neobug103 Posted June 28, 2008

Even with MaxMind telephone call enabled, the major problem that we have is that the person may get denied in the order form, but even then their account is created in the client area, therefore they are logging into the client area and trying different credit cards until one works and an order works. This is a serious issue as it allows any 'bad guy' to very easily bypass the Fraud Detection System by just ordering via the Client Area, as no fraud check is run when an order is made while logged into the Client Area.

There are a couple of ways to prevent this...

1. Do not enable 'active' status for clients who are not able to get by the Fraud System in the order form, so they will not be able to log in and order anything else if their order is labeled as 'Fraud'.

2. Even though this would be a lot more cumbersome to existing clients, it is still an option... to enable fraud detection in the Client Area as well. This is something that I would like to avoid if at all possible.

3. Most of these 'bad guys' are trying different credit cards and the system sends out multiple emails saying 'credit card payment failed'. Now with all the chargebacks we receive, 80% of these accounts have many 'credit card payment failed' emails, as they have been entering multiple credit cards. I think there should be an option to prevent the client from entering more than a set number of credit cards within a certain number of hours or days. Additionally you could essentially lock their credit card and not allow them to enter a new card or allow them to charge the existing card in their file without the account being first looked at by an administrator; essentially a tripwire if you will.

Please feel free to share your opinion(s) and/or provide more ideas on how we could combat this issue.

WHMCS CEO Matt Posted June 28, 2008

This is totally incorrect. Every order has a MaxMind check run on it if you have it enabled, regardless of whether it's a new or existing client. Even if they are logged in and place an order from the client area, it is still fraud checked, as are all orders.

Matt

neobug103 (Author) Posted June 28, 2008

Not in my experience... Whether it is enabled or not, something needs to be done to prevent them from trying out a hundred different credit cards before one works.

pacwebhosting Posted June 28, 2008

> Not in my experience... Whether it is enabled or not, something needs to be done to prevent them from trying out a hundred different credit cards before one works.

Not in my experience. They need to reorder, as the order is set to cancelled, and this in itself runs another MaxMind check, which also fails for whatever reason it has just failed for. If they manage to get through, it is probably because they are ordering again from a different set of circumstances (IP, address, etc.), and they could do this with or without using the same account with you.

Maybe you could cc the credit card failed emails to an email you can pick up and vet, or maybe the hundred different orders coming in would be a good indicator someone is taking the proverbial.

Unfortunately it is a fact of life that these people keep trying; however, it is up to you to have a system in place to vet and detect if they get through MaxMind.

Paul

WHMCS CEO Matt Posted June 28, 2008

Paul is correct. When the fraud check is failed, the invoice is cancelled, so the user cannot try one, let alone one hundred different credit cards to pay from your WHMCS client area as they have no unpaid invoices with which to do it.

Matt

webresellers Posted July 7, 2008

It would be nice to get an email alert saying that the customer has updated their credit card information. Helpful to see if a customer is trying a bunch of credit cards for each fraud order (which we have seen people try), and just to know that legit users have updated their credit card so we can process the new/updated credit card...

We had a user that continued to update their expiration date using year/month instead of month/year for some weird reason, then the transaction failed.

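
The tripwire neobug103 describes in point 3, combined with the card-change alert webresellers asks for, as an added Python example that is not part of the thread and is not WHMCS code. The class name, the limit of 3 distinct cards per 24 hours, the HMAC key and the sample events are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy: the thread proposes a limit but names no numbers.
MAX_DISTINCT_CARDS = 3
WINDOW = timedelta(hours=24)
FINGERPRINT_KEY = b"constructed-demo-key"  # placeholder; load from a secret store

def card_fingerprint(pan):
    """Keyed hash, so attempts can be compared without storing card numbers."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()

class CardVelocityTripwire:  # hypothetical name
    def __init__(self, max_cards=MAX_DISTINCT_CARDS, window=WINDOW):
        self.max_cards, self.window = max_cards, window
        self.attempts = defaultdict(deque)  # client_id -> (time, fingerprint) pairs
        self.locked = set()  # client_ids held for administrator review

    def record(self, client_id, pan, when):
        """Return 'allow', 'alert' (client switched card) or 'locked'."""
        if client_id in self.locked:
            return "locked"
        history = self.attempts[client_id]
        while history and when - history[0][0] > self.window:
            history.popleft()  # drop attempts older than the window
        fp = card_fingerprint(pan)
        seen = {f for _, f in history}
        history.append((when, fp))
        if len(seen | {fp}) > self.max_cards:
            self.locked.add(client_id)  # tripwire: no more card entry or charges
            return "locked"
        return "alert" if seen and fp not in seen else "allow"

    def admin_unlock(self, client_id):
        self.locked.discard(client_id)
        self.attempts.pop(client_id, None)

def replay(events):  # run (client_id, card, time) events through a fresh tripwire
    tripwire = CardVelocityTripwire()
    return [tripwire.record(c, pan, t) for c, pan, t in events]

# Constructed sample: client 42 cycles through four cards, client 7 uses one.
T0 = datetime(2008, 6, 28, 12, 0)
CARDS = ["4000 0000 0000 000%d" % i for i in range(1, 6)]  # made-up numbers
SAMPLE = [(42, CARDS[i], T0 + timedelta(minutes=5 * n)) for n, i in enumerate([0, 0, 1, 2, 3, 0])]
SAMPLE.append((7, CARDS[4], T0 + timedelta(minutes=30)))
```

Retrying the same card (the month/year typo case) counts once, so a legitimate correction raises at most an alert, while a fourth distinct card inside the window holds the account until `admin_unlock` is called.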