
eCommerce Fraud Detection
For PayPal and other online transaction processors
You can't completely rely on PayPal and other eCommerce operators to protect you,
the merchant, from the use of unauthorized credit cards,
fraud, chargebacks and the subsequent theft of your product and services.
Chargebacks can take several months to materialize and can involve potentially
hundreds of dollars of chargeback fees, lost products, shipping charges, and materials.
Because of the potentially high costs of fraudulent transactions, we suggest
taking a proactive approach to screening transactions before shipping
or delivery of your electronic goods. Use an automated process to detect
suspicious transactions and require manual intervention: direct contact with
the customer by phone or confirmed email address.
Warez and Copyright Violations/Pirating
Typically, stolen credit cards and unauthorized account accesses are not used
to simply steal one copy of your digital goods for personal use. When fraud
is used to acquire your products, they will typically end up on several warez sites, with the most common culprits in Iran, Russia, and China.
Prevention and Countermeasures
We recommend putting technical detection tools in place to prevent fraudulent transactions before they happen (see below). In the event of possible fraud, we recommend
regular web searches for your product name and for unique filenames and strings, to
detect posted links to your software. These links typically appear
on file download sites, where you can file abuse/copyright violation complaints to have
your pirated digital goods removed. Also include unique strings and watermarks in your code so that web searches can locate posted copies of it.
Always require shipping addresses and contact information, even for digital
goods delivery.
We suggest a 10 point scoring calculation of the most common technical
traits of credit card fraud using PayPal:
| Technical Trait | Description | Reason | Confidence Rating |
| --- | --- | --- | --- |
| PayPal account payer_status=unverified | While many non-US accounts are sometimes difficult to verify, US-based accounts that aren't verified may be a sign of potential fraud. | Possible unauthorized | 70% |
| Shipping address address_status=unconfirmed | Many users do not have a confirmed shipping address; however, combined with other factors, this may indicate a potentially fraudulent transaction. | Possible unauthorized | 40% |
| Proxy HTTP variable HTTP_X_FORWARDED_FOR | Use of a proxy is highly suspicious and usually indicates that the buyer is attempting to avoid being tracked down. | Proxy | 100% |
| HTTP Source Socket > 10000 | High socket numbers indicate use of an anonymous proxy or public internet access point. | Proxy | 51% |
| No hostname for IP reverse lookup | No hostname is not suspicious by itself, but helps indicate that the buyer is using an unusual ISP. | Unusual ISP | 49% |
| No HTTP Keep-alive HTTP_CONNECTION | The non-use of keep-alive usually indicates a relay or proxy is in use. | Proxy | 49% |
| Direct request - no referral URL in HTTP_REFERER | By tracking the initial referrer of every user to your website, you can track direct hits, which are common with fraud but also common with repeat visitors. | Possible unauthorized | 30% |
| IP originates from high-fraud countries or doesn't match PayPal account country | Depending on what your product and market are, you can avoid fraud by not completing sales to countries with high amounts of credit card fraud. Additionally, you can check the buyer's IP address location against their PayPal account location: a US address and an IP out of South Africa is a definite sign of fraud. | Possible unauthorized | 100% |
| IP changes for session variables | It is not common for IP addresses to rotate for each hit to your site. Some DSL users may get new IP addresses every so often, but excessive different IPs should be suspect and considered similar to the use of an anonymous proxy. | Possible unauthorized | 50% |
| Timespan on site less than 10 minutes | Most fraudsters "case" your website and products from another IP, such as home, prior to making their fraudulent transaction, then use a different anonymous connection to quickly make their fraudulent purchase. Unless you have a very simple site, less than 10 minutes on your site combined with no referrer link could indicate a suspect transaction. | Possible unauthorized | 50% |
Calculate the total confidence rating percentage of possible fraud. If the total reaches
100% or more, the transaction should be flagged for manual intervention, and any shipping or electronic
goods delivery should be disallowed until the named account holder is
contacted. Fraudsters will typically avoid contact and move on to another stolen identity/card or another site to target.
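The scoring calculation above, as an added example that is not code from the original page. The weights are the table's confidence ratings; the `session` keys, `HIGH_FRAUD_COUNTRIES`, and the cutoff for "excessive" IP changes are assumptions, and the IPN field `residence_country` is taken as the payer's account country.

```python
# Added example. Weights are the confidence ratings from the table above.
# The `session` keys and HIGH_FRAUD_COUNTRIES are hypothetical names; the
# "more than 2 IPs" cutoff is an assumption (the page only says "excessive").
HIGH_FRAUD_COUNTRIES = {"ZZ"}  # placeholder: fill in from your own chargeback data
MAX_SESSION_IPS = 2
REVIEW_THRESHOLD = 100  # percent

def score_transaction(ipn, env, session):
    """Return (total_percent, triggered) for one checkout.

    ipn: PayPal IPN fields; env: CGI-style variables of the checkout request;
    session: what the shop recorded itself while the buyer browsed.
    """
    # A failed GeoIP lookup (ip_country is None) counts as a mismatch, so the
    # order is held for review instead of passing unchecked.
    ip_country = session.get("ip_country")
    country_risk = (ip_country in HIGH_FRAUD_COUNTRIES
                    or ip_country != ipn.get("residence_country"))
    checks = [
        ("payer_status=unverified", 70, ipn.get("payer_status") == "unverified"),
        ("address_status=unconfirmed", 40, ipn.get("address_status") == "unconfirmed"),
        ("HTTP_X_FORWARDED_FOR set", 100, bool(env.get("HTTP_X_FORWARDED_FOR"))),
        ("source port > 10000", 51, int(env.get("REMOTE_PORT", 0)) > 10000),
        ("no reverse DNS hostname", 49, not session.get("reverse_hostname")),
        ("no keep-alive", 49, "keep-alive" not in env.get("HTTP_CONNECTION", "").lower()),
        ("no initial referrer", 30, not session.get("initial_referrer")),
        ("IP country high-fraud or mismatched", 100, country_risk),
        ("IP changed during session", 50, len(set(session.get("ips", []))) > MAX_SESSION_IPS),
        ("under 10 minutes on site", 50, session.get("seconds_on_site", 0) < 600),
    ]
    triggered = [(name, weight) for name, weight, hit in checks if hit]
    return sum(weight for _, weight in triggered), triggered

def needs_manual_review(total):
    """True when delivery must wait until the account holder is contacted."""
    return total >= REVIEW_THRESHOLD

# Constructed sample (not real data): clean browser session, weak PayPal account.
SAMPLE_IPN = {"payer_status": "unverified", "address_status": "unconfirmed",
              "residence_country": "US"}
SAMPLE_ENV = {"REMOTE_PORT": "4312", "HTTP_CONNECTION": "keep-alive"}
SAMPLE_SESSION = {"ip_country": "US", "reverse_hostname": "host.isp.example",
                  "initial_referrer": "https://search.example/",
                  "ips": ["203.0.113.7"], "seconds_on_site": 1500}

if __name__ == "__main__":
    total, hits = score_transaction(SAMPLE_IPN, SAMPLE_ENV, SAMPLE_SESSION)
    print(total, needs_manual_review(total), hits)
```

Storing the triggered trait list with the order gives whoever contacts the account holder the reason the transaction was held.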
References
See this page for an advanced proxy detection
demo.