I run several non-profit association websites, and about 2 years ago we got hit with a similar blitz on our donation forms. We were able to minimize the number of fraudulent donations by doing the following:
1) Put into place the CV2 field, and make it required.
2) Put in Captcha.
3) Make sure your forms function within the context of a user session, and when the order is submitted to the payment gateway (PayPal/Authorize.net), set the authorization code as a session variable. Then, check for the existence of that session variable. If it exists, do not allow the user to re-submit their order. This, more than anything else, helped to cut down the number of incidences we were seeing.
4) Consider putting into place a minimum donation of a higher amount (say, $5). It's a pretty common occurrence for donation forms to be used as a testing ground for stolen cards, because a small charge of $1 is less likely to be noticed than a larger charge. Once a fraudster figures out which stolen cards still work, they can then move on to eCommerce sites and use the good cards to make larger purchases.
5) Banning a specific IP address won't do much to stop someone from using your site as a test-bed. They'll just set up another server at a different IP address, or use a proxy to mask their true location. If you know that you're not likely to receive legitimate donations from certain countries (like Vietnam), you can ban the range of IP addresses associated with that country, but people will still be able to find ways around those bans.

It sucks that charity sites would be targeted as a test bed for checking stolen cards, but they often represent low-hanging fruit to a fraudster. If your organization is working towards PCI compliance (as we did), this type of activity can really put a ding in your efforts, but it's not too difficult to remedy the problem.

It would also be a courtesy to get a report of the people whose cards were stolen (you can get that info from your payment gateway), and either ask your gateway to inform them, or let them know yourself. Much better to do that than wait for the flood of calls that will happen once people see those $1 charges from your organization on their statements, which are immediately followed by a $1000 charge to Best Buy. They might wrongly suspect that your organization was somehow responsible for the card being stolen, and you definitely don't want that.

Hope that helps,
Michael

-----Original Message-----
From: Russ Michaels [mailto:[email protected]]
Sent: Thursday, August 23, 2012 8:46 AM
To: cf-talk
Subject: Re: credit card fraud

You can also enable 3D Secure, which adds an extra level of security. Even if someone has gotten someone's credit card and CV2 number, it is unlikely they also have their 3D Secure login as well, unless they garnered the card from a hacked PC with a keylogger trojan.
You could also use something like http://www.maxmind.com/

On Thu, Aug 23, 2012 at 2:25 PM, Al Musella, DPM <[email protected]> wrote:
>
> I run a charity website and am getting a blitz of donation attempts.
> It looks like they were trying a list of names and credit card
> numbers that they had - but they must have been old because only 1 out
> of hundreds succeeded. They tried to donate $1 with different names
> and credit card numbers on each attempt, but all from the IP address
> 113.161.94.67 which appears to be from Vietnam.
> I permanently banned that IP address from all of my websites.
> I am also going to limit bad attempts and increase the minimum
> donation to $2.
> Is there anything else I should do?
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352284
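The controls from Michael's reply (required CV2, a minimum amount, and an authorization code held in the server-side session so the same session cannot submit twice), together with the per-visitor failed-attempt limit Al says he is adding, modelled in Python as an added example that is not code from anyone on this thread. It goes slightly beyond the thread in one respect: a per-IP decline counter flags the burst of small declined charges Al describes, because a per-session limit alone is defeated by a tester who discards cookies between attempts. The gateway stand-in, thresholds, card numbers, IP addresses and authorization code are all constructed for the illustration; Captcha and 3D Secure are not modelled.

```python
"""Donation-form controls against card-testing fraud (added example, not from the thread)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Callable, Deque, Dict, List, Optional, Tuple

MIN_DONATION = Decimal("5.00")   # point 4: a floor well above the $1 probe amount
MAX_FAILED_PER_SESSION = 3       # Al's "limit bad attempts", enforced per session (assumed value)
DECLINE_WINDOW_SECONDS = 600     # per-IP decline window in seconds (assumed value)
DECLINE_THRESHOLD = 10           # declines inside the window that flag the IP (assumed value)


@dataclass
class Session:
    """Server-side session state for one visitor (point 3)."""
    auth_code: Optional[str] = None   # set once the gateway authorizes; never cleared
    failed_attempts: int = 0


@dataclass
class DonationRequest:
    amount: Decimal
    card_number: str
    cv2: str
    ip: str

    @classmethod
    def from_form(cls, amount: str, card_number: str, cv2: str, ip: str) -> "DonationRequest":
        """Build from raw form strings; a non-numeric amount becomes 0 and fails the minimum."""
        try:
            amt = Decimal(amount)
        except InvalidOperation:
            amt = Decimal(0)
        return cls(amt, card_number.replace(" ", ""), cv2.strip(), ip)


class DeclineTracker:
    """Counts gateway declines per source IP inside a sliding time window."""

    def __init__(self, window: float = DECLINE_WINDOW_SECONDS,
                 threshold: int = DECLINE_THRESHOLD) -> None:
        self.window = window
        self.threshold = threshold
        self._declines: Dict[str, Deque[float]] = defaultdict(deque)

    def record(self, ip: str, now: float) -> bool:
        """Record one decline at time `now`; True when the IP has reached the threshold."""
        q = self._declines[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop declines that fell out of the window
            q.popleft()
        return len(q) >= self.threshold


Gateway = Callable[[DonationRequest], Tuple[bool, Optional[str]]]


def fake_gateway(req: DonationRequest) -> Tuple[bool, Optional[str]]:
    """Constructed stand-in for PayPal/Authorize.net: one test PAN authorizes, all else declines."""
    if req.card_number == "4111111111111111":
        return True, "AUTH-TEST-0001"
    return False, None


def process_donation(session: Session, req: DonationRequest, gateway: Gateway,
                     tracker: DeclineTracker, now: float) -> str:
    """Apply the form-side checks in order, then call the gateway at most once."""
    if session.auth_code is not None:              # point 3: this session already paid
        return "rejected: session already completed a donation"
    if session.failed_attempts >= MAX_FAILED_PER_SESSION:
        return "rejected: too many failed attempts"
    if not (req.cv2.isdigit() and len(req.cv2) in (3, 4)):   # point 1: CV2 required
        return "rejected: CV2 required"
    if req.amount < MIN_DONATION:                  # point 4: minimum amount
        return f"rejected: minimum donation is {MIN_DONATION}"

    ok, code = gateway(req)
    if ok:
        session.auth_code = code                   # later submits in this session are refused
        return f"approved: {code}"
    session.failed_attempts += 1
    flagged = tracker.record(req.ip, now)
    return "declined; ip flagged for review" if flagged else "declined"


def simulate_card_testing(n: int, ip: str = "198.51.100.7") -> List[str]:
    """A tester cycling through n made-up card numbers, discarding cookies each time."""
    tracker = DeclineTracker()
    return [process_donation(Session(),
                             DonationRequest.from_form("5.00", f"400000000000{i:04d}", "123", ip),
                             fake_gateway, tracker, now=float(i))
            for i in range(n)]


if __name__ == "__main__":
    s = Session()
    good = DonationRequest.from_form("10.00", "4111 1111 1111 1111", "123", "203.0.113.5")
    print(process_donation(s, good, fake_gateway, DeclineTracker(), 0.0))   # approved
    print(process_donation(s, good, fake_gateway, DeclineTracker(), 1.0))   # re-submit refused
    print(simulate_card_testing(12)[-3:])                                    # IP flagged
```

The session object must live server-side (a client-editable cookie defeats the re-submit check), and the decline tracker must be shared across application workers, or one tester spread over several processes never reaches the threshold; a flagged IP is a signal for review and for the gateway report Michael recommends, not a substitute for the per-session controls.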

