Influx of stolen credit card "testing"

    Influx of stolen credit card "testing"

    Hi Everyone --

    We're seeing a dramatic influx in people seemingly using our store to submit orders and test stolen credit card info to see if it's valid (and even, it seems, to test credit limits). Has anyone else run into this problem and come up with any ways to discourage it?

    Thank you,

    Brian
    HartfordRestaurantGroup.com

    #2
    Re: Influx of stolen credit card "testing"

    This very thing costs us somewhere near $200 per month, as every time someone tries to run a card through our bridal jewelry store, it costs us 25 cents, even though the transaction is denied.

    So yes, I've seen this problem, and we've had to handle it on our own as our payment processor and gateway provider don't care to fix it and probably don't have the technology to do so anyway.

    You're likely going to have to block the IPs of the offenders on your own. If you already have StatCounter, which is a free analytics tool, you can label visitors' IP addresses if they seem phishy (pun intended), and once you feel you know a certain IP is one of the individuals testing stolen cards, you can block that IP from accessing your site.

    We noticed a lot of the bad traffic was coming from countries overseas that we don't do business with anyway, so not only did we block their IP, but we blocked the entire range of IPs that were all assigned to that country or provider.

    So no one will likely help you remedy this (not even your web host), so figure out through your hosting provider how to block IPs via your hosting control panel, figure out what IP the scumbags are accessing your site through and begin blocking them one at a time.
    Ted Hust
    AarcMediaGroup.com

    Celebrating 13 Years of Outstanding Service & Support
    Miva Merchant Design

    Comment


      #3
      Re: Influx of stolen credit card "testing"

      Originally posted by aarcmedia
      So no one will likely help you remedy this (not even your web host),
      I guess that depends on what kind of web host you have. :-)

      We've done some interesting work for clients who had this type of problem and there was no way to remedy this natively in Miva Merchant (there used to be a module for MM4 that was reasonably helpful with these card testing scenarios, unfortunately it's not available for MM5).

      As a simple example of what we have done - you mentioned you don't do business with a lot of the countries where these test orders originate from. Well - it turns out there are ways to block IPs based on country codes. All organizations that issue IPs (ARIN, APNIC, LACNIC, RIPE, AfriNIC, etc.) keep a database of where each block is assigned to. And there are programs you can install on your server which allow you to cross-check that database on a regular basis, and automatically update your local "blocked countries list." And yes, you need to keep it updated regularly, as IP block allocation does change or get reassigned all the time. Problem solved. If you don't want traffic from Nigeria, China, Pakistan or India - it's only a few small changes you need to make and from that point forward all IPs assigned to those countries will be automatically blocked from accessing your system.

      Comment
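The country-level blocking described in post #3, as an added example that is not part of the thread or any poster's own tooling: it reads allocation records in the pipe-delimited "delegated" statistics format the regional registries publish and turns the blocks for chosen country codes into `deny from` lines for the .htaccess list shown later in the thread. The sample records, the registry name `example` and the country codes `ZZ` and `YY` are constructed placeholders.

```python
import ipaddress

# Constructed sample in the registries' "delegated" statistics format:
#   registry|cc|type|start|value|date|status
# For ipv4 the value is an address count; for ipv6 it is a prefix length.
# Addresses are documentation ranges; ZZ and YY are placeholder country codes.
SAMPLE = """\
# constructed sample, not real allocation data
2|example|20240101|4|19830101|20240101|+0000
example|*|ipv4|*|4|summary
example|ZZ|ipv4|192.0.2.0|256|20100101|allocated
example|ZZ|ipv4|198.51.100.0|192|20110101|assigned
example|YY|ipv4|203.0.113.0|256|20120101|allocated
example|ZZ|ipv6|2001:db8::|32|20130101|allocated
"""


def country_networks(text, blocked):
    """Return collapsed networks delegated to the given country codes."""
    v4, v6 = [], []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if line.startswith("#") or len(fields) < 7:
            continue  # comment or summary line
        cc, rtype, start, value, status = (fields[1], fields[2], fields[3],
                                           fields[4], fields[6])
        if cc not in blocked or status not in ("allocated", "assigned"):
            continue  # also skips the version header line
        if rtype == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + int(value) - 1  # count need not be a power of two
            v4.extend(ipaddress.summarize_address_range(first, last))
        elif rtype == "ipv6":
            v6.append(ipaddress.IPv6Network(f"{start}/{value}"))
    # Merge adjacent blocks so the generated list stays short.
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


def deny_lines(text, blocked):
    """Format the networks as lines for the thread's blocked IP list."""
    return [f"deny from {net}" for net in country_networks(text, blocked)]


if __name__ == "__main__":
    print("\n".join(deny_lines(SAMPLE, {"ZZ"})))
```

Regenerating the list on a schedule from fresh registry files covers the reassignment problem the post mentions.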


        #4
        Re: Influx of stolen credit card "testing"

        Originally posted by aarcmedia
        We noticed a lot of the bad traffic was coming from countries overseas that we don't do business with anyway so not only did we block their IP, but we blocked the entire range of IP's that were all assigned to that country or provider.
        What? You don't ship to Nigeria?

        Why would the card companies do anything about it? They're making money off of you with every fraudulent transaction. Predatory capitalism at its finest with the honest, hard working store owner as the prey.
        Steve Strickland
        972-227-2065

        Comment


          #5
          Re: Influx of stolen credit card "testing"

          Here is some actual code you can use.

          If you have the Emporium Plus toolkit and a module that lets you collect additional customer data at checkout (my example uses the Sebenza module):

          Code:
          <mvt:item name="toolkit" param="vassign|ip|remote_addr" />
          <input type="hidden" name="add7" value=" IP: &mvt:global:ip; ">
          Now you'll have the IP along with the order.

          Open your main .htaccess file and add this to the top.
          Add a new deny line for each new IP address.

          Code:
          #ban IP addresses
          <Limit GET POST>
          order allow,deny
          ### start blocked IP list ###
          	deny from 148.64.162.254
          	deny from 58.187.99.122
          	deny from 85.12.64.149
          ### end blocked IP list ###
          allow from all
          </Limit>
          There's 3 to get you started.

          Dynamic Drive has a nice tool to help you write the code if you like:
          http://tools.dynamicdrive.com/userban/

          Good luck
          CP
          Colin Puttick
          Miva Web Developer @ Glendale Designs

          Comment


            #6
            Re: Influx of stolen credit card "testing"

            Originally Posted by aarcmedia
            So no one will likely help you remedy this (not even your web host),
            I guess that depends on what kind of web host you have. :-)
            It also depends on the payment gateway you have as well.

            One of the reasons we got directly into the payment business was we wanted to be able to control the experience our customers had and do our best to protect them from the predatory capitalism mentioned earlier.

            The new Miva Merchant Payment gateway comes with Velocity settings built in (free of charge), which default to on, limiting someone to 100 transactions an hour. The setting can be adjusted by the user and raised or lowered to more closely match their peak volume.

            When it comes to this type of credit card fraud, once they realize they can only test a handful of cards before getting all decline messages, they'll most likely move on to a more vulnerable source.

            Most other gateways charge extra for this type of fraud protection and then profiteer when the merchant gets defrauded.
            Thanks,

            Rick Wilson
            CEO
            Miva, Inc.
            https://www.miva.com

            Comment
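A velocity limit of the kind post #6 describes, as an added example that is not the gateway's own code: a sliding one-hour window that stops forwarding payment attempts once a key has reached its limit. Keying on client IP, the limit of 5 and the sample attempts are assumptions made for illustration.

```python
from collections import defaultdict, deque


class VelocityLimiter:
    """Allow at most `limit` attempts per key within a sliding time window."""

    def __init__(self, limit, window_seconds=3600):
        self.limit = limit
        self.window = window_seconds
        self.seen = defaultdict(deque)  # key -> timestamps of forwarded attempts

    def allow(self, key, now):
        q = self.seen[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= self.limit:
            return False  # over the limit: do not forward to the gateway
        q.append(now)
        return True


# Constructed sample: (seconds since start, client IP). One address submits
# eight attempts in just over a minute, another behaves like a normal shopper.
ATTEMPTS = [(t, "192.0.2.10") for t in range(0, 80, 10)]
ATTEMPTS += [(0, "198.51.100.7"), (1800, "198.51.100.7"), (3605, "192.0.2.10")]


def replay(attempts, limit, window_seconds=3600):
    """Replay attempts in time order; return {ip: attempts refused}."""
    limiter = VelocityLimiter(limit, window_seconds)
    refused = defaultdict(int)
    for ts, ip in sorted(attempts):
        if not limiter.allow(ip, ts):
            refused[ip] += 1
    return dict(refused)


if __name__ == "__main__":
    for ip, count in replay(ATTEMPTS, limit=5).items():
        # Addresses that hit the limit are candidates for the deny list.
        print(f"{ip}: {count} attempts refused")
```

Only forwarded attempts count toward the window here, so a refused attempt does not extend the lockout; the attempt at 3605 seconds is accepted because the oldest entry has expired.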


              #7
              Re: Influx of stolen credit card "testing"

              Just as a side note, "predatory capitalism" for the credit card industry came about from 3 Supreme Court decisions.

              The first decision stated that States do not have the right to enforce interest rate regulations.
              Usury Laws Unenforceable

              The second stated that States cannot regulate credit card fees.
              Credit Fees Unenforceable

              The third states that States cannot enforce consumer protection laws.
              Consumer Protection Laws Unenforceable

              The end result is a predatory credit industry that is unregulated, and furthermore any attempt for a State to regulate them and protect consumers is illegal, according to the Supreme Court.

              Supreme Court Justice Sandra Day O'Connor "resigned" just one day after dissenting in a court ruling calling it the "most corrupt decision in the history of American jurisprudence". The ruling gives corporations the power to seize private property for their own uses.
              http://www.law.cornell.edu/supct/html/04-108.ZD.html

              Stay tuned ... I feel like there's more fireworks coming in the credit industry after the next national election. Also watch out for an attempt to impeach a supreme court justice, or at least force a retirement or two under threat of impeachment.

              Okay, I'm done ranting at the credit folks. Gotta get back to work. :D
              Steve Strickland
              972-227-2065

              Comment
