3

I have developed many e-commerce stores for clients over the years; almost all of them selling physical products. Recently, one client in particular was repeatedly getting hit with fraudulent chargebacks where someone would purchase an Acme Widget from their site on a stolen/duped card, have the item shipped (with next-day delivery) and then put a chargeback on the (fake) card, getting a Widget for free at an unassociated address before anyone realises what's happened (note: they have tightened security and it's now a much rarer issue).

I'm now developing what is effectively an e-commerce store, except that it's 'selling' virtual goods that act as a fundraiser; for example you would buy a pack of 10 Virtual Widgets for £100, and that would translate as a £100 donation directly to the fundraiser. As such there are no products (physical or digital) & obviously no shipping.

I've been trying to think of a way this kind of site could be defrauded in a similar vein to a physical products e-commerce store (as above), but I'm struggling to think of any. This is my first foray into this kind of fundraising build and the legal department want to be aware of anything that might come up so they can deal with it quickly (as do I).

Are there any known types of attack I should know about, or is it a non-starter to try to defraud a fundraising site?

indextwo
  • It wouldn't constitute defrauding _that site_, but you'd still need to protect the credit card numbers. –  Aug 02 '15 at 17:07
  • @Ricky Demer: That would be a given. Card processing & security are always in place and PCI-compliant. This is specifically about the possibility of fraudulent transactions on a fundraising site. – indextwo Aug 02 '15 at 17:40
  • 1
    A one-way "exchange" like fundraising cannot be defrauded in the common way that online shops have to deal with. When there is nothing to gain, fraud is impossible. That said - how about chargeback charges? Does the charity have to pay for every chargeback? If so, it could be possible for me to harm your charity - if I don't agree with their cause - by a DoS-style attack (hundreds of donations, with hundreds of chargebacks). – Alexander Aug 03 '15 at 14:23
  • @Alexander Thanks for the confirmation - this is kind of what I figured. I was wondering about the chargebacks myself and have queried this with Stripe (I believe I have to pay a fee for challenging chargebacks). If you want to post this as an answer I'll gladly accept it. – indextwo Aug 03 '15 at 15:41

2 Answers

1

No, a one-way "exchange" like fundraising cannot be defrauded in the common way that online shops have to deal with. When there is nothing to gain, fraud is impossible as per the definition.

That said - how about chargeback charges? Does the charity have to pay for every chargeback? If so, it could be possible for me to harm your charity - if I don't agree with their cause - by a DoS-style attack (hundreds of donations, with hundreds of chargebacks).

I'd guess that I wouldn't try that - it could very well be that the banks would see the malicious attempt and refuse to fulfil the chargeback requests. In that case, I'd have funded a charity that I disagree with. Nevertheless, you should clarify this with your bank.

Alexander
-1

It should be much easier to protect virtual goods compared to physical goods. The most straightforward method I can think of is to give unique ids to the virtual widget and then tie these ids to the transaction. e.g. customer 123 bought virtual widgets number 200-210. So, if customer 123 issues a chargeback, you can void virtual widgets 200-210.

I am not sure what these widgets actually are; more details would be good. Are they similar to those in-game power-up items? It should be easy to remove the power-up IDs 200-210 provided the customer hasn't "used" them up yet. Even if they have, it should be possible to freeze or ban the account.

limbenjamin
  • Thanks for the answer. The virtual purchases relate to absolutely nothing redeemable - they literally represent a donation. It is almost a 'gamification' of donating - instead of just 'enter a number and donate', it's 'buy these helpful widgets for this cause'. As such, the purchaser/donator would gain nothing from a chargeback other than their money back. At least, that's what I can figure (hence the question!) – indextwo Aug 02 '15 at 18:38
  • 1
    You should use comments to ask questions – Neil Smithline Aug 02 '15 at 18:39
  • In that case, you can just void the widget id associated with the chargeback, this will allow you to accurately keep track of the total donation amount. You can't do anything to prevent the chargebacks if they have second thoughts on donating. – limbenjamin Aug 02 '15 at 18:44
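As an added example that is not part of either answer: a minimal ledger that ties widget IDs to each transaction and voids them on chargeback so the reported donation total stays accurate (limbenjamin's suggestion), plus a check for the burst-of-chargebacks pattern Alexander describes. All names, the unit price and the timestamps (plain integer seconds) are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class DonationLedger:
    """Hypothetical ledger: widget IDs are allocated per transaction, never reused."""
    unit_price: int = 10                                  # constructed: £10 per widget
    next_id: int = 1
    tx_widgets: dict = field(default_factory=dict)        # tx_id -> list of widget IDs
    voided: set = field(default_factory=set)              # widget IDs cancelled by chargeback
    chargeback_times: list = field(default_factory=list)  # integer seconds, one per chargeback

    def purchase(self, tx_id: str, qty: int) -> range:
        """Allocate a contiguous block of widget IDs and tie it to this transaction."""
        ids = range(self.next_id, self.next_id + qty)
        self.next_id += qty
        self.tx_widgets[tx_id] = list(ids)
        return ids

    def chargeback(self, tx_id: str, when: int) -> int:
        """Void every widget tied to the disputed transaction; returns how many were voided.
        A second chargeback on the same transaction, or an unknown tx_id, voids nothing."""
        ids = [w for w in self.tx_widgets.get(tx_id, []) if w not in self.voided]
        if not ids:
            return 0
        self.voided.update(ids)
        self.chargeback_times.append(when)
        return len(ids)

    def net_donation(self) -> int:
        """Sum over non-voided widgets only, so charged-back purchases no longer count."""
        live = sum(1 for ids in self.tx_widgets.values() for w in ids if w not in self.voided)
        return live * self.unit_price

    def chargeback_burst(self, now: int, window: int, threshold: int) -> bool:
        """Detection: True if more than `threshold` chargebacks landed within `window` seconds."""
        recent = [t for t in self.chargeback_times if 0 <= now - t <= window]
        return len(recent) > threshold


def run_demo() -> tuple:
    """Constructed scenario: three purchases, two charged back within a minute."""
    led = DonationLedger()
    led.purchase("tx-1", 10)   # widgets 1..10
    led.purchase("tx-2", 5)    # widgets 11..15
    led.purchase("tx-3", 3)    # widgets 16..18
    led.chargeback("tx-1", when=1000)
    led.chargeback("tx-3", when=1030)
    # 5 live widgets remain (£50); 2 chargebacks in a 120 s window exceeds threshold 1
    return led.net_donation(), led.chargeback_burst(now=1060, window=120, threshold=1)
```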