Daily Archives: October 6, 2008

How to detect fraudulent transactions

As of right now I have five online ecommerce shops selling fitness supplements.  Pretty much anything you’d find in GNC is listed on my websites.  Since I work with another middleman company that stores most of the inventory and does the packaging and shipping for me, margins on my end are very slim.

After the first year in business my company received seven or eight chargebacks, which occur when anybody that owns a credit card goes to their bank and says “I didn’t purchase this” or “I’m not happy with the product or service I received.”  Chargebacks are a whole post in themselves, so I won’t ramble too much about their pain right now.  Anyway, this past year we’ve received one chargeback and it wasn’t because of third-party fraud; the guy ordered a product that was on backorder and wasn’t happy that he was too ADD to notice the website or read the email stating the product was on backorder.  Anyway, I’ve become much more attuned to identifying fraudulent transactions as they arrive in an effort to minimize losses, but I’m not perfect by any means.  I’ve probably canceled a valid order or two in the past year because the risk of filling the order was too high.  Today for example, somebody ordered $15 worth of product and paid $55 for second day air shipping.  I stand to earn about a buck… no, actually, I’d lose about fifty cents if all goes well, and risk losing $70 plus bank fees, which can be up to $50 depending on how mean your bank is, on this order if it were fraudulent and the card owner performed a chargeback.

Methods I use to determine fraudulent transactions:

1. Require the customer to enter the CVV code on the back of their credit card. The idea is that the customer would have to have possession of the card in their hands at the time of the order.  This is not foolproof by any means, because an untrustworthy online merchant might store all this data in plain text.   The CVV code may deter some fraud, but in reality, this information can be just as easy to obtain as the credit card number itself.

2. Use Address Verification Service (AVS)

3. Pay attention to the products ordered. With most fraudulent orders, the customer will order a high quantity of just one product.  They will not order a variety of products or be very selective or price conscious.

4. What speed of shipping did they choose and how much does it cost in relation to the product cost? Speed of delivery is important.  We offer 1-3 day UPS ground shipping on our sites, but still offer UPS 2nd day air and UPS 1 day air delivery options.  Typically, what would cost $10 to ship via UPS ground will cost $50 UPS 2nd day air and $100 UPS 1 day air.  The scammer in these cases cannot get the product in their hands fast enough; they will choose an upgraded shipping option as the cost means nothing to them.  Occasionally a valid customer will order $50 worth of product and pay $50 to have it shipped, but it’s about 1 in 250 orders.  I do have a regular customer that buys $30 worth of product and pays $22 for UPS 2nd day air instead of $7 for 1-3 day shipping.  The more reliable delivery date is worth it to some people.  However, be very wary of these transactions, especially if it’s the first time a customer has ordered from you and the shipping price is as much or more than the product total price.

5. Watch for a customer that tries multiple declined credit cards right after one another.  The most likely reason they’re being declined is because they’ve been reported stolen.  I’d be cautious of anybody that must use three or more credit cards to submit a valid transaction.

6. When is the last time the customer ordered from you? It’s common that you’ll have new customers and it’ll be the first time they’ve ordered from you, so don’t get too worried about that.  With my sites, I estimate 50% of our orders are first time customer orders.  The one to watch out for is if the customer placed multiple orders with you with a short time span between orders, say less than four days apart.  Back when I was a rookie at this, I had a guy place an order for over $300 worth of product, then placed another large order, which contained many of the same products as the first, only two days later. Then a third order was placed shortly thereafter.  I was very excited to get a few great orders, but really just had the blinders pulled over my eyes.  By the time I received the chargeback for the first order a month later, I’d sent him over $1200 worth of product and he was long gone.  That’s a $1200 out of pocket mistake I don’t want to make again.

7.  Attempt to communicate with the customer either by email or phone. More often than not, somebody who is out to scam you wants no communication with you whatsoever.  They might provide a very odd looking email address and phony phone number.  I have received email responses from some frauds and they’re usually very short emails; about half the time they respond with one word.  Calling the customer and verifying the billing address on the credit card is a pretty good way to catch them off guard, if they gave you their real phone number.  If they hesitate on the billing address, don’t send them anything!

8. Email address should not be that of the person on the shipping address. The person ordering the product will usually provide their email address in case of any billing issues. Be very cautious if the email address belongs to the delivery person as that indicates they’re in charge of the purchase while using somebody else’s credit card.

9. Phone number should not be that of the person on the shipping address. This is for the same reason as #8. Look up the area code on Google and find what state and cities the phone number could be from. Be cautious if it matches the delivery city/state and not the billing city/state.

10.  Validate the shipping address and phone number on whitepages.com. This website will tell you who lives at the residence.  It’s a useful tool to help guide your decision, but it’s not foolproof by any means.  A lot of my customers live in apartments and hop around frequently, so the records are many times out of date.  You can do the same with a reverse phone number lookup, but it doesn’t work on cell phones.

11.  Require that the customers enroll in Verified By VISA. This program allows customers to assign a password to their credit card so the password must be entered each time when making a purchase online.  If all merchants required this, it would be a great success.  The customer will complain because it’s a few extra clicks and pecks on the keyboard and takes an extra minute, so you will most likely see an increase in abandoned orders during the checkout process.  The bad news is, even as a customer, if you enroll in Verified By VISA, the scammer will simply purchase products from a site that does not have this program implemented into their checkout.
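
Several of the checks above (methods 2, 3, 4, 5, 6 and 9) can be run automatically so that an order is flagged for manual review before it ships. The following is an added example, not code from the original post; the order field names, the make_order helper and the BULK_QTY cut-off are assumptions, and the sample orders are constructed to mirror the cases described in the post.

```python
from datetime import datetime, timedelta

BULK_QTY = 5  # assumed cut-off for "high quantity"; the post gives no number

def fraud_signals(order, history=()):
    """Return the heuristics an order trips; history = the customer's earlier orders."""
    items = order["items"]
    product_total = sum(i["qty"] * i["price"] for i in items)
    signals = []
    if not order["avs_match"]:                                   # method 2
        signals.append("avs-mismatch")
    if len(items) == 1 and items[0]["qty"] >= BULK_QTY:          # method 3
        signals.append("single-product-bulk")
    if not history and order["shipping"] >= product_total:       # method 4, first order
        signals.append("first-order-shipping>=products")
    if order["cards_tried"] >= 3:                                # method 5
        signals.append("three-or-more-cards")
    if any(order["placed"] - h["placed"] < timedelta(days=4) for h in history):
        signals.append("repeat-order-within-4-days")             # method 6
    if order["phone_state"] == order["ship_state"] != order["bill_state"]:
        signals.append("phone-matches-shipping-not-billing")     # method 9
    return signals

def make_order(placed, items, shipping, **overrides):
    """Build a constructed sample order with benign defaults (hypothetical schema)."""
    order = {"placed": placed, "items": items, "shipping": shipping,
             "avs_match": True, "cards_tried": 1,
             "phone_state": "OH", "ship_state": "OH", "bill_state": "OH"}
    order.update(overrides)
    return order

# Constructed samples modelled on the cases described in the post.
T0 = datetime(2008, 10, 6)
todays_order = make_order(T0, [{"sku": "X", "qty": 1, "price": 15.0}], 55.0)
regular_prev = make_order(T0 - timedelta(days=30),
                          [{"sku": "Y", "qty": 1, "price": 30.0}], 22.0)
regular_now = make_order(T0, [{"sku": "Y", "qty": 1, "price": 30.0}], 22.0)
bulk_first = make_order(T0, [{"sku": "Z", "qty": 10, "price": 30.0}], 10.0,
                        cards_tried=3, ship_state="FL", phone_state="FL")
bulk_again = make_order(T0 + timedelta(days=2),
                        [{"sku": "Z", "qty": 10, "price": 30.0}], 10.0)

if __name__ == "__main__":
    for name, o, h in [("today", todays_order, []), ("regular", regular_now, [regular_prev]),
                       ("bulk-1", bulk_first, []), ("bulk-2", bulk_again, [bulk_first])]:
        print(name, fraud_signals(o, h))
```

The function only lists which signals fired; whether to call the customer, hold the order or cancel it remains a manual decision, as in methods 7, 8 and 10.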

Selenium IDE and TinyMCE

I created a test case for creating a support ticket.  Our support ticket interface has multiple TinyMCE editors present for the various ticket description and action update fields.  I had a difficult time finding a solution that would make Selenium IDE type text into one of these TinyMCE editors, but I found one that worked using the DOM.  Use command “type” and target should be “dom=document.getElementById('id_of_the_tinymce_frame').contentDocument.body” and the value can be any text you want entered into the TinyMCE editor.

Note – if you copy and paste the dom code above, you may have to redo the single quotes around the id after you paste it somewhere else.  I did this and the character changed and threw me off for a bit.

Using variables with Selenium IDE

The “store” commands embedded into Selenium IDE are very useful when working with dynamic content.  “store” allows you to specify a variable and its value for use later on in your testing suite.  You can create a variable in one test case, then retrieve and use it in another.

I created a test case that creates a support ticket.  In all, I’ll need to create tests for creating the ticket, updating the ticket, and deleting the ticket.  All three can be upwards of 40-50 commands apiece once all the data verifications are included.  In order to keep test cases as small as possible, I’d store the new support ticket ID in a variable upon completion of the first test case that created the support ticket.

In this situation, the support ticket ID will be different every time, so “store”, which allows you to hardcode a variable value, will not work.  The command I used was “storeAttribute”, which allows you to locate an element, or its value, on a page using XPath and store it.  The target will use XPath “//input[@name='newTicketId']@value”, which selects the value of the input with name “newTicketId”.  The value will be your variable name, such as “newTicketId”.  To access this variable, reference it like “${newTicketId}” in another command’s value.