|
Fraudsters are using selected merchant's Web sites to test 'sequenced' credit card numbers. Sequencing is a common practice amongst fraudsters where potentially valid credit card numbers are generated through the use of hacker programs. These programs, widely available on the Internet, take a known 'good' account number and attempt to extrapolate additional account numbers based on the issuing sequence. The fraudsters need to test these generated accounts to determine which are valid, prior to using them fraudulently. Discover® Network Security has found thousands of 'sequenced' number tests in the last several months at retail Internet sites.
We have determined that the Internet sites chosen by fraudsters to test generated account numbers share common characteristics in the 'checkout' process. Most importantly, sites chosen for testing all returned unique error messages based on the specific problem with the order. Also, sites chosen for testing, rejected orders with mismatched customer billing information.
For example, if an invalid number was entered at checkout, the site might return an 'Invalid Credit Card' message to the user. However, if the card was valid but there was mismatched customer billing information, a different message such as 'Unable to process order, please verify billing information' might be displayed.
It is this difference in the two messages that confirms for the fraudster whether or not the generated account number is valid. And, because the fraudster enters fictitious billing information, no sales are ever completed. This allows the fraudster to test one generated account number after another in a very short time.
The result is potentially thousands of fictitious orders to your site, and thousands of erroneous authorization attempts on consumers' credit card accounts. A positive test also allows the fraudster to commit more egregious fraud elsewhere.
Discover Network Security recommends the following in order to prevent fraudsters from using your Web site to test fraudulent credit card numbers:
Use a single, common error message in the checkout process, regardless of the type of issue. Remember that it is differences in error messages that identifies whether or not a generated credit card number is valid.
Set a maximum number of errors allowed in the checkout process. Fraudsters may attempt dozens of account numbers at a time. Automatically canceling an order after 3 - 5 errors will disrupt the fraudulent activity, while allowing for honest mistakes by valid customers.
Implementing these recommendations will minimize the utility of your Web site for this type of fraudulent activity, reducing a potentially heavy volume of fraudulent transactions.
----------------------------------------------------------
Helpful Hints to Reduce Chargebacks and Risks:
Request and validate the Card Identification Data (CID) (the three-digit code on the back of the card in the signature panel). The CID can be submitted in the electronic authorization request or can be used when calling our authorization center
Verify the customer's billing address, either electronically or by our automated phone system (Address Verification System - AVS)
Check your delivery service contract for who is responsible for merchandise not delivered
Get a signature for each delivery
Keep all delivery records
All declines are final. Do not force through any sales for which you have received any declined response to your authorization request
If the sale is on a credit card, do not refund in cash or by check. Refund sales on the same card account that the purchase was made on
Include your common DBA and customer service number on the Cardholder's transaction statement
Clearly communicate any and all delivery charges, restocking or other fees
Clearly explain any return policies and offer documentation of this policy with each sale
When working on a chargeback, document efforts to satisfy the customer
Respond to all Chargebacks, even the small ones (remember, this is your customer)
Duplicate charges, or installment plans, unless otherwise stated, require an authorization for each sale
Types of Suspicious Behavior:
Please consider that these are only indicators of higher risk transactions. One behavior alone may not be a concern.
New customer attempts to make a very large credit card transaction
Customer doesn't know the Card Identification Data (CID) found on the back of the Card, indicating that they don't have the actual Card
Customer’s address does not match when attaining an Address Verification
Shipping to an address other than the billing address
Customer asks that you try lower dollar amounts when a decline message is received
Customer instructs you to try different expiration dates when initial attempts fail
Customer hesitates, or has a long pause, when asked for personal information
Customer repeatedly sends e-mail messages requesting confirmation of shipment
Customer attempts to place multiple orders to the same address
Customer attempts to purchase large quantities of a single item
Customer purchases several large-ticket items, which do not go together, e.g., appear random
Customer calls a few minutes before closing and wants several large-ticket items
Customer requests that sales be split up to avoid paying "import taxes" and/or "duty fees"
Customer requests shipment to an overseas destination
Customer seems overly concerned about delivery time frames to overseas destinations
Customer attempts to place a large order using several credit cards to obtain the total authorization amount
Customer offers the phone number to an authorization center to speed up the credit card approval process
Customer has little regard for price
Customer shows little or no concern for return policies, manufacturer warranties and/or rebates when purchasing in large quantities
These fraud prevention tips were taken from Discovers website.
|
FAQ
Search