Fighting Online Fraud – Pitfalls and Solutions


8/10/2019 Fighting Online Fraud Pitfalls and Solutions

Online payment fraud is rampant. Whether it is because it's easier to steal anonymously, or because tracking down someone over the net and prosecuting them is difficult if not impossible, online fraud hits everyone who takes payments online.

The situation is even more problematic for digital products, in which case credit-card companies or Paypal refuse to provide any kind of seller protection. The reasoning behind it is that digital product fraud does not result in actual material loss, and that it's hard to prove delivery. Both are false, but the situation stands as it is anyway.

As a marketplace for digital products, Binpress has been hit by its share of online fraud. We used to accept both Paypal and credit-card payments (through Stripe, https://stripe.com/), and both have been abused in various ways.

    Fraud methods

    Paypal

Paypal promotes itself as a more secure payment method by removing the need to enter credit-card details online. In reality, Paypal account credentials can be compromised just as easily as credit-card details, and it still has the vulnerability of credit-card payments (unless you disable that feature).

Paypal can be abused in several ways, so let's go over the main attack methods:

Paypal account hijacking

By getting a hold of Paypal account credentials or an active logged-in session, an unauthorized user can make payments using Paypal as if he were the real account holder.

This route is very advantageous to the attacker: he does not have to pass all the checks banks employ on credit-card transactions (address, zipcode, CVV) and can use the account to pay immediately.

    Paypal payments with stolen credit-card details

Paypal allows people without an account to pay directly with a credit-card (unless you specifically disable that option). This means that stolen credit-card details can be used the same as with every credit-card payment option (which will be covered in more detail in the next section).

Fortunately (or not), Paypal has its own fraud detection mechanism that it uses on credit-card payments. This means that credit-card payments on Paypal are less likely to be stolen, but on the other hand Paypal often rejects legit payments that fail its somewhat strict detection system.

    Paypal disputes on legit transactions

In a way, this is the most troublesome fraud of all. The transaction itself will appear completely legit, as the account owner in fact authorized it. What we deal with here is buyer remorse, where the buyer simply decides he does not want to pay for the transaction, and opens a dispute on Paypal.

Paypal will side with the buyer most of the time, unless you can provide strong evidence of delivery (for example, a sign-off on a shipping paper). To some degree, Paypal will offer payment protection on certain products. Unfortunately, digital goods are not included, and Paypal provides no guarantee of protection for those kinds of transactions.

    Credit-card transactions

    Unauthorized transactions

An attacker will attempt to make an online payment by getting a hold of credit-card information. The information can start at only the card number, and extend to expiry date, CVV and even address details.

Unfortunately, confirmation of credit-card details across banks is very inconsistent. Some banks do not even check the expiry date or the CVV security code (!), while others might return a false positive (it would've been better if they had returned "not checked").

To make matters even worse, a bank might approve a transaction even if some of the details were checked and confirmed as incorrect. This attitude extends to some payment gateways, which will leave the decision up to the bank and will not deny a transaction if some of the security checks are false. (We use Stripe, by the way, which follows this approach.)

Chargebacks on legit transactions

Similar to the Paypal option, a person who paid with a credit-card can later disavow his purchase by filing a chargeback with the credit-card company. This process is worse than Paypal's disputes, with the cost usually higher and a much lower chance of keeping the money from the transaction.

    Fighting back

Recognizing fraud attempts

Before we can stop a fraud attempt, we must be able to recognize it before we process a transaction.

There are some indicators which should be used to detect fraud attempts, with multiple occurring at the same time indicating a higher chance of fraud:

• The billing country and the IP country (via geolocation) do not match. Advanced attackers will be using a proxy though; more on IPs and proxies later.

• Usage of a proxy to disguise location and attempt to avoid the previous indicator.

• IP country (via geolocation) is from a high-risk country (see http://www.onlinefraudguide.com/risk-countries-fraud/ for a list).

• Usage of a free Email service for the provided Email (if you have an Email field in your payment form). Email accounts with private domain names are less likely to be used in a fraud attempt. Again, if the free Email service is from a high-risk country, it increases our suspicion of fraud.

• An unusually large purchase. While by itself it is not a real indicator, combined with any other indicator it raises the chance of fraud, in addition to the risk of losing more value (in the case of physical goods).

• High velocity of purchases by the same person: multiple purchases in rapid succession over a short period of time are a good indication of a fraud in progress. The various ways to track a person between transactions are discussed below.

I will now suggest an actual process for getting the information needed for those indicators. You can skip any of the steps, but the more indicators you have, the better you can assess the risk of fraud.

    1. Check IP

Using the client machine IP, we can attempt to determine the location of the person attempting the transaction via geolocation. In addition to the standard IP headers, proxies might send the actual IP through a long list of alternative headers. See this StackOverflow question (http://stackoverflow.com/questions/5421144/php-get-real-ip-proxy-detection) for such a list and mock code (in PHP).

Detecting and using a proxy alternative IP header is important for a couple of reasons:

• First, we have the actual IP to use in the next step, geolocation.

• Second, using a proxy by itself is a strong indicator of fraud. While not all proxy users are fraudulent users, fraud attempts are much more likely to use a proxy than your average user.

2. Fetching the client address via Geolocation

A geolocation service will receive an IP and send back an approximate address that corresponds to it. You can use a geolocation service via an API or via an IP database on your server. A good free database can be obtained from Maxmind (http://www.maxmind.com/app/geoip_country), as well as a more accurate one and an API for a small cost.

Once we have the client IP from the previous step, we use our preferred method to fetch his/her location through our geolocation service.

3. Compare client address to billing address

The rule of thumb is simple: the farther away the client's current location is from his billing address, the higher the chance we're dealing with a fraud transaction. The chance of fraud increases even more when the location is confirmed to be in one of the high-risk countries (mentioned above in the list of indicators).

The billing address should be collected on the payment form for credit-card transactions, or via the GetExpressCheckoutDetails API operation for Paypal transactions, before confirming the transaction (if you use the Buy Now buttons instead of the API, you're out of luck; consider switching to the API. We have a Paypal API component for PHP, http://www.binpress.com/app/php-paypal-api-class/20, that makes using it very simple).

Of course, an address mismatch by itself is no confirmation of fraud. People travel all the time to different countries and use their credit-cards to make payments online. We should use this information together with the other indicators to assess the risk of fraud.

4. Check Email address

Note: this step is only applicable if you collect an Email address in your payment form, or use the Paypal API, which provides it in the billing details.

As mentioned before, free Email services are much more likely to be used in a fraudulent transaction, especially if the Email service is a fringe, lesser-known service. There is quite a comprehensive list over at Yahoo, and you should add the domains of each to the check you run on the provided Email address.

If the Email address is from a free service, we should take it into account as another indicator alongside the others covered so far.

5. Consider size of transaction

[…] can get the results of the bank credit-card checks by creating a customer with the payment token before actually processing the transaction, and then deleting the customer once the transaction has been processed. Ideally, they would have provided this information when the token is created, but currently they do not.

The fields banks can validate aside from the actual card number include the zipcode, the CVV security code (found on the back of the card), the street address and the expiry date. Different banks run different checks, and you might decide to reject a specific card on the grounds that its bank does not provide enough security information (such as not validating the CVV or expiry date).

I personally consider CVV, zipcode and expiry date mismatches as showstoppers. Those are details that cannot be incorrect, while the address field is a bit harder to validate (everyone writes addresses a bit differently, and it's also hard to correctly write down foreign street names in English).

Making a mistake on any of those does not necessarily indicate fraud, but should stop the transaction. Making multiple mistakes in rapid succession, though, is a good indication of a fraud attempt.

6. Check the logs

I will cover the actual logging of the transaction in the next step, but before we get there in the actual process, we want to check our logs for suspicious behavior. Suspicious behavior might include:

• Multiple transactions in a very short time by the same person

• Multiple failures over a longer time period by the same person

• Whether the person was previously flagged as fraud (by IP or session ID; see next step)

The number of transactions and the time frame that should trigger a fraud alert is up to you. You can attempt to gather that information by reviewing the logs after several frauds have taken place, or by attempting to guesstimate numbers that make sense to you.

7a. Suspected fraud: log the attempt and deny the transaction

With all the data we have accumulated thus far, we have decided we have a possible fraud in progress. At this point, we will show a message to the user, and log the transaction attempt for future reference (and for step 6).

Details we want to store:

• Client IP

• Proxy IP (if we found one)

• Country (and optionally city)

• Client user agent

• Client session ID (if you are using sessions, which you should, for this purpose at least)

• Transaction attempt date/time (timestamp)

• Other identifying details relevant to your service (such as a user identifier, if you have it)

• Transaction status (failed in this case)

Why do we store both IP and session ID? While both can be changed between transaction attempts, they can be considered as failsafes for each other. Our attacker might switch to another proxy but still use the same browser, for example. It doesn't hurt to have as many data points as possible.

The message we will show the user at this point depends on your philosophy. I suggest not mentioning fraud as the reason, as you might scare away potential clients as well as alert the attackers that they've been caught. You can say the card was rejected by the bank (in the case of a credit card transaction), or that Paypal has rejected the payment. I leave the actual wording up to you.

Optionally, you might choose to manually review suspected transactions. In this case you should show a message indicating the transaction is under review and the time-frame for completion. If you do choose to manually review transactions, remember to save all the details you'll need to complete it later, such as payment tokens or even credit-card details if you know what you're doing (if you're not PCI certified, I'd highly recommend against it).

In extreme cases (close to 100% certainty of fraud), we might go as far as blocking the payment form for the IP / session ID of the attacker, and at this point we will show a message mentioning suspicious behavior so that legit clients can contact us and notify us that they are not in fact attempting fraud (this has happened for us once at Binpress, and the verification process wasn't that simple).

7b. Log and process the transaction

If we made it this far and have not reached our threshold for determining that a fraud is in progress, we will try to process the transaction. Regardless of whether it was successful or not (rejected by the bank or the payment gateway), we will store it in our log for future reference (and for detecting a high volume of purchases by the same person).
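The seven steps above, as an added example that is not code from the original post or from Binpress: it pulls the real client IP out of proxy headers, looks it up in a constructed GeoIP table standing in for the Maxmind database, evaluates the indicators, consults the attempt log from step 7 and returns process, deny or block. The header list, free-Email domains, placeholder high-risk country "XX", thresholds and card-check field names are all assumptions made for the illustration.

```python
import ipaddress
from datetime import timedelta

# Headers a proxy may use to pass on the real client IP (a short subset of the
# long list the article points to; constructed for this example).
PROXY_HEADERS = ("X-Forwarded-For", "X-Real-IP", "Client-IP", "Forwarded-For")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed stand-in for a GeoIP database (documentation ranges play "public" IPs).
GEOIP_DB = {"198.51.100.0/24": "US", "203.0.113.0/24": "XX", "192.0.2.0/24": "DE"}
HIGH_RISK_COUNTRIES = {"XX"}                                     # placeholder country
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}   # constructed subset
SHOWSTOPPER_CHECKS = ("cvc_check", "zip_check", "expiry_check")  # assumed field names

def real_client_ip(remote_addr, headers):
    """Step 1: return (ip, via_proxy); first non-internal IP in a proxy header wins."""
    for name in PROXY_HEADERS:
        for cand in headers.get(name, "").split(","):
            try:
                addr = ipaddress.ip_address(cand.strip())
            except ValueError:
                continue
            if not any(addr in net for net in INTERNAL_NETS):
                return str(addr), True
    return remote_addr, False

def geo_country(ip):
    """Step 2: look the IP up in the (constructed) GeoIP table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in GEOIP_DB.items() if addr in ipaddress.ip_network(net)), None)

def log_entry(tx, ip, proxied, country, now, status):
    """Step 7: the record kept for every attempt, whether denied or processed."""
    return {"ip": ip, "proxy_ip": tx["remote_addr"] if proxied else None,
            "country": country, "user_agent": tx["headers"].get("User-Agent"),
            "session": tx["session"], "time": now, "status": status}

def assess(tx, log, now, window=timedelta(minutes=10), max_attempts=3):
    """Steps 3-7: tx is one attempt, log holds earlier log_entry records.
    Returns (decision, indicators); decision is 'process', 'deny' or 'block'."""
    ip, proxied = real_client_ip(tx["remote_addr"], tx["headers"])
    country = geo_country(ip)
    # Step 6: earlier attempts by the same person, tracked by IP or session ID.
    same = [e for e in log if e["ip"] == ip or e["session"] == tx["session"]]
    recent = [e for e in same if now - e["time"] <= window]
    failed = [c for c in SHOWSTOPPER_CHECKS if tx["card_checks"].get(c) == "fail"]
    checks = [
        ("proxy", proxied),
        ("country_mismatch", country is not None and country != tx["billing_country"]),
        ("high_risk_country", country in HIGH_RISK_COUNTRIES),
        ("free_email", tx["email"].rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS),
        ("large_amount", tx["amount"] > 500),          # "unusually large": a guessed threshold
        ("high_velocity", len(recent) >= max_attempts),
        ("previously_flagged", any(e["status"] == "fraud" for e in same)),
        ("bank_check_failed", bool(failed)),           # CVV/zip/expiry mismatch: showstopper
    ]
    ind = [name for name, hit in checks if hit]
    if "previously_flagged" in ind or len(ind) >= 4:
        return "block", ind        # step 7a, the near-certain case
    if failed or "high_velocity" in ind or len(ind) >= 2:
        return "deny", ind         # step 7a: log the attempt and deny
    return "process", ind          # step 7b: log and process
```

The decision thresholds are deliberately simple; as the article says, the numbers that should trigger an alert are for you to tune from your own logs.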

    The case of Paypal

We've mentioned one attack pattern that we haven't fully addressed yet: usage of a hijacked Paypal account to make a payment.

While the same indicators apply, we have an additional option to confirm legit account ownership by verifying the Paypal account Email address.

The Email address (and the billing country, used for one of the indicators) can be obtained before confirming the purchase via the GetExpressCheckoutDetails API operation (assuming you use the API; if you use the Buy Now buttons, you are out of luck).

This means implementing a process similar to the following:

• On the Paypal confirmation page (after the user has confirmed payment in their Paypal account), we check for any of the previous indicators by getting the account details with the GetExpressCheckoutDetails API method and examining the user IP.

• If we suspect the account might be compromised, or the purchase is large enough to require more caution, we send a confirmation Email to the account Email address with a unique identifier (usually in a link back to our site). We save the identifier and the Paypal payment details in our database or in the session.

• If the user opens the confirmation Email (meaning he has access to the account Email) and returns to our site with the identifier, we confirm the transaction and finish processing the payment.

Obviously, if the attacker has control of the account Email as well, he can easily bypass this method. If the indicators are very strong, we might consider holding such transactions for manual approval.

Note that you cannot change a Paypal account's primary Email without entering one of the complete payment details (such as a credit-card or bank account number). Any change or addition of Email accounts to a Paypal account will notify the original Email account as well.

Something worth mentioning is that you cannot distinguish payments with a Paypal account from payments using a credit-card through the information returned by the API. This is a problem in the sense that there is no point in sending a confirmation Email to someone who used a credit-card to pay, as the Email given is the one he entered at payment (meaning he would likely have access to it).

The only indicator between a Paypal account payment and a credit-card payment is the "PAYERSTATUS" parameter in the billing details returned by the GetExpressCheckoutDetails API method. A "verified" status indicates that it is a Paypal account payment, while an "unverified" status can be either. For this reason, we only send the verification Email to accounts that are verified, while we use more caution with "unverified" accounts.

You might even consider rejecting "unverified" accounts outright; just keep in mind that you won't be able to receive credit-card payments through Paypal if you do.
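The confirmation flow described above, as an added example that is not the post's or Binpress's own code: it picks the action from the PAYERSTATUS field of the GetExpressCheckoutDetails response, issues the unique identifier that goes into the confirmation Email, and releases the saved payment only when that identifier comes back. The in-memory store, the example.com link and the amount threshold are assumptions; the response dictionary is constructed.

```python
import hmac
import secrets

# Constructed stand-in for the database or session the article says to use:
# identifier -> saved Paypal payment details, waiting for the Email round trip.
PENDING = {}

def paypal_action(details, indicators, large_amount=500):
    """Decide after GetExpressCheckoutDetails. 'details' is the NVP-style response
    (PAYERSTATUS, EMAIL, AMT); 'indicators' are the fraud indicators already found."""
    verified = details.get("PAYERSTATUS", "").lower() == "verified"
    suspicious = bool(indicators) or float(details["AMT"]) >= large_amount
    if not suspicious:
        return "confirm"
    if verified:
        return "email_verify"   # a Paypal account: access to its Email shows ownership
    return "manual_review"      # unverified: may be a card payment, the Email proves nothing

def start_email_verification(details):
    """Create the unique identifier to mail to the account Email and park the payment."""
    ident = secrets.token_urlsafe(32)        # unguessable, single-use
    PENDING[ident] = dict(details)
    link = f"https://example.com/paypal/confirm?id={ident}"   # placeholder site URL
    return ident, link

def finish_email_verification(ident):
    """The buyer returned with the identifier from the Email: release the payment once.
    Returns the saved details, or None if the identifier is unknown or already used."""
    for saved in PENDING:
        if hmac.compare_digest(saved, ident):   # constant-time, no timing leak
            return PENDING.pop(saved)
    return None
```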

Buyer's remorse

This is the trickiest type of fraud to handle. If possible, always try to obtain proof that the user has made the transaction himself. If you ship physical goods, obtain proof of successful shipment.

For digital goods you can try to ask for an authorization Email or a declaration of purchase (using digital signature services such as http://www.signaturelink.com/). Naturally, this process is not appropriate for most websites, and in that case you will most likely have to swallow the fraud as a loss.

Another factor is the originating country (if you serve an international audience). High-risk countries are more likely to fall to this kind of fraud as well, which is one of the reasons many services do not accept payments from such countries.

    Fraud detection services

If all of what I've described so far sounds like a pain, it's because it is. If possible, I would suggest passing this information to a proven fraud detection service, and relying on their experience and expertise to increase your fraud prevention success.

A fraud detection service might be provided by your payment gateway. If not, or if you are not satisfied with it, I personally recommend the Maxmind minFraud service (http://www.maxmind.com/app/ccv_overview). You might have noticed I've mentioned Maxmind services more than once here, and it's not by accident (and no, it's not because I was paid to promote them).

The minFraud service receives the information we collected thus far and provides a risk score and other data for our assessment. They use their own geolocation service to determine the location of the client (we pass them the IP addresses we found), and in addition, they have a database of known proxy IPs that can be used to determine when a proxy is being used and how dangerous it is (how prone it is to be used in fraud attempts).

They compare that data with historical data they collected on online fraud to calculate the risk score (http://www.maxmind.com/app/minfraud_risk_score_faq), which is basically the chance that the transaction is a fraud attempt (in percentage points).

The reason I'm advocating Maxmind so much is that since adding minFraud to our payment process, we have not had one fraud slip through their checks (and we had quite a few attempts). We use it in combination with logging and the review of the bank security checks to very good effect.

    Bag it and tag it

So there you have it: a basic guide to knowing, detecting and preventing the most common types of online fraud. If you feel I missed something or have a question regarding something I wrote, feel free to add your thoughts in the comments.