Frode: what is it, where does it come from and how to fight

Frode is the ecommerce ulcer. Any company that accepts payments on its website, sooner or later faces a fraud problem and incurs losses from it. In order to protect oneself from fraud, one must constantly keep defense mechanisms and procedures at the ready, as well as regularly check their effectiveness. I propose to figure out what's what.

In a simple way, fraud (from English fraud, “deception”) is when a bad person pays for services with a stolen payment instrument. Usually this is a credit card, but sometimes Frod happens with PayPal.

Fraud in practice

Consider the practical example of Frode:

1. Stepan is an ordinary person. Trusting, a little naive. Proposals to increase income by 10 centimeters per month hurt Stepan for a sore spot, and he pays a course to increase income. But he did not take into account that the site on which he made the payment is unsafe, and his bank card details are intercepted by a fraudster.

   
   

2. The fraudster is looking for ways to "drain" the money received, finds the seller and buys the product from him for $ 100 from the stolen card. Tip 1: it is always good to have an anti-fraud system that will determine the Fraudster and will not allow him to even make payment on the site.

   
   

3. The seller is still a green newcomer, so any sale for him is champagne and ovations. He still does not believe in Frode, so he goes to his supplier and buys the product for $ 80, which he later sells to the fraudster, without having the slightest idea that he is actually a fraudster, and the money was stolen. At first glance, the seller earned $ 20 and everything is fine. Alas, not for long. Tip 2: without careful verification of the payment can not be calculated with partners.

   
   

4. A month has passed and something sadly for Stepan - the income has not increased, but on the contrary - the money from the bank card is actively disappearing. Stepan nervously looks at the account statement and tries to understand where his hard earned money goes: “So this is $ 100 for a course on increasing income, this is $ 20 for dinner at a restaurant ... And this is what for $ 100? At that time I was sleeping, I could not make this payment, and I did not order the sneakers on Amazon! ”

   
   

5. Stepan runs to his bank in a panic and tearfully asks for a refund.

   
   
6. The bank satisfies the application - there is unauthorized activity from the bank card of their client. The bank requests a forced refund (chargeback) from the seller’s account ($ 100), and also charges a fee of $ 20 for the chargeback. Tip 3: The seller’s responsibility is to check the payment for fraud, and if there is a fact of fraud, the bank will charge a penalty. The bank almost always satisfies the client's request (chargeback).

Summary of the story:

• Stepan is happy because he received his money back and can find a new course to increase income.
• The bank fulfilled the client's request, raised its reputation in its eyes and complied with the AML / KYC / CIF policy requirements (see below).
• Payment processing made a note that the seller he serves allows fraudulent payments and may be involved in fraud. Through N such cases, payment processing simply refuses to provide services to this seller.
• The supplier earned money on the order of the seller, he is not obliged to make a return. Protection against fraud - the problem of the seller.
• The scammer was able to get the product for free (that is, for other people's money).
• Well, the seller bears a $ 200 loss ($ 80 to the supplier, $ 100 returned to Stepan and $ 20 - a bank fine). In general, the seller in this story looks like this:

Where does fraud come from?

If the card itself was stolen - everything would be clear. But how can one steal the card data that Stepan always carries in his wallet?

Here are the main ways:

1. Stepan enters his card details on a site with a low level of protection (for example, without an SSL certificate) and is intercepted by a fraudster.

   
   

2. Stepan follows the link and logs into his PayPal wallet, but does not notice that the domain address is pavpai.com. Thanks to the fake page, the fraudster gets access to Stepan's wallet and can dispose of it at his own discretion. Such fake sites are called phishing.

   
   

3. Stepan inserted his card into the ATM, which is equipped with a skimming device. The device read its card data and now the fraudster has full access.

   
   

4. Stepan did not take care of the security of his wallet and as a password from Internet banking set the date of his birth. Since Stepan is a public person and information about the date of his birth is publicly available, it was easy for a scammer to pick up a password.

   
   
5. Tens of thousands of data stolen cards and PayPal accounts are sold absolutely freely on the Internet. And it is in the open network. In Dark Net, this business has long been put on stream.

International ways to deal with fraud

We are not the only company in the world that suffers from Frode and fraudsters. This is such a big problem that it takes up entire government departments.
At the very core of the modern financial industry are anti-fraud, money laundering and terrorist financing policies.

AML

AML stands for anti-money-laundering. In Russian - counteracting money laundering. This is a set of procedures, laws and rules that are needed so that citizens do not receive income illegally. AML politicians recommend introducing businesses around the world, both in personal interests and in the interests of the international fight against economic crime.

A very clear and up-to-date list of recommendations was invented at the G7 summit congress in 1989. I will make a short excerpt from paragraph 5, which we are guided by:

In a nutshell in Russian:

• All new customers (and ideally also old ones) need to be identified for authenticity.
• The verification includes identity documents, credit card photos, a description of the business and, in the most extreme cases, a source of income.
• In international terminology, this procedure is called Customer Due Diligence (CDD).
• This is so that the question of how legitimate our actions and how correctly to ask clients to submit their documents is no longer necessary.

KYC

KYC (Know Your Customer), in Russian - know your customer. This is part of the CDD procedure that financial institutions and other regulated companies must follow. It helps to protect against money laundering. Its main goals and functions:

• the collection and analysis of basic identification information (in US law, this is even referred to as a separate term “Customer Identification Program” (CIP);
• verification of the name of an individual or beneficiaries of a legal entity in the “Politically exposed persons” (PEP);
• identification of risks in the context of the client's inclination to launder money, finance terrorism or steal personal data;
• formation of ideas about the transactional behavior of the client;
• monitoring customer transactions for compliance with their identity.

Different countries have legislation adopted by KYC procedures . That is, we do not just have the right to demand documents, but simply have to do this in order to comply with the law and reduce our financial risks.

CTF

CTF (Counter-terrorist financing), in Russian - the fight against the financing of terrorism. What it is, I think, and so it is clear. Since the concept of terrorism in Russia and Ukraine has recently become very vague and has no boundaries, a complaint can literally come to any site that is even indirectly associated with terrorism, etc.

In the case of such projects, complaints come immediately from the official and from the law enforcement bodies of our jurisdiction, to which we respond in accordance with current legislation.

In fact, in the world there are many policies and standards to combat Frod. In the next section, I will explain how we deal with Frode at Unihost and what rules we have learned from this practice.

Fraud risks

As you already understood, fraud is bad. Let's now specify this “badly” and highlight the list of risks that it carries for any company, as well as Unihost, as for a hosting provider.

Direct losses on chargeback commissions

All financial risks for the transaction are borne by the seller, as the recipient of funds. So, he and take measures to counter fraud. And if these measures are insufficient and the seller made unlawful payment of funds, then when returning the funds the bank will punish the seller with a $ 20 fine.

I advise you to introduce the Customer Due Diligence procedure for all orders.

Abuzas

Clients who use services for illegal purposes (sale of stolen credit cards, phishing, DDoS attacks, etc.) will be charged. Abuzas are official requests demanding an end to illegal activities.

Naturally, such unreliable customers need to block and return the money paid to them. Naturally, this negatively affects our reputation with payment processing.

Reputation in payment processing

The presence of chargebacks and refunds has a negative effect on the reputation of payment processing. In addition, any processing has limitations on the volume of refands as a percentage of monthly turnover and the frequency of refands. Exceeding the limits may result in payment processing penalties, up to and including complete refusal to cooperate. I advise you to once again check the client than to lose the partner - the payment processor.

Legal risks

Legal risks are associated with anti-money laundering (AML) policies and non-compliance with any law or decree. It may include anything from fines to criminal cases.

In the modern CIS legal field, this risk is minimal. But it is still worth considering.
To minimize risks, implement a client verification system using CDD.

Unihost Verification System

When a scammer comes to us, there are two options for the development of events:

• Nice option. We request documents from the fraudster and determine that his card is stolen (either the person simply refuses to verify or does not respond to our letter). We make a refund as quickly as possible - it saves us from a potential complaint from the bank, and accordingly from chargebacks.

  
  
• Pleasant and unacceptable option. We are requesting documents from a fraudster, incorrectly determining their authenticity and providing a service (ours or partners). The bank sends a request for a refund, we make it and lose funds. Sometimes we lose another $ 20 if the bank did not waste time on an official request and made chargeback. The situation is played out according to the scenario with Stepan at the beginning of the article - the seller has only losses.

In order to minimize risks, we first verify the transaction, then the client, and then his order. The first protects us from already known fraudsters, the second - from the latter-day, and the third - against abuses.

Transaction verification

With a new order from an unverified customer, we:

1. Check it modulo FraudRecord. This is an international base of unreliable clients, scammers and other bad ones.

   
   

2. Check the number of failed payment attempts. If there are less than two, everything is OK. If there are more, go to the verification of the client and put the label "suspicious".

   
   

3. Check if the client's IP is unique. Often, clients already blocked by fraud create new accounts for other names.

   
   
4. We check the compliance of geo-IP with the country of billing. Many fraudsters pay cards from Europe and the United States, but are themselves in the CIS or China.

With repeated orders and renewals, the client only needs to go through point 2.

Customer verification

Verification of identity is needed in order to make sure that the client is a living person and to make sure that the payment method really belongs to him. To do this, we ask the client for documents proving his identity.

Only state documents from the following list are accepted:

• Passport (Passport);
• An Identity Card (also known as an ID) is an analogue of a passport in many countries;
• Driving license (photo);
• Temporary Resident Card (Temporary Resident Card)
• Certificate of temporary / permanent residence permit (Residence permit)

We carefully check all documents for compliance with state standards. Although often a fake is determined at a glance. So, one of the clients sent a passport with the date of birth “December 30, 1792”.

To verify the payment method, we require a photo of a bank card (with a visible front side, but closed CVV) or a screenshot of payment from PayPal, where you can see that the payment was made on our website. This item is already familiar to many.

Project Verification

We ask to describe the project when ordering a server or VPS. Moreover, we send back a simple “website for a company” or “website for a customer” with a request to tell in more detail: what the client / company is doing, what will be posted on the website. After all, the client may be the site of child porn, and this is a problem.

If the project plans to send letters, we require proof that the recipient database was compiled by the client, and the recipients themselves passed double opt-in verification.

List of projects that we do not accept:

• DDoS attacks of other resources;
• port scanners;
• sites calling for terrorist activities, cruelty, violence, etc .;
• child porn, bestiality and other chernukha;
• outgoing spam;
• phishing sites.

Conclusion

It cannot be said that these measures are 100% saved from chargeback or abuz. But they significantly reduce the number of scammers who gain access to services. Therefore, if your company is still only on the path of implementing a customer and order verification system, I advise you not to save. It is known that the greedy always pays.

I hope that one day we will live in a world where you can take everything on faith. But until this world has not come yet - verification is the only way out. Let it not the most colorful or popular aspect of the e-commerce business, but it is just necessary. It is a pity that honest customers should also be tested.