14

Let me throw out this problem I'm having to some of my technical peeps and see if you guys have any new suggestions:

We have a website that sends text messages and voice mails for our clients. Clients can buy credits and use those credits when sending SMS and voice calls.

We have this Nigerian scammer who has decided that he wants to mess with us and continues to set up accounts, charge other people's cards and send messages. He appears to have full card data, including CVV2, address and expiry. (Harvested from some non-PCI compliant site, I'm sure) He isn't failing any of those checks. Sometimes he charges the card and sends messages, sometimes he just charges the card. (Probably to test validity, though we now automatically block an account that fails a card check three times in a week, so we get 90% valid cards now)

We are furiously developing a method to validate the charge card by charging them a couple of sub-dollar charges and they have to enter the amounts to validate the card. But that's currently slow to program and it's going to be a real barrier to entry for a lot of our more casual users. We are also considering a SMS based validation, but that's less secure as I'm sure he has access to at least 5 or 6 phones as well, or Skype SMS or something.

Plus, if we get too many of these charges backed out by the consumer, we stand to lose our merchant account. We are working to void them before they go through, but that's a painful manual process.

So, while we are working on adding solid card validation, what can we do? Near term and/or long term? This guy creates 5 or 10 accounts a day using all kinds of names, addresses, IP sources (usually in Nigeria, but not always, he also proxies from elsewhere), etc.

In short, everything we do to stop this guy right now is going to stop legitimate users from accessing their accounts or giving us money.

What other kind of defenses can we erect to prevent a single, reasonably technically involved malevolent user? Some kind of evil detecting Turing test?

I hate to admit it, but I'm running out of brainstorming ideas. So I came here.

AviD
  • 72,138
  • 22
  • 136
  • 218
Chris Chubb
  • 241
  • 1
  • 3
  • At what point does your process identify this user as malicious? eg. Is it someone looking through audit logs and flagging them manually? Are you sure you are catching all of the accounts? What percentage are false +ves? – logicalscope Mar 13 '12 at 20:04
  • 1
    Right now we use a third party tool to kind of spy on what the users are doing and flags it for view if they meet any of the criteria like being from a Nigerian ip address, a new user or charging more than a small amount (our typical charge is under $100). I am sure that we are not catching all of his behavior, but the one saving grace is that we don't have thousands of legitimate users, just around a hundred or so. The site is just coming out of beta. – Chris Chubb Mar 13 '12 at 20:08
  • 1
    Once you come out of Beta, you will have to deal with more than one malevolent user. – logicalscope Mar 13 '12 at 20:17
  • @ChrisChubb welcome to [security.se]! I'm glad you chose to bring this issue here, I hope you get satisfying answers. – AviD Mar 14 '12 at 15:11
  • I know this is late but had/have you thought of using the Verified By VISA or the MasterCard version of it? This is a two factor authentication so should stop them using just the card since they'll need the password as well... Out of interest if you've already resolved the problem which method did you use? – Peanut May 31 '12 at 17:12
  • You can require them to run an application (ie with adobe or java) that verifies their IP, because even though the connection is proxied the hosts remain the same. You can probably get MACs too. See the Tor documentation for info on this. Shouldn't be too hard to make a blacklist after a few days of running the application, and if a client chooses not to run it they can't make an account. Easy and fast, and rather hard to fool for an operator of the level he seems to be. – KnightOfNi Jan 23 '14 at 23:57

5 Answers5

9

@logicalscope raises some good suggestions, but overall you still have to deal with one cold hard fact:

Technically speaking, even this Nigerian prince guy is a perfectly valid user.

The only problem with him, is that he does not own the credit cards which he is providing - notwithstanding the fact that he provided all the validation necessary.
This is actually a failing of the credit card system itself - treating what you know (the CC numbers) as something you have (the credit card itself).
And, since these numbers are nearly in public domain (i.e. you give them to many sites, you hand the physical card to the checkout girl in your supermarket and the attendant at the gas station, etc), knowledge of them should not be treated as proof of card ownership.

Bottom line, formally you should be able to rely on the proof given, unfortunately there is the little issue of chargebacks. So, basically, the credit card companies are doing what they do best - screwing you from both directions :).

Ranting aside, what can you realistically do, to avoid charging a card that is not owned by someone who provided the CHD?
Well, not much (and I am thrilled noone suggested CAPTCHA....) However, your idea of minimal charges as a form of proof of ownership is a very good one.

It is very similar to Paypal's method, and I would in fact suggest modifying your scheme slightly in their direction. When signing up (IIRC), a single small charge is made. The amount is not the secret, as there are only so many sums that can be made in the sub-dollar range... instead, they ask you for the transaction number, that shows up on your credit card report. The only way to get access to that, is either to receive the card-owner's mail, or to have access to the CC provider's consumer portal. For the record, they also refund that dollar after you signed up.

Perhaps you want to implement this only for potentially risky accounts, as @logicalscope suggested - such as by IP geolocation.

One other possibility I think you should look into, is outsourcing card validation. Either by accepting only Paypal accounts, or using a 3rd party validation system. This transfers the responsibility to someone else, by having someone else accept the payment directly for you (ala VBV/3Dsecure).

AviD
  • 72,138
  • 22
  • 136
  • 218
  • 2
    I suggest using some other forms of a payment portal. Amazon Checkout, PayPal, Google Checkout/Wallet should cover a huge part of the world. Perhaps deal with credit cards only if they need a huge volume, perhaps offer a discount for said volume, allows you to avoid the entire losing your merchant account. – Ramhound Mar 14 '12 at 17:58
5

The only technical solution you may have available to you is to train the user data (such as name, address, IP, etc. information) within some form of spam agent. Similar to an email spam categorizer, this could be used to create your "evil Turing test" that you require. You may consider treating this like a spam problem and see what kinds of solutions exist for email spam, SMS spam, social media/forum spam, etc. The main problem is the quantity and quality of the data available.

Otherwise, from your description it sounds like all of the technical characteristics are being met while none of the human factors are. Failing the above option, in such cases, I would normally present a business case for and against specific action.

  1. How much income are you expecting to make from Nigerian IPs relative to the cost for charge-backs, merchant account loss, reputational risk, etc.? Will removing Nigerian IPs account for XX% of the anticipated malicious users? Obviously this doesn't help with proxying, but you could get the majority of the cases.

  2. Are the messages that the scammer sends obviously spam?

  3. Can you apply the more stringent checks such as SMS and subdollar charges to a subset of the total user population? That is, you've identified Nigeria (and possibly others) as your main area(s) of concern. Why include other "more reputable" countries in draconian measures?

  4. Are you able to reverse lookup the IP? Do most legitimate users resolve? Do non-legitimate users resolve to specific domains or well-known proxies?

  5. Are you able to detect the use of proxies through "X-Forwarded" or "X-Client-IP" or such HTTP headers? This will also catch potentially legitimate users, but again, you can balance this measure in conjunction with other information.

Of course, you don't even need to shut-down the user entirely if any of the above checks fail. Simply move them to a review queue and deal with them apart from other legitimate-looking requests. Is it cheaper to pay someone to review this data than it is to allow it to go through? Sometimes, it all comes down to the business case.

logicalscope
  • 6,344
  • 3
  • 25
  • 38
  • those are all great ideas. I hadn't thought to apply some Bayesian filtering to the set. See, that's why I come to a place like this! I don't have a large enough set of known valid vs known invalid accounts to really prime the pump, but it's a start. Some of your questions: 1) I don't care if I ever make a dollar from Nigeria. If it were up to me all Nigerian ISPs would have IPs in the 666.*.*.* subnet (I know it's not possible, but should be...) 2) Not really. Mostly Mary Kay if you can believe it... 3) Hmmmm 4&5) That's another good data point, hadn't thought of that. – Chris Chubb Mar 14 '12 at 01:40
3

You might consider requiring that users who are setting up an account with you verify their phone number, through a SMS based verification.

You could potentially require that each account be linked to a unique phone number (not used for any other account).

And, more importantly, if you detect fraud (e.g., chargebacks on a credit card), you can block that phone number for future accounts and shut down any existing accounts using that same phone number. This way, if the Nigerian scammer has access to 4 or 5 phones, he can set up 4 or 5 accounts and scam you 4 or 5 times, but that may be in the wash. If he wants to keep opening new accounts, he'll have to keep getting new phones, which raises the bar to attacks.

D.W.
  • 98,420
  • 30
  • 267
  • 572
  • 2
    I had thought of that and we are also setting up a pool of known fraudulent phone numbers, but Skype can now get you a "real" number and accept SMS messages to it. If he has a seemingly infinite number of valid credit cards, I'm sure he can scam Skype just like he scams us. But I like the idea. – Chris Chubb Mar 14 '12 at 01:37
  • 1
    @ChrisChubb - The simple solution is do not accept Skype unless there account remains in good standing for a non-advertised period of time. I another stop gap measure is block all Nigerian user's from using your account. Unless your business is not from primaryly Nigeria it is a solution. – Ramhound Mar 14 '12 at 17:53
1

Could you use the SMS side of things as a potential second-factor in the process? At a guess could you use the BIN number of the card to locate the country of the issuing bank and then require a valid phone number in that country to which you send an SMS message and require entry of that to validate the account.

It would still be bypassable (getting a VOIP account in the target country to receive the SMS) but might raise the bar a bit.

Also you could theoretically could then look to black-list VOIP providers as recipients of the SMS message. Depending on your customer base, that might not be a possibility, but again could make things trickier for your fraudster.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
1

You might want to have a look at the services provided by threatmetrix (see panopticlick for background on device fingerprinting).

symcbean
  • 18,278
  • 39
  • 73
  • That's a brilliant suggestion! If nothing else, perhaps he could require cookies or use supercookies or LSOs to tag his "repeat visitor". If he does this, he should still make it look to the Lad like the site is fully functioning, yet it would delay sending the actual SMS messages until he manually vets them. That way the guy won't know why he's not making any sales. – John Deters Sep 09 '12 at 20:05