
osCommerce

The e-commerce.

Fraud..help


gnfailure


Over the last couple of days my website has been inundated with new customer signups followed by PayPal payments for outrageously huge amounts. Since the product I'm selling is Real time call credit for VoIP I'm scared of losing big time and not sure what to do.

I reported the problem to PayPal on Thursday, but they don't seem to be doing jack shit. All they did was flag the payments and send me and the customer an email asking if it's all correct. But I had already sent emails to the customers querying if the payments are legit and realised that the PayPal email addresses they provided are all bouncing. Told that to PayPal, but don't think I'm getting across to them. Plus payments just keep on coming for big amounts.

Looks like all the payments are originating from South Africa, but the PayPal accounts belong to US and UK addresses. Some payments are direct Credit Card payments with no address details.

Because of the nature of the service I'm selling, I am unable to proactively monitor 24x7 to see if each customer sales is legit. To give you an idea: most customers buy $10 or $20 credits and these dodgy customers are buying $600 and $1000 dollar credits. Some have used up the credit already (before I got around to blocking them), but as soon as I block a new account is created and paid for. It feels like I'm being targeted with dodgy payments! :'(

 

Please let me know if you guys have any thoughts as to what I can do.

Link to comment
Share on other sites

so you're saying using osCommerce with the paypal module and you're receiving orders notifications from paypal along with the osc notifications and all these orders are fake?

 

But I think you aren't using osCommerce and is one of the reasons you're getting these problems.

Link to comment
Share on other sites

Hi,

 

I've been using OsCommerce and the site has been running like this for about 2 years now. Paypal is the only payment module installed.

 

As far as the system is concerned, it's all legit orders, i.e. someone registers, adds cards into basket, goes to PayPal, pays and is immediately allocated credit to the user account.

 

 

The problem I'm having is dodgy guys signing up and paying using dodgy cards or stolen paypal accounts..I really don't know how to stop these dodgy guys creating accounts on my site and making payments and using up credit.

 

Pls let me know if u have any thoughts.

 

thanks

 

 

 


Link to comment
Share on other sites


ok then, check the contributions like:

http://www.oscommerce.com/community/contributions,1296

 

or mail validation

http://www.oscommerce.com/community/contributions,2151

 

checking ips for new accounts

http://www.oscommerce.com/community/contributions,4328

 

manual customer approval

http://www.oscommerce.com/community/contributions,4584

 

So the first or second one can completely eliminate fake accounts (meaning the email address must be valid). IPs and manual approval give the store owner much better control over the accounts. And I am sure there are other related modules.

Link to comment
Share on other sites


 

 

Great advice Enigma1, thank you. I have just had my first international inquiry on a product's shipping cost and although I should be pleased with the contact, I couldn't help but be suspicious after reading some fraud posts here.

I will definitely be installing some of the above referenced contribs! Thanks!

We see our customers as invited guests to a party, and we are the hosts. It's our job every day to make every important aspect of the customer experience a little bit better. - Jeff Bezos

Link to comment
Share on other sites

I think the very first one I posted (#1296) is a great idea. Not only offers the email validation, but removes the password fields from the create account page and is where many people try to find ways to reduce the number of fields required by customers to create accounts.

 

You can also check the ban ip related ones

http://www.oscommerce.com/community/contributions,2532

 

A good idea would be to use the #1296 for verification. Then if the account is never used (ie: created but not logged-in) for say up to a week you have a script to automatically ban the ip and delete the account. Now that's just an idea, I don't know if a contribution exists for it, you may have to combine a few contributions together to achieve this.

 

Then you have other modules like the active countries where you can pre-select from what countries/states you allow account-creation, shipping and billing. In every case before installing, keep a good backup of your store, some of these modules require several changes and you want to keep your site operational.

Link to comment
Share on other sites


 

An interesting contribution.

 

Question: What happens during a new customer checkout? Does it mean that they have to check the email for password before they can complete the checkout? Or could they still checkout easily and would receive an additional email informing them of the password?

- The Jackal

Link to comment
Share on other sites


 

Good question TheJackal, I would like to know the answer to your question and also to verify that once a person does login with the contribution-generated password, that they are still able to change it easily via their account?


Link to comment
Share on other sites


The way it works is it automatically generates a password upon account creation. The customer has to login afterwards (the system does not login customers immediately). And in order to do that he must receive the email with the password. The other account related pages aren't affected so the customer can change the password for his account (if he wants to).

 

This method is more effective than #2151 as the latter adds an extra field for the verification (and still requires the password to be entered during account creation) making the whole process more complex for someone to register.

Link to comment
Share on other sites


 

Thanks for the clarification. Since the customer has to wait to receive the password email and then sign in to be able to checkout, do you think this would be a deterrent to customers purchasing if they're made to wait? I would definitely rather be secure than not though. Maybe it would be to my benefit to give the user some kind of message saying that they need to create an account and login with the generated email BEFORE adding items to their cart. At least just to let them know about the extra step beforehand?


Link to comment
Share on other sites


You shouldn't need to. They have to login before checking out anyways. So as long as the create account (create account success) page mentions the password is with the create account email

 

The shopping cart contents will be merged once they login so they shouldn't lose anything.

Link to comment
Share on other sites

Upon reading the contribution further, I realized that you can actually checkout without the email verification (skip the unregister variables).

 

Of course, one would ask..what's the point of installing this contribution then?

 

Well..it is much easier to install than PWA (Purchase Without Account) for one! The thing I don't like about PWA is that it modifies the core OSCommerce. And this can cause unnecessary havoc and admin issues. Maybe I will try this out and let everyone know how it goes.

- The Jackal

Link to comment
Share on other sites


You can do many things to speed up the create account process. For instance I thought of using just the name and email address for registration purposes. Then during checkout you could show a form with the address details for shipping/billing. Now that has a marketing advantage of having users easily registered through your store. Then when they checkout the system could store the address details (the first time) and use them thereafter. They are still going to fill the same number of fields, the difference is they will be split into 2 different forms with the 2nd one carrying the required shipping/billing info.

 

So you can move the bulk of these options to the checkout where the more registered customers you have the more sales you can make theoretically at least. This also gives an advantage to stores where they want to display prices for registered users only. A tiny create account page helps a lot.

Link to comment
Share on other sites


 

Thanks to you both for an enlightening conversation about this subject!

 

Enigma1, I think your idea is a great one. To allow user registration with name and email address (password generated by the above mentioned contrib), and then to have the billing and shipping filled out upon checkout and only then inserted into the user details. That makes COMPLETE sense to me and I would love to see a contribution to handle this. I can only hope...


Link to comment
Share on other sites


 

That's certainly a neat idea especially if one is after customer registrations.

 

I doubt that having more registration necessarily equates to more sales. Most of the time, my experience is:

 

i. they buy it while they are at your site OR

ii. they leave and never come back again.

 

That's why I think a lot of store owners swear by PWA. Seal the deal. One just cannot rely on them coming back, logging in, adding to cart and then buy.

 

I am glad that OSCommerce v3.0 is addressing many of the checkout issues to reduce the number of steps. I don't know why many people are frustrated that v3.0 is not ready..but I would rather wait for a great solution, vision and upgrade for the next version. In the meantime, MS2.2 should serve most of the needs with the vast number of contributions out there.

- The Jackal

Link to comment
Share on other sites


You need to take into account the user's experience. So someone who does his shopping on the internet, he will visit other sites also, create accounts etc. Now the create account (or PWA whatever) is the primary key for checkout. Users who will experience your tiny registration form vs another store's complicated one will give you the thumbs up right from the beginning. So do not underestimate the visitor's first impression seeing a tiny registration form, it really matters for the final sale.

 

Also some stores may provide services for registered users. These elements can be exposed quickly from the account page where a customer does not have to enter all other details during account creation to see them. Plus personalized content. It's more user friendly to show various aspects of your store to a user addressing him by his name. More registered users mean, more to sign-up for your newsletter. Plug-in the email templates module and you can send professional looking html emails to these new customers.

http://www.oscommerce.com/community/contributions,2866

 

see example with pictures

http://www.oscommerce.com/forums/index.php?s=&...t&p=1043915

so you do get a chance to send an email like this to more people right upfront from the create account.

 

There are several ways to expose your content and is easier with registered customers than regular visitors.

Link to comment
Share on other sites

So why don't you go into your PayPal account and change the payment options to must be verified.

I don't endorse any illegal activity, but if you're dealing with a large amount of money transactions I would first open an online bank account such as at HSBC.com, and you can fund it via your local bank. Associate your PayPal account with the HSBC account; that way, when you are paid for items you've shipped, you can then do a bank-to-bank transfer to your local account. That way PayPal with their lawlessness can't screw up your main account by attempting to draft money.

Be very careful, as PayPal don't protect sellers too much, as I've learned from experience. I still use them, but I am very careful when doing so.

Like the old saying about refrigerated items, when in doubt throw it out; likewise in commerce, if you're not sure, save yourself and refund the purchase amount and the reason. State that if they wish to make such purchases, please send a money order or cashier's check; that way you can ensure it is cleared prior to shipment of the items. Good luck!

Link to comment
Share on other sites

  • 1 month later...

Having a bit of this ourselves. We found that they gained access to our ftp account or the downloads that we stored online (?), added script to our site's pages to pull our customers' cr card info and send to an email address. They also hacked customer records, changed their email addresses, and then ordered products using someone else's credit card information and our customers' address. Not sure where they got the credit cards but 18 out of 30 transactions were approved and processed through Authorize.net. But when we called the customers, they hadn't ordered from us in over a year, the email address on their account had been changed, and they don't recognize the credit card that was processed. None of these things have gone full cycle yet. Just happened 08/10/07. The first customer affected should get a package shipped by us, but not ordered by them, in the next day or so. We've done a bunch of things to resolve this but not sure if we've gotten everything, so the site is down. Can't pay the bills that way! We have:

1) Called Authorize.net and let them know about it.
2) Voided out all credit card payments that we know are fraudulent,
3) Contacted customers whose accounts have been tampered with,
4) Removed the PHP script from the pages that was added to pull cr info,
5) Called the FBI in our region to report the fraud,
6) Called the Federal Trade Commission to report fraud,
7) Removed all downloads of the site off the server,
8) Contacted our server company to figure out how this happened and how to resolve in the future,
8) Called our website security company for assistance,
9) Changed server passwords,
10) Database passwords,
11) Cleaned up extra IDs for the SQL database and otherwise,
12) Set up a webpage monitor for changes...

Anything else we should do?

Link to comment
Share on other sites

  • 3 months later...

Hello Guys,

 

Need some more advice on this.

 

Following the initial post back in June, it got to a stage where I was pulling my hair out. Paypal were totally useless at this. I called them to report that several transactions appear to be fraudulent and that I've closed the accounts on my site and refunded the amounts immediately. But their response:

 

"Through careful research of the transaction(s) you submitted, PayPals Fraud Team has determined there is insufficient evidence in support of your claim. As a result, we have refused your Unauthorised Account Use Claim." I wasn't claiming anything..all I wanted them to do was to let the paypal account holder know that their account was compromised.

 

Anyway, we installed the contribution allowing us to manually approve customers (thanks enigma1) and have been running like that since August. But since installing it, the number of genuine customers signing up has dropped significantly. I guess no one wants to wait to be approved. And though I strive to ensure that the accounts are approved almost immediately, they never return. But the day I take the contribution offline I get 5 or 10 dodgy accounts created with addresses based around the world and silly payments of like 100 or 500 dollars come through for calling cards. None of my genuine customers ever buy more than 10 or 20$s on their first purchase.. Feel like we are being hounded by fraudsters.

 

The worst thing is that because we sell voip topup accounts, the accounts are topped up as soon as the payment confirmation from Paypal comes through. So they do misuse our site like hell and we are seriously out of pocket and Paypal doesn't seem to give a toss. I sent proof to them that one of these users used up nearly 100 dollars worth of credit overnight, but not only did paypal take out the money anyway, they even charged me an administration fee!

 

Kinda stuck between a rock and a hard place here. We have manually blocked most of the IPs out (including whole countries like South Africa, Nigeria etc), but these chaps seem to be using proxy servers to get around.

 

We can't use google checkout as the products we are selling are Virtual/Online deliverable products and there is something about google only supporting physical goods sales.

 

Any suggestions would be greatly appreciated..absolutely no clue what to do at the moment other than just pulling the plug on the site.

 

Thanks again

Link to comment
Share on other sites


Isn't it an idea to cap the amount that can be bought by a new customer to say $20 for the first week until you manually approved them? Then the legit customers would not be scared off but the scammers would have less to gain.

Link to comment
Share on other sites

You need to be using the osCommerce Pay Pal IPN module (v1.4) in conjunction with Downloads Controller - and make the product a download. In that way the download only gets released when the Pay Pal IPN module is updated with the correct Order Status which shows the payment has been completed.

 

Vger

Link to comment
Share on other sites
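The two replies above suggest capping what a new customer can buy at $20 for the first week until manually approved, and releasing the product only once the payment shows as completed. A sketch of both checks as one gate in front of the automatic top-up follows; it is an added example, not osCommerce or PayPal module code, and it assumes the store can see the account's creation time, an approval flag and PayPal's IPN `payment_status` value. The orders are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Policy values from the suggestion in the thread: $20 cap during the first week.
NEW_ACCOUNT_CAP = Decimal("20.00")
PROBATION = timedelta(days=7)


@dataclass
class Customer:
    created_at: datetime
    manually_approved: bool                 # set by the store owner
    credited_total: Decimal = Decimal("0")  # credit already released to the account


@dataclass
class Payment:
    amount: Decimal
    payment_status: str   # PayPal IPN payment_status, e.g. "Completed" or "Pending"


def on_probation(customer, now):
    """Assumed reading of the rule: capped while under a week old and not yet approved."""
    return (not customer.manually_approved
            and now - customer.created_at < PROBATION)


def decide(customer, payment, now):
    """Return (action, reason); action is 'release', 'hold' or 'review'."""
    # Never top up on anything other than a completed payment.
    if payment.payment_status != "Completed":
        return "hold", "payment_status is %s" % payment.payment_status
    if not on_probation(customer, now):
        return "release", "approved or established account"
    remaining = NEW_ACCOUNT_CAP - customer.credited_total
    if payment.amount <= remaining:
        return "release", "within new-account cap"
    # Over the cap: credit nothing and queue the whole order for the owner,
    # who can approve the account or refund before any credit is used.
    return "review", "%s exceeds remaining cap %s" % (payment.amount, remaining)


def process(customer, payment, now):
    """Apply the decision and keep the running total of released credit."""
    action, reason = decide(customer, payment, now)
    if action == "release":
        customer.credited_total += payment.amount
    return action, reason


def demo():
    """Replay constructed orders through the gate and return the actions taken."""
    now = datetime(2007, 11, 20, 12, 0)
    new = Customer(created_at=now - timedelta(hours=2), manually_approved=False)
    regular = Customer(created_at=now - timedelta(days=400), manually_approved=False)
    approved = Customer(created_at=now - timedelta(days=1), manually_approved=True)
    orders = [
        (new, Payment(Decimal("10.00"), "Completed")),
        (new, Payment(Decimal("10.00"), "Completed")),
        (new, Payment(Decimal("5.00"), "Completed")),
        (new, Payment(Decimal("600.00"), "Completed")),
        (regular, Payment(Decimal("600.00"), "Completed")),
        (approved, Payment(Decimal("100.00"), "Completed")),
        (regular, Payment(Decimal("10.00"), "Pending")),
    ]
    return [process(c, p, now)[0] for c, p in orders]


if __name__ == "__main__":
    print(demo())
```

Genuine first-time buyers at $10 or $20 are credited instantly, so the gate avoids the sign-up drop the original poster saw with blanket manual approval, while the $600 order on a two-hour-old account waits for a human.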


Hi

Is there no way you can email the link for virtual delivery once they have paid? That way they have to go into their email address to press the link for the top up. Or would that be an admin/labour intensive problem? I buy from eBay a lot and use PayPal to pay for digital delivery of website wholesalers. The link to download the wholesale list is sent to my email address and only when I have accessed my email can I open the link. The email address has to match. Of course they could set up loads of email addresses but that would be labour intensive for them and slow them down. Also you can keep an eye on how many times the email address has called for the link. Or am I off the mark entirely?

Good luck, PayPal can be hard work!!!

Link to comment
Share on other sites

I highly recommend google checkout, drop paypal. As far as I can tell, you can use google checkout for digital delivered goods.

 

Here is their TOS: https://checkout.google.com/termsOfService?...nid=aMIAPIdLLpw

 

 

They even describe a product as this: "Products" mean any digital or physical merchandise, goods, or services offered by Seller that a Buyer may pay for using the Service.

 

We used to have constant problems with paypal transactions, funny how our business has increased 10 fold and we have gone 18 mos (since we started with google checkout and dropped paypal) without one single transaction issue. Google has canceled numerous transactions because they could not confirm the payment, paypal would have let those same transactions complete and have us ship before ever finding the problem.

 

Wish you luck...

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
