by joshmn 1384 days ago
I've done a lot (...) of stuff with fraud. Some advice (for new accounts only):

* if the postal code is a million miles away, flag it for manual review;

* check the IP address (and its ASN) and start identifying ones that are used commonly in chargebacks; if they're using a mobile device with a mobile network it's trickier, same if they're using proxies (though residential are harder to come by now that vip72 is no longer around)

* check if an email address actually exists and isn't just a carder's fresh email — like you said it's pretty obvious;

* don't deliver to person across the street;

* do some sort of phone verification/confirmation (and don't trust VOIP-type phones) (though this is still beatable, it's at least another cost to the carder).

Lastly, when you have a suspect order, don't tell them that you've cancelled the order due to fraud, or that you've found out: tell them that you're having trouble processing the order with the confirming bank and that you need them to enter another card. They will try again, burn some of their own money, and you'll have everything ready to go.

Querying your database and looking at patterns is certain to be helpful. Just a few joins and you can find a lot.

Happy to talk more offline to help you identify this better. Email in profile.
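The heuristics in the comment above (billing address far from the drop-off point, IP ASNs that keep showing up in chargebacks, "deliver across the street", VoIP phone numbers, and the idea of mining your own order history for patterns), combined into one risk score. This is an added example, not code from the commenter or from any particular shop: the orders, the per-ASN chargeback history, the VoIP carrier names and the thresholds are all constructed, and a real system would feed them from its own order and chargeback tables.

```python
"""Risk scoring for a new account's first delivery orders.

Added example (not code from the thread or from any commenter). The orders,
the per-ASN chargeback history and the VoIP carrier names are constructed here;
a production system would feed these from its own order and chargeback tables.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed history: how often past orders from each ASN ended in a chargeback.
# This is the "query your database and look at patterns" step, precomputed.
ASN_HISTORY = {
    "AS64496": {"orders": 200, "chargebacks": 2},   # ordinary residential ISP
    "AS64500": {"orders": 40, "chargebacks": 18},   # hosting range seen in many chargebacks
}

# Constructed names of carriers whose numbers are VoIP rather than mobile/landline.
VOIP_CARRIERS = {"voipco", "burnerline"}

FAR_AWAY_KM = 100.0      # billing address this far from the drop-off: manual review
ACROSS_STREET_KM = 0.3   # different drop-off point, but within 300 m of the billing address
MIN_ASN_SAMPLE = 20      # below this many past orders the ASN rate is not trusted


@dataclass
class Order:
    billing_coords: tuple      # (lat, lon) of the card's billing address
    delivery_coords: tuple     # (lat, lon) of the requested drop-off point
    drop_off_differs: bool     # customer asked for somewhere other than the billing address
    ip_asn: str
    phone_carrier: str


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def asn_chargeback_rate(asn):
    """Fraction of past orders from this ASN that charged back; 0 when history is thin."""
    hist = ASN_HISTORY.get(asn)
    if not hist or hist["orders"] < MIN_ASN_SAMPLE:
        return 0.0
    return hist["chargebacks"] / hist["orders"]


def score_order(order):
    """Return (score, reasons); a higher score means more signals point at fraud."""
    score, reasons = 0, []
    dist = haversine_km(order.billing_coords, order.delivery_coords)
    if dist > FAR_AWAY_KM:
        score += 3
        reasons.append(f"billing address {dist:.0f} km from drop-off point")
    elif order.drop_off_differs and dist < ACROSS_STREET_KM:
        score += 2
        reasons.append("drop-off point is near, but not at, the billing address")
    rate = asn_chargeback_rate(order.ip_asn)
    if rate > 0.10:
        score += 3
        reasons.append(f"ASN {order.ip_asn} chargeback rate {rate:.0%}")
    if order.phone_carrier in VOIP_CARRIERS:
        score += 1
        reasons.append("VoIP phone number")
    return score, reasons


def review_decision(score):
    """Map a score onto the action taken before the order goes to the kitchen."""
    if score >= 4:
        return "manual_review"
    if score >= 2:
        return "extra_verification"   # e.g. ask for another card or re-verify the phone
    return "accept"


if __name__ == "__main__":
    # Constructed orders sharing one billing address in Manhattan.
    manhattan = (40.7506, -73.9972)
    clean = Order(manhattan, manhattan, False, "AS64496", "mobileco")
    far = Order(manhattan, (34.0901, -118.4065), True, "AS64500", "voipco")
    nearby = Order(manhattan, (40.7510, -73.9972), True, "AS64496", "mobileco")
    for o in (clean, far, nearby):
        s, why = score_order(o)
        print(review_decision(s), s, why)
```

The per-ASN rate is only trusted once an ASN has enough history (20 orders here), which keeps a single unlucky chargeback from a small ISP from tainting every later customer on it; the "near but not at" signal is deliberately worth less than the far-away one, since, as the replies below note, ordering to a spot a few doors down is something genuine customers do.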


> don't deliver to person across the street

I feel like this is probably crossing over the line balancing an acceptable amount of inconvenience to genuine customers vs. the amount of fraud that is prevented.

Certainly it's fine to flag such a transaction for review, but it's not at all unusual to order food from a restaurant over the street. For example, when it's just me and a sleeping baby at home, but I really want to eat the food from the restaurant over the street.

I think in this case it’s delivering “across the street” from the delivery address, not the restaurant address.

Basically the fraudster is asking to deliver to a location other than where they actually live, because they don’t want to be traceable. They don’t want the delivery person to ring the door, because then the fraudster might lose out on the food.

My reading of this is "yes my (credit card) address is 123 fake st, but please deliver to the park across the street".

Ah, I didn't consider that. Still, I often forget to update my card addresses for a while when I move, now that they don't post you anything. I usually don't move across the street, though...

Agreed - maybe use it as a signal for potential fraud if this is requested in the first order for a new account or a new payment method, but it's useful functionality that shouldn't fall victim to fraud prevention

During Covid, we’d order to an address down the street because our actual address was “too far away” but four houses over was not.

Yes, I've also done this, as the line of 5km from a cluster of good restaurants is through the middle of the development we live in, and we're on the wrong side of it.
> don't tell them that you've cancelled the order due to fraud

NEVER do that. You’ve got a contract with the customer, you have to either fulfill that or properly explain why you’re breaking the contract.

I’ve had a company break a contract with me (as it later turned out, because I hit one of their fraud measurements) and it took quite an annoying legal battle to force them to accept me as customer (but they had to, and I got almost 2 years of free service out of the company).

If you follow this advice, expect that at some point a customer will be accidentally affected, and some of them will sue you. And you’ll lose.

Do you actually enter into a contract if you void their payment?

Yes! At least in German law refunds don't void the contract, the customer has a right to see the contract fulfilled.

A commonly known example is the person who auctioned off farm equipment on ebay, the customer bought a tractor for 1€, and the seller tried to void the contract and refund the customer.

The obvious court decision was that the contract had to be fulfilled, the tractor had to be delivered.

There are very few exceptions in the law surrounding that:

https://www.gesetze-im-internet.de/englisch_bgb/englisch_bgb...

I'm sure in other countries' laws it's similar.

Thanks for the tips. We’ve implemented some of these measures already and it has helped. We’ve had phone verification from day one, for example. We try to balance the opportunity cost when possible.

For example, we lose a lot of potential clients due to them being turned off by the phone verification, though we rationalize that by saying that the support and operational costs are a lot lower this way as the driver can get in touch with the clients should there be any issues.

I think the next steps, as you outlined, are to build additional flows for fraudulent users and regularly verify some heuristics on our data. We haven’t gotten there yet due to it not being that pressing, but it’s clear we’ll need to do so as we keep gaining traction.

I’ll definitely keep your contact in hand when we visit this issue further!

I don’t know if you handle customer registration. If you do then a customer registering and then placing a big order ($20 or more) within minutes is a big red flag. We clamped down a big chunk of credit card fraud this way.

I would add:

* disallow registration with disposable email addresses (increases the cost for fraudsters). See: https://github.com/disposable/disposable

* disallow or flag transactions depending on ip-rating services. See: https://iphub.info/api (you could cache sketchy addresses to prevent exceeding the requests/day limit)
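The three registration-time signals raised in the last two comments (a big order minutes after sign-up, disposable email domains, and an IP-rating lookup whose results are cached so repeat orders don't burn the daily request quota), as an added example. This is not code from either commenter, from the disposable/disposable list or from iphub: the domain list is a short stand-in, the reputation source and its 0/1/2 rating scale are constructed in place of a real API call, and the account and order records are made up.

```python
"""Registration-time signals: disposable email domains, cached IP reputation
lookups, and a large order placed minutes after sign-up.

Added example, not code from the thread, from the disposable/disposable list
or from iphub. The domain list, the reputation source and its rating scale,
and the account/order records are all constructed stand-ins.
"""
import time
from dataclasses import dataclass

# Constructed stand-in for the disposable-domain list (the real list is much longer).
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example"}


def is_disposable_email(address):
    """True when the address's domain, or any parent domain of it, is on the list.

    Checking parent domains catches throwaway subdomains like user@x.tempmail.example.
    """
    if address.count("@") != 1:
        raise ValueError(f"malformed address: {address!r}")
    labels = address.rsplit("@", 1)[1].lower().strip(".").split(".")
    return any(".".join(labels[i:]) in DISPOSABLE_DOMAINS for i in range(len(labels)))


class IPReputationCache:
    """Memoise a rate-limited reputation lookup so repeat orders from one address
    do not each spend a request of the daily quota."""

    def __init__(self, lookup, ttl_seconds=24 * 3600, clock=time.time):
        self._lookup = lookup          # callable ip -> rating (constructed scale below)
        self._ttl = ttl_seconds
        self._clock = clock            # injectable so tests can advance time
        self._cache = {}               # ip -> (expires_at, rating)
        self.remote_calls = 0          # how many lookups actually went upstream

    def rating(self, ip):
        now = self._clock()
        cached = self._cache.get(ip)
        if cached and cached[0] > now:
            return cached[1]
        rating = self._lookup(ip)
        self.remote_calls += 1
        self._cache[ip] = (now + self._ttl, rating)
        return rating


# Constructed reputation source and scale: 0 = residential, 1 = hosting/VPN, 2 = mixed.
_FAKE_REPUTATION = {"203.0.113.7": 0, "198.51.100.9": 1}


def fake_reputation_lookup(ip):
    """Stand-in for a real rating API; unknown addresses come back as 'mixed'."""
    return _FAKE_REPUTATION.get(ip, 2)


@dataclass
class Account:
    email: str
    registered_at: float   # unix timestamp


@dataclass
class Order:
    account: Account
    amount: float
    ip: str
    placed_at: float       # unix timestamp


def fresh_account_big_order(order, max_age_seconds=10 * 60, amount_threshold=20.0):
    """The 'registers, then orders $20 or more within minutes' pattern."""
    age = order.placed_at - order.account.registered_at
    return age < max_age_seconds and order.amount >= amount_threshold


def registration_risk(order, ip_cache):
    """Collect the signals that fire for an order; an empty list means none did."""
    reasons = []
    if is_disposable_email(order.account.email):
        reasons.append("disposable email domain")
    if ip_cache.rating(order.ip) >= 1:
        reasons.append("IP flagged as hosting/VPN or mixed")
    if fresh_account_big_order(order):
        reasons.append("large order within minutes of registration")
    return reasons


if __name__ == "__main__":
    cache = IPReputationCache(fake_reputation_lookup)
    now = time.time()
    acct = Account("someone@x.tempmail.example", registered_at=now - 120)
    print(registration_risk(Order(acct, 45.0, "198.51.100.9", now), cache))
```

The cache keys on the bare IP with a 24-hour TTL, so a customer who reorders the same evening costs one upstream request rather than several; `remote_calls` makes the saving visible and is an easy thing to graph against the provider's daily limit.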

> don't deliver to person across the street;

The time my manager accidentally ordered food from a place we could see out the window was amazing. I’d have been sad if that was blocked.