Credit Card Fraud – Perspective of an online merchant.

Antair, like most online merchants, is not immune from having to deal with credit card fraud.

If you are processing your payments through a middle-man like Plimus or Shareit, a portion of the ridiculous transaction costs that you pay out are used to keep you from having to worry about such things too much. But if you’ve graduated to a proper merchant account, and are processing your own payments, credit card fraud becomes and entirely new source of headaches.

Let me take you through a typical case …

You wake up in the morning, log into your backoffice sales database, and notice a slew of overnight sales. Now this may not be atypical for your shop, except that most of the sales are coming from either the same customer e-mail address, or similar customer names.

Digging into the sale records, you see several thousand dollars worth of purchases from a customer using an obviously fake name. The e-mail address is a generic one (@yahoo, @hotmail, @mac, etc). Several different credit card numbers are used, with seemingly proper addresses, but different phone numbers. The IP address, of course, is nowhere near the physical address for the card-holder. The buying patterns for the products purchased are completely off: 64 units purchased of something which typically sells 1 to 3 units per transaction, 108 units purchased of something for which only a single unit would typically suffice for one person, and so on.

If you’re selling physical goods, you may be checking these orders manually before shipping, in which case, you’re about to lose an enormous amount of time, but probably not a lot of money. If you’re selling software, and are automatically e-mailing license keys upon proper checkout, you technically haven’t lost any money on shipping physical goods either, but get ready to lose just as much time (and you’ll probably eventually see 108 units of whatever was just purchased being sold on e-bay for 1/16th of the price you charge).

So now what do you do?

Well, first you wonder, how is it that my merchant account even let these transactions through? They may not know my selling patterns to be able to recognize fraudulent activity by sight, but surely that week I spent configuring fraud protection mechanisms with them would have been fruitful?

So you go on trying to figure out what happened…

But the credit card numbers are valid. The expiration dates are valid. The addresses match the cards. And even the credit card number security codes are valid. If any of these things were fake, those fraud protection mechanisms would surely reject the transaction. But they are all valid; meaning the credit card was probably stolen, as the thief has access to not only the card number, but the full and proper address, as well as the security code which is typically found on the reverse side of the card (useless piece of data — positional protection).

So now you’ve wasted an hour finding out that there is very little that your immediate processor could have done about it.

So you step back and think for a bit. What do I do? Several of these things came in before the daily reconciliation; meaning that they already cleared and the credit cards were charged. Several of them came in after the reconciliation, meaning they’ve not cleared yet and you can simply void those transactions without them showing up on the credit card statements. The voided ones are easy…but what do you do about the ones that went through? Do you refund those? Surely the customer would be confused upon seeing their credit card statement with a $600 transaction for an unknown product, from an unknown company, with an immediate refund for the same amount.

So what do you do now? Well … you call the issuing bank, of course.

Except the issuing bank doesn’t care! Neither does the card company itself. They either tell you to refund the transaction without justification, or they tell you to “use your best judgement”. What they don’t tell you is if this card is indeed reported as stolen, or what the proper procedure is to go about rectifying the situation.

The processor doesn’t know anything except the phone number of the issuing bank.

The issuing bank doesn’t tell you anything because the customer they just called back isn’t at home, the card hasn’t yet been reported stolen, but yes indeed, everything you tell them about the name being fake and the phone number being fake on the transaction is true. Except that they’re not going to do a damn thing about it until the customer complains.

A merchant is taking time out of his day — spending hours on the phone — not devoting time to his business — to tell you idiots that your own customer is being robbed blind. You are being provided with all the transaction details possible, down to the millisecond of the transaction, and all you can do is say “use your best judgement”? You’re a 12-billion dollar bank, don’t you have policies in place to handle this instead of routing my phone call to Bangalore and giving me some wishy-washy answer?

But what would happen if you “use your best judgement”, and decide that it’s not your problem to eye-ball each and every transaction that comes through. That if three levels of corporate checking decided that the card transaction is valid and let it through, who are you to undermine them? After all, they know better. It’s quite natural for the same named customer with different physical addresses, and 7 different cards to purchase 107 copies of the same $15 video game.

What happens is that the customer receives his statement in the mail 20 days from now, sees a transaction for something he has no knowledge of, and calls his credit card company (or, they call YOU, and YOU have to deal with them personally — because as a merchant, your phone number appears next to the transaction on the statement).

And when the customer call his credit card company, then they start caring. In fact, they go into caring overdrive, sending a team of investigators after you via phone, mail, and e-mail, with an “official open fraud case”, to try to figure out what the hell happened. And no, they don’t care that you spent half the day trying to tell them of this thing three weeks ago. All they want to do is to clear this “official open fraud case”. So now you spend more time dealing with this nonsense, at the end of which, you wind up refunding all the money anyway, and probably get hit with a charge-back fee. And what happens when your merchant bank hears of this? Well, after enough times, they’ll increase your credit card processing rates, or blacklist you entirely, and you’ll be going back to Plimus, or Shareit, or some other payment processing middle-man; out of necessity this time around.

So you give up….

Your processor is telling you to talk to the issuing bank.

The issuing bank is telling you that they can’t do anything until the customer complains.

American Express, Visa, and MasterCard themselves are telling you that they have no control over this and to talk to the issuing bank again.

So you void the pending transactions, hand out refunds for the ones that have already cleared, and get started on writing thousands of lines of new back-office code to deal with future fraud.

Your P&L statement for the day shows $5.00 profit because you made $2005.00 in proper sales, and refunded $2000.00 worth of fraudulent transactions.

… and you hope that you won’t see your products being offered on e-bay two weeks from today.

Shipley on Apple and the iPhone …

From Wil’s latest blog post … an excerpt:

“Second, Apple should announce that it’s going to write frameworks so third parties can write applications for iPods and iPhones. No, it won’t be easy. But, seriously, there’s no excuse.”

I completely agree … from a purely self-benefiting standpoint. In fact, we already have a spam_filter_iphone/ in the subversion repository right next to spam_filter_blackberry/.

What’s Antair been up to lately?

I promise this isn’t another product announcement.  We’ve had five of those this year alone — four just over the last few months.

This is a status update to let you know where Antair is right now, and where I see it going over the next few month (read, it’s a relatively slow day, and I feel like rambling on a bit).

This year has been a hectic one. Quite exciting really. Our BlackBerry spam filter product has really taken off, and Antair is now a fully functional “family supporting entity”. This tiny little company that I started and raised from nothing…a personal investment of $1000 back in January of 2005, and a self-promise to either make something out of it without adding a penny more or shut it down, has met and far exceeded all of my seemingly unrealistic expectations.

Over the course of the year, since the introduction of the spam filter (following 2 failed products), we’ve released two more versions of the spam filter, three BlackBerry games (Gavin is an uber-programmer), and a BlackBerry Call Screener program. As I’ve mentioned earlier this year, my accountant is standing firm that starting this year “releasing your revenue numbers publicly is not a good idea”. My quarterlies are due in a few days, so I guess I better listen to him. Suffice it to say, Antair is doing quite well.

From a daily workload perspective: we nearly drowned over the past few weeks/months. My wife has been helping out, and Gavin has been simply indispensible, but the core of the workload, and more importantly customer support, remains on my shoulders, and it has become an almost unbearable burden. The solution — well, believe it or not, a software solution really helped. Ian’s HelpSpot is a miracle app. I can’t say that I enjoy customer support, but at least it’s manageable now, which is several orders of magnitude better than where the situation was a few days before Antair bought a HelpSpot license (3 minute installation, by the way.) Great job Ian! Now, if Ian can just get his 2.0 out the door anytime this year, maybe we’ll be able to meet up for drinks more often than once a year. :)

From a company growth perspective: some of you may already know that we did pass on a VC funding offer a while back. In hindsight, it was a good idea. Honestly, money isn’t an issue at this point — time is the scarce resource. If I can find the time to go out and find a bigger office, that would be time well spent, and would allow me to actually hire some on-site full time devs. Both of these tasks take an incredible amount of time. The few hours a week that I can spend perusing the locals for office space are not proving to be very fruitful. Everything available is either a 100 sq ft shack, or a 10,000 sq foot store front. Honestly, why is it so difficult to find a nice, clean, networked building with a space for, say 3-5 developers working comfortably? As things stand, the situation is like a thread deadlock — can’t hire anymore developers until we upgrade the office space — can’t upgrade the office space until we hire a few more developers to allow me the time to go and find a proper office space. Something will give eventually. I just hope it’s not my sanity.

I think we’re done with BlackBerry apps for a while. I’ve been claiming for over a year now that Antair is a no-niche software company, and all along we’ve been spitting out BlackBerry dependant software. Our upcoming product line is going to be a bit more diversified. Gav and I are already about 40% done with our next game (Windows and Mac, this time around), and the next two applications will be business-focused — one purely for the large-scale enterprise space, and one for smaller, to mid-sized businesses.

Antair Releases BlackBerry Call Screener

This evening, we shipped Antair BlackBerry Call Screener. This is the sister application for our popular BlackBerry Spam Filter, and is the 5th product we shipped this year.

A brief product overview ::

The last thing you need during an important meeting, or during your well-deserved day off, is the obnoxious ringing of your BlackBerry announcing an unwelcomed phone call.

At home, your answering machine can handle those annoying unwanted calls. At the office, you may have your secretary or personal assistant field those calls without bothering you. But what about your personal BlackBerry?

Antair BlackBerry Call Screener screens incoming phone calls where it counts — directly on your BlackBerry device. With one click of the button, you can set your phone screening options, and all unwanted incoming phone calls will be automatically sent to your voicemail box without bothering you at inappropriate times.