Fighting online fraud
Online payment fraud is rampant. Whether it is because it’s easier to steal anonymously, or because tracking down someone over the net and prosecuting them is difficult if not impossible, online fraud hits everyone who takes payments online.
The situation is even more problematic for digital products, in which case credit-card companies or Paypal refuse to provide any kind of seller protection. The reasoning behind it is that digital product fraud does not result in actual material loss, and it’s hard to prove delivery – both are false, but the situation stands as it is anyway.
Paypal promotes itself as a more secure payment method by removing the need to enter credit-card details online. In reality, Paypal account credentials can be compromised just as easily as credit-card details, and it still has the vulnerability of credit-card payments (unless you disable that feature).
Paypal can be abused in several ways, so lets go over the main attack methods:
Paypal account hijacking
By getting a hold of Paypal account credentials or an active logged-in session, an unauthorized user can make payments using Paypal as if he were the real account holder.
This route is very advantageous to the attacker – he does not have to pass all the checks banks employ on credit-card transactions (address, zipcode, CVC) and use the account to pay immediately.
Paypal payments with stolen credit-card details
Paypal allows people without an account to pay directly with a credit-card (unless you specifically disable that option). This means that stolen credit-card details can be used – the same as with every credit-card payment option (which will be covered in more detail in the next section).
Fortunately (or not), Paypal has its own fraud detection mechanism that it uses on credit-card payments. This means that credit-card payments on Paypal are less likely to be stolen, but on the other hand Paypal often rejects legit payments that fail their somewhat strict detection system.
Paypal disputes on legit transactions
In a way, this is the most troublesome fraud of all. The transaction itself will appear completely legit, as the account owner in fact authorized it. What we deal here is “buyer remorse”, where the buyer simply decides he does not want to pay for the transaction, and opens a dispute on Paypal.
Paypal will side with the buyer most of the time, unless you can provide strong evidence of delivery (for example, a sign-off on a shipping paper). To some degree, Paypal will offer payment protection on certain products. Unfortunately, digital goods are not included and Paypal provides no guarantee of protection for those kind of transactions.
An attacker will attempt to make an online payment by getting a hold of credit-card information. The information can start at only the card number, and extend to expiry date, CVC and even address details.
Unfortunately, confirmation of credit-card details across banks is very inconsistent. Some banks do not even check the expiry date or the CVC security code (!), while others might return a false positive (it would’ve been better if they had returned “not checked”).
To make matters even worse, a bank might approve a transaction even if some of the details were checked and confirmed as incorrect. This attitude extends to some payment gateways, which will leave the decision up to the bank and will not deny a transaction if some of the security checks are false.
Common Types of Fraud Knowing what you’re up against is the key to a strategic defense. Online merchants most often face two types of transaction fraud.
The most common type of fraud is verification fraud. Fraudsters can easily obtain or generate potentially legitimate credit card numbers. By submitting orders using a merchant’s payment form, they can determine whether that information is valid. At this point, they are not seeking financial gain, only information. But for merchants who suddenly experience thousands of invalid transactions, the repercussions can be costly.
Once fraudsters have confirmed the validity of a credit card, they can then use it to purchase goods from a merchant. Fraudsters will usually attempt to get a merchant to ship large amounts of a product to a location different from the billing address of the cardholder. Their motive is to steal as much as they can as quickly as possible. By the time the charge backs come rolling in, merchants are left holding the bag.
Fraud detection services
You can rely on our experience and expertise to increase your fraud prevention success. Please call us at 1-800-477-5363 to consult with one of our fraud detection specialist.