[thelist] what kind of fraud is this?

Maximillian Schwanekamp lists at neptunewebworks.com
Wed Mar 9 00:01:04 CST 2005

Erik Heerlein wrote:
> Over the past couple of days, someone has been trying make purchases 
> from my SSL e-commerce site. Each time that they do, their card is 
> declined.
> My question is, what is this person trying to achieve?
> So my only other idea is that he's 
> trying to eavesdrop on the transactions to glean some potentially 
> fruitful information. So am I vulnerable here in some way? Is he trying 
> to hack into authorize.net or the banks?

Is he submitting these transactions via a shopping cart (or similar) 
app, or are these transactions being posted directly to authorize.net? 
If the latter, then he is probably attempting to crack your AuthNet 
account password.  If the former, then he is probably using stolen card 
numbers, and is trying to determine if the number is valid.  You say 
that this person is using the same IP every time, so the first thing to 
do is ban that IP address from your site.  Not sure what your platform 
is, but this is generally easy.  Google it.  Anyway, sounds like you're 
plagued by just an amateur, so you can consider it a good heads-up 
excuse to audit your ecommerce security.

You're using Authorize.Net, so you'll have a good array of anti-fraud 
tools available.  A few recommendations:  First off, AuthNet recommends 
that you use "password-required mode" if you're using AIM (Advanced 
Integration Method).  This means that in order to submit a transaction, 
your AuthNet login password is required.  This is good only if you 
consider your ecommerce software reasonably secure.

Definitely do use CVN ("Card Code Verification" in AuthNet).  Requiring 
this is becoming standard practice on the web now, and it does add some 
extra security (for now).  Set AuthNet to reject transactions lacking 
CVN or where CVN fails.

If possible, use the MD5 Hash feature.  This a way to authenticate that 
you are in fact getting a response from Authorize.Net and not from some 
other location.  The SIM/AIM docs explain this pretty well.

Finally, if you want to go the extra mile, get the Fraud Detection Suite 
(this is different from FraudScreen.net, which I don't recommend).  FDS 
will give a bunch of good features that may be useful for you.

> Also, is there anybody else I should report this to?

Contact your Authorize.Net reseller asap.  Most underwriters will hold 
the merchant responsible for fraudulent charges unless the merchant has 
taken demonstrable steps to prevent them.  Fraudulent transactions are 
not just someone trying to get something from you for free.  The 
potential ramifications to your business can be devastating.  Also 
contact Authorize.Net support.  In my experience (at least recently) 
they're very helpful about security issues.

*** I do not work for Authorize.Net or an AuthNet reseller.  Thus, when 
in doubt contact your reseller and/or Authorize.Net.  I did work for 
years with a hosted ecommerce service provider and an Authorize.Net 
reseller.  I do use AuthNet for my own transactions, and that's about 
the extent of my relationship with them these days.

Hope this info is of some use to you!  Good luck!

Maximillian Von Schwanekamp

More information about the thelist mailing list