Everyone, thanks for the input.  The cc validation is a case of you get
what you pay for.  So for complete validation, e.g. billing address, phone,
etc., you pay a lot more for each transaction.  My customer gets very
little fraud so the cost is too great for the benefit.

He is not getting much fraud, but he thinks they are using his site to
figure out which cards will work and which will not.  They are not even
bothering to put in a shippable address most of the time so they don't
expect to get product shipped.  He believes they are just sifting
through cards looking for ones they can use.

I believe most of the vendors do almost no validation on the cc, just
the 3/4 digit code plus your name. 
Thanks
Ann

Chris Penn wrote:
> Better credit card validation, I would think, with billing address and
> 3 digit code on back of card, would be the best bet.  It might also be
> a good idea to match the billing zip code with the IP address
> location, at least to the country.  It is easy to use an open wifi,
> tor, and/or an HTTP proxy to hide one's IP address.  It is also easy to
> use tor and a dns to get an exit node in the same region as the
> billing address.  If you are lucky you might get a stupid user making
> the transaction from a real IP; give the information to the
> authorities when you report the crime.
>
> You could block tor and many known proxies in iptables which would
> likely avoid a considerable amount of fraud imo, though this is not
> friendly to those who enjoy their privacy.
>
> Chris...
>
> On Thu, Jul 5, 2012 at 9:20 PM, Todd Lyons <tly...@ivenue.com> wrote:
>   
>> On Thu, Jul 5, 2012 at 6:39 PM, Randall Whitman <909li...@whizman.com> wrote:
>>     
>>>>    Any way to "capture" the ip address from the http request or something
>>>>    like that?  It is a java application running under tomcat with apache as
>>>>    the web server.
>>>>         
>>> By default, the client IP address is the first field of the Apache
>>> access log file.  A clever attacker will spoof it, else use a
>>> compromised botnet rather than one's own machines.
>>>       
>> I'll nitpick a little here.  You can't spoof the endpoint of a valid
>> TCP connection.  They may proxy it through some open proxy, but it
>> will be the IP of the proxy, and most proxies, even open proxies, will
>> add an HTTP header that indicates what IP it's proxying for.
>>
>> ...Todd
>> --
>> The total budget at all receivers for solving senders' problems is $0.
>>  If you want them to accept your mail and manage it the way you want,
>> send it the way the spec says to. --John Levine
>> _______________________________________________
>> LinuxUsers mailing list
>> LinuxUsers@socallinux.org
>> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
>>     

-- 
Ann Richmond
----------------
Randr Inc
951-369-3427
951-787-8683 Fax
www.randrinc.com
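
Added example, not part of the original thread: a velocity check over Apache access-log lines that uses the client IP in the first field (as mentioned in the quoted replies) to flag the card-sifting pattern described above. The payment path, time window and threshold are assumptions, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log: the first field is the client (TCP peer) address.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)
PAY_PATH = "/checkout/pay"      # hypothetical payment endpoint (assumption)
WINDOW = timedelta(minutes=10)  # assumed tuning values, not from the thread
MAX_ATTEMPTS = 3


def find_card_testers(lines, pay_path=PAY_PATH, window=WINDOW, limit=MAX_ATTEMPTS):
    """Return {ip: peak attempts seen in one window} for IPs over the limit.

    Assumes lines are in chronological order, as in a normal access log.
    """
    recent = defaultdict(deque)  # ip -> timestamps of attempts inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != pay_path:
            continue  # skip malformed lines and non-payment requests
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.20 - - [05/Jul/2012:20:00:00 -0700] "GET /catalog HTTP/1.1" 200 1024',
    '203.0.113.20 - - [05/Jul/2012:20:05:00 -0700] "POST /checkout/pay HTTP/1.1" 200 512',
] + [
    f'198.51.100.7 - - [05/Jul/2012:21:0{i}:00 -0700] "POST /checkout/pay HTTP/1.1" 200 512'
    for i in range(5)  # five payment attempts in five minutes from one address
] + [
    '203.0.113.20 - - [05/Jul/2012:22:30:00 -0700] "POST /checkout/pay HTTP/1.1" 200 512',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, count in find_card_testers(SAMPLE_LOG).items():
        print(f"{ip}: {count} payment attempts within {WINDOW}")
```

A flagged address is a signal to rate-limit or review, since a shared proxy or NAT can put several legitimate buyers behind one IP.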
