Fraud prevention

MOSC Member Posts: 10
While I see Lightspeed has an extremely basic set of bullet points about preventing fraud here (https://ecom-support.lightspeedhq.com/hc/en-us/articles/115001881054-Minimizing-chargebacks-by-detecting-fraudulent-orders-NB-), it really only barely skims the surface.

In case anyone else needs a little more help, here are some additional points I've found along the way:

Authorize.net used to have a nice article about preventing fraud but they've taken it down.  Here are a couple of useful tips that were in it:

1) Bank BIN lookup https://binlist.net/ (first 4 digits of the card)
  • You can ask your card processor for the first 4 digits of the card used in a fraud; they identify the issuing bank.  When you call the card-issuing bank, have your merchant number, your phone number, the customer's full name, address, and phone number ready. You can ask the card-issuing bank to make a courtesy call to your customer to verify the charge. (CIBC refused to do this during our Cayan fiasco; they didn't seem to care the cards were being used for fraud.)
2) If you're based in the US you can file a complaint, here:
3) Establish a "holdover policy" for large orders. 
  • The dollar amount of the large order can vary depending on whether the order is domestic or international. Most credit card thefts are reported within 24 hours. Even after a phony card number is discovered by a retailer, it can take up to 24 hours for that number to be included in the databases that card processors use. (This did not help in a case where we had fake customers using real, stolen credit cards.  When I tracked down the customers via their name and address they looked at their accounts and told me there were numerous fraudulent charges, some of which were 14 days previous.)
Finally, the best (but not foolproof) method I've found for verifying a suspicious, large-value purchase is to use Google and try to track down the customers by name and address (In one case I found them by a family car dealership, another one by an obituary).  In both of those cases the credit cards used were stolen.  In another case I was able to verify a high-ticket purchase as genuine.

There is a user-curated list of fraudulent customers, here, that you can search: http://badbuyerlist.org/

And we've started passing the shipper's insurance surcharge through to the customers and requiring a signature on high-value purchases.  So far this seems to be helping.

8 comments

  • MOSC Member Posts: 10
    Some more tips for small webstores which have few enough suspicious high-ticket orders to vet them manually:
    1. Google the IP address of the transaction you're questioning in quotes such as, "XX.XXX.X.XXX" - In one case I found an address in a page cached in Portuguese from a third-party fraud-prevention site (https://webcache.googleusercontent.com/search?q=cache:My3K7i88w3YJ:https://www.maxmind.com/pt/high-risk-ip-sample/69.116.9.247+&cd=2&hl=en&ct=clnk&gl=us) - this kind of search will also sometimes uncover the address in an open list of high-risk IP addresses (https://github.com/firehol/blocklist-ipsets/blob/master/firehol_webclient.netset)
    2. You can do phone lookups here: https://nuwber.com/search/phone and https://www.intelius.com/search/reversephone
    3. You can do person lookups here: https://nuwber.com/
    Unfortunately the problem is not going away (https://blog.maxmind.com/2018/03/22/rising-e-commerce-fraud-trends-and-how-to-combat-them/#more-384).  But hopefully getting the word out about vetting these things can slow down the crooks and save some other small merchants unnecessary chargebacks.  Eventually we may have to add an additional automated third party vetting service to our processing pipeline (beyond what Authorize.net already provides).
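The open high-risk IP list mentioned in step 1 above can also be checked offline instead of through a web search. The following is an added example, not part of the original post: it assumes the list has been downloaded as text in the netset layout (`#` comment lines, then one IP address or CIDR range per line), and the sample entries, order IDs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in netset layout: '#' comments, then one IP or CIDR per line.
# Addresses come from the RFC 5737 documentation ranges, not from any real list.
SAMPLE_NETSET = """\
# constructed sample, not real blocklist data
192.0.2.0/24
198.51.100.17
203.0.113.64/26
"""

# Constructed orders: (order id, IP address recorded at checkout).
SAMPLE_ORDERS = [("1001", "192.0.2.55"), ("1002", "203.0.113.10"),
                 ("1003", "198.51.100.17"), ("1004", "not-an-ip")]

def parse_netset(text):
    """Return ip_network objects, skipping comments, blanks and malformed lines."""
    networks = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # one bad line should not abort the whole check
    return networks

def matching_networks(order_ip, networks):
    """Return the list entries containing order_ip, or None if it is not an IP."""
    try:
        addr = ipaddress.ip_address(order_ip.strip())
    except ValueError:
        return None
    return [str(n) for n in networks if n.version == addr.version and addr in n]

def orders_for_review(orders, networks):
    """Return {order_id: reason} for orders that need a manual look."""
    flagged = {}
    for order_id, ip in orders:
        hits = matching_networks(ip, networks)
        if hits is None:
            flagged[order_id] = "unparseable IP"
        elif hits:
            flagged[order_id] = "listed in " + ", ".join(hits)
    return flagged

if __name__ == "__main__":
    for oid, why in orders_for_review(SAMPLE_ORDERS, parse_netset(SAMPLE_NETSET)).items():
        print(oid, why)
```

A hit is a reason to vet the order by hand, not proof of fraud, since shared and reassigned addresses appear on such lists too.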
  • MOSC Member Posts: 10
    One other note.  You can try confirming an order using phone numbers listed on this site: https://www.fastpeoplesearch.com (A fraudulent order will never provide the correct billing phone number or email address)
  • Joey Administrator, Moderator, Lightspeed Staff Posts: 276 moderator
    Just wanted to say thank you for writing up all this useful information! We in support will make sure to point merchants to this post when they have questions about dealing with fraudulent transactions.
    Hopefully, other merchants will also post their experiences and workflows for all to learn and improve. :)
    eCom Support Team
    Lightspeed HQ
  • gregarican Member Posts: 683
    Our companies use a middleman for e-com transactions called Riskified (https://www.riskified.com/). They run through a series of automated and manual fraud detection processes to vet these transactions.

    Any declined transactions aren't subject to a fee. Any approved ones incur a 0.7% transaction fee, but are insured by Riskified for a 100% chargeback guarantee. For us it saved us manpower going through all of these very valid and helpful suggestions the original poster above submitted. After several years with Riskified we've never had an approved transaction kickback!
  • MOSC Member Posts: 10
    Thanks for the heads-up, Gregarican.  Riskified appears only to work with Magento, Shopify, CommerceCloud, and Stripe, at the moment.  I would love to find a service like Riskified that works with Authorize.net (unfortunately the built-in fraud prevention there still requires manual vetting).  This manual vetting is working for us now, but simply will not scale.
  • Joey Administrator, Moderator, Lightspeed Staff Posts: 276 moderator

    Starting today, the following fraud protection has been implemented into the Cayan payment integration:

    CVV Mismatch: Card Verification Value, is the three-digit number (usually) printed on the back of the card.

    AVS Mismatch: Address Verification System, the billing zip code used during checkout needs to match the zip code associated with the credit card.

    If there is a mismatch the customer will be notified that the payment has failed and asked to try again.

    As usual, the order will show as awaiting payment in the back office and automated payment notifications will be sent (if enabled) to encourage the customer to complete the order.

    This is a great step towards better fraud protection!


    eCom Support Team
    Lightspeed HQ
  • MOSC Member Posts: 10
    Just an update - we've turned off Authorize.net and now are solely using PayPal, since I've seen much less fraud through them, and users no longer have to join PayPal to use PayPal.
  • Andrew42 Member Posts: 1

    Just a correction and update of information concerning the Bank Identification Number (BIN) also known as the Issuer Identification Number (IIN). Information about credit card and debit card issuers can be found using databases that record the information against the BIN/IIN. The BIN/IIN is the first 6, and now the first 8 digits of the primary account number (credit card number). There are a number of reliable websites that provide free access to this information such as www.binlist.net and www.binlists.com. binlists.com also has a Luhn digit checker and many pages and advice that aim to reduce the chance of being a victim of online credit card fraud.
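The BIN/IIN prefix and the Luhn check digit described in the post above, as an added example that is not part of the original post or of any site it names. It assumes the code runs where the full card number is legitimately available (for example, at the processor); the function names are hypothetical and the card numbers are well-known test values.

```python
def normalize_pan(raw):
    """Strip spaces and hyphens; return the digit string or None if malformed."""
    pan = raw.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
        return None
    return pan

def luhn_valid(pan):
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def bin_prefixes(raw):
    """Return the 6- and 8-digit BIN/IIN prefixes, or None if the number fails checks."""
    pan = normalize_pan(raw)
    if pan is None or not luhn_valid(pan):
        return None
    return {"bin6": pan[:6], "bin8": pan[:8]}

if __name__ == "__main__":
    # Constructed inputs: a standard test number, the same with a wrong check digit,
    # and a string that is too short to be a card number.
    for sample in ("4111 1111 1111 1111", "4111 1111 1111 1112", "4111-1111"):
        print(repr(sample), "->", bin_prefixes(sample))
```

A real, stolen card passes the Luhn check, so this only filters mistyped or made-up numbers before a BIN lookup.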
