such a checking endpoint, they will see a sudden influx of a lot of fake orders. That's what was happening to me (and recently also to jsbin).

Carder uses my store to test 10 cards before they find one that works. For each attempt I pay a 0.15€ transaction fee to my gateway and another $0.10 fee to subscription middleware Recurly. So even before a successful order comes in, I'm already out around three dollars.

Then they hit upon a card that works. Now the fee to charge that card is a bit higher, since money is actually moving. Our candy subscription is $25 / month, which costs me $1.76 in fees to charge (Recurly fee is $0.10 + 1.25%, gateway fee is 0.15€ + 2.75%).

Believing this to be a real transaction, I ship the product to them. Candy itself, shipping, labor etc. will cost something around $15. So now I'm out $19.76, but I received $25. What's the problem?

 

Chargeback

When the real owner of the card notices the surprising charge on their card, they will dispute it by contacting their bank or credit card company. The customer receives their money back, as they should.

The money I thought I had is taken from me and on top of that there is a 15€ chargeback fee. The end result is that I lost not only the transaction fees, but also the product and labor cost and on top of that get hit with an extra penalty.

As I wasn't set up to handle these fees, I had to spend weeks just to understand what all this means and to write a bunch of glue code to export the chargeback information and convert them from gateway internal IDs to the ones understood by the Recurly gateway. Then even more code to cancel and adjust all those subscriptions to avoid charging them again or shipping any more product.

For orders which I later noticed as very likely being fraudulent, I proactively refunded them, despite having already shipped many of those orders, leading to more losses.

Later on these shipments will likely return to sender, as the fraudsters very likely used false names and addresses, leading to more work still.

 

Conclusion

I lost weeks of productive time and thousands of dollars in money and product.

Currently I have credit cards disabled until I can integrate with a fraud detection system, which will likely lead to lost sales.

DiCaprio is cool, but I will be rooting for Tom Hanks next time.

 

Thanks for reading

If you thought this was interesting, I am writing an ebook on subscription boxes. Or if you'd like me to send you some candy, check out Candy Japan.

全 32 件のコメント
並べ替え:
ベスト
トップ新着論争中古い順Q&A

[–]c00yt825 9ポイント10ポイント  (0子コメント)

I'll soon he launching... Thanks for putting this on my radar.

Bets of luck with figuring out the trouble. Also, let me know if you found a good fraud detection system!

[–]blk_slp 4ポイント5ポイント  (0子コメント)

Yeah the carders are the worst. I worked in e-commerce for a small/medium sized gourmet food website and we got slaughtered by them daily. Sometimes it would get so bad that our gateway would shut down our account for an hour or so at a time which was devastating during the christmas season.

I did as much research as I could and we managed to hack together a couple tricks so they would at least move on to greener pastures. Some are looking for a response from your gateway. If you are telling them AVS mismatch or CVV mismatch it gives them part of the answer. While it sucked for our customers, we changed that to a default error response with no indication of what was the problem. The second thing was had the gateway setup for "$0 inquiries" with cards that accepted them. Our gateway processor didnt charge us to check AVS/CVV if the balance was 0. If the checks came back a match we would then process the transaction. It was still a pain in the ass but I think it got our website off the carders list because it basically stopped all that bullshit.

[–]Wannabe2good 3ポイント4ポイント  (5子コメント)

one reason I accept only PayPal is they tell me "confirmed" and "unconfirmed" for the shipping address and buyer's account. I learned to never ship to an "unconfirmed" account, instead, emailing or calling the new "customer". rarely do I get hit after years of using this PayPal warning method

[–]throwaway_holla 0ポイント1ポイント  (1子コメント)

Does Stripe do this?

[–]Wannabe2good 0ポイント1ポイント  (0子コメント)

no idea, but I've never heard it mentioned

[–]SgtPooki 1ポイント2ポイント  (2子コメント)

PAYPAL gets a bad rap but people don't realize that they do a ton of work protecting you, merchants and buyers, from these fraudulent charges.

Source: ex PAYPAL employee

[–]vswimv 1ポイント2ポイント  (0子コメント)

Paypal still sucks for a lot of reasons. However this is a good idea.

[–]ERAU -1ポイント0ポイント  (0子コメント)

So you're saying I'm getting what I'm paying for? I didn't even think about chargeback a but I use PayPal and sleep good at night.

[–]CellSeatStarting First Business 2ポイント3ポイント  (0子コメント)

Thanks for sharing your experience in the "big bad world" that many of us are about to get into!

[–]TotesMessenger 2ポイント3ポイント  (0子コメント)

I'm a bot, bleep, bloop. Someone has linked to this thread from another place on reddit:

If you follow any of the above links, please respect the rules of reddit and don't vote in the other threads. (Info / Contact)

[–]n0solace 1ポイント2ポイント  (0子コメント)

Credit card fraud is a huge problem, which is exactly what my start up is trying to combat. There are so many fraudsters out there and the banks always side with the card holder, never the merchant.

if anyone is interested here's the link to our site.

[–]amosschorr100-Upvote Club 0ポイント1ポイント  (1子コメント)

Wow that's terrible. Why do you think they picked you as their testing ground to determine if the cards worked?

[–]FanaHOVA 3ポイント4ポイント  (0子コメント)

It's about the amount of money you can spend without triggering an alert; same thing happened to JSBin

[–]laptop13 0ポイント1ポイント  (2子コメント)

Does your gateway or processor not have a volume check, where only so many attempts from the same IP are tried? I would think that the bank or gateway would have some fraud detection integrated already, it may just not be enabled. Then again I do not recognize either service you are using.

I hope you get things back rolling again. I wouldn't keep CC's off, just keep a watch on it and get some fraud detection integrated ASAP. Don't let this slow your business down.

[–]bemmu[S] 0ポイント1ポイント  (1子コメント)

Seems their accepted volume was 20, so I had up to 20 attempts in a row before they would start over with new name / address (probably IP as well).

[–]laptop13 3ポイント4ポイント  (0子コメント)

Can that be lowered? How many people try a CC 20 times? You enter the number wrong, once or twice, you switch CC's once maybe. Esp if you arent a big store where people absolutely need what they are buying. I would say 3-4 should be max. per IP. Hopefully they can help you set that up correctly.

[–]Dave3of5 0ポイント1ポイント  (0子コメント)

Hmmm, interesting. I'd like to here more about how people stop "carders" from using your website for fraud. Anyone on here have any real life experience?

[–]BigSlowTarget 0ポイント1ポイント  (0子コメント)

Odd it doesn't show up at /r/Entrepreneur and was not caught by our spam filter, autobot or in the queue.

[–]dadeg -2ポイント-1ポイント  (5子コメント)

Bitcoin doesn't have chargebacks.

[–]ThomasGullen 5ポイント6ポイント  (3子コメント)

Doesn't have many people using it either

[–]Justinjustus 0ポイント1ポイント  (0子コメント)

Well tbh there are quite a few of them. Buying cp and drugs on the dark web.

[–]MrProper -1ポイント0ポイント  (1子コメント)

I wonder why, maybe people like charge-backs more...

[–]SMc-Twelve 2ポイント3ポイント  (0子コメント)

Or, you know, maybe buyers don't like paying huge conversion fees, getting no buyer protection, not getting a free 30+ day loan, and/or not earning cash back?

[–]Justinjustus 1ポイント2ポイント  (0子コメント)

Which is one of the many, many reasons why people don't want to use Bitcoin.

[–]abolish_karma -1ポイント0ポイント  (6子コメント)

What are your thoughts about accepting bitcoin, after this experience?

What's the real cost of accepting credit cards as a % of transaction amount after including carder "attacks"?

[–]bemmu[S] 1ポイント2ポイント  (3子コメント)

I like bitcoin as an idea, but I'm not sure the adoption is there to go bitcoin-only. Hopefully the day will come when that is a realistic option.

[–]rnicoll 0ポイント1ポイント  (1子コメント)

Consider going hybrid with a payment processor for cryptocurrencies such as GoCoin, Coinbase or BitPay? We're in a painful bootstrap state where few people use Bitcoin because it's not widely accepted, so no-one accepts it because it's not widely used. Every new merchant is a step in the right direction.

Also if you can use it for business to business payments (and "close the loop" as it were), even better.

[–]Justinjustus 0ポイント1ポイント  (0子コメント)

Even if there would be tons if companies accepting Bitcoin then there still wouldn't be a Bitcoin economy. Because Bitcoiner's motto is to "hodl" and wait for the price to magically rise, then sell your coins for statist slave dollars to the next group of bagholders.

Bitcoiners are the reason Bitcoin will never take off. Besides tons of other reasons of course. But that alone is already enough for it to fail.

[–]Justinjustus -2ポイント-1ポイント  (1子コメント)

And get 1 customer a year. Stop spamming your pedo pesos.

[–]abolish_karma 1ポイント2ポイント  (0子コメント)

Nice. Never heard that one before.

For reference: how much do you take in non-cash annually? Dollar value or pedo peso equivalents.

[–]thetruckert -1ポイント0ポイント  (0子コメント)

I would suggest investing in a fraud prevention service like Sift Science to help catch fraudsters before they make the order.