Not to pry, but would you consider sharing the heuristics, even if at a general level, perhaps via a blog post? I think that many hacker peers would love to know what works for your team.
Here are some of the things Telerivet looks at to detect suspicious payments:
- Credit cards that fail the address, zip, or CVC check. Stripe tells you whether these checks fail, but will still process the payment anyway.
- Unusually large payments. For some reason we often see suspicious credit card payments of exactly $100. Maybe they're just testing if a stolen credit card works?
- Payments for very new customers, or for customers that aren't actively using our service yet. Our service has a free plan for testing, so most real customers don't pay immediately.
- Same credit card used on multiple accounts. We store Stripe's card fingerprint for each account so we can easily search our database for duplicates.
- Multiple payments in a short amount of time.
When someone tries to submit a payment, we create a "customer" record on Stripe and test their credit card first without charging it. If the customer looks suspicious, our servers send us an email and save a record for the pending charge in our database. Then we can investigate further and either process the charge on Stripe or delete it. If the customer is legitimate after all, we'll mark their account as trusted so any future payments will be processed automatically.
We can't really prove that the card isn't stolen. One of the frustrating things about the card-processing system is that there's no way for merchants to actually initiate a fraud check (where the bank calls the cardholder to verify a purchase), or even any way to warn the cardholder that their card may be stolen.
Our manual review process usually consists of looking at:
- When the customer first registers, we ask them an open-ended question, "How do you plan on using Telerivet?". Did they provide an answer that would indicate that they are a legitimate customer?
- Does the customer's verified email address look suspicious (e.g. a disposable email account, or something that seems randomly generated)? Actually now we automatically block accounts from known disposable email providers from registering for Telerivet in the first place, but that's a whole different story.
- Does the customer's name look suspicious (e.g. random letters/numbers)?
- Does the customer's use of our service so far look suspicious?
Potentially we may also follow up with the customer over email. People who seem suspicious typically don't respond.
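The screening flow described above (hold the charge for review when any heuristic fires, auto-process for accounts already marked trusted) written out as an added Python example. This is not Telerivet's code; the thresholds, the data model and the sample accounts, fingerprints and payment attempts are all constructed assumptions chosen to exercise each rule in the list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not Telerivet's real values.
LARGE_AMOUNT_CENTS = 10_000          # $100.00, the amount the post calls out
NEW_ACCOUNT_AGE = timedelta(days=7)
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_MAX_PRIOR = 2               # hold on the 3rd attempt within the window


@dataclass
class Account:
    account_id: str
    created_at: datetime
    active: bool            # has actually used the service, not just registered
    trusted: bool = False   # set by a human after manual review cleared them


@dataclass
class PaymentAttempt:
    account_id: str
    amount_cents: int
    card_fingerprint: str   # Stripe's per-card fingerprint, stored per account
    address_check: str      # "pass" / "fail" / "unavailable", as Stripe reports
    zip_check: str
    cvc_check: str
    at: datetime


def suspicious_reasons(attempt, account, fingerprint_index, prior_attempt_times):
    """Return the heuristic reasons this payment should be held for manual review.

    fingerprint_index maps card fingerprint -> set of account_ids that stored it.
    prior_attempt_times are timestamps of this account's earlier payment attempts.
    An empty list means the charge can be captured automatically.
    """
    if account.trusted:
        return []                     # reviewed before: skip the heuristics
    reasons = []
    # Stripe reports failed address/zip/CVC checks but still processes the charge,
    # so the merchant has to act on the result itself.
    if "fail" in (attempt.address_check, attempt.zip_check, attempt.cvc_check):
        reasons.append("address/zip/CVC check failed")
    if attempt.amount_cents >= LARGE_AMOUNT_CENTS:
        reasons.append("unusually large payment")
    if attempt.at - account.created_at < NEW_ACCOUNT_AGE or not account.active:
        reasons.append("new or not-yet-active account")
    # Same card fingerprint stored on other accounts.
    others = fingerprint_index.get(attempt.card_fingerprint, set()) - {attempt.account_id}
    if others:
        reasons.append("card fingerprint also used by " + ", ".join(sorted(others)))
    # Velocity: several payment attempts in a short window.
    recent = [t for t in prior_attempt_times if attempt.at - t <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_MAX_PRIOR:
        reasons.append(f"{len(recent)} earlier payments within {VELOCITY_WINDOW}")
    return reasons


def screen_payment(attempt, account, fingerprint_index, prior_attempt_times):
    """Decide 'process' (capture now) or 'hold' (save pending charge, notify a reviewer)."""
    reasons = suspicious_reasons(attempt, account, fingerprint_index, prior_attempt_times)
    return ("hold", reasons) if reasons else ("process", [])


def demo():
    """Run the screen over constructed sample data; returns {account_id: decision}."""
    now = datetime(2024, 1, 15, 12, 0)
    accounts = {
        "acct_old": Account("acct_old", now - timedelta(days=90), active=True),
        "acct_new": Account("acct_new", now - timedelta(hours=3), active=False),
        "acct_dup": Account("acct_dup", now - timedelta(days=60), active=True),
        "acct_vip": Account("acct_vip", now - timedelta(days=1), active=False, trusted=True),
    }
    # Constructed index of which accounts have stored which card fingerprints.
    fingerprints = {
        "fp_AAA": {"acct_old"},
        "fp_BBB": {"acct_dup", "acct_other1", "acct_other2"},
        "fp_CCC": {"acct_new"},
        "fp_DDD": {"acct_vip"},
    }
    attempts = [
        PaymentAttempt("acct_old", 2_500, "fp_AAA", "pass", "pass", "pass", now),
        PaymentAttempt("acct_new", 10_000, "fp_CCC", "pass", "fail", "pass", now),
        PaymentAttempt("acct_dup", 4_000, "fp_BBB", "pass", "pass", "pass", now),
        PaymentAttempt("acct_vip", 10_000, "fp_DDD", "fail", "fail", "fail", now),
    ]
    prior = {  # constructed earlier attempt timestamps per account
        "acct_old": [],
        "acct_new": [now - timedelta(minutes=10), now - timedelta(minutes=30)],
        "acct_dup": [],
        "acct_vip": [],
    }
    return {
        a.account_id: screen_payment(a, accounts[a.account_id], fingerprints, prior[a.account_id])
        for a in attempts
    }


if __name__ == "__main__":
    for account_id, (decision, reasons) in demo().items():
        print(account_id, decision, reasons)
```

In the sample data the established active account with clean checks is processed, the brand-new inactive account trips four rules at once (failed zip check, a $100 amount, account age, and two earlier attempts in the last day), the account sharing a fingerprint with two others is held on that rule alone, and the trusted account is processed even though its checks fail, which mirrors the "mark as trusted after review" step in the post.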