by natvod 3838 days ago
I think someone else mentioned this in another post about this. Thought it was a great idea so I'll repeat it here:

To prevent fraudsters from using you to authenticate their stolen credit cards, set it up so that every purchase automatically redirects to an 'order successful' page. After seeing that a few of their credit card numbers all seem to work on your site, the fraudster will realize they can't use your site to test and move on. In the back-end, turn on manual approval of each purchase and let through the ones you deem legitimate.

Should a legitimate customer mistype their credit card info, send them a follow-up email with a link to the order page briefly explaining the situation and asking them to enter their details again.

(If there's some issue with this method I haven't thought of, let me know.)

5 comments

There are several stages of CC validation. EX: http://www.experian.com/decision-analytics/credit-card-verif...

  M = Full match
  P = Partial match
  C = Match, but account is closed
  L = Match, but card is lost or stolen
  E = Invalid card number
  X = No record or security alert
  N = No match
IMO, you can display an error page for some types of issues without helping scammers. However, for physical goods it's a good idea to wait 24+ hours to display C or L codes to users. That way it's not useful for CC scammers, and you have minimal impact on users. Partial matches or other stages that fail your security checks are up to you.
Additionally if a customer is a repeated customer you may want to "whitelist" them, assuming they ever need to update their info (card expiration). Just a small tweak so they get feedback right away if they keep coming back.
Actually, you can just do a Luhn check on the credit card and if it fails show an error message.

Scammer cards will pass the Luhn check, so it won't be helpful for them validating cards. But it will catch many customer typos, thus giving them immediate feedback.

Best reply, but... How often is a typo made (1:1000?), how much time for support staff is needed and how many lost orders due to a ~24 hour delay in some orders being placed. Also, easy to flood the system with bad orders that need to be manually sorted, like a fake order DDoS.
If a typo is made 1:1000 times Candy Japan would have had... 2? At this small scale it's probably worth it - the loss of a customer isn't as big a problem as loss of physical goods.
Not to mention that you can verify the Luhn checksum on CC numbers and immediately catch ~90% of all typos (and 100% of single-digit typos). Don't even need a server call.
Honest people don't make typos that pass the checksum based on my experience at $DayJob.
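The Luhn point made in the two comments above (it catches every single-digit typo and most adjacent transpositions, but says nothing about whether a card is genuine), shown as an added example that is not part of the thread. The two 16-digit sample numbers are constructed here purely to satisfy the checksum and are not real cards.

```python
def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled,
    # and a doubled value above 9 has 9 subtracted (same as summing its digits).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def single_digit_typos(number: str):
    """Yield every string that differs from `number` in exactly one digit."""
    for i, c in enumerate(number):
        for r in "0123456789":
            if r != c:
                yield number[:i] + r + number[i + 1:]


def adjacent_transpositions(number: str):
    """Yield every string obtained by swapping two different neighbouring digits."""
    for i in range(len(number) - 1):
        if number[i] != number[i + 1]:
            yield number[:i] + number[i + 1] + number[i] + number[i + 2:]


def catch_rate(number: str, typos) -> float:
    """Fraction of the given typo variants that fail the Luhn check."""
    typos = list(typos)
    return sum(1 for t in typos if not luhn_valid(t)) / len(typos)


# Constructed sample numbers (valid checksums, not real cards). The second one
# contains the adjacent pair "90": swapping 0 and 9 is the one transposition the
# Luhn checksum cannot detect, so not every transposition in it is caught.
SAMPLE_NO_09 = "4539123456781238"
SAMPLE_WITH_90 = "4539012345678129"

if __name__ == "__main__":
    for n in (SAMPLE_NO_09, SAMPLE_WITH_90):
        print(n, "valid:", luhn_valid(n),
              "single-digit typos caught:", catch_rate(n, single_digit_typos(n)),
              "transpositions caught:", round(catch_rate(n, adjacent_transpositions(n)), 3))
```

The check only tells you a number is well-formed; as the thread notes, a stolen but real card passes it just like a legitimate one, so it is a typo filter, not a fraud filter.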
Would a simple delay in confirmation be enough to dissuade them? e.g. 10 mins? an hour? There's probably some critical threshold where it's not worth it for the criminal/s.

Since the candy can't be dispatched instantly anyway, you could arrange it to not affect delivery times.

Though of course, delayed confirmation would also put off genuine customers. So you could faux-confirm it instantly, and follow-up later if there's a problem. i.e. same as parent, but fully automated.

I discussed this with Bemmu & wrote up the idea (in the context of Laravel coding, but the idea is the same) here: http://codebyjeff.com/blog/2015/10/cut-credit-card-thief-cha...

He was doing things a little differently than my idea, so not sure what success he had in blocking them.

That doesn't seem like a big enough hurdle. Card testing is already automated with bots, and this method can be easily defeated with a simple tweak (e.g. use a catch-all address and then automate the link clicking).

I know you wrote that it's just "out-running you, not the bear," but you probably won't be outrunning others for very long.

Edit: I have no problem with measures that could help protect against fraud even just a little, but this one also introduces friction for legitimate customers, so it needs to be sufficiently effective to be worth it.

How does one deem a purchase as legitimate or not?

And how would you differentiate between a legit customer who mistyped their info versus a fraudulent attempt?

Some low hanging fruit: orders where the billing address is an exact match and it also matches the shipping address are probably the most likely to be legit.

There are many more factors to consider though.

Usually, sure - this case is interesting b/c the fraudsters don't care about receiving the actual product.

This is a really big field - most large companies that have to process tons of transactions will implement a big data approach - put together as much demographic and behavioral info about the customer as possible and analyze risk. This is really impossible for small vendors.

AVS, which checks the billing address, only really works in the US. It's pretty much useless in any other country in the world (it's partially supported by some banks in Canada and the UK, but that's it).