Traffic Caused by Theft

Members of the ISP-Webhosting list discuss how to deal with stolen credit card numbers and chargebacks. Even the smallest business needs to prepare for the possibility of theft from abroad.
On the ISP-Webhosting list in January, MT noted,
JM recommended a simple solution: "What I do is capture their IP address and then check it in the ARIN database. If the order states they are from New Jersey and the IP address is assigned to somewhere in Asia, then I just delete the order. I know it's a lot of extra work, but I'd rather do that than deal with a chargeback."

JK suggested that JM's answer might not be enough: "Sometimes IP blocks are resold, or are bought by a large corporation and used all over the world by its subdivisions."

Others recalled their attempts at solving the problem:

[WW suggested] "Talk to your credit card system provider about fraud prevention measures. You also may be getting some fraudulent chargebacks, people who decide a month later that they don't want the hosting, so they say they didn't order it. I've found that a lot of the time, if I email or call the customer and remind them that a fraudulent chargeback is a crime, they will call their credit card company and say they made a mistake. Make sure you store as much information about the initial signup as you can, such as the IP Address, date/time stamp, etc."

[JD offered] "Make sure your credit card system has the Address Verification System (AVS) turned on. Then also log the IP address of every order. Once you get a chargeback, you can look up that IP. Then use that IP to search through the logs and find out how many bogus orders that person made (likely more than one). I will also usually blacklist the entire IP range for 30-60 days, so that the fraud user can't get to our web site at all for over a month. He won't be able to get to his fraudulently ordered web sites either. After 30-60 days he'll likely give up and choose someone else to bug."

[ST added] "What we do is a three-step process:

(1) No orders accepted from free email addresses. The ordering party must provide an email address belonging to the ISP from which they are connecting.
(2) All customers are required to sign and fax us two documents: our contract signature page, and a separate page that authorizes the recurring service billing.
(3) All charges from the online order page are authorization-only. When the account is set up, we process the approved charge.

We do waive steps 1 and 2 for people who contact us prior to the order; the assumption is, if they've spent the time and effort to carry on a dialogue about our features, they're legit. In five years, we've had one fraudulent order, and we caught it prior to setting up the account or billing the card. I'm sure we've lost more than one customer by making it harder than click-and-buy, but the people who are with us are long-term, so it's a loss I'm willing to accept."
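JD's chargeback follow-up (look up the IP, search the order log for it, block the range for 30-60 days) can be scripted; the Python below is an added example, not code from the list discussion. The order records are constructed, and treating "the entire IP range" as the enclosing /24 (or /48 for IPv6) is an assumption, since the post does not say how the range is chosen.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed order log: documentation-range IPs and made-up order ids.
ORDERS = [
    {"id": "A100", "ip": "203.0.113.17"},
    {"id": "A101", "ip": "198.51.100.8"},
    {"id": "A102", "ip": "203.0.113.17"},
    {"id": "A103", "ip": "203.0.113.200"},
    {"id": "A104", "ip": "unknown"},  # the IP was not captured at signup
]

def enclosing_range(ip, v4_prefix=24, v6_prefix=48):
    """Assumed meaning of 'the entire IP range': the enclosing /24 (or /48)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def related_orders(orders, chargeback_ip):
    """Split logged orders into same-IP, same-range and unparseable groups."""
    target = ipaddress.ip_address(chargeback_ip)
    net = enclosing_range(chargeback_ip)
    found = {"same_ip": [], "same_range": [], "unparseable": []}
    for order in orders:
        try:
            addr = ipaddress.ip_address(order["ip"])
        except ValueError:
            found["unparseable"].append(order["id"])  # needs a manual look
            continue
        if addr == target:
            found["same_ip"].append(order["id"])
        elif addr in net:
            found["same_range"].append(order["id"])
    return found

def block_entry(chargeback_ip, start, days=30):
    """Temporary block on the range; the post suggests 30-60 days."""
    return {"net": enclosing_range(chargeback_ip),
            "until": start + timedelta(days=days)}

def is_blocked(ip, entries, now):
    """True while any unexpired entry covers the address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in e["net"] and now < e["until"] for e in entries)

if __name__ == "__main__":
    print(related_orders(ORDERS, "203.0.113.17"))
    entry = block_entry("203.0.113.17", datetime(2024, 1, 1))
    print(is_blocked("203.0.113.99", [entry], datetime(2024, 1, 15)))
```

Same-range hits are leads for manual review, not proof that the orders share a customer.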