A Case Study in Order Fraud Detection
Web Commerce Today, Issue 63, October 15, 2002
I received an order a couple of weeks ago that caught my attention. I use ShopSite 6.1.1 Pro software for selling services and e-books, and now tangible products, my Doctor Ebiz Internet Marketing Seminar Videotape Learning Package (www.wilsonweb.com/seminar/video.htm). ShopSite 6.x now has several fraud-fighting tools that I appreciate.
Strange Order Pattern
The order was for a $12 e-book -- one I sell very few of because I give it away free for subscribing to Doctor Ebiz. Why would someone order an e-book they could get free? Occasionally I've had orders that buy everything I sell. I give those orders a second look, too. Anyone ordering my Videotape Learning Package is certain to be looked at carefully. Any order pattern out of the ordinary, especially made in the middle of the night, raises a red flag.
AVS and CVV2 Matches
Upon closer examination, I observed that neither the AVS nor the CVV2 fields matched.
AVS (Address Verification Service) works for most US and now Canadian addresses and performs two look-ups -- (1) for the numbers in the street address field, and (2) for the numbers in the ZIP/Postal address field. My payment gateway response indicated:
AVSADDR=N AVSZIP=N CVV2MATCH=N
This tells me that the person who placed the order isn't giving the billing address on file with the credit card company. If the processor returned AVSADDR=X AVSZIP=X I would suspect that the bank did not support this function. Some don't. But an N=No response indicates that either the person has moved and not changed their address -- or possesses a stolen card number without a corresponding address.
CVV2MATCH=N tells me that the 3-digit Card Verification Code is wrong. Y indicates a match. American Express cards don't return anything for this field. Since I've been asking for CVV2 the last few months, I'm relying more upon it in case of a questionable order. At least a "Y" value gives me real assurance that the physical card is in front of the purchaser.
When I saw the AVSADDR=N AVSZIP=N CVV2MATCH=N indicators, I looked further. I called the telephone number on the order, and wasn't surprised to find there was no such number. I checked the street address in Puyallup, Washington, at http://maps.yahoo.com and found that the street address was bogus.
IP Address Tracking
ShopSite now allows me to view the IP address of the Internet Service Provider from which an order was made. The IP address in this case was 212.80.166.163. Of course, it's possible to spoof IP addresses (see my article "How Cyber Thieves Hide Their Identity and How to Spot Them," Web Commerce Today, 10/15/00, http://www.wilsonweb.com/wct4/fraud-spoof.cfm).
But I was able to track the IP address to Madrid, Spain -- a long way from Puyallup. I used the search functions of the three Regional Internet Registries (RIRs) that administer IP addresses: RIPE (Europe, www.ripe.net/perl/whois), APNIC (Asia-Pacific, www.apnic.net/search) and ARIN (North and South America, Caribbean, Sub-Saharan Africa, www.arin.net/whois).
E-Mail Address Domain
Finally, I searched for the e-mail address using a Whois domain database (such as www.allwhois.com or www.netsol.com/cgi-bin/whois/whois) and found that the domain had been registered only two days previously to a person purporting to be Anne Sullivan in Florida, but using an e-mail address xxxx@home.ro originating from an Internet Service Provider in Bucharest, Romania, an Eastern European hot-bed of Internet fraud.
I've learned the hard way to scrutinize orders carefully. If I had passed this order through carelessly I would be out not only my merchandise, but also a chargeback fee.
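The checks walked through in this case study, gathered into one triage function that lists why an order deserves a manual second look. This is an added example, not ShopSite's or the payment gateway's code; the order dictionary layout, the country-code fields, the 30-day domain-age threshold and the sample dates are assumptions.

```python
from datetime import date

MIN_DOMAIN_AGE_DAYS = 30  # assumed threshold, not from the article

def parse_gateway_response(line):
    """Turn 'AVSADDR=N AVSZIP=N CVV2MATCH=N' into {'AVSADDR': 'N', ...}."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key.upper()] = value.upper()
    return fields

def review_reasons(order):
    """List the reasons an order deserves a manual second look."""
    reasons = []
    flags = parse_gateway_response(order["gateway_response"])
    for field in ("AVSADDR", "AVSZIP", "CVV2MATCH"):
        # Only N counts against the order. X (bank does not support the
        # check) and a missing value (American Express returns nothing
        # for CVV2) carry no information either way.
        if flags.get(field) == "N":
            reasons.append(f"{field}=N")
    if order["ip_country"] != order["billing_country"]:
        reasons.append("IP country differs from billing country")
    registered = order.get("email_domain_registered")
    if registered is not None:
        age_days = (order["order_date"] - registered).days
        if age_days < MIN_DOMAIN_AGE_DAYS:
            reasons.append(f"e-mail domain registered {age_days} days before order")
    if not order["phone_reachable"]:
        reasons.append("telephone number not in service")
    return reasons

# Constructed sample modelled on the order in this article; the dates are invented.
SUSPECT_ORDER = {
    "gateway_response": "AVSADDR=N AVSZIP=N CVV2MATCH=N",
    "billing_country": "US",   # Puyallup, Washington
    "ip_country": "ES",        # IP address traced to Madrid, Spain
    "order_date": date(2002, 10, 1),
    "email_domain_registered": date(2002, 9, 29),
    "phone_reachable": False,
}
# Constructed contrast: bank without AVS support, CVV2 matched.
ORDINARY_ORDER = dict(SUSPECT_ORDER, gateway_response="AVSADDR=X AVSZIP=X CVV2MATCH=Y",
                      ip_country="US", email_domain_registered=date(1999, 5, 1),
                      phone_reachable=True)

if __name__ == "__main__":
    for reason in review_reasons(SUSPECT_ORDER):
        print("REVIEW:", reason)
```

An empty list means none of these signals fired, not that the order is safe; the output is a prompt for the manual checks described above.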
Insist upon Merchant Fraud Prevention Tools
If your shopping cart program doesn't show you the AVS responses, complain to the developer. If it doesn't support CVV2 checking, complain to the developer. If it doesn't display the purchaser's IP address, complain to the developer. Then ask them to send you a free upgrade when those changes have been made. If you don't insist, the software developers may not realize that merchants need these tools to protect themselves in the wild and wooly World Wide Web.