by Gaessaki 1380 days ago
Card testers are so frustrating to deal with. We run a food delivery platform coop that processes orders and then delivers them on behalf of our restaurant members. We’re an ideal card-testing target for the perps before they hit up the Apple store. We only have basic anti-fraud measures because we’re a startup and, as a reward, a free meal if they find a card that works.

The hit is usually doubly painful for us, as we not only lose the money and get the $15 Stripe dispute fee, but we’re still on the hook for the restaurant’s food and driver’s tip and need to pay that out of pocket, and we also lose valuable time from our drivers. So all in all, a $50 fraud might cost us $80.

The signs are always obvious. Always ~$70 orders. Asking for the food to be delivered to a person across the street. Obviously fraudulent names and emails. Postal codes from elsewhere in the province. Orders from only certain restaurants. The problem is, we always catch this too late through manual reviews. The restaurant usually has the food made before we find out.

Despite mitigations (blocking ranges of addresses, digital and physical, Radar, etc.), it’s still trivial to get around and make fraudulent orders if you’re able to constantly acquire a fresh supply of new cards. We can probably build more sophisticated detection mechanisms, but we haven’t gotten there yet.

We’ve resorted to just cancelling the order quietly once we find out, without informing the fraudster. When they invariably call an hour later inquiring about their delivery (with a voice totally not matching the name), we either tell them we’re sending cops or cuss them out loudly. The silver lining is that it’s fun to witness their reactions on the phone when they realize they’ve been caught.

The banks and police are no help. There are obvious fraud patterns (we’ve physically seen the crooks and know where they live) and we have compelling evidence we can provide, but they won’t do anything. Understandably, they’re fighting the problem at a much greater scale and probably don’t have time for small peanut cases like ours, but it’s still frustrating nonetheless.


> We’ve resorted to just cancelling the order quietly once we find out, without informing the fraudster. When they invariably call an hour later inquiring about their delivery (with a voice totally not matching the name), we either tell them we’re sending cops or cuss them out loudly. The silver lining is that it’s fun to witness their reactions on the phone when they realize they’ve been caught.

Don't do this. Just give an automated message that you've canceled the order due to being unable to process their payment, without elaborating on what was wrong with the payment. If they call, give them the same information and nothing more.

Every piece of additional data you give them about how your anti-fraud system works helps them to evade it. Also, as you grow, speaking to them on the phone will become a larger and larger risk as some fraudsters will be very skilled at convincing your customer service people that they are legit.

Aren’t you contradicting yourself?

> Every piece of additional data you give them

Yes, we shouldn’t give them additional data.

> Give an automated message

??

A bland, useless message is less information than cussing someone out and calling them a fraudster.

No, it’s more information.

An automated message arrives every time, one time. For this specific type of fraud where they are trying out many cards to figure out which works, getting an automated message is perfect.

Leaving the fraudster in the dark - excellent. Forcing the fraudster to call if they want more information - excellent. Both of these increase the time investment from the fraudster. They need to spend more time per card.

Cussing - doesn’t make a difference either way from an information perspective.

I worked with the fraud team implementing the security for a real time data ingestion pipeline at a major bank partner. I am a bit more informed on this than the average HN poster :)

It's literally less information versus directly letting them know. One message lets them know you know, and the other doesn't.

> Forcing the fraudster to call if they want more information - excellent.

But there's something else you're not taking into account, which is innocent people who trigger your fraud detection.

> Cussing - doesn’t make a difference either way from an information perspective.

Well it certainly lets the fraudster know you know. A legitimate customer receiving that kind of abuse would be pretty unusual, don't you think?

> I’m a bit more informed than the average HN poster

You’ve mistaken me for the average. I’ve worked in Integrity for a FAANG company and in FinCrime for a bank. I have a very good idea of how to mask information from bad people automating things. That’s literally all I’ve done for more than half a decade.

Save your condescension for someone else.

I've done a lot (...) of stuff with fraud. Some advice (for new accounts only):

* if the postal code is a million miles away, flag it for manual review;

* check the IP address (and its ASN) and start identifying ones that are used commonly in chargebacks; if they're using a mobile device with a mobile network it's trickier, same if they're using proxies (though residential are harder to come by now that vip72 is no longer around)

* check if an email address actually exists and isn't just a carder's fresh email — like you said it's pretty obvious;

* don't deliver to person across the street;

* do some sort of phone verification/confirmation (and don't trust VoIP-type phones) (though this is still beatable, it's at least another cost to the carder).

Lastly, when you have a suspect order, don't tell them that you've cancelled the order due to fraud, or that you've found out: tell them that you're having trouble processing the order with the confirming bank and that you need them to enter another card. They will try again, burn some of their own money, and you'll have everything ready to go.

Querying your database and looking at patterns is certain to be helpful. Just a few joins and you can find a lot.

Happy to talk more offline to help you identify this better. Email in profile.

> don't deliver to person across the street

I feel like this is probably crossing over the line balancing an acceptable amount of inconvenience to genuine customers vs. the amount of fraud that is prevented.

Certainly it's fine to flag such a transaction for review, but it's not at all unusual to order food from a restaurant over the street. For example, when it's just me and a sleeping baby at home, but I really want to eat the food from the restaurant over the street.

I think in this case it’s delivering “across the street” from the delivery address, not the restaurant address.

Basically the fraudster is asking to deliver to a location other than where they actually live, because they don’t want to be traceable. They don’t want the delivery person to ring the door, because then the fraudster might lose out on the food.

My reading of this is "yes my (credit card) address is 123 fake st, but please deliver to the park across the street".

Ah, I didn't consider that. Still, I often forget to update my card addresses for a while when I move, now that they don't post you anything. I usually don't move across the street, though...

Agreed - maybe use it as a signal for potential fraud if this is requested in the first order for a new account or a new payment method, but it's useful functionality that shouldn't fall victim to fraud prevention.

During Covid, we’d order to an address down the street because our actual address was “too far away” but four houses over was not.

Yes, I've also done this, as the line of 5km from a cluster of good restaurants is through the middle of the development we live in, and we're on the wrong side of it.
> don't tell them that you've cancelled the order due to fraud

NEVER do that. You’ve got a contract with the customer, you have to either fulfill that or properly explain why you’re breaking the contract.

I’ve had a company break a contract with me (as it later turned out, because I hit one of their fraud measurements) and it took quite an annoying legal battle to force them to accept me as customer (but they had to, and I got almost 2 years of free service out of the company).

If you follow this advice, expect that at some point a customer will be accidentally affected, and some of them will sue you. And you’ll lose.

Do you actually enter into a contract if you void their payment?

Yes! At least in German law refunds don't void the contract, the customer has a right to see the contract fulfilled.

A commonly known example is the person who auctioned off farm equipment on ebay, the customer bought a tractor for 1€, and the seller tried to void the contract and refund the customer.

The obvious court decision was that the contract had to be fulfilled, the tractor had to be delivered.

There are very few exceptions in the law surrounding that:

https://www.gesetze-im-internet.de/englisch_bgb/englisch_bgb...

I'm sure in other countries' laws it's similar.

Thanks for the tips. We’ve implemented some of these measures already and it has helped. We’ve had phone verification from day one, for example. We try to balance the opportunity cost when possible.

For example, we lose a lot of potential clients due to them being turned off by the phone verification, though we rationalize that by saying that the support and operational costs are a lot lower this way as the driver can get in touch with the clients should there be any issues.

I think the next steps, as you outlined, are to build additional flows for fraudulent users and regularly verify some heuristics on our data. We haven’t gotten there yet due to it not being that pressing, but it’s clear we’ll need to do so as we keep gaining traction.

I’ll definitely keep your contact in hand when we visit this issue further!

I don’t know if you handle customer registration. If you do then a customer registering and then placing a big order ($20 or more) within minutes is a big red flag. We clamped down a big chunk of credit card fraud this way.

I would add:

* disallow registration with disposable email addresses (increases the cost for fraudsters). See: https://github.com/disposable/disposable

* disallow or flag transactions depending on ip-rating services. See: https://iphub.info/api (you could cache sketchy addresses to prevent exceeding the requests/day limit)
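Pulling together the signals from the earlier advice list (far-away postal code, IP reuse, throwaway email, delivery to a different address, VoIP phone) and from this comment (a big order minutes after registration, disposable email domains), here is an added example, my own code and not any commenter's, that derives per-order features with a few SQL joins over constructed sample data and queues orders that trip several signals at once for manual review. The table layout, delivery-area postal prefixes, disposable-domain list and thresholds are all assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data and assumed rules (domain list, delivery-area prefixes,
# thresholds); none of it is the coop's real data.
DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.com"}
SERVICE_AREA_PREFIXES = ("H2", "H3")   # assumed delivery zone
T0 = datetime(2024, 5, 1, 18, 0, 0)    # when the three sample orders are placed
ts = lambda dt: dt.isoformat(sep=" ")  # SQLite-friendly 'YYYY-MM-DD HH:MM:SS'


def build_db():
    """In-memory customers / orders / payment_attempts tables with sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT, phone_is_voip INTEGER,
                             created_at TEXT);
      CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER, ip TEXT, total REAL,
                          billing_postal TEXT, deliver_to_billing INTEGER, placed_at TEXT);
      CREATE TABLE payment_attempts(id INTEGER PRIMARY KEY, order_id INTEGER,
                                    card_fingerprint TEXT, approved INTEGER);""")
    db.executemany("INSERT INTO customers VALUES (?,?,?,?)", [
        (1, "alice@example.com", 0, ts(T0 - timedelta(days=60))),         # established
        (2, "qwe9812@mailinator.com", 1, ts(T0 - timedelta(minutes=3))),  # signed up 3 min ago
        (3, "bob@example.com", 0, ts(T0 - timedelta(days=400))),          # sends a gift
    ])
    db.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?,?)", [
        (1, 1, "203.0.113.10", 35.0, "H2X", 1, ts(T0)),
        (2, 2, "198.51.100.7", 72.0, "G1R", 0, ts(T0)),  # ~$70, postal code from elsewhere
        (3, 3, "203.0.113.55", 48.0, "H3A", 0, ts(T0)),  # legitimate, delivered to a friend
    ])
    db.executemany("INSERT INTO payment_attempts VALUES (?,?,?,?)", [
        (1, 1, "fp_a1", 1), (5, 3, "fp_c1", 1),
        (2, 2, "fp_b1", 0), (3, 2, "fp_b2", 0), (4, 2, "fp_b3", 1),  # 3 cards tried, 2 declined
    ])
    return db


# "A few joins": per-order features from customers, orders and payment attempts.
FEATURE_SQL = """
SELECT o.id, c.email, c.phone_is_voip, o.total, o.billing_postal, o.deliver_to_billing,
       (julianday(o.placed_at) - julianday(c.created_at)) * 1440 AS minutes_since_signup,
       (SELECT COUNT(DISTINCT p.card_fingerprint) FROM payment_attempts p
          JOIN orders o2 ON o2.id = p.order_id WHERE o2.ip = o.ip)  AS cards_from_ip,
       (SELECT COUNT(*) FROM payment_attempts p
         WHERE p.order_id = o.id AND p.approved = 0)                AS declines
  FROM orders o JOIN customers c ON c.id = o.customer_id"""


def risk_reasons(row):
    """Signals from the thread that fired for one feature row (see FEATURE_SQL)."""
    oid, email, voip, total, postal, to_billing, mins, cards, declines = row
    reasons = []
    if mins < 10 and total >= 20:
        reasons.append("$%.0f order %.0f min after signup" % (total, mins))
    if email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
        reasons.append("disposable email domain")
    if cards >= 3 or declines >= 2:           # card-testing signature
        reasons.append("%d cards seen from this IP, %d declines on this order" % (cards, declines))
    if not postal.upper().startswith(SERVICE_AREA_PREFIXES):
        reasons.append("billing postal code outside delivery area")
    if not to_billing:
        reasons.append("delivery address differs from billing address")
    if voip:
        reasons.append("VoIP phone number")
    return reasons


def review_queue(db, threshold=2):
    """Orders that tripped at least `threshold` signals. One weak signal alone (a gift
    sent elsewhere, as commenters point out) does not hold an order."""
    queue = {}
    for row in db.execute(FEATURE_SQL):
        reasons = risk_reasons(row)
        if len(reasons) >= threshold:
            queue[row[0]] = reasons
    return queue
```

Calling `review_queue(build_db())` returns only the card-testing order (id 2) with all six reasons; the legitimate gift order trips one signal and stays below the threshold.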

> don't deliver to person across the street;

The time my manager accidentally ordered food from a place we could see out the window was amazing. I’d have been sad if that was blocked.

I'd recommend trying a 3rd party fraud scrubbing service.

Stripe's Radar is all well and good, but they have no skin in the game. If they're right or wrong, you're on the hook.

Services like SIGNIFYD apply their own fraud logic. If a transaction is approved and is later disputed, you are refunded the value of the order and the chargeback costs.

Not associated with them, but have been using them for several years and hundreds of thousands of transactions; our fraud problems are non existent.

Although in that case isn't SIGNIFYD's 'skin in the game' that they're on the hook for fraud so they're incentivised to be overzealous in blocking?

I'm always surprised that cops don't care about "small peanut" cases because that's exactly how you get to the head of an organized crime ring.

The problem is metrics, as usual. Police efficiency is usually measured by % of cases solved (=perpetrator(s) identified and, ideally, enough evidence to convict). Now, when people file all sorts of small crimes with no clear way of identifying the perp (e.g. stolen bicycles without trackers, shoplifting with grainy NTSC camera video, online fraud), the PD's efficiency rate goes down and each case means at least an hour or two of paper work that won't lead anywhere, so the first level cops often enough actively discourage people from filing a case - no matter if the leadership is blasting out campaigns that people should report crimes.

I think it’s partly a communication and organization issue. The local police funnel most immediate public requests through the same two intakes (emergency and non-emergency numbers) which don’t appear to be staffed by people eager to shop your small loss around until they find the individual or department who wants to use it to build a case.

Larger agencies like the FBI have more intake points, but don’t seem to reliably route to local police.

That’s what I would have thought… Not to mention that with the in-person data we have from our drivers that other online merchants don’t, they would be able to suss out entire networks.

This sounds like the kind of thing someone says which sounds true and compelling in an exciting way, but is actually totally bogus :) Do you have any evidence of this being true?

https://storage.courtlistener.com/recap/gov.uscourts.txed.20...

Here’s a recent example: They investigated guys who robbed Verizon stores, which led them to guys who bought phones from those guys, and wholesalers who then bought phones from those middlemen and exported the stolen phones to Hong Kong and Dubai. The value of the fraudulently obtained or stolen phones in the above case is about 100 million dollars and has resulted in various leads ranging from rogue carrier employees unlocking phones to drug cartels using cash to buy phones as part of a trade based money laundering scheme (see also https://storage.courtlistener.com/recap/gov.uscourts.cacd.85...)

You can find lots of examples of this work-your-way-up approach in the history of organized crime; https://en.wikipedia.org/wiki/Bonanno_crime_family#Downfall_... serves as a decent example, leading to the family's boss himself turning into an FBI informant.

Well I fund them through taxes I have no obligation to pay--contribuciones voluntarias is the term in Spanish, the stupid thing to do nobody does and nobody sees the merit in. Everybody pays the absolute minimum at the risk of breaking the law, like no. Fucking no. I don't need to be twisted to pay, I can pay out of gratitude. I have the tax document, you want to see it? I paid 45% taxes in absolute terms with less than $10,000 income. It's taxes, not charity, which is the other benefit: I can talk about it, tell people exactly how much I contribute.

And like come on, cops are the only thing that allow me to wake up in the morning, stedda getting gutted in my sleep. Specific reason I had to dodge getting whacked after handing a racketeer to police ten years ago, my life depended on police retaliating for my murder. We had a hostage deep in the joint hopeless legal case, got caught on the scene of the crime because of my defiance. He would have paid for my getting whacked, human shield.[1] Counterproductive whack, when California gets pissed which is never but this was never so when they're pissed, they're perfect. Arrested the racketeer perfectly, like the wheel of the police car wheel rubbed against the sole of his shoe crossing the street, four guys--cavalry arrived--pinning him against the wall with no possibility of accusing them of police brutality. He angled his back into it so they'd hurt him--bitchvictim racketeer--they knew the counter move. He was stealing from the police, rackets mean Starbucks would have to cook the books for that location, that meant no profits, no profits no taxes. Protection money, well there can only be one protector. Taxes, the protection money that doesn't cost twice as much every time you pay.

And they protected me, again, human shield. Tragic fucking story twitching up his allies. Not even perpetual solitary confinement, or just as simple as competition in maximum security, which I'm not sure he got, even medium security, murderers bigger than him in competing gangs, and like no respect for anybody ever, treating him like shit (I've been top dog when falsely incarcerated, I know the cage)...plus prison in California is segregated, so it's not like he can carry on the race war he declared on Daniel Cussen very effectively, can't gang up on whites so much anymore. And like how many allies does he need?

Well so I need an ally in some sense, the police. But taxes mean they're not truly allies, they're protectors. Detectives on the case. It's not that confusing why I paid taxes, it was not unmotivated. Made sure not to pay the minimum, that sucks, pay what you can, don't pay when you can't but pay when you can. Dude State of California is the best, the political culture in California is disgusting the rent the private university deans--but--the State of California has pulled out the impossible with minimal budget. I can make that budget less minimal. So it wasn't much money--$20 a work week at minimum wage--but now I can talk shit about billionaires like Bezos, especially of their charity, which they should shut the fuck up about. You cannot brag about charity.

Taxes are not charity, so you can talk about that, I've talked to Marxists who were very surprised but agreed taxes aren't charity, taxes can be public. Fuck tax deductible charity. Then, you can leave charity totally to the imagination, or revealed long after death. It only cost me $80--half federal, half state, and twenty bucks per week each just off the top of my head--to make Californian billionaires look niggardly. 100% marginal tax rate. And it counts extra because I had so little, Book of Matthew says so. Not like I miss those $80, I dream of all the ways the State could have spent them, on an orphan for instance, an extra budget to treat him with better food on his birthday. Pay less interest on municipal debt. On gas for the squad car so it can get to Kearney and Bush in the time I bought them, a gas guzzler with crazy horsepower comfy seats and a watertight cage in the back. In a top district attorney that can shut police brutality accusations the fuck up. On a judge or especially a juror's diet (like wage), pay those jurors double minimum wage at least, so they don't think of money while they think about guilt. Just about no problem no matter what they spent it on in practice. Some expenditures hurt--fluorine in water especially--but rather than tell them what to spend on, I trust them above myself to come up with ideas.

And I can declare it with no shame--Christ paid 100% taxes, after all, he never gave charity, he alone healed schizophrenics outright but never gave them money. Caesar he did, in the attitude of sossegation (coining the term, based on sosegado in Spanish, beyond serenity, Christianity). And it's as easy as pulling a fish out of the water with a gold coin in his mouth. Dude algorithms are easy, I'm going to set to work to doubling a speedup after posting this. Doubling is easy, but doubling has a cost and if you double nothing you can never pay that cost. And charities just don't work, I can give a beggar money directly instead.

Sierra says not to do this, Sierra says give to Sierra, yeah why would that be, no, these days I cut out the middleman. Give those beggars money for whatever the fuck they want, even crack if that's what they want, the State does that, yeah it's terrible but I'm not the one sitting on the sidewalk doing the work of begging, they are they choose. Tell them about better drugs, upgrade the crack to a stimulant.

I saw one of my friends with all this food and he offered me some and I accepted, it made me so happy to see him eating food, he didn't have to but he did, and then he showed me how much of the gift I gave him he had left over for the following days. Responsibility is partly about the amount of the gift, big payouts are sobering. And just like people helped me out when I was fucked. Doctor Derek Dunham. Doctor Anne Green. 911, 5150, beautiful numbers, my salvation from Mortal Kombat on May 12, 2012.

I couldn't have tanked the whole gangsters infinitely. Racketeer was 5'8", hitman was 5'11", then assassins both 6'4" for sure, then they get taller and taller and heavier and heavier and more and more and no longer weaponless, sumo gangster then I'm plain fucked, double my weight can't do it. I asked that when I trained, what's the weight limit, double my weight? "No." Triple? "No." Sumo? "Sumos are dangerous."

[1] Paid any way he could hey tooth fairy might leave a quarter under his pillow, that's money. He'll pay for all of it. Got genetic sequence done too, he didn't talk but he sucked. Threatened to murder me, and made a team effort, RICO act field day. Pointing at me for seven minutes? Yeah whack incoming, 911 into 5150: "I think I'm being followed" "oh you're feeling paranoid" "yeah" "we'll send police to come get you to a place you'll be safe, 5150, you just stay there".

Many small scale food delivery startups have already solved this problem.

Phone number verification is the first line of defense. The delivery person might need to call you anyway, so it's an okay compromise to verify the phone number. Only accepting phone numbers from the same country as you deliver in is an added defense, but makes it somewhat inconvenient for travelers without local phone numbers. I'd ease this requirement for neighboring countries (accept US or CA numbers within those two, any EU number within the EU, Singapore+Malaysia, Nepal+India, etc).

Second, adding a card number requires verification too. Charge a small amount, and flag to the payment provider to require secondary authentication the card owner has with the bank. Any serious card owner should have Visa 3D Secure, Mastercard Code, or something similar set up.

This will leave out legitimate gift senders (sending muffins to a friend on their birthday while I'm in a different country) and travelers, but you'd make up that lost revenue by cutting losses from fraud.

We’ve had phone verification since day one. We’ve left the secondary verification stuff up to Stripe, maybe that’s the next place to look.

To be fair, the card fraud is not driving the business into the ground per se, just more annoying when it happens :) solving the problem is more of an opportunity cost thing for us

I see. One similar food delivery business I consulted at had healthy (for a startup) margins at 30% from each order, so I suppose it's beefy enough to absorb some fraud.

Not to derail from the discussion about Stripe, but having a local payment processor helps a lot. In countries with foreign reserve woes (Sri Lanka and Turkey for example), Central Banks impose additional restrictions when paying foreign entities with cards. This can be in stamp fees (about 2.5% of the amount) or a daily/weekly cap on the amount.

For example, hardly anyone uses their credit cards with Uber in Sri Lanka because of this, and a local startup takes many times more orders because they partner with a local payment processor and charge the card as a local entity, sometimes with lower fees too.

That’s an incredible margin. Is this gross before paying out drivers or after?

The suggestion for a local payment processor is a good one. We have another processing entity here in Canada called Interac whose fees are considerably cheaper, though consumers don’t reap the benefits of credit since it’s debit.

I’ve also read about Uber’s efforts accepting cash payments which I found to be very interesting: https://www.uber.com/en-EE/blog/india-growth-cash-payments/

In Sri Lanka (where I currently live and run a bakery business), Uber and the local competitor both charge 30% from the shop. This is in addition to a (mostly) flat fee charged to the customer for delivery, and 100% of it goes to the driver. They take cash payments as well. The amount of cash payments the driver collected is deducted from his weekly payout.

To be fair about the margin, the drivers are paid for completing 20, 50, 100, ... deliveries, which is the bigger portion of their income.

In Indonesia, Grab and Gojek both charge 20-30%, if I'm not mistaken. In Vietnam, Grab, Gojek, and Baemin all charge about the same too. I have lived in Indonesia and Vietnam, and have seen the very same shop marking up the delivery fee into the food. I imagine this is a common practice in Asia at least.

> I see. One similar food delivery business I consulted at had a healthy (for the startup) margins at 30% from each order, so I suppose it's beefy enough to absorb some fraud.

Alright, cool, a consultant. And then…

> Sri Lanka (where I currently live and run a bakery business),

And suddenly a bakery business.

I wish my life one day would be as interesting as yours. HNers are quite interesting.

On topic, FoodPanda is another popular one I’ve seen in Asia. And yeah, the markup for all of them seems to be close to your stated range. Though, it seems that Grab’s delivery fee changes depending on the number of available drivers (motorcyclists?) unlike their competitors like FoodPanda which is static from my experience.

@wzwy (because I can't reply to deeply nested comments I suppose).

The bakery is mostly for the excitement, although it is turning a profit so I'm not complaining. I'm only investing and involved at a small level, with a chef and a manager I hired. But it was a wonderful experience arranging stuff from ovens and mixers to signboards and corrugated boxes, with all minor details in between.

Things tend to be cheap in Sri Lanka, and rent isn't really that expensive, so it was not that difficult to start the business.

> Understandably, they’re fighting the problem at a much greater scale and probably don’t have time for small peanut cases like ours, but it’s still frustrating nonetheless.

Are they? Seriously. The FBI maybe is. But local police almost certainly are not.

Wonder if maybe you could take the offenders to small claims court, if you have that much info. Might be enough to get them to choose an easier target.

I don’t know if it would materially affect the individual offender. A lot of them are actually just teenagers. And the time cost for us would not be insignificant.

That being said, if there was a way we could signal to all the would-be-offenders that we took prior cases to court, that could be quite worthwhile.

Well, small claims is not that hard to prepare for (vs "real" claims), and you can hit them up for a few K.

But you are right, they might claim inability to pay.