Stolen cards used on my online shop

[sumodaz]

Hi, we had a call from a lady the other day saying that goods bought from my shop were bought using her stolen credit card. We advised her to just do a charge back (was this the right thing to do?) We have since noticed that 4 orders have been delivered to the same address, which i can only presume are also stolen cards, a total of another £2000 worth of good.... What is the process? Are we going to lose a lot of money?


thanks
Darren

 

[benjamin_c]

call the police and contact your payment provider now, or go to the address with 3 or 4 BIG guys with bats

 

[benjamin_c]

i've just looked at your website out of curiosity and given the kind of products you're selling these fraudsters could be using what they're (obtaining) from you to commit further fraud, defiantly contact the police, they could be making fake ID cards or anything

 

[letterboxunlimited]

The chances are its you who will take the hit unless your merchant provider says otherwise. If the address is local you could pop round and take a look because in my past experience as long as you pay the money nobody cares

 

[sumodaz]

The chances are its you who will take the hit unless your merchant provider says otherwise.

I thought as much, not had a lot of lucky with criminality this year.

 

[CaterTrade]

Sorry to hear that. If you had 3D Secure turned on then you shouldn't be liable but probably will be liable if you didn't.

This is from the wikidedia

3-D Secure adds another authentication step for online payments. Merchants are encouraged to use 3-D Secure to achieve higher coverage against fraud losses. When a merchant does not use 3-D Secure they are liable for fraudulent transactions even if the transaction was properly authorized.

 

[groovyjon]

I agree, if you're not already using 3D Secure, look into it now. It's not a perfect system, and it will even lose you some sales when the process confuses customers. But in our experience it more than pays for itself with the reduction in chargebacks.

 

[NuBlue]

Or do Fraud checks on your orders.

We manually check all hosting orders on our website by a strict criteria and if you fail, you get a refund. Most payment providers don't actually process the payment untill midnight of that day and if you refund before then you will not get a charge back and you will not send goods to a fraudster!

The checks to do are:

- Check the IP of the customer against their address
- Check billing / shipping adress are the same
- be dubious of free email accounts (if Dave buys a product but uses sara@hotmail as his contact email alarm bells shoud be ringing.)
- If in any doubt call the customer and confirm the order.

 

[quikshop]

Don't waste your time contacting the Police, the crime is not against you it is against the card holder and the Police will tell you it is up to the card holder to make a complaint.

They will then tell the card holder that the card companies now handle card fraud and they should contact their card company.

Sounds like you need tighter fraud checks throughout your ordering process. As NuBlue said, 3D secure is an absolute must these days but simple things like only shipping large orders to the registered address of the card holder, making random 'customer service' phone calls for large orders and querying large orders that come through with a mobile and yahoo / hotmail style email address - all of which are disposable.

 

[sumodaz]

Thanks for all your advice, unfortunately we cannot make changes to our website as it is leased to us yearly. When we did find a way to change the website (for seo purposes), the IT department of the company we lease it from kicked up a stink, and even implied they were going to sue us?? and now their poorly made site has caused all this, certainly not going to renew this year.

 

[legaltemplates.eu]

You need to get all the records together and take to the police! you will also need to speak to the your credit card merchant provider as if you have too many chargebacks you are going to end up loosing your account or end up paying large amount of fees. It might actually be best to give a refund to the lady and try and claim on your insurance for the loss. For every chargeback you get you will usually have to pay the bank £25.00 or more depending on your SLA

 

[quikshop]

You need to get all the records together and take to the police! you will also need to speak to the your credit card merchant provider as if you have too many chargebacks you are going to end up loosing your account or end up paying large amount of fees. It might actually be best to give a refund to the lady and try and claim on your insurance for the loss. For every chargeback you get you will usually have to pay the bank £25.00 or more depending on your SLA

Poor advice, ignore.

 

[legaltemplates.eu]

Why would it be poor advice? Would loosing your merchant account be worse than taking the hit on the lost goods which you maybe able to claim the loss through your business insurance?

Streamline are very strict about chargeback levels.

 

[quikshop]

Poor advice because as I posted previously, the Police will not help a merchant with card fraud because it is not the merchant who are the perceived victim.

If you refund a fraudulent order, depending on the timing you might also be charged back the same amount thus losing twice and having the hassle of reclaiming one of the payments.

If you claim against your insurance for chargebacks you end up with higher premiums, its an in-affective mechanism for dealing with chargebacks.

If you are suffering high levels of chargebacks then there are issues with your website that must be addressed - any business that susceptible to fraud is going to loose their merchant facility.

 

[legaltemplates.eu]

I agree with you on some points, but the merchant is the victim if they have shipped out goods... its stolen property for starters is it not?

When issuing a refund I would have made it clear to the cardholder/victim that I would be doing this so they didnt actually create the chargeback. Most banks these days will request that you provide "further information" before actually actioning the chargeback, this is your opportunity to provide proof that the funds have been refunded to the cardholder.

 

[quikshop]

I agree with you on some points, but the merchant is the victim if they have shipped out goods... its stolen property for starters is it not?

You've obviously never had to deal with any of these issues in the real World. The Police are not resourced to deal with distance selling fraud, the Police deferred all of these issues on card fraud to the banks over a year ago.

I can assure you, you will not get a Police service to investigate a dodgy order. Even their cyber-crimes division don't get involved, they are only interested in capturing organised crime on a large scale.

 

[Astaroth]

You can get them to investigate it but it is damned hard work and 99.9% of the time they will refuse to do it advising they have an agreed process that the card issuers investigate it and only refer suitable cases to the police.

 

[PayVector]

The Police are not resourced to deal with distance selling fraud

Actually I read earlier this week that a new task force had been authorised by the Gov to deal with online card fraud. Be damned if I remember where though.

However quickshops advice is right. It is not that the police dont care it just they often do not have the knowledge to know what to do, where to look etc.

We detected a fraud last year over a bunch of merchant with 1.5m worth of goods going to 3 addresses in Manchester. We prepped a file, gave the police all they needed and nothing was done. Well not in time anyways. By the time the police reacted the fraudsters were long gone.

Also if your website company is refusing to upgrade your site to 3D secure then get another one built ASAP. You just lost a couple of grand. Most web devs can do you a decent site for less than that.

 

[Atilla]

??
Me thinks someone needs to lay off the medication.

 

[cjd]

We detected a fraud last year over a bunch of merchant with 1.5m worth of goods going to 3 addresses in Manchester. We prepped a file, gave the police all they needed and nothing was done.

As a point of information, if you tell the police about a crime in progress they are legally obliged to investigate and intervene. If you give them details of a crime that has happened, they can decide whether it's worth investigating or not. [A DCI handling a big fraud case I was involved with told me that]

Might be worth picking your words carefully next time - even so, I'm sure they'll wriggle around it.

 

[samjohnnylee]

Probably, as all have contributed its been nice to be here..
Even I lost my cards and not yet recovered but the way they have spend the money and they were caught so not an issue.. I will get the money.. now or sometime after..!!

Wallion.!!

 

[PayVector]

As a point of information, if you tell the police about a crime in progress they are legally obliged to investigate and intervene. If you give them details of a crime that has happened, they can decide whether it's worth investigating or not. [A DCI handling a big fraud case I was involved with told me that]

Might be worth picking your words carefully next time - even so, I'm sure they'll wriggle around it.

I am sure they are. And they did. However the time it took for them to actually get someone out to the location the fraudsters had moved on. The point is that online fraud is pretty low on the agenda for the police. Catching the robber who took little Grannies purse because there is seen to be a victim. Online fraud is almost seen as victimless. The person who has their card details stolen gets their money back. The only one that loses is either the bank or the company the card was used at. And who cares if a bank loses some dosh right? And a company cant be a victim can they?

 

[KateCB]

You need to check your order for high value, repeat and successive orders; the first order may be small to check that YOU don't check, the next will be a little larger just to make sure and if you fail to stop it (refund/void/contact) they will continue to place large orders until you finally catch on as you have now. The payment processor usually offers 3D (who are you using?) and it is actioned by the card issuer - i.e. Nationwide insist on it for all online transactions, and we simply said that we wante dot add 3D/VBV to our Sagepay account and it happened.

Chargebacks - you have to refund the customer, and pay a fee to the issuer (i.e. streamline) which can be £25 - 50; if you have a large number of chargebacks they can refuse to process your payments. We only ever had ONE chargeback, it was ONE order (their test order) and the card had been stolen; the customer called the police and the card issuer, and despite the fact that we had signatures for delivery etc we had to pay the fee; Sagepay for processing is good as it includes all the address/history checks through 3rd man, so in 11 years of e-commerce we have been stung once and that was in the days before 3D/VBV!

Also think that come renewal time you move away from a company who don't allow you to do what you need to with YOUR website that YOU are paying for!

Good luck with this one.

 

[deniser]

I agree with KateCB. 3rd man is superb. We have only ever had one chargeback for a small one they let through. All other fraudulent attempts were spotted and notified to me and we get them on a daily basis so that's an awful lot of chargebacks we have avoided.

BTW I did get a policeman to go as far as searching the premises where a fraudulent order was sent (in the old days of Paypal before I discovered 3rd man screening) but of course the goods were no longer there and they wouldn't then take the further step of getting a court order to seize the computers so nothing happened.

But the address was known to the police (previous conviction) so they were happy to go round to rattle the occupants a bit.

No hope of recovering monies but made me feel better!

 

[smellyskelly]

In the past 20 years i have investigated countless frauds, in the retail sector.

The last 10 years - before I started our online store, the majority of frauds were online/mail order.

Whilst i agree with Dave (quickshop) i feel it is important to make the following clear:

• It is worth contacting the Police - rarley will they respond and investigate, however, all incidents are recorded and have the possibility of being used in the larger picture from an intelligence aspect - To quote, they do have the knowledge - but are not directed to do so.
• Whilst the directive of non investigation into CNP fraud originates from the CPS, some (always try to speak with a Police Officer and not a call centre Operative!)Officers will take the investigation on if they feel there is

• A possible Suspect
• Previous sound inteligence
• An opportunity to conduct a controlled delivery
• Enough evidence in the 1st Place

• Actually - if the goods were shipped & the card holder has their money back - under the Theft Act (or now the new Fraud Act), the victim is the retailer (99.9% of times the bank are not the victim!) as they have lost out financially as a direct result of a crime. The card Holder becomes a Witness.

• It is true that more and more the Home Office are issuing Guidelines that CNP and Mail order frauds are due to poor diligence and mal- pratice on the retailers part! And of course the retailers can afford to calculate these losses into there huge profits!( am i sounding bitter?)

Any substantial loss through fraud i would make a point of informing the Police, and as previously indicated, you should ensure that it is recorded as a crime - do not allow the police to simply issue you with an incident number.

On a positive note - 3rd Man is great as are some other anti fraud defences. Huge amounts of rescource available to help you online - i previously posted some.

It is best to be alert and try to identify before shipping.

Even after investigation and court cases, you are unlikely to get any financial or moral satisfaction! Hence i chose to leave the industry!!

Hope this helps......

 

[cycloneuk]

Due to selling high risk goods, i get attempted fraudulent orders put in quite often. Due to having 3D Secure enabled and becoming very good at spotting them, i have only had 1 single charge back in nearly 2 years of trading online, and that was before i enabled 3D.

 

[a_baron]

Hi, we had a call from a lady the other day saying that goods bought from my shop were bought using her stolen credit card. We advised her to just do a charge back (was this the right thing to do?) We have since noticed that 4 orders have been delivered to the same address, which i can only presume are also stolen cards, a total of another £2000 worth of good.... What is the process? Are we going to lose a lot of money?


thanks
Darren

I suggest you go to the address and thump the person responsible; the authorities, including the police, don't give a **** about this sort of fraud and seldom bother to investigate it. See my letter in London Metro a few years back.

 

[a_baron]

Hi, we had a call from a lady the other day saying that goods bought from my shop were bought using her stolen credit card. We advised her to just do a charge back (was this the right thing to do?) We have since noticed that 4 orders have been delivered to the same address, which i can only presume are also stolen cards, a total of another £2000 worth of good.... What is the process? Are we going to lose a lot of money?


thanks
Darren

Check out too A Modest Proposal To Totally Eliminate Most Card Fraud.

My MP sent this to the Treasury but they weren't bothered.

 

[NuBlue]

Check out too A Modest Proposal To Totally Eliminate Most Card Fraud.

My MP sent this to the Treasury but they weren't bothered.

I like that, very interesting idea. If you specify what you will and won't be using your card for then it would certainly reduce fraud imho. Seems relatively easy to implement too.

 

[PayVector]

A Modest Proposal To Totally Eliminate Most Card Fraud

This is already done to some extent. Each merchant is given what is known as a Merchant Classification Code or MCC code when they go through the setup phase with the bank. A better way to do it would be to do a bank alert on an online transaction, ie an SMS message and or email to a the card holder.

This introduces a bunch of technical problems. If the bank rejects a transaction after the the actual processing phase there is no way using APACS that the can inform the processor to inform the merchant.

I believe 3rd Man are working on something along this lines but dont know where they are at with it.