Fraud can be a very big problem for online software vendors. Fraudsters can easily use throwaway email addresses that can’t be traced back to them (e.g. Hotmail) and IP addresses aren’t difficult to hide. Not only does the vendor lose the payment when the fraud is reported, they also often get hit with a chargeback fee. This is pretty outrageous when you think about it – the credit card companies are charging vendors for the fraudulent transactions that they themselves have failed to detect.
Thankfully I have had relatively few fraudulent transactions in the last 3 years of running my own business. However some more mainstream B2C businesses aren’t as lucky. Below are the experiences of one software vendor I have corresponded with. It makes for scary reading. The vendor wishes to remain anonymous for understandable reasons.
I tracked one of our recent chargeback emails to a forum where they had been openly selling stolen credit card information for $2 each. If you do have a popular product that may be prone to chargebacks then it is a small nightmare unless you have a fraud system in place as there are 1000s of credit card info out there with full contact details. There is not a day goes by that we don’t get at least 3 stolen credit card purchase attempts.
We use WorldPay and they have a quick check on cv2 code and if the country, postal address and postcode match. But almost all of these purchases pass the simple fraud checks. You cannot even rely on IP checking as the fraudsters are pretty smart and use proxies, or even hijack PCs to make purchases from the same country the credit card is issued. PayPal is not quite as serious, but we do still receive quite a few hijacked account purchases also.
WorldPay fraud checking is next to useless. Even the ones they warn on are usually legitimate. They have recently released a new backend, but they have made the problem worse as they seem to warn if the IP address isn’t from the same country. The problem with that is we get a lot of sales that don’t match, from military based in different countries. Our whitelist used to let them go through automatically, but now we have to manually capture the payment.
The number of fraudulent purchases changes depending if you make a new release etc or if your software is hard to find an easy crack. It can be from 1% to 15% depending, as you may have a single user trying to hit you on certain days.
We were forced to make our own fraud checking system. At least we had all the information at hand as we make users sign up to our site before making a purchase and we log all activity from a user, but to get that information we had to lose many thousands of pounds in fees. Since implementing our own fraud check (as fraudsters do tend to use amazingly similar criteria each time) we have reduced it to on average 1-2 a week, which are almost impossible to catch.
I think the level of fraud has to do with the type of users we sell software to. They are the sort of people that know exactly where to find cracks/keygens. Our software does have pretty good protection and online activation, so it is not so easy to get an easy “working” crack/keygen for it. We also have large volume sales over the past few years, so we have more information than most developers would see.
The credit card companies can’t really lose, especially with “no card holder signature” sales. Chargebacks cost on average 15 Euros. I have even contacted the likes of PayPal telling them that sales are fraudulent, and quite a lot of times they do not care.
We get to see all our sales, I would hate to think what is happening at these merchant services like Regsoft etc. How many sales are being refused that may be legitimate? I tried paying a programmer once who accepted payments using Regnow from my PayPal account and they refused it. My account was verified and had been in good standing for many years. It wouldn’t have been so bad but the person I was paying did not have a clue it was refused.
So, if you have a successful consumer product that fraudsters might be interested in, be prepared to expend a significant amount of money and effort dealing with online fraud. And don’t expect the payment processors and credit card companies to give you much help. I guess the credit card companies don’t have much incentive to reduce fraud. As long as they can keep pushing the cost of fraud onto the vendors and the fraudsters don’t bring the whole system down, the credit card companies seem quite happy. Why wouldn’t they be?
I have spliced together the contents of several emails and edited it for continuity and brevity.
You know what’s really interesting for me, being in the same boat, is that you, the merchant, get charged a fee for a fraudulent transaction that they authorized!!!! How is that possible? This one still baffles me.
Not only that but it makes you think about the motivations of credit card companies. They actually make more money on fraudulent credit card purchases than normal purchases!!! The only reason they want to prevent fraudulent purchases is because they would lose all credibility otherwise and no one would use their credit cards.
So as an incentive, they only need to be good enough to keep consumer confidence at a reasonable level. Nothing more. It’s actually an economic disincentive to reduce all credit card fraud. If you do the math of the costs of 0% fraud versus the current system, you’ll see that they’re much further ahead now.
Until the motivations change (for example through legislation), there’s no motivation for credit card companies to reduce fraud any more than it already is today. That’s sad!
I was also so annoyed with this that I ended up writing an article on it a while back on my blog, Andy. If you haven’t picked it up, you can check it out at: http://www.followsteph.com/2007/04/30/why-theres-still-credit-card-fraud/
And thanks for sharing! Insane isn’t it? Especially the chargeback fees. I can accept the money being returned, but charging me for your own mistake. WOW!!!
For high fraud-attracting apps, I still wonder about a delayed activation system.
1) CC purchase results in a serial being emailed that grants 30/60 days access to the product, with perhaps a 14 day grace period.
2) After 30/60 days, the customer is required to go online to activate the product. Activation will only be available after this time, so hopefully any chargebacks will have been made, and the activation can be rejected if necessary.
Not sure how many sales you’d lose as a result, it might be worth an experiment depending on how much you’re losing to CC fraud.
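The delayed activation scheme proposed in the comment above, sketched as server-side licence state logic. This is an added example, not code from the commenter or from any vendor; the `License` fields, the state names and the reading of the 14 day grace period as a window that follows the access period are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class State(Enum):
    TRIAL = "trial"          # serial works, activation not yet offered
    GRACE = "grace"          # access period over, activation now required
    ACTIVATED = "activated"
    EXPIRED = "expired"      # grace ran out without activation
    REJECTED = "rejected"    # chargeback recorded against the order


@dataclass
class License:               # hypothetical server-side record
    purchased: date
    access_days: int = 30    # the comment suggests 30 or 60
    grace_days: int = 14
    charged_back: bool = False
    activated: bool = False

    @property
    def activation_opens(self) -> date:
        return self.purchased + timedelta(days=self.access_days)


def status(lic: License, today: date) -> State:
    if lic.charged_back:     # a chargeback overrides everything else
        return State.REJECTED
    if lic.activated:
        return State.ACTIVATED
    if today < lic.activation_opens:
        return State.TRIAL
    if today < lic.activation_opens + timedelta(days=lic.grace_days):
        return State.GRACE
    return State.EXPIRED


def try_activate(lic: License, today: date) -> State:
    """Activate only once the access period (chargeback window) has passed."""
    if status(lic, today) in (State.GRACE, State.EXPIRED):
        lic.activated = True
    return status(lic, today)
```

Because the chargeback flag is checked first, an order disputed after activation is also revoked the next time the product checks in.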
I wrote an article as a response to your post :): http://www.avangate.com/articles/online-fraud-127.htm
about some antifraud tools and also have given some numbers about fraud in general, about the average number of tools employed by the e-commerce companies.
I elaborated a little on the IP geolocation, the cardholder 3D authentication and the AVS instrument and also the problematic issue of chargebacks.
According to a 2007 Cybersource fraud report, there seems to be an alarming 4.2% order rejection rate for digital goods which I consider high, when compared to the 1.5% average rejection rate that Avangate had in 2007.
This 4.2% is explainable by the high fraud attempt rate (remember we deal with USA in the report conducted by Cybersource) or by the desire of merchants not to resort to specialized e-commerce companies, which might result in rejecting valid orders.
But yeah, in the end it is really frustrating for a merchant to be charged back when he is “not guilty”.
My 2 cents :)