by Pyramids 4727 days ago
An easy to implement solution would be to use MaxMind's fraud API prior to capturing card data.

Although it's nowhere near foolproof, it cuts out a good chunk of fraudulent orders. In our experience false positives have been very low (less than 2%) and detection has been fairly good (80%+).

I wouldn't deny orders completely based on MaxMind results, but if you have a human interpret the results / scoring or use it in conjunction with other methods, it's definitely a viable option.

Furthermore, you can use their call verification API, or even call card holders yourself whenever an order is placed to an alternate shipping address.

Fraud is just a fact of the business though, even with the best fraud detection and verification methods. Fraudulent orders may slip through, especially as you scale, and you should account for this as a cost of doing business.

1 comments

What's the threshold (risk score) you use to consider a transaction as fraudulent?
Although we combine it with internal scoring and manual review, as stated, if I was using MaxMind exclusively I'd consider 5.0 to 7.5 a good indicator of a possible fraudulent order.

This is based on their current riskScore system[1] (changing on January 1st, 2014) and 10 as an instant failure without review. Most orders will generate a non-0 score, however.

Another great tactic for preventing fraud is to never indicate that an order has failed or a card hasn't been charged ('ghosting'); this is a tactic used heavily by Google for AdWords and other paid services.

Giving a clear indication of failure allows "carders" a way to easily figure out your detection algorithms by placing orders until one gets through, and share that information with others who will attempt to victimize your checkout process.

[1] http://www.maxmind.com/en/ccfd_formula

Any idea what the equivalent 'riskScore' would be? If we are starting to use minfraud, it doesn't make sense to use 'score'.

Thanks

riskScore is a combination of hard-coded scoring, along with what I'd equate to a Bayesian filter.

In a way, riskScore simplifies the calculation, because it's a percentage instead of an arbitrary number. Depending on your business, I would consider starting at 30% for manual review, and 90%+ for auto refusal, making adjustments to the threshold from there.
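The screening policy the thread sketches (riskScore bands for accept / manual review / refuse, the older 0-10 'score' bands, a card-holder verification step for orders shipped somewhere other than the billing address, and a 'ghosting' response that never reveals the outcome) can be written down as one small decision module. This is an added example, not the poster's or MaxMind's code: the score is passed in rather than fetched (no minFraud client is called), the threshold values are the ones suggested in the comments rather than any vendor default, and the `Order` fields, function names and sample orders are constructed for the illustration.

```python
"""Order screening as described in the thread: a fraud riskScore (a percentage)
selects accept / manual review / refuse, an order shipped to an address other
than the billing address gets a card-holder verification step, and the shopper
always sees the same neutral response ("ghosting"), so a refused attempt looks
no different from an accepted one.

Added example, not MaxMind's or the poster's code. The score is supplied by
the caller (no minFraud request is made here) and the thresholds are the values
suggested in the thread, not vendor defaults.
"""
from dataclasses import dataclass
from enum import Enum

# Thread's suggested riskScore (0-100 %) thresholds; tune per business.
REVIEW_THRESHOLD = 30.0
REFUSE_THRESHOLD = 90.0

# Thread's suggested bands on the older 0-10 'score' scale: 5.0-7.5 named as
# the indicative band, 10 as instant failure. Treating anything from 5.0 up to
# (but below) 10 as review-worthy is this example's assumption.
LEGACY_REVIEW = 5.0
LEGACY_FAIL = 10.0


class Decision(Enum):
    ACCEPT = "accept"
    REVIEW = "review"
    REFUSE = "refuse"


@dataclass(frozen=True)
class Order:
    order_id: str
    risk_score: float          # percentage from a minFraud-style service
    billing_address: str
    shipping_address: str


def classify_risk_score(risk_score: float) -> Decision:
    """Map a 0-100 riskScore to an internal decision."""
    if not 0.0 <= risk_score <= 100.0:
        raise ValueError("riskScore is a percentage (0-100)")
    if risk_score >= REFUSE_THRESHOLD:
        return Decision.REFUSE
    if risk_score >= REVIEW_THRESHOLD:
        return Decision.REVIEW
    return Decision.ACCEPT


def classify_legacy_score(score: float) -> Decision:
    """Map the older 0-10 'score' to a decision using the thread's bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("legacy score is 0-10")
    if score >= LEGACY_FAIL:
        return Decision.REFUSE
    if score >= LEGACY_REVIEW:
        return Decision.REVIEW
    return Decision.ACCEPT


def customer_message(order_id: str) -> str:
    """Ghosting: identical wording whatever the internal decision, so the
    outcome of a screening rule is never leaked back to whoever placed it."""
    return f"Thanks, order {order_id} has been received and is being processed."


def screen_order(order: Order) -> dict:
    """Run one order through the policy; return the internal record (for the
    review queue / fraud team) together with the customer-facing text."""
    decision = classify_risk_score(order.risk_score)
    # Card-holder call verification for alternate shipping addresses, unless
    # the order was auto-refused anyway.
    verify_cardholder = (
        decision is not Decision.REFUSE
        and order.shipping_address != order.billing_address
    )
    return {
        "order_id": order.order_id,
        "decision": decision,
        "verify_cardholder": verify_cardholder,
        "customer_message": customer_message(order.order_id),
    }


# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    Order("A-1", 12.0, "1 Main St", "1 Main St"),   # low risk, ships to billing
    Order("A-2", 45.0, "1 Main St", "9 Other Rd"),  # review + verify call
    Order("A-3", 97.0, "1 Main St", "9 Other Rd"),  # auto refuse, same reply
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        r = screen_order(o)
        flag = "verify" if r["verify_cardholder"] else "-"
        print(o.order_id, r["decision"].value, flag, "|", r["customer_message"])
```

The point of splitting `screen_order` into an internal record and a `customer_message` is that the two deliberately do not correlate: the review queue sees the decision, the shopper sees the same sentence every time, which is what the 'ghosting' advice in the thread amounts to in code.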