[thelist] what kind of fraud is this?
Maximillian Schwanekamp
lists at neptunewebworks.com
Wed Mar 9 00:01:04 CST 2005
Erik Heerlein wrote:
> Over the past couple of days, someone has been trying to make purchases
> from my SSL e-commerce site. Each time that they do, their card is
> declined.
> My question is, what is this person trying to achieve?
> So my only other idea is that he's
> trying to eavesdrop on the transactions to glean some potentially
> fruitful information. So am I vulnerable here in some way? Is he trying
> to hack into authorize.net or the banks?
Is he submitting these transactions via a shopping cart (or similar)
app, or are these transactions being posted directly to authorize.net?
If the latter, then he is probably attempting to crack your AuthNet
account password. If the former, then he is probably using stolen card
numbers, and is trying to determine if the number is valid. You say
that this person is using the same IP every time, so the first thing to
do is ban that IP address from your site. Not sure what your platform
is, but this is generally easy. Google it. Anyway, sounds like you're
plagued by just an amateur, so you can consider it a good heads-up
excuse to audit your ecommerce security.
You're using Authorize.Net, so you'll have a good array of anti-fraud
tools available. A few recommendations: First off, AuthNet recommends
that you use "password-required mode" if you're using AIM (Advanced
Integration Method). This means that in order to submit a transaction,
your AuthNet login password is required. This is good only if you
consider your ecommerce software reasonably secure.
Definitely do use CVN ("Card Code Verification" in AuthNet). Requiring
this is becoming standard practice on the web now, and it does add some
extra security (for now). Set AuthNet to reject transactions lacking
CVN or where CVN fails.
If possible, use the MD5 Hash feature. This is a way to authenticate that
you are in fact getting a response from Authorize.Net and not from some
other location. The SIM/AIM docs explain this pretty well.
Finally, if you want to go the extra mile, get the Fraud Detection Suite
(this is different from FraudScreen.net, which I don't recommend). FDS
will give a bunch of good features that may be useful for you.
> Also, is there anybody else I should report this to?
Contact your Authorize.Net reseller ASAP. Most underwriters will hold
the merchant responsible for fraudulent charges unless the merchant has
taken demonstrable steps to prevent them. Fraudulent transactions are
not just someone trying to get something from you for free. The
potential ramifications to your business can be devastating. Also
contact Authorize.Net support. In my experience (at least recently)
they're very helpful about security issues.
*** I do not work for Authorize.Net or an AuthNet reseller. Thus, when
in doubt contact your reseller and/or Authorize.Net. I did work for
years with a hosted ecommerce service provider and an Authorize.Net
reseller. I do use AuthNet for my own transactions, and that's about
the extent of my relationship with them these days.
Hope this info is of some use to you! Good luck!
--
Maximillian Von Schwanekamp
http://www.neptunewebworks.com/
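The pattern Maximillian describes in the reply above (repeated declines from one IP, probably stolen card numbers being tested, answer: ban the IP) can be spotted automatically from the gateway or cart log. The following is an added example, not code from the post or from Authorize.Net: it parses constructed sample log lines (the line format, the IP addresses and the hashed card tokens are all invented for the example), flags any IP that accumulates several declines on different cards inside a short window, and emits Apache 2.2 `Deny from` lines, on the assumption that the site runs on a platform where that is how you "ban that IP address".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). One purchase attempt per
# line; "card=" is a hashed card token, never a PAN, so the log itself is safe.
SAMPLE_LOG = """\
2005-03-08 23:40:11 ip=203.0.113.7 result=declined amount=1.00 card=sha:a1
2005-03-08 23:41:02 ip=203.0.113.7 result=declined amount=1.00 card=sha:b2
2005-03-08 23:41:39 ip=203.0.113.7 result=declined amount=1.00 card=sha:c3
2005-03-08 23:42:15 ip=203.0.113.7 result=declined amount=1.00 card=sha:d4
2005-03-08 23:43:50 ip=203.0.113.7 result=approved amount=1.00 card=sha:e5
2005-03-08 23:50:00 ip=198.51.100.9 result=declined amount=49.95 card=sha:f6
2005-03-09 00:02:00 ip=198.51.100.9 result=approved amount=49.95 card=sha:f6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ip=(?P<ip>\S+) result=(?P<result>\S+) "
    r"amount=(?P<amount>\S+) card=(?P<card>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not purchase attempts
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"],
            "result": m["result"],
            "amount": float(m["amount"]),
            "card": m["card"],
        })
    return events


def flag_card_testing(events, window=timedelta(minutes=10), max_declines=3):
    """Return {ip: summary} for every IP that produced at least `max_declines`
    declines on more than one distinct card inside any `window`-long span.
    A legitimate customer retrying one card does not trip this; a card tester
    cycling through a list of numbers does."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "declined":
            by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, declines in by_ip.items():
        best = None
        start = 0
        for end in range(len(declines)):
            # slide the window start forward until the span fits in `window`
            while declines[end]["ts"] - declines[start]["ts"] > window:
                start += 1
            run = declines[start:end + 1]
            cards = {d["card"] for d in run}
            if len(run) >= max_declines and len(cards) > 1:
                if best is None or len(run) > best["declines"]:
                    best = {
                        "declines": len(run),
                        "distinct_cards": len(cards),
                        "first": run[0]["ts"],
                        "last": run[-1]["ts"],
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


def deny_directives(flagged):
    """Render Apache 2.2 mod_access 'Deny from' lines for the flagged IPs.
    Assumes an Apache host; substitute your platform's equivalent."""
    return [f"Deny from {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = flag_card_testing(parse_log(SAMPLE_LOG))
    for ip, info in hits.items():
        print(f"{ip}: {info['declines']} declines on {info['distinct_cards']} "
              f"cards between {info['first']} and {info['last']}")
    print("\n".join(deny_directives(hits)))
```

Run on the sample, only 203.0.113.7 is flagged (four declines on four different cards in two minutes); the second IP, one decline followed by an approval on the same card, is an ordinary shopper and is left alone. The thresholds are deliberately conservative so the first action is a review, not an automatic block of a paying customer.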
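The MD5 Hash feature mentioned above is a response-authentication check: the merchant recomputes a hash over the response and compares it with the one the gateway sent, so a reply that did not come from Authorize.Net is rejected. The following is an added example written for this page, not Authorize.Net's code and not taken from the SIM/AIM guides. The concatenation order it uses (MD5 Hash Value + API Login ID + transaction ID + amount) and the `x_MD5_Hash`, `x_trans_id` and `x_amount` field names are recalled from the SIM relay-response format and are an assumption here; check them against the current gateway documentation. The secret, login and transaction values are constructed.

```python
import hashlib
import hmac

# Constructed values for the example; a real MD5 Hash Value is set in the
# merchant interface and never appears in code or logs.
MD5_HASH_VALUE = "constructed-example-secret"
API_LOGIN_ID = "exampleLogin"


def expected_hash(md5_hash_value, api_login_id, trans_id, amount):
    """Recompute the response hash.

    Assumed formula: MD5(MD5 Hash Value + API Login ID + transaction ID +
    amount), rendered as upper-case hex. The amount must be the exact string
    the gateway returned (e.g. "12.99"), not a re-formatted float."""
    data = f"{md5_hash_value}{api_login_id}{trans_id}{amount}".encode("utf-8")
    return hashlib.md5(data).hexdigest().upper()


def verify_response(fields, md5_hash_value, api_login_id):
    """Return True only if the response carries a hash that matches what
    we compute from our own secret. A missing field or a mismatch is a
    rejection; compare in constant time so timing does not leak the hash."""
    try:
        received = fields["x_MD5_Hash"]
        trans_id = fields["x_trans_id"]
        amount = fields["x_amount"]
    except KeyError:
        return False
    expected = expected_hash(md5_hash_value, api_login_id, trans_id, amount)
    return hmac.compare_digest(expected, received.upper())


def simulated_gateway_response(trans_id, amount, md5_hash_value, api_login_id):
    """Stand-in for the gateway side, used only to make the example
    self-contained: builds a response dict carrying a correct hash."""
    return {
        "x_response_code": "1",
        "x_trans_id": trans_id,
        "x_amount": amount,
        "x_MD5_Hash": expected_hash(md5_hash_value, api_login_id, trans_id, amount),
    }


if __name__ == "__main__":
    good = simulated_gateway_response("1234567890", "49.95", MD5_HASH_VALUE, API_LOGIN_ID)
    print("genuine response verifies:", verify_response(good, MD5_HASH_VALUE, API_LOGIN_ID))

    # A reply from "some other location" that did not know the secret, or a
    # genuine reply whose amount was altered in transit, fails the check.
    forged = dict(good, x_amount="0.01")
    print("altered response verifies:", verify_response(forged, MD5_HASH_VALUE, API_LOGIN_ID))
```

The point of the check is the shared secret: anyone can post a form to your relay URL, but only the gateway (and you) can produce a hash that covers the transaction ID and amount. Treat a failed verification the same as a declined transaction and log it, since a burst of failures is itself a signal worth reporting to your reseller.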