
Credit Card Fraud Prevention Using ASP and COM Technology
By: Hexa Software Development Team
    2003-03-18


    Credit card fraud is a problem. We all know this fact. But what are the appropriate steps to combat this crime? Hexa has listed some protection strategies of their own.

    Credit card fraud has become pervasive on the Internet. According to MasterCard International, account takeover fraud has increased by 369% since 1995. It has become one of the fastest growing types of fraud, and one of the more difficult to combat. More than $700 million in online sales were lost to fraud in 2001, representing 1.14 percent of total annual online sales of $61.8 billion, according to GartnerG2.

    Even if the credit card company has given the authorization as to the validity of the card, there are several ways fraudulent cards can be used on your site. The card may have been lost or stolen, but the card owner is yet to report its loss. Or the number on the card (and not the card itself) may have been lifted without the knowledge of the owner. There is also a scam called identity theft, where the card has been issued under false pretenses using someone else's identity and data.

    As an online merchant, you need to have a system to check the authenticity of orders placed to safeguard your business. While the effort may require additional time and money, it can save you the cost and stress caused by charge-backs for fraudulent orders. You lose your physical products; you lose the sale price; you lose another business opportunity; and you will be fined an additional $15-$50 charge-back fee.

    If you have a high percentage of charge-backs, your card services company can even blacklist you and cancel your merchant account. You will also spend time looking up the order and providing the requested information to your card services company. All of these hassles are things you can surely do without.

    How can you protect your business from credit card fraud? Here are a few steps that can be taken to ensure that the transaction is being requested by the real cardholder.

    • Suspect shipping address. According to ClearCommerce Corporation, a provider of payment processing and fraud protection software for e-commerce, orders from Ukraine, Indonesia, Yugoslavia, Lithuania, Egypt, Romania, Bulgaria, Turkey, Russia and Pakistan have a very high incidence of fraud, and often have unverifiable addresses.
    • Untraceable email address. In many fraudulent orders, the customer's email address is often at one of the free email services, like hotmail.com and yahoo.com, which are relatively untraceable.
    • Expensive items. Be wary of expensive orders, especially for expensive brand-name items.
    • Multiple items. It can be a bad sign, for example, if someone orders three X-Box consoles or three DVD players at once, especially where the items have a high resale value.
    • Express shipping. Most fraudulent orders specify overnight or 1-day shipping without hesitation.
    • Shipping address differs from billing address. In fraudulent orders, the delivery address and the billing address are different. If you are selling valuable items, it can be a good policy to ship only to the cardholder's billing address.
    • Suspicious billing address. The address looks too simple or invalid. If the billing address is 123 Main St, New York, the order is probably fraud. You can use an online location tool to see if the address can be verified.
    • Leave at door or post office box. If the courier service cannot guarantee delivery of goods, the risk of fraud is very high.

    Advances in geo-targeting on the Internet allow us to pinpoint the geographical region an order comes from. The information can be used to reduce fraud by checking it against the billing address and delivery address. This method can identify the scenario where someone from country X has stolen credit card data from country Y. The IP address lookup service will reveal the real country instead of relying on the country filled in on the order form.

    IP2Location™ provides technology to translate an IP address to its country of origin. The lookup table is available in several formats such as database and COM. It is the perfect solution to automate fraud detection using client-side programming languages like C++ and Visual Basic, or server-side programming languages like ASP, PHP, JSP and CFML.

    For example, company XYZ received a credit-card order from IP address 161.139.12.3. The order details are as follows:

    Name:  John Ma
    Address: 123 Main St
    City:  New York
    ZIP Code: 1111
    Country: United States
    Tel:  (503) 111-1111
    Credit Card No: 1234 5678 9012 3456
    Expiry Date: December 2010

    The credit card merchant processor will authorize this order if the billing address matches the order details. Unfortunately, the credit card data was stolen earlier by Mr. ABC from another country through the Internet. Later, he purchased digital products from company XYZ using the information. His order was approved by the merchant because all the details matched John's record in the bank's database. IP2Location™ technology can flag the difference between the order's country and the record's country up front to protect your business. You can classify this kind of order for manual inspection before delivering the goods. You will be surprised how much this method helps in identifying fraudulent orders.

    For the implementation, we use a fully functional IP2Location™ ActiveX component available at http://www.ip2location.com/ip2location-country.zip to query country by visitor's IP address. The unregistered version has a 5-second delay in each query.

    First, install the ActiveX component on the IIS web server. It can be as simple as running a command at the DOS prompt.

    C:\> regsvr32 ip2location.dll

    We create a script that compares the looked-up country with the data given in the order authorization flow. It serves as a filter to reduce fraud. All rejected orders will be manually verified by the merchant.
     
    verify.asp

    <%
     ' Country info filled in the form (US is only an example)
     BillingCountry = "US"
     ' Create server-side object
     Set ipObj = Server.CreateObject("IP2Location.Country")
     ' Initialize IP2Location object
     If ipObj.Initialize("demo") <> "OK" Then
      Response.Write "IP2Location Initialization Failed."
      ' Stop here: a lookup on an uninitialized object cannot be trusted
      Response.End
     End If
     ' Get visitor's IP address
     IPaddr = Request.ServerVariables("REMOTE_ADDR")
     ' Detect visitor's country of origin by IP address
     CountryName = ipObj.LookUpShortName(IPaddr)
     ' Free IP2Location object
     Set ipObj = Nothing
     If CountryName = BillingCountry Then
      ' IP address originates from country in billing address
      ' Low Fraud Risk
     Else
      ' IP address different from country in billing address
      ' High Fraud Risk
     End If
    %>
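
The following is an added example, not part of the original article or of the IP2Location component: it combines the country comparison from verify.asp with three of the warning signs listed earlier (shipping country differs from billing country, free e-mail domain, express shipping) and returns the reasons to hold an order for manual review. The function names, the "overnight" shipping value and the sample order are assumptions, and the check for a two-letter country code assumes the lookup returns codes like the "US" used above.

```vbscript
Option Explicit

' Free e-mail domains named in the article; extend as needed.
Const FREE_MAIL_DOMAINS = "|hotmail.com|yahoo.com|"

' Normalise a country code so "us " and "US" compare equal.
Function NormCountry(ByVal code)
    NormCountry = UCase(Trim(code & ""))
End Function

' Returns a "; "-separated list of reasons to hold the order for manual
' review, or "" when none of the checks fired.
Function FraudFlags(ByVal ipCountry, ByVal billCountry, ByVal shipCountry, _
                    ByVal email, ByVal shipMethod)
    Dim flags, domain, atPos
    flags = ""
    ipCountry = NormCountry(ipCountry)
    billCountry = NormCountry(billCountry)
    shipCountry = NormCountry(shipCountry)

    ' A failed or empty lookup is not a match: flag it rather than pass it.
    If Len(ipCountry) <> 2 Then
        flags = flags & "IP country unknown; "
    ElseIf ipCountry <> billCountry Then
        flags = flags & "IP country " & ipCountry & _
                " differs from billing country " & billCountry & "; "
    End If

    If shipCountry <> billCountry Then
        flags = flags & "shipping country differs from billing country; "
    End If

    ' Compare only the part after the last "@", case-insensitively.
    atPos = InStrRev(email, "@")
    If atPos > 0 Then
        domain = LCase(Trim(Mid(email, atPos + 1)))
        If InStr(FREE_MAIL_DOMAINS, "|" & domain & "|") > 0 Then
            flags = flags & "free e-mail domain; "
        End If
    End If

    If LCase(Trim(shipMethod)) = "overnight" Then
        flags = flags & "express shipping; "
    End If
    FraudFlags = flags
End Function

' Constructed sample order; under cscript.exe this prints the reasons found.
' In verify.asp, pass CountryName as the first argument and use Response.Write.
WScript.Echo FraudFlags("my", "US", "US", "john@hotmail.com", "Overnight")
```

When the site sits behind a reverse proxy or load balancer, REMOTE_ADDR holds the proxy's address, so the lookup must be given the client address the proxy reports instead.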

