Basic Fraud Detection
SOLO Server provides several features to help detect fraudulent customers and orders. This topic explains those features and shows you how to use them. Identifying a suspicious transaction from an order confirmation email often becomes intuitive once you consider the following points:
- Refer to Interpreting Approval Codes. Was an Address Verification System (AVS) result returned? Almost all cards issued in the United States support AVS matching. Did the user supply a valid CVV2 number? If the bank reported that either value did not match (as opposed to the check not being available), look into the order further immediately.
- Do the name and address look valid? Hackers sometimes use obviously false information, which raises an immediate red flag, and sometimes put their email address in the address field instead of a street address.
- Did the user supply a phone number? Do its country and area codes fit the address given? Does that person answer the phone? Most customers do not mind a quick phone verification, especially on large-dollar orders.
- Does the email address match the customer name? Is it a corporate email address?
- Is the email address through a public service provider such as hotmail.com or yahoo.com? Hackers sometimes create a mailbox on a public provider chosen to make the order look legitimate. For example, a hacker who obtains a credit card account belonging to Jane Smith may register janesmith@hotmail.com.
- Just as the Domain Name System (DNS) converts host names such as www.softwarekey.com to IP addresses, a reverse DNS (PTR) lookup can map an IP address back to the host name its owner registered for it, when one exists.
- Does the Country of IP Address match the name and address given by the user? Is it a foreign IP address using a customer address in the United States or vice versa?
- Was a reverse DNS host name listed on the order confirmation email? Does it match the email address domain? Does the hostname match the city and/or state of the customer?
- If a reverse DNS hostname is not available, or you want to probe the Country of IP Address further, look up who the IP address block is registered to. To do this, click the order details link at the bottom of the order confirmation email, then click the IP address hyperlink. In the middle table, click Network Lookup, then Submit. Is the IP address coordinator in the same country as the customer? Does the coordinator's country code match the customer's country and the country code of their phone number? Is it a foreign IP address with a United States customer address, or vice versa?
- Were there one or more declined attempts, possibly using different credit cards? Is the hacker "fishing" for a valid number (card testing)? Were there attempts where the customer used the same credit card but altered the address? If any declines are present for the customer within the previous 24 hours, the count is displayed in red near the bottom of the notification email.
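The reverse DNS and network lookups described in the last few points can be scripted when you review more than a handful of orders a day. The following is an added example, not SOLO Server code: reverse_dns() and whois() need network access and are only shown in a comment; parse_whois(), hostname_hints() and hostname_matches_email_domain() run offline on a constructed WHOIS record that is modelled on the Shaw Fiberlink entry quoted in Sample 6 below (the field layout follows what ARIN returns; the NetName value and the use of a two-letter StateProv are assumptions).

```python
"""Reverse-DNS and WHOIS enrichment for the IP address on an order confirmation.

Added example, not SOLO Server code. The WHOIS text at the bottom is a
constructed record modelled on Sample 6, not a live query result.
"""
import re
import socket


def reverse_dns(ip):
    """PTR lookup. Returns None when the address has no registered host name
    (the blank 'DNS HostName' case on the confirmation email)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def whois(ip, server="whois.arin.net", timeout=10.0):
    """Raw WHOIS query (RFC 3912): send one line to TCP port 43, read until close.
    ARIN holds North American blocks; for others (e.g. the Venezuelan block in
    Sample 4) its reply refers you to the registry that holds the block, so
    repeat the query against that server."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(ip.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


# Field names differ between registries; the first alias present wins.
_ALIASES = {
    "org": ("orgname", "org-name", "owner", "organisation", "organization"),
    "city": ("city",),
    "state": ("stateprov",),
    "country": ("country",),
}


def parse_whois(text):
    """Reduce a 'Key: value' WHOIS record to org/city/state/country.
    Comment lines (# or %) are skipped; the first value seen for a key is kept."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "%")):
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    summary = {}
    for name, keys in _ALIASES.items():
        for key in keys:
            if key in fields:
                summary[name] = fields[key]
                break
    return summary


def hostname_hints(hostname, city, state):
    """Does the reverse-DNS name carry the customer's city or state?
    ISP pool names often embed them ('fort-myers1.fl' in Sample 2). Tokens are
    split on dots, dashes and digits; city words shorter than three letters are
    ignored so 'N.' or 'Ft.' cannot match by accident."""
    tokens = {t for t in re.split(r"[.\-\d]+", hostname.lower()) if t}
    city_words = [w for w in re.split(r"[^a-z]+", city.lower()) if len(w) >= 3]
    state = state.strip().lower()
    return {"city": any(w in tokens for w in city_words),
            "state": bool(state) and state in tokens}


def hostname_matches_email_domain(hostname, email):
    """Sample 3 pattern: firewall.deloitte.co.nz for cmay@deloitte.co.nz."""
    domain = email.rsplit("@", 1)[-1].lower()
    host = hostname.lower().rstrip(".")
    return bool(host) and (host == domain or host.endswith("." + domain))


# Constructed record (not a live query), modelled on the Sample 6 lookup.
SAMPLE6_WHOIS = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetName:        FIBERLINK-CABLE
OrgName:        Shaw Fiberlink ltd.
Address:        Suite 800, 630 3rd Avenue SW
City:           Calgary
StateProv:      AB
PostalCode:     T2P 4L4
Country:        CA
"""

if __name__ == "__main__":
    print(parse_whois(SAMPLE6_WHOIS))
    print(hostname_hints("0-1pool149-217.nas1.fort-myers1.fl.us.da.qwest.net",
                         "N. Ft. Myers", "FL"))
    # Live lookups (need network access):
    # print(reverse_dns("63.233.149.217"))
    # print(parse_whois(whois("24.64.73.134")))
```

The country field of the parsed record is what you compare against the customer's country; a city or state hit in the hostname is only a supporting signal, since many ISPs name their pools after the exchange rather than the subscriber's town.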
Other important notes:
- The IP address of the requesting party can be "spoofed," meaning the value the server records may not be the customer's real address (for example, when the customer connects through a proxy or VPN, or when the server trusts a forwarded-address header). Treat it as one signal among several. If multiple orders occur from the same person, is the IP address in the same range? Are they from the same country?
- Related article on IP address blocks and physical location: http://www.aspfaqs.com/aspfaqs/ShowFAQ.asp?FAQID=179
Examples of Valid Orders:
Sample 1
Approval Code: 947061A
Company:
Contact Name: Jiamiene Hsu
Address Line 1: 2008 Midwest Club Parkway
Address Line 2: Oak Brook, IL 60523
Address Line 3:
Country: USA
Voice: (630)789-8281
FAX:
E-Mail address: jhsu@allways.net
IP Address = 208.148.108.2
DNS HostName = 208-148-108-2.dpliv.com
Country Of IP Address: United States
The AVS matched the street address but not the zip code. The DNS HostName does not tell us much, so we look up the IP address coordinator and find:
- Allways, Inc. (NETBLK-CW-208-148-104) CW-208-148-104
- 208.148.104.0 - 208.148.111.255
The registrant matches the email domain (allways.net). We cannot be 100% sure this order is valid, but we have no reason to think it is not.
Sample 2
Approval Code: 091404YM
Company:
Contact Name: Dale Mori
Address Line 1: 16275 Willow Stream Lane
Address Line 2: N. Ft. Myers, FL 33917
Address Line 3:
Country: USA
Voice: 941-567-2931
FAX:
E-Mail address: DaleMori@msn.com
IP Address = 63.233.149.217
DNS HostName = 0-1pool149-217.nas1.fort-myers1.fl.us.da.qwest.net
Country Of IP Address: United States
The credit card AVS matched (Y) and the CVV2 matched (M). The DNS HostName contains the city of the customer. This looks very legitimate.
Sample 3
Approval Code: 005385GU
Company:
Contact Name: Chris May
Address Line 1: 101 Wilton Road
Address Line 2: Wellington, 6005
Address Line 3:
Country: NEW ZEALAND
Voice: +64 4 4703843
FAX:
E-Mail address: cmay@deloitte.co.nz
IP Address = 202.36.181.10
DNS HostName = firewall.deloitte.co.nz
Country Of IP Address: New Zealand
The credit card AVS and CVV2 responses are not available (typical for international cards). This is an international order and the DNS Host Name and email address both match. This looks legitimate.
Sample 4
Approval Code: 784259S
Company: CAF
Contact Name: JOSE LUIS DE SIMONE
Address Line 1: AV. LUIS ROCHE TORRE CAF
Address Line 2: ALTAMIRA
Address Line 3: CARACAS, 1060
Country: VENEZUELA
Voice: 58212 2092170
FAX: 58212 2092170
E-Mail address: jdesimone@yahoo.com
IP Address = 200.14.9.189
DNS HostName =
Country Of IP Address: Venezuela
The credit card AVS and CVV2 responses are not available (typical for international cards). This is an international order. The DNS Host Name is blank and the user is using a public email service (yahoo.com). We look up the IP Address coordinator to see:
- Corporacion Andina de Fomento (NETBLK-CAFCSVC)
- BOX-69.011
- Caracas
- VE
At least the coordinator is in the same country. This looks legitimate.
Sample 5
Approval Code: 014706AM
Company: Electric Power Research Institute
Contact Name: Lance Agee
Address Line 1: 3412 Hillview Avenue
Address Line 2: PO Box 10412
Address Line 3: Palo Alto, CA 94303
Country: USA
Voice: 650-855-2106
FAX: 650-855-1026
E-Mail address: lagee@epri.com
IP Address = 144.58.57.133
DNS HostName =
Country Of IP Address: United States
The AVS matched the street address but not the zip code (A) and the CVV2 number matched (M). The email address looks like an abbreviation of the company name. We look up the IP Address coordinator to see:
- Electric Power Research Institute (NET-EPRI)
- Information Technology Division
- 3412 Hillview Avenue
- P.O. Box 10412
- Palo Alto, CA 94303
- US
This looks perfectly legitimate.
Sample 6
Contact Name: Patty Sinkler
Address Line 1: 5918 Rosebay Forest Place
Address Line 2: Midlothian, WA 23112
Address Line 3:
Country: USA
E-Mail address: asad_shahid@yahoo.com
Voice: 3452324234
IP Address = 24.64.73.134
DNS HostName =
Country Of IP Address: Canada
There were several attempts with different account numbers using the same information above. The email address does not match the user's name at all. We look up the IP Address coordinator to see:
- Shaw Fiberlink ltd. (NETBLK-FIBERLINK-CABLE)
- Suite 800, 630 3rd Avenue SW
- Calgary, Alberta T2P 4L4
- CA
But this customer is supposedly in Washington State (and the 23112 zip code belongs to Midlothian, Virginia, not Washington, another inconsistency). This was not a legitimate order. Blocking this user's email address turned up several other orders with different customer information and account numbers!
Notice how the Country Of IP Address field immediately directs your attention to the problem: Canada is not consistent with the customer's stated address.
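The checklist at the top of this topic and the six samples above can be turned into a first-pass screen that runs over every confirmation before a person reads it. The following is an added example, not SOLO Server code: the field names (avs, cvv2, ip_country, dns_hostname, declines_24h and so on) are assumed names for the values printed on the confirmation email, the AVS and CVV2 result-code sets follow common card-processor conventions and should be confirmed against Interpreting Approval Codes and your gateway's documentation, and the two order records are constructed from Sample 2 (clean) and Sample 6 (fraud), with the decline count for Sample 6 chosen for the example.

```python
"""Screen an order-confirmation record against the fraud checklist.

Added example, not SOLO Server code. Field names and result-code tables are
assumptions (see the lead-in); the sample orders are constructed from
Sample 2 and Sample 6 on this page.
"""
import re

AVS_MISMATCH = {"N", "Z"}      # N: nothing matched; Z: ZIP matched, street did not
AVS_PARTIAL = {"A"}            # A: street matched, ZIP did not (Samples 1 and 5)
CVV2_MISMATCH = {"N"}
FREE_MAIL = {"hotmail.com", "yahoo.com", "msn.com", "gmail.com", "aol.com"}
COUNTRY_CODES = {"usa": "US", "united states": "US", "canada": "CA",
                 "new zealand": "NZ", "venezuela": "VE"}


def country_code(value):
    """Normalise 'USA' / 'United States' / 'US' to a two-letter code."""
    v = value.strip().lower()
    return COUNTRY_CODES.get(v, v.upper())


def email_matches_name(email, name):
    """jhsu@ for 'Jiamiene Hsu' passes; asad_shahid@ for 'Patty Sinkler' fails.
    Any name word of three or more letters appearing in the local part counts."""
    local = re.sub(r"[^a-z]", "", email.split("@", 1)[0].lower())
    words = [w for w in re.split(r"[^a-z]+", name.lower()) if len(w) >= 3]
    return any(w in local for w in words)


def screen_order(o):
    """Return (severity, reason) flags; an empty list means nothing stood out."""
    flags = []
    avs, cvv = o.get("avs", "").upper(), o.get("cvv2", "").upper()
    if avs in AVS_MISMATCH:
        flags.append(("high", f"AVS mismatch (code {avs})"))
    elif avs in AVS_PARTIAL:
        flags.append(("low", "AVS: street matched, ZIP did not"))
    if cvv in CVV2_MISMATCH:
        flags.append(("high", "CVV2 mismatch"))
    if o.get("declines_24h", 0) > 0:
        flags.append(("high", f"{o['declines_24h']} decline(s) in last 24h (card testing?)"))

    domain = o["email"].rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL:
        flags.append(("low", f"public mail provider ({domain})"))
    if not email_matches_name(o["email"], o["name"]):
        flags.append(("medium", "email address does not resemble contact name"))
    if any("@" in line for line in o.get("address", [])):
        flags.append(("high", "email address entered in an address field"))

    if country_code(o["ip_country"]) != country_code(o["country"]):
        flags.append(("high", f"IP in {o['ip_country']} but address in {o['country']}"))
    host = o.get("dns_hostname", "").lower().rstrip(".")
    if host and domain not in FREE_MAIL and not host.endswith(domain):
        flags.append(("low", "reverse DNS domain differs from email domain"))
    return flags


def verdict(flags):
    """hold: any high flag; review: two or more lesser flags; accept otherwise."""
    if any(sev == "high" for sev, _ in flags):
        return "hold"
    score = sum({"medium": 2, "low": 1}[sev] for sev, _ in flags)
    return "review" if score >= 2 else "accept"


# Constructed from Sample 2 (clean) and Sample 6 (fraud); declines_24h for
# Sample 6 is an assumed count standing in for "several attempts".
SAMPLE_2 = {"name": "Dale Mori",
            "address": ["16275 Willow Stream Lane", "N. Ft. Myers, FL 33917"],
            "country": "USA", "email": "DaleMori@msn.com", "avs": "Y", "cvv2": "M",
            "ip_country": "United States",
            "dns_hostname": "0-1pool149-217.nas1.fort-myers1.fl.us.da.qwest.net",
            "declines_24h": 0}
SAMPLE_6 = {"name": "Patty Sinkler",
            "address": ["5918 Rosebay Forest Place", "Midlothian, WA 23112"],
            "country": "USA", "email": "asad_shahid@yahoo.com", "avs": "", "cvv2": "",
            "ip_country": "Canada", "dns_hostname": "", "declines_24h": 3}

if __name__ == "__main__":
    for label, order in (("Sample 2", SAMPLE_2), ("Sample 6", SAMPLE_6)):
        flags = screen_order(order)
        print(label, verdict(flags), flags)
```

A "hold" only means a person should look before the license is released, which is exactly what the samples above do by hand; the single low flag on Sample 2 (a public mail provider) is not enough on its own to delay an otherwise clean US order.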