PayPal fraud increasing?


dank
10-10-2003, 04:08 PM
Anyone else getting hammered by fraudulent PayPal transactions lately? This month has been alarmingly bad for me. :(

Dan

Stephen
10-10-2003, 07:35 PM
how is the fraud carried out? i thought paypal screened its customers by forcing them to provide a bank account, depositing a few cents into it, and then having the customer confirm the payments.

or is this unverified customers using credit cards? i use paypal for receiving small payments, but i don't use their service to send money, so i'm unclear on how easy it is (or not) to send a fraudulent payment.

dank
10-10-2003, 08:29 PM
I assume it's either unverified people submitting payments with stolen CC's or hijacking verified accounts. Either way, PayPal tells you to reply with all the pertinent information possible, which I dutifully did for the first couple this month, only to be told I wasted my time replying because my programs are non-tangible goods...

This may just be a temporary hiccup (of roughly 80% lost business), but if it's the sign of a growing trend, I'll have to rethink some things.

Dan

Stephen
10-10-2003, 09:25 PM
i force my customers to provide a verifiable email address by having them register. that way i can at least do some tracking if something goes wrong. and i only suggest they use paypal after i have conversed with them once or twice. that way you get a feel for their integrity. so far, no bad paypal transactions.

i have had a few bad CC transactions in the past, but as i'm in the non-tangible goods business too, i chalk those up to people testing the validity of a CC, so i'm not really out anything because they weren't potential customers anyway.

i think the more hoops you make potential customers jump through leading up to a purchase, the less bad transactions you're likely to encounter. you might worry that you'll scare them off before they make a purchase, but if they really want your software a couple of hoops are worth the effort.

dank
10-11-2003, 02:19 AM
My approach also requires a valid email address, as that's how I inform them of their account info for downloading the purchased file. I even gave that to PayPal upon request, but they gave no indication that they bothered to follow up. Being an AOL address, I can't say I would care to delve into it.

It's true that the whole non-tangible goods thing doesn't leave you out any cash (unless you get hit with chargeback fees), but a bigger concern is if the fraudulent parties are stealing the software and then redistributing it. Quite likely, given the lack of ethics already demonstrated.

Dan

phppete
10-11-2003, 10:09 AM
Hi Dan,

I just caught this thread, it's weird because last night I received my first ever PayPal 'reversal'. I sell jewellery on ebay and take PayPal, this is my first problem transaction.

I was always under the impression that once someone pays with PayPal that's it, but from a quick search I see people are trying it on and claiming they never purchased the item or other fraudulent claims.

My confidence in PayPal has now taken a down turn and if this becomes a regular pattern I will just shut my account down and customers will have to pay by personal cheques.

The value of the 'reversal' was just $30 but what eats away at me is the fact someone has ripped me off.

Seems you have been hit hard Dan, I feel for you :(

Pete

Juan G
10-11-2003, 11:44 AM
Originally posted by phppete:
(...) My confidence in PayPal has now taken a down turn and if this becomes a regular pattern I will just shut my account down and customers will have to pay by personal cheques. (...)
You may also try Kagi (http://www.kagi.com/) (Berkeley, CA), which accepts credit cards, checks, cash and money orders (over 40 currencies). They seem to be an old and reliable company for national and international payments (software and non-software products, donations...). For example, Kagi (not PayPal) is one (https://secure.futurequest.net/Billing/Payment/Kagi/) of the payment options accepted at the FQuest Payment Desk.

A thread related to online payments (or search (http://www.aota.net/forums/search.php) for more) is Can someone recommend company to process credit card purchases for my web-business? (http://www.aota.net/forums/showthread.php?threadid=12078)

Stephen
10-11-2003, 01:41 PM
i recommend conversing with your customers (when this is easy enough to do) before sending the goods. a legitimate customer will always be a little excited about their purchase, whereas someone trying to rip you off will either not reply or say virtually nothing (not reply has been my experience). if you ask them to request the item directly before purchase i think you'll see bad transactions go way down. this may not be practical for high volume sites with lots of traffic, but most merchants have low sales volume and this approach is feasible, i'd think.

if you are selling web software you can always require a domain name and a matching email address to lower the incidence of generic addresses like aol. i don't do that presently, but it might be a good idea in the future. i do reject all the common addresses like yahoo.com, hotmail.com, aol.com and the like. however, there are so many free email address portals around that this is largely fruitless.

i liked the idea of paypal because i was under the impression that paypal customers could only SEND money once they were verified. if that's not the case, a large part of what makes them attractive as a transaction agent goes away. i hope they tighten things up.

dank
10-11-2003, 02:50 PM
I use Kagi as my backup/alternative system, but the fees are quite a bit higher and the system a bit on the clunky side (an absolute bear to maintain a storefront). If it gets to the point where the PayPal system is being abused too much to be practical, I'll probably have to look to a merchant account. I don't see Kagi being good enough to completely fill the void.

if you ask them to request the item directly before purchase
Do you mean an email interaction prior to the sale? If I were a potential customer, I'd really, really have to want something (or need a question answered) to bother jumping through that extra hoop.

if you are selling web software you can always require a domain name and a matching email address to lower the incidence of generic addresses like aol.
How would you do that without your own merchant account to set the required fields?

i was under the impression that paypal customers could only SEND money once they were verified.
I believe a non-confirmed customer can still send money, but not as a CC payment. But the last fraudulent order I got was through a verified (confirmed) account, anyway. That's why I suspect hijacked accounts are increasing in frequency.

Part of what troubles me is that the bulk of my fraudulent orders have been for my secure download manager. I wouldn't be surprised to learn that it's been mentioned somewhere as a good way to distribute illegal materials of some sort, free from prying eyes. Have stolen PayPal account, will travel...

Dan

Stephen
10-11-2003, 03:31 PM
Do you mean an email interaction prior to the sale? If I were a potential customer, I'd really, really have to want something (or need a question answered) to bother jumping through that extra hoop.

for that to be off-putting to you suggests that you believe a significant portion of your customers don't really, really want your software. point is, how many people purchase your software and you never hear from them again? if the number is high, maybe you don't want to force any interaction, but then the more anonymous customers you try to attract, the higher the percentage of bad transactions you can expect.

i have my customers register before they get ahold of my software (there's a trial period), and i wrote my shopping cart, so i can make them jump through as many hoops as i want before i permit the financial transaction. i use the Cybercash system (no longer available) to submit the financial details to the banking network, and don't rely on someone else to collect customer info, like i imagine Kagi does. Cybercash was taken over by Verisign, whose system is pretty good in my opinion. i haven't transitioned to the Verisign way of doing things because i don't see the point. but i imagine most people interested in having control over the transaction process would find it fairly satisfactory. of course, you do have to get your hands dirty with coding your cart application, unless you can find an off the shelf one that does what you want. and there are probably a few around.

by the way, i really doubt that paypal will track fraudulent activities to any extent. my experience with CC companies suggests they don't care either. just issue a chargeback and forget about it is their philosophy. only the bank of the customer whose account was siphoned is likely to do anything about it, and the CC company expects you the merchant to contact the bank and follow through on the matter. who has the time?

dank
10-11-2003, 03:48 PM
for that to be off-putting to you suggests that you believe a significant portion of your customers don't really, really want your software.
No, what it means is that there are lots of alternatives out there -- many of them free -- so creating a barrier to purchasing will be too strong of a deterrent for many.

how many people purchase your software and you never hear from them again?
Quite a few. I occasionally get a very enthusiastic review, but well over 90% of the responses I get are either support or customization requests.

I've actually got my own shopping cart script as well, but it hasn't been integrated into any transaction gateways yet. Might be worth exploring in more detail before long.

the CC company expects you the merchant to contact the bank and follow through on the matter. who has the time?
Or the resources...

Dan

Stephen
10-11-2003, 05:49 PM
i sympathize with the 'free software' problem. the only hedge against that is to provide the best alternative, or concentrate on a niche market where there are few alternatives (but then you really have to raise your prices to offset the lower demand--it's a tough one, but every merchant has competition).

Syneryder
10-11-2003, 06:08 PM
Do you mean an email interaction prior to the sale? If I were a potential customer, I'd really, really have to want something (or need a question answered) to bother jumping through that extra hoop.
for that to be off-putting to you suggests that you believe a significant portion of your customers don't really, really want your software.
For what it's worth, I have had customers complain (in very strong terms) about any kind of requirement for extra email interaction. It has been made very clear to me that my customers want my software as soon as they purchase it, as in right now, and with an absolute minimum of interaction. Perhaps this is just peculiar to my circumstances, but I wasn't getting that response 2 years ago, and I'm now seeing a very strong trend to that attitude in recent months. I think online purchasing habits & expectations are changing.

At the same time, I've had customers let me know just how much they want my software (ie quite a lot :) )

dank
10-12-2003, 11:41 PM
An interesting addition: I just pulled up my last month's worth of order info from Kagi and was surprised to see a much larger number of "No Sale" transactions than normal. I typically see one or two of them a month, but the past 30 days shows:

9/14 - 2 failed attempts by a Belgium resident (1 program each time)
9/20 - 1 failed attempt by a UK resident (one 3-part program/plugin package; to be referred to as 3 programs from here on, as it shows up every time)
9/20 - 1 failed attempt by same UK resident of another program and the 3-part'er (4 programs)
9/21 - 1 failed attempt (5 programs)
9/24 - 3 failed attempts by a UK resident (7 programs each time)
9/25 - 1 failed attempt (4 programs)
10/4 - 3 failed attempts; same email but different name each time (all 11 programs)

This is a tad disconcerting. :\

Dan
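The patterns in the list above (several failed attempts in one day, one email address used with different names, a cart holding the whole catalogue) can be checked mechanically. The following is an added example, not part of the original thread or anything the posters ran; the record fields, the threshold and the sample orders are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

CATALOGUE_SIZE = 11        # the post above mentions "all 11 programs"
MAX_FAILURES_PER_DAY = 2   # assumption: one or two failures is ordinary customer trouble


def _row(day, email, name, items, ok=False):
    """Build one order-attempt record (hypothetical schema)."""
    return {"day": day, "email": email, "name": name, "items": items, "ok": ok}


# Constructed sample data loosely shaped like the monthly list in the post.
ATTEMPTS = [
    _row(date(2003, 9, 14), "be-buyer@example.com", "B. Peeters", 1),
    _row(date(2003, 9, 14), "be-buyer@example.com", "B. Peeters", 1),
    _row(date(2003, 9, 24), "uk-buyer@example.com", "J. Smith", 7),
    _row(date(2003, 9, 24), "uk-buyer@example.com", "J. Smith", 7),
    _row(date(2003, 9, 24), "uk-buyer@example.com", "J. Smith", 7),
    _row(date(2003, 10, 4), "multi@example.com", "Ann Lee", 11),
    _row(date(2003, 10, 4), "multi@example.com", "Bob Ray", 11),
    _row(date(2003, 10, 4), "multi@example.com", "Cy Dow", 11),
    # A legitimate buyer who mistyped once and then succeeded.
    _row(date(2003, 10, 6), "typo@example.com", "Dana Fox", 2),
    _row(date(2003, 10, 6), "typo@example.com", "dana  fox", 2, ok=True),
]


def _norm_name(name):
    """Case- and whitespace-insensitive form, so 'dana  fox' equals 'Dana Fox'."""
    return " ".join(name.lower().split())


def flag_attempts(attempts, max_failures_per_day=MAX_FAILURES_PER_DAY,
                  catalogue_size=CATALOGUE_SIZE):
    """Return {email: [reasons]} for addresses whose attempts look like card testing."""
    by_email = defaultdict(list)
    for a in attempts:
        by_email[a["email"].strip().lower()].append(a)

    findings = {}
    for email, rows in by_email.items():
        failed = [r for r in rows if not r["ok"]]
        reasons = []

        # Rule 1: more failed attempts in a single day than a customer normally makes.
        per_day = defaultdict(int)
        for r in failed:
            per_day[r["day"]] += 1
        if any(n > max_failures_per_day for n in per_day.values()):
            reasons.append("failure_burst")

        # Rule 2: the same email address presented under different buyer names.
        if len({_norm_name(r["name"]) for r in rows}) > 1:
            reasons.append("name_mismatch")

        # Rule 3: a failed order for the entire catalogue.
        if any(r["items"] >= catalogue_size for r in failed):
            reasons.append("full_catalogue")

        if reasons:
            findings[email] = reasons
    return findings


if __name__ == "__main__":
    for email, reasons in flag_attempts(ATTEMPTS).items():
        print(email, ", ".join(reasons))
```

Flagged addresses are candidates for manual review before a download link or licence key is issued; none of the rules proves fraud on its own.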

Juan G
10-12-2003, 11:54 PM
Dan, are there comments -on similar failed attempts- in the Kagi Authors mailing list? (Maybe I should subscribe to the list).

dank
10-13-2003, 01:15 AM
I wasn't aware there is such a list... Where do you find it?

When fraudulent orders outnumber good ones 6:1, it would be good to know if others are having the same problem. I'm beginning to have serious doubts about the long-term viability of this chosen profession of mine. :(

Dan

Juan G
10-13-2003, 01:35 AM
Dan, Syneryder knows better. You may see info on this post (http://www.aota.net/forums/showthread.php?postid=62800#post62800).

Kagi mentions the list at What other Kagi suppliers can do for you (http://faq.kagi.com/cgi-bin/WebObjects/ViewFAQs.woa/wa/specificFAQ?FAQ=partners) and another page (http://faq.kagi.com/cgi-bin/WebObjects/ViewFAQs.woa/wa/specificFAQ?FAQ=graphicsVendors). I haven't found more details on the Kagi website.

Syneryder
10-13-2003, 01:51 AM
There hasn't been anything on the Kagi list lately about increased fraud. I've found that a few failed attempts are okay (from legitimate customers having problems), then of course there's some genuine frauds. Try clicking on the links to the transaction and looking at the error code - you start to get a feel for which are good and bad codes. Off hand I don't know which is which :)

To subscribe to the list, look for details in your last Kagi Supplier News email, there's instructions towards the end (best not to publicize them). I recommend subscribing, there's useful information in there, but also a few whiners who complain whenever the slightest thing goes wrong - in my opinion things are nowhere near as bad as some list members would have you believe, Kagi has been quite a smooth ride for me.

My sales have been way up while fraud is way down lately - I've stopped marketing to download sites, almost always the source of fraud and cracks. Instead I'm using highly targeted techniques, talking with members of user groups interested in my kind of products, that sort of thing. It's working wonders for me.

Syneryder
10-13-2003, 02:04 AM
For what it's worth - I'm getting roughly 2% fraud through Kagi.

My sales are 20% search engines, 10% download sites, 10% links from other sites, 20% word of mouth and 40% from my highly targeted methods. My earnings don't quite match the sales figures - eg only 5% of earnings are from download sites, while 55% is from highly targeted methods.

dank
10-13-2003, 03:07 AM
Ah yes, I see the subscription list section. I guess I've always skimmed over that part in the past.

I just followed the instructions in the monthly message to subscribe to the list, and from the confirmation email, I can't even tell if it subscribed me or not... That pretty much sums up my experience with Kagi in general. The service is fine, but the interface and documenting is about as mysterious as joker.com.

Interesting that you do so little of your business through the download sites. Hotscripts and PHP Resource Index are my major sources of traffic and sales. I have a very strong aversion to marketing -- don't even know if there are relevant user groups -- but I might be forced to look into that.

Dan

Syneryder
10-13-2003, 12:37 PM
It surprised me too, I used to think download.com was my main source of income! Avoiding the download sites was just an experiment, but the results have been incredible. It forces you to think more about who uses your program, what they do and where you can find them.

I used to dislike marketing, but now I find it kinda fun. I approach it with two mindsets - doing the best I can for people by finding what they want and giving it to them, and the programmer's mindset of trying to optimize the performance on every variable. My aim is to be ethical & effective.

On the flip side, I tried advertising and found it to be a complete waste of time... I'm actually happy about that, I don't like ads much. I know FQ (Deb & Terra) had a policy of limited/no advertising, I'd love to ask them more about why they chose that policy and how it worked for them. Another thread, perhaps.

But back on topic, it's possible that using alternatives to the download sites may lower your fraud without affecting revenue. Can you track referrers on your fraud cases dank?

Andilinks
10-13-2003, 12:53 PM
only slightly off topic...

I used to dislike marketing, but now I find it kinda fun. I approach it with two mindsets - doing the best I can for people by finding what they want and giving it to them, and the programmer's mindset of trying to optimize the performance on every variable. My aim is to be ethical & effective.
Kohan is going to give his FQ forum buddies the first shot at his IPO, right? :)

I tried advertising and found it to be a complete waste of time...
Advertising has become lies in the public's eyes (hey, that rhymes), a victim of info overload and predatory competition. Sadly the taint of spam and telemarketing is spreading to ads in general.

...FQ (Deb & Terra) had a policy of limited/no advertising, I'd love to ask them more about why they chose that policy and how it worked for them.
Me too.
Another thread, perhaps.
Perhaps.

Andi

dank
10-13-2003, 01:15 PM
Can you track referrers on your fraud cases dank?
Possibly by IP address, but I doubt I have enough information available to put the puzzle together.

How did/do you find user groups pertaining to your programming areas? I tried searching groups.yahoo.com last night and found nothing even remotely close in the thousands of listings. %)

Dan

Andilinks
10-13-2003, 01:25 PM
Try this Dan, http://www.apcug.org/ it looks very promising, though I have no personal experience with them.

Andi

dank
10-13-2003, 01:48 PM
Thanks, but I don't see that that gets me any further. Looks to be a regional directory of general computer groups. Nothing that I can find for searching on specific topics, which is the basic problem I had with the Yahoo groups setup.

Dan

Juan G
10-13-2003, 04:04 PM
Going back to the traditional Usenet newsgroups, you may try a search at http://groups.google.com/ (800,000,000 messages currently).

Just use a special email address when posting on newsgroups. You know, that address will receive spam probably.

dank
10-13-2003, 04:31 PM
That's a much easier to use system, but it seems to be slim pickings. The closest I can find to discussions on web-based software (lots of PC-based stuff) is the announcements groups, with the best fit being:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&group=fm.announce.web

But an announcements group does me little good... That basically gets back to the ineffective advertising aspect.

Dan

Stephen
10-13-2003, 04:57 PM
ok Syneryder, spill the beans. what are you doing right that affords you that new chair?

Syneryder
10-13-2003, 06:04 PM
Hahahahah who said that I could *afford* the chair? :D You're talking to a guy who doesn't even have a car yet! Though that's partly by choice... err, or I claim it's by choice ;)

The deal with the chair is I like to dream and have crazy goals... and I also thought I had bad back problems, but I went for a check-up today (since I posted about the chair) and I've been given the all-clear. So an Aeron isn't so urgent anymore.

Syneryder
10-13-2003, 07:46 PM
How did/do you find user groups pertaining to your programming areas?

I'm sorry to hear that your Yahoo Groups search didn't turn up much, because that's where I started. One of my beta testers was in one of the groups, and so she helped spread the word without me suggesting it. When I heard the group really liked my program, and that some were having trouble affording it, I offered them a time limited discount code. At that point, sales kind of, umm, "spiked" :)

From there, I've been lucky in that the groups mainly approach me to donate prizes to competitions they run... which I do, and sometimes also offer a discount to them too (eg if they're celebrating an anniversary or something). It doesn't always have such a dramatic effect, & lately it's dropped off... but considering it increased sales by 10x the first time it's been worth it... and the emails you get after negotiating a special price with someone who genuinely can't afford it, that kinda feedback *really* makes it worthwhile.

I had a list somewhere of tips to try... it included discount coupons and GWP (Gift With Purchase, I believe?). Unfortunately I've lost the list. But they're the sorts of things I want to try... bundle packs, discounts, free gifts, cycle them around and offer them specially to some groups/magazines sometimes, other times to everyone. That kinda thing. Find email newsletters who accept news and are interested in my kinda stuff.

I probably had some more ideas too but it's 7am, I haven't slept and hence I've forgotten them all :) But generally, that's been my "secret" that worked way beyond what I expected.

dank
10-13-2003, 07:57 PM
I figured you must've stumbled across the groups somehow, because it's downright impossible to find one intentionally. :\ Oh well.

Dan

Andilinks
10-13-2003, 09:17 PM
Dan,

What keywords would your potential customers be using while they discussed a need for a program(s) like yours?

Andi

dank
10-13-2003, 09:52 PM
I was trying to think along the same lines, but they're all so general that they bring up very useless results:

web-based, calendar, download manager, secure, database backup, searchable results, etc.

In fact, most of my regular google searches for user groups along those lines yielded my own product pages at the top of the list. I guess that's what happens when you build user groups into your scripts as a primary feature. %)

If you have any better luck finding something than I did, I'm all ears...

Dan

Syneryder
10-14-2003, 04:26 AM
After I got the contact with the first group, I did then go through all the lists I could find at Yahoo. From memory there were 400 relevant lists - this was for my Photoshop plugins, so the keywords were easy to choose. I sat down one night and checked out all the lists, but skipping over anything with less than 100 members. There were at least 4 good groups I found.

Hey Dan, here's an idea from left field... have you considered offering a discount to members of the ASP (Association of Shareware Professionals) (http://www.asp-shareware.org/)? I think some of them might be interested in D-Man, and you don't have to be a member to offer a discount (http://www.asp-shareware.org/resources/memberoffer.asp). I haven't tried that yet but it's been on my to-do list a while. Using the rule of 1-percenters, it might translate to 10 sales or so (they have 1000-1500 members).

dank
10-14-2003, 04:48 AM
this was for my Photoshop plugins
I figured that was the other half of the equation. Very few of the user groups seem to deal with web based software, but lots of apps groups.

the ASP has been dedicated to the advancement of shareware, also known as try-before-you-buy software, as an alternative to conventional retail software.
I could see running into a bit of resentment over the fact that my software is not try-before-you-buy. Pretty tough to do with PHP, short of shelling hundreds of dollars to Zend and losing much of the program's customization flexibility.

I like the general idea, though.

Dan

Andilinks
10-14-2003, 09:15 AM
I was trying to think along the same lines, but they're all so general...
I didn't think there would be an easy answer, or you would have had it already. But I did need to get past that step before moving to the next, which is about these statements:

I'm beginning to have serious doubts about the long-term viability of this chosen profession of mine.

...I have a very strong aversion to marketing.
I think your aversion is to sales not marketing. Marketing is simply *identifying and reaching the market.* Sales is overcoming objections and closing the deal.

If the goal is to short-circuit the traffic from Hotscripts and PHP Resource Index, you should try to get more information from your present clients. Not a qualifying interview as Stephen suggested but maybe a few optional questions on a form during the sale to aid in future marketing. Do you have many repeat customers? Is support ever a source of add-on sales?

I am putting a lot of thought into this problem because I am analyzing the traffic to my own site--my top three search terms by a wide margin are download, free, software.

It will still be a *long* time before I actually try to capitalize on the traffic to my site, but marketing software is on my mind. Asking the right questions is just the first step.

Andi

dank
10-14-2003, 01:01 PM
I think your aversion is to sales not marketing.
I would agree with that distinction, but they're generally one and the same.

Sales is overcoming objections and closing the deal.
That part I don't necessarily agree with. I'm regarded as being quite persuasive when I want to be, but I strongly dislike self-promotion, which is what sales boil down to. When I coached, I refused to actively recruit, because I'm not fond enough of the educational system to sell anyone on the school, despite it being touted as one of the best academic schools in the NW.

The reason for the concern I expressed earlier is two-fold. 1) The web services marketplace seems to be getting sucked dry by the explosion in numbers of web designers, increase in number of people doing their own WYSIWYG design work, and the general lack of money on anyone's part to hire out. Pretty much the only design inquiries I've gotten over the past year are word of mouth. 2) The demand for technical stuff is still there, but the fraudulent activity is quickly surpassing the legitimate stuff, at least for me. That has pretty much killed the incentive (and income) the past few weeks...

Do you have many repeat customers? Is support ever a source of add-on sales?
There's a decent number of repeats, but mostly first-timers. The repeats are usually people that like the scripts enough to install them for someone else they work with. Support is always provided as part of the purchase, not an add-on.

Dan

Stephen
10-14-2003, 01:59 PM
Not a qualifying interview as Stephen suggested but maybe a few optional questions on a form during the sale to aid in future marketing.
don't forget to get their resume while you're at it. and a credit history is nice too.

optional questioning doesn't work. few bother to offer info that way. instead, when you submit your link to software lists, use an application-specific link, such as abledesign.com/dman and redirect to the appropriate page after stashing referrer info. that will tell you where they are coming from.

try before you buy is a good idea. that's what i do. i let them download the software with a trial key that expires after 30 days. it takes some brain power on your part to come up with a scheme that isn't likely to be easily got around, but if you can do it in perl (like me) you can do it in php. thus, i sell the key to people who come back to my site. and they don't come back unless they really want the software, so when they make a purchase i send a follow-up message to say hello. if they don't respond, that raises an eyebrow and i investigate them a little--i'd rather reverse the charges on a highly suspicious transaction than wait for the chargeback fee.

i checked my fraud rate. on the total number of transactions, it's about 3 percent, though some of those are repeat customers. so for first timers it's probably twice that. i also find that about 1 in 10 who download actually make a purchase. however, i'm a total loser with the marketing and not many have downloaded my software. like others in this thread, i know i'll have to come up with a better method before long.
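The referrer-stashing redirect suggested in the post above, joined with order outcomes to answer the earlier question of whether fraud cases can be traced to a referrer. This is an added example, not code from any poster; the destination page, the visitor identifier (for instance a session cookie value), the store and the sample data are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Fixed map of campaign paths to destinations. The "/dman" path is from the post;
# the destination is hypothetical. A fixed table means the redirect target never
# comes from the request, so the link cannot be abused as an open redirect.
LANDING_PAGES = {"/dman": "/products/dman.html"}

_HOST_RE = re.compile(r"[a-z0-9.-]{1,253}")


def referrer_source(referer_header):
    """Reduce an untrusted Referer header to a bare hostname safe to store and log."""
    if not referer_header:
        return "direct"
    try:
        host = urlsplit(referer_header.strip()).hostname
    except ValueError:
        host = None
    if not host or not _HOST_RE.fullmatch(host):
        return "invalid"
    return host


def landing(path, referer_header, visitor_id, store):
    """Record where the visitor came from, then redirect to the product page."""
    target = LANDING_PAGES.get(path)
    if target is None:
        return 404, None
    # First touch wins: later visits do not overwrite the original source.
    store.setdefault(visitor_id, referrer_source(referer_header))
    return 302, target


def fraud_rate_by_source(orders, store):
    """Join orders to the stored source and compute the fraud rate for each source."""
    totals = defaultdict(lambda: [0, 0])
    for order in orders:
        source = store.get(order["visitor_id"], "unknown")
        totals[source][0] += 1
        totals[source][1] += 1 if order["fraud"] else 0
    return {s: {"orders": n, "fraud": f, "rate": f / n} for s, (n, f) in totals.items()}


def demo():
    """Run constructed visits and orders through the two functions above."""
    store = {}
    landing("/dman", "HTTP://Scripts-Archive.Example/php/list", "v1", store)
    landing("/dman", "http://scripts-archive.example/top", "v2", store)
    landing("/dman", "http://usergroup.example/thread/42", "v3", store)
    landing("/dman", None, "v4", store)
    orders = [
        {"visitor_id": "v1", "fraud": True},
        {"visitor_id": "v2", "fraud": False},
        {"visitor_id": "v3", "fraud": False},
        {"visitor_id": "v4", "fraud": False},
        {"visitor_id": "v9", "fraud": True},   # never passed through the landing link
    ]
    return fraud_rate_by_source(orders, store)


if __name__ == "__main__":
    for source, stats in sorted(demo().items()):
        print(source, stats)
```

The Referer header is supplied by the client and can be blank or forged, so the per-source rates are a guide for where to look, not evidence against an individual order.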

Andilinks
10-14-2003, 04:26 PM
...optional questioning doesn't work.
I think the best you can say Stephen is that it hasn't worked for you.

I have often encountered marketing questions from very successful companies during the purchase process. The number who answer depends on what and how you ask. Those who do bother to answer are likely to give useful information for marketing and so the percentage answering doesn't matter. Depending on how robust your order stream, you can modify the questions often, experimenting with the wording, questions etc.

In any case customer feedback is valuable even if only a few offer it. This doesn't solve the fraud problem by itself but understanding the buyer better can help in many other ways. A dialog with your customer can help in developing new products, new features or in finding that your product is being used in ways you hadn't imagined. Finding markets is a puzzle that pays off in real dollars and so is worth the play.

It is possible that a single clue provided by one actual buyer can open up a large new market for you.

Andi

Syneryder
10-14-2003, 07:48 PM
I have a nearly 100% response on my optional questions during the purchase process (asking operating system and "where did you hear about us"). (Nearly is probably 70-80%... it's one metric I don't track closely).

I also had a beta testers form that had lots of demographic info that was optional, again very high rates of ppl replied. I got well over 100, maybe 120 responses to that (pretty good considering the size of my business).

dank
10-14-2003, 08:14 PM
I could maybe add a survey to my existing "thank you" page. That wouldn't necessitate a customizable cart/merchant account and would still have a decent chance of success. Basically a message saying, "while your order is being processed, please take a moment to fill out this optional survey..."

Dan

Stephen
10-14-2003, 08:44 PM
Andi, you are funny. first i get chastised for conducting "an interview" with my customers (which of course i don't do) and then i get a lecture on how conversing with them can actually provide useful business information.

hmmm. wasn't it me who suggested that communicating with your customers is a good thing? and, of course, it is :noddy:

i have to say Syneryder, it's odd that your customers strongly oppose email communication with you but at the same time are willing to cough up copious information about themselves.

either way, automatic tracking of referer info is always more accurate than a response like "i think i was one of those script archives" %)

Andilinks
10-14-2003, 08:59 PM
Andi, you are funny. first i get chastised for conducting "an interview..."
Oh no, I wasn't chastising you, not at all. I was simply distinguishing what I was suggesting from what you had suggested. I am so sorry if that sounded like criticism. Indeed I am very much in favor of customer contact, but since Dan said he had an aversion to marketing I wanted to make that distinction clear.


But I am quite ok with being funny... :ROFL:

Andi

Stephen
10-14-2003, 11:39 PM
yeah. funny is good. and no offense taken. i'm not thin skinned, believe me. just trying to figure out whether you are bi-polar :D

Andilinks
10-15-2003, 10:27 AM
whether you are bi-polar...
Not even bi-coastal though the polar Midwest winter may have me reaching for some Zoloft.

I will be thinking about software marketing today.

Andi

Juan G
10-15-2003, 10:40 AM
Originally posted by Andilinks:
I will be thinking about software marketing today.
Google Directory: Software Marketing Guides
http://directory.google.com/Top/Computers/Software/Marketing/Guides/

:QTmoney:

Andilinks
10-15-2003, 01:35 PM
Thank you Juan, that is a good page.

For me, "thinking about software marketing" means adding links and comments to my own site so I like to first use my own Copernic search bot and then check the other directories last just to be sure I didn't miss any obvious selections. Doing it in reverse order makes sub-conscious (or conscious) copying too tempting. I know the ODP directory is open source and I *could* just copy it but that has pitfalls too.

Too many directories out there are just dmoz.org clones and I like to differentiate Andilinks from them. But software marketing is a long-term project for me and I don't plan to do a comprehensive survey today, just explore some of the topics brought up in this thread. So perhaps I will begin at the Google Directory after all... :)

When Stephen reads this he's going to say I'm in my manic phase today... he he he. :bounce:

Andi

Syneryder
10-15-2003, 06:38 PM
Hey Andi, first link for ya:

http://www.dexterity.com/articles/

If you get time those articles are worth reading. I love them all, they're great stuff. Also if Joel Spolsky from Fog Creek Software (joelonsoftware.com?) has any marketing articles they'd be worthy additions too.

Syneryder
10-15-2003, 06:47 PM
i have to say Syneryder, it's odd that your customers strongly oppose email communication with you but at the same time are willing to cough up copious information about themselves.

They don't all oppose emailing me I guess. I have had general friendly chit chat emails with some select customers. But my software is try-before-you-buy, so customers already know before purchase what the software does, if it meets their needs and runs okay. So most of them just want their unlocking code ASAP - like, yesterday :) So no chit chatting in those circumstances. The only emails I get in advance are if prospective customers have problems running the software. Naturally, people oppose having to write those kinds of emails.

Andilinks
10-16-2003, 12:00 AM
After several hours on this I have only reached one firm conclusion, and that is that I will never use PayPal for anything. I had hoped that the eBay acquisition a year ago (yes, it has been a year) might have changed things but Googling +PayPal +fraud brings up enough recent nightmare stories to steer me clear of them forever.

A Google on +Paypal +fraud returns 102,000 results. The same Google on +"American Express" +fraud, 140,000. Consider that Amex bills over $100 billion/yr... eBay acquired PayPal for 1.5 billion, I can't find figures on their billings.

As for Software marketing I have come up with a lot of material, links, articles, etc. Thanks for the contributions, I will continue to work on this and post my results on my web site on the Programming and App Dev page.

If I come up with anything more that relates specifically to the issues brought up in this thread I'll post them here.


Andi

Where's that Prozac?

Syneryder
10-16-2003, 03:31 AM
Andi! You're keeping to the topic of the thread! What are you THINKING!?! %) ;)

Stephen
10-16-2003, 03:35 AM
i recommend those dexterity.com articles that Syneryder alerted us to. i've only managed to read a few of them, but i recognize the benefit of bookmarking the site and going back for more. i'm sure there are several things suggested in those articles that could double sales (or better) if applied with some degree of earnestness (i don't believe i've ever used that word before).

dank
10-16-2003, 04:29 AM
I can see I have a lot of homework to do...

Dan

dank
10-16-2003, 09:50 PM
[oops, meant to click on New Topic]

Andilinks
10-17-2003, 01:00 PM
I can see I have a lot of homework to do...

You may want to check back here from time to time:

http://www.andilinks.com/clr.htm#00125

All the links mentioned in this thread are there and I have added a few others. I don't plan to add any more today but I am going to further develop this category. I'm not sure if I want to get involved in marketing software but it remains a possibility and by adding such resources I will be both learning and attracting like-minded Googlers.

Andi

dank
10-17-2003, 01:28 PM
Will do, thanks. I think this thread will be a helpful resource (hopefully for others, as well) as I research this further.

Dan

dank
10-19-2003, 04:22 PM
Another reversed PayPal transaction today. :( Once again the download manager/plugin package. And again from a verified member. Other than being a hotmail address, nothing much I can work with as far as avoiding suspicious activity. Pretty darn frustrating.

PayPal obviously does not have their act together with regards to verifying legitimate transactions. This is 4 times now in the past month that they've allowed a transaction through, then notified me within a couple hours that it is being reversed. Rather iffy on their part.

Dan

Syneryder
10-20-2003, 02:08 AM
That's insane. Is Paypal charging you extra fees on top of this each time they reverse a transaction? Can you trace the IP addresses, any clues to country of origin or referring websites or anything?

I haven't been a fan of Paypal since the whole FQ/Paypal incident but, even I thought their fraud protection would be better than this :(

Deb
10-20-2003, 02:17 AM
Is Paypal charging you extra fees on top of this each time they reverse a transaction?
FWIW most do. Even with our own merchant account we are charged fees for chargebacks, refunds, etc...

Deb
- Not to mention the extra fee fee

dank
10-20-2003, 02:57 AM
For these immediate reversals, there doesn't seem to be extra fees involved, although they make it a bit tough to tell if the original transaction fee is being refunded (I doubt it, but I haven't bothered to calculate it). The Kagi charge backs and reversals carry some pretty hefty fees.

I have the IP addresses the fraudulent downloaders have used. I sent them to PayPal, but they didn't do anything with the info. Good idea to run them through a trace. Let's see ... here's 3 of them:

203.202.120.157 (Asia Pacific Network Information Centre ... Australia)
http://samspade.org/t/ipwhois?a=203.202.120.157

203.162.99.4 (Asia Pacific Network Information Centre)
http://samspade.org/t/ipwhois?a=203.162.99.4

192.168.10.193 (Internet Assigned Numbers Authority ... US)
http://samspade.org/t/ipwhois?a=192.168.10.193

The first two obviously trigger a red flag.

And what I can gather from the recent Kagi disallowed transactions:

http://samspade.org/t/ipwhois?a=64.46.71.194 - failed twice under different names
http://samspade.org/t/ipwhois?a=203.162.99.197 - same attempt as the above 2, but this one shows another Asia Pacific Network Information Centre location :\
http://samspade.org/t/ipwhois?a=216.13.140.59 - AT&T Canada
http://samspade.org/t/ipwhois?a=195.147.88.94 - Amsterdam

Other than that Australian location popping up repeatedly, anyone see anything in there of note?

Too bad PayPal doesn't provide info on blocked transactions. That would probably help fill in some of the pieces of the puzzle.

Dan

Syneryder
10-20-2003, 07:58 AM
Be sure not to confuse APNIC with the actual holder of the domain, they just allocate the IP address (same role as ARIN in America, and the RIPE database). Here's some other tools to use:

APNIC Whois tool (http://www.apnic.net/apnic-bin/whois.pl), tells you which organization the IP is allocated to if the IP is from the APNIC database.
RIPE whois tool (http://www.ripe.net/whois)
ARIN Whois (http://www.arin.net/tools/whois_help.html)
MaxMind GeoIP (http://www.maxmind.com/app/lookup) tells you which country the IP is currently in.

So looking more closely:

203.202.120.157 - allocated to Vietnam, known high fraud country. Paypal should never have allowed this order to go through without your approval. Even Kagi's country specific filters could have redirected this to you for manual approval.

203.202.120.157 - Australia... I'm embarrassed. It's from an education department too, small block of just 15 computers. I don't know if I would have blocked it on the info available :( I would assume this is a student using the computer or someone faking the IP... surely this can't be governmental fraud?

192.168.10.193 - MAJOR red flag. 192.168.xxx.xxx is a special IP address for home networks (I think?) so you shouldn't see that online. Looks like IP spoofing. Unless someone in Paypal itself has ripped you off, then Paypal should have rejected this because you shouldn't see that IP on the net, as far as I know.

----

Now the Kagi ones:

203.162.99.197 - Vietnam again. Login to the Kagi Supplier Database, click on the Order Approvals link on the left and make sure you've checked the box next to Vietnam (ie manually approve all orders from Vietnam). If Kagi doesn't think the order came from Vietnam ask them to consider using the MaxMind GeoIP database.

195.147.88.94 - not Amsterdam (that's the RIPE address you were looking at), it's actually from the UK.

I can't see anything distinguishing about the other IP addresses via Kagi. But it does appear you have a problem with orders from Vietnam :(

dank
10-20-2003, 11:57 PM
Thanks, that sheds a good deal of light on the situation. I went ahead and "blocked" a good deal of SE Asia in the Kagi options. Too bad PayPal doesn't have anything similar, but I'm looking at that as a band-aid and am full speed ahead on getting a cart set up in preparation for an actual merchant account.

I'm not particularly good at deciphering IP info (betcha couldn't tell!). I guess the inetnum range is a good way to tell the size of the block of computers?

Is the key to go to the Whois tool that corresponds to the IP, then query it through them to find the source, or is there a one-step way of doing it (which is what I thought I was doing at first)?

It was suggested to me that I add some sort of application/screening process for potential purchasers of my download manager so as to discourage thieves (and maybe impress legitimates ... who wouldn't want something the underground hungers for?), but I haven't come up with any real thoughts yet as to how to implement that in a practical fashion.

I won't even go near any Vietnam jokes...

Dan

Syneryder
10-21-2003, 05:42 AM
...in preparation for an actual merchant account.
Rich can probably shed more light on this, but I've heard that if your fraud rate on a merchant account is too high then Visa & Mastercard have a blacklist that they'll put you on, making it very difficult for you to get a merchant account again. That kinda stuff scares me.

I guess the inetnum range is a good way to tell the size of the block of computers?
I think so, but I'm guessing. I forgot that you can have networks of computers accessing the net through a single IP, so a 15 IP block might actually be 15 networks of 30 computers.

Is the key to go to the Whois tool that corresponds to the IP
I think so, but it's so hard to guess which tool to use. UXN Spam Combat (http://combat.uxn.com/) used to do this automatically for you. If I was doing it regularly I'd go to ARIN since most orders are from the US. If it's wrong, ARIN's results will tell you which database to query.

Personally I mainly use GeoIP or IP-to-Country (http://ip-to-country.directi.com/node/view/36) as the country is a key factor (those tools can even identify anonymizer proxies). Sam Spade's rDNS tool can help too. Whois is mainly if I'm trying to track or catch somebody, and I haven't had much luck with that.

It was suggested to me that I add some sort of application/screening process...
You could try telephoning the customer to confirm the order, but I think many customers prefer not to have to deal with that and it may cost sales - then again, I haven't tried any kind of screening.
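The lookups discussed in the posts above (recognising an address such as 192.168.10.193 that no registry can trace to a buyer, reading the inetnum range to size a block, and following ARIN's pointer to the right registry), as an added Python example that is not from any poster in this thread. Both whois responses are constructed samples using documentation address ranges and placeholder names, and the referral handling assumes the ARIN-style `ReferralServer: whois://host:port` line.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed ARIN-style response for a range ARIN does not manage itself.
ARIN_STYLE_SAMPLE = """\
# constructed sample, not a real registration
NetRange:       198.51.100.0 - 198.51.100.255
NetName:        EXAMPLE-DELEGATED
OrgName:        Example Regional Registry
ReferralServer: whois://whois.example.net:43
"""

# Constructed RIPE/APNIC-style response for a small end-user block.
RIR_STYLE_SAMPLE = """\
% constructed sample, not a real registration
inetnum:        203.0.113.16 - 203.0.113.31
netname:        EXAMPLE-SCHOOL-NET
descr:          Example Education Department
country:        ZZ
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(ip_text):
    """Label an address taken from an order or download log."""
    addr = ipaddress.ip_address(ip_text.strip())
    if any(addr in net for net in RFC1918):
        # Private space is not routed on the public Internet, so no registry
        # lookup will identify the buyer; check how the log captured the value.
        return "private"
    if (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_reserved or addr.is_unspecified):
        return "special-use"
    return "public"


def parse_whois(text):
    """Pull range, size, country and referral out of a whois response."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in "%#":      # blank or comment line
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())

    record = {"netname": fields.get("netname"), "country": fields.get("country"),
              "first": None, "last": None, "size": None, "cidrs": [],
              "referral": None}

    rng = fields.get("inetnum") or fields.get("netrange")
    if rng and "/" in rng:                           # some registries print CIDR
        net = ipaddress.ip_network(rng.strip(), strict=False)
        first, last = net[0], net[-1]
    elif rng and re.fullmatch(r"(\S+)\s*-\s*(\S+)", rng):
        lo, hi = re.fullmatch(r"(\S+)\s*-\s*(\S+)", rng).groups()
        first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    else:
        first = last = None
    if first is not None:
        # size counts addresses, not machines: one address can front a whole
        # network, as noted in the post above.
        record.update(
            first=str(first), last=str(last),
            size=int(last) - int(first) + 1,
            cidrs=[str(n) for n in
                   ipaddress.summarize_address_range(first, last)])

    referral = fields.get("referralserver")
    if referral:
        record["referral"] = urlparse(referral).hostname
    return record


def next_step(record):
    """Say whether this answer is final or another registry must be asked."""
    if record["referral"]:
        return "re-query at " + record["referral"]
    if record["size"] is None:
        return "no range found; try another registry"
    return "final: %s (%d addresses, country %s)" % (
        ", ".join(record["cidrs"]), record["size"], record["country"])


if __name__ == "__main__":
    # Addresses quoted earlier in this thread.
    for ip in ("203.202.120.157", "203.162.99.4", "192.168.10.193"):
        print(ip, "->", classify_source(ip))
    for sample in (ARIN_STYLE_SAMPLE, RIR_STYLE_SAMPLE):
        print(next_step(parse_whois(sample)))
```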

dank
10-21-2003, 01:58 PM
I've heard that if your fraud rate on a merchant account is too high then Visa & Mastercard have a blacklist that they'll put you on, making it very difficult for you to get a merchant account again.
Ugh, that's not a pleasant thought. I want to reduce fraud, not compound the effects of it...

Dan

dank
10-29-2003, 04:35 PM
Yippee, another $140 dinger of a fraudulent order chargeback from Kagi today. Only took them 9 weeks after processing the order. And Kagi had the nerve to tell me that I should consider withholding the purchased goods for a few days after the payment clears. Yeah, like that does a lot of good.

Dan

tappel
10-29-2003, 06:21 PM
Why do I get the uneasy feeling that someone is up to no good here? I sell guitar strings at my ecommerce site. The average person buys 1 or 2 sets of strings at a pop. The largest order I've gotten in 5 months has been for 7 sets. I get an email from someone looking for 120 (yes, 120!) sets of strings. I'm immediately suspicious so I ask several questions in a follow-up email. His reply answers just one (not a good sign). He claims to be an exporter located in Florida.

My question to you is this: wouldn't any reputable exporter get his strings directly from the manufacturer? Why does he want to buy from a retail site?

I think I know the answers to these questions already. It's too bad; a (legitimate) sale like this would mean about $1400 in my pocket.

Tom

Ooops! I meant to start a new thread with this post. Why can't I delete it?

dank
10-29-2003, 07:31 PM
I feel your pain. You really want to believe those large orders are legitimate, but the cost of trusting people is becoming prohibitive... Lots of bad apples on the internet. :(

I got my merchant account set up today and have started playing around with it. So far so good, but still lots to get figured out and incorporated into my system. Hopefully, in a few days I can dump Kagi and PayPal for sales and this nightmare will be a thing of the past.

Dan

Rich
10-29-2003, 08:33 PM
PayPal obviously does not have their act together with regards to verifying legitimate transactions. This is 4 times now in the past month that they've allowed a transaction through, then notified me within a couple hours that it is being reversed.
It sounds like PayPal has implemented (or "beefed-up") their fraud screening departments. You should expect this type of activity from ALL processors. You must make sure that you can screen your transactions yourself to eliminate fraudulent transactions. This is true whether you use PayPal, another third-party processor or a merchant bank.

Assuming PayPal is ACCURATELY screening the transactions and not rejecting good transactions, then this indicates that fraudulent transactions are getting by your merchant filtering and being reversed by PayPal.

Also note that an immediate reversal is always better (less costly, does not reflect against your chargeback performance, etc.) than a chargeback later.

The chargebacks represent those transactions that got by PayPal's filtering.

I've heard that if your fraud rate on a merchant account is too high then Visa & Mastercard have a blacklist that they'll put you on, making it very difficult for you to get a merchant account again.
This is a very real risk if your chargeback rate gets above 1%-2%.

As an Internet merchant, you absolutely must do whatever it takes to keep your chargeback rate below 1%.

dank
10-29-2003, 08:38 PM
I don't follow ... or you don't follow; I'm not sure which. ;)

I was referring to transactions approved by PayPal and then reversed a few hours later. I don't see that as beefed up screening, rather inadequate and inconsistent screening. They shouldn't be letting those transactions through in the first place, assuming they really are fraudulent as later claimed.

Also note that an immediate reversal is always better (less costly, does not reflect against your chargeback performance, etc.) than a chargeback later.
Agreed. But in the case of immediate delivery of software, either way stings about the same.

Dan

Syneryder
10-30-2003, 02:06 AM
I've heard that if your fraud rate on a merchant account is too high then Visa & Mastercard have a blacklist...
This is a very real risk if your chargeback rate gets above 1%-2%.
Yikes, I had a feeling those rates were impossibly low. Another reason for me to stay with Kagi, I think I'm hovering at a 1.5% rate at the moment. Guess I won't be getting a merchant account for quite a while.

Rich
10-31-2003, 01:12 AM
I was referring to transactions approved by PayPal and then reversed a few hours later. I don't see that as beefed up screening, rather inadequate and inconsistent screening. They shouldn't be letting those transactions through in the first place, assuming they really are fraudulent as later claimed.
Personally, I agree with you. However, this is not the way it works. All fraud auditing performed by banks and processors is performed only AFTER the transactions are submitted by the merchant for settlement.

dank
10-31-2003, 02:14 AM
Really? That's news to me... Certainly goes against everything I've read and been told previously. :\

If that's the case, why do they even provide automatic approval for online transactions (where fraud is the highest)? Or are you saying the fraud screening takes place a week or so down the road after the transaction clears the merchant's bank?

My understanding of the Wells Fargo RiskAssessor program I just signed up for is that it adds extra screening to the transaction process in order to let "only" (the claimed 96% figure) legitimate transactions through. If that screening still comes after the fact, then I just wasted a heck of a lot of time getting my auto payment processing download authorizations setup hacked into osCommerce...

dan

Syneryder
10-31-2003, 06:27 AM
Actually, that would explain some things. There was a case where I wrongfully declined an order, and it was rejected... but the order still appeared on the customers account. Apparently the way it works is that all orders are submitted for processing, but they can be reversed for little or no fee - it just takes some time to do so. (In the end I reapproved the order, so I don't know how long the reversal would have taken.)

That might also explain some of the behaviour in my online credit card statements - one day a transaction is there, next day it's removed (but the cash still deducted), then it's back again and revised with more details.

Rich
10-31-2003, 08:52 AM
Wow, we are getting into deep water now... :)

If that's the case, why do they even provide automatic approval for online transactions (where fraud is the highest)?
You have just discovered one of the "top ten mistakes that merchants make." Every new merchant account I have ever seen comes pre-configured to automatically approve, batch, and submit transactions for payment. This is a HUGE mistake. As a merchant, to reduce chargebacks, you must review and selectively approve every transaction that you process. You should establish the habit right now of checking your transactions every single day. Now, go turn this option off right now. :)

Or are you saying the fraud screening takes place a week or so down the road after the transaction clears the merchant's bank?
No. Stop thinking that the bank/processor is doing things to protect you! They only do (free) things to protect themselves. They CHARGE you to do things to protect you. These screenings happen within a few hours after you submit your transactions and BEFORE the transactions are actually sent to the back-end processor for final settlement. THE PROCESSOR IS NOT SCREENING YOUR TRANSACTIONS--THEY ARE SCREENING YOUR ABILITY TO DETECT FRAUDULENT TRANSACTIONS! [Every merchant should post this somewhere where they can see it every day because not understanding this principle is one of the contributing factors for a high chargeback rate.]

My understanding of the Wells Fargo RiskAssessor program I just signed up for is that it adds extra screening to the transaction process in order to let "only" (the claimed 96% figure) legitimate transactions through.
From the claims made by Wells Fargo, this sounds like an excellent tool assuming that it allows you to see both accepted and rejected transactions. Note, however, that this tool does not fall into the category of a screening tool the bank uses to improve their fraud screening techniques (although they probably USE this very same tool in their screening) but rather into the category of a tool that they CHARGE you for so you can PRE-SCREEN the transactions before the bank sees them. This difference is very subtle but it is an extremely BIG difference.

There was a case where I wrongfully declined an order, and it was rejected... but the order still appeared on the customers account.
I would investigate this situation if it happens again. This should NEVER happen. Transactions you do not approve should never, ever be submitted for settlement!!!

Syneryder
10-31-2003, 11:07 AM
Thanks for that post Rich, very clear and a good thing for me to remember :)

With the order that I didn't approve but it appeared briefly on the customer account anyway, I did ask about it. This is essentially the reply I got (I have edited it slightly):
We do not "charge" the customer before the order is approved, we simply ask the customer's bank/credit card company to authorize the funds. The funds are put "on hold" until they are fully authorized. If the order is declined by either us or the customer's issuing bank or credit card company then those funds remain on hold for about 72 hours. After 72 hours the hold is taken off the customer's account.
Any thoughts on that Rich? At the time I was satisfied with their response, but I don't know as much about these things as you.

dank
10-31-2003, 02:08 PM
You should establish the habit right now of checking your transactions every single day. Now, go turn this option off right now.
I guess that's the AUTH_CAPTURE vs. AUTH_ONLY x_type option? I don't see any setup option that controls it (still figuring out what all my Authorize.net admin area has controls for), so I'm assuming that's it.

So, your recommendation would be to set it to AUTH_ONLY and go in on a daily basis and approve/decline the transactions? This poses a major dilemma with software delivery (downloads). I'm fearful that the delays this approach necessitates will lead to more angry customers and chargebacks than the fraudulent orders that will slip through with immediate processing.

There's got to be a middle ground somewhere in there, but I'm not sure what it is. :\

Stop thinking that the bank/processor is doing things to protect you! They only do (free) things to protect themselves. They CHARGE you to do things to protect you.
I don't really see the differentiation there. I'm paying for various fraud screening services, so the net effect is that there's a supposed layer of protection there regardless of who it's actually for.

THE PROCESSOR IS NOT SCREENING YOUR TRANSACTIONS--THEY ARE SCREENING YOUR ABILITY TO DETECT FRAUDULENT TRANSACTIONS!
I'm not clear what you mean by the second part. Screening the ability to detect fraudulent transactions? Someone enters a name, address, and CC# that passes basic validity checks ... what else is there prior to submitting it to the gateway for approval? Or is this going back to not allowing purchases from certain countries as a way of pre-screening?

this sounds like an excellent tool assuming that it allows you to see both accepted and rejected transactions.
I only have test transactions so far (haven't gone live yet), and those don't get recorded, so I'm not sure. It looks like it records both, though.

Dan

Rich
10-31-2003, 03:53 PM
I believe what your customer saw was the "hold" on the funds and not an actual charge against the account. As your processor explained, these "held" funds are not available for approx. 24-72 hours (depending on back-end processing rules). Here's an example:

Credit card balance: $100
Charge at your site: $50 [new card balance = $50]
(You subsequently decline this transaction. ) [card balance still only $50]
Charge at another site: $80
(This charge is declined because the $50 is still held)
$50 hold finally released (card balance = $100 again)

Rich
10-31-2003, 04:12 PM
I guess that's the AUTH_CAPTURE vs. AUTH_ONLY x_type option?
Yes. You will probably find it set to AUTH_CAPTURE now and you want to change it to AUTH_ONLY.

This poses a major dilemma with software delivery (downloads). I'm fearful that the delays this approach necessitates will lead to more angry customers and chargebacks than the fraudulent orders that will slip through with immediate processing.
How quickly (or slowly) you fulfill (ship) your order has nothing whatsoever to do with how quickly (or slowly) you capture the funds for the transaction.

Remember, a fraudulent transaction is a fraudulent transaction regardless of how quickly or slowly you approve and ship the order. However, the more time you spend evaluating the transaction, the better chance you have of rejecting it instead of the bank reversing it or it turning into a chargeback.

I have not had a merchant get complaints from implementing a delay in processing in order to confirm that the order was non-fraudulent. However, you MUST have an excellent fulfillment process and correctly inform your customers why the delay is there and exactly when they should expect their order to be delivered. (If your customer is not receiving at least 3 emails after they have purchased a product from you, your fulfillment process may need to be reviewed for improvement.)

quote:
--------------------------------------------------------------------------------
Stop thinking that the bank/processor is doing things to protect you! They only do (free) things to protect themselves. They CHARGE you to do things to protect you.
--------------------------------------------------------------------------------

I don't really see the differentiation there. I'm paying for various fraud screening services, so the net effect is that there's a supposed layer of protection there regardless of who it's actually for.
The "net effect" is that it costs you less to reject the transaction than if the processor does it. If you decline the transaction you will not fulfill the order and the net cost is zero [or nearly so]. If the processor reverses the transaction, most of the time, you have already fulfilled the order. I believe this is a huge difference.

Someone enters a name, address, and CC# that passes basic validity checks ... what else is there prior to submitting it to the gateway for approval? Or is this going back to not allowing purchases from certain countries as a way of pre-screening?
There are LOTS of things a merchant can do to determine if the transaction is fraudulent. Checking the country of origin is just one of them. Reviewing the IP address, calling the bank or customer are a couple more of them.

dank
10-31-2003, 04:31 PM
You will probably find it set to AUTH_CAPTURE now and you want to change it to AUTH_ONLY.
Just the opposite, actually. I was a bit surprised to see that.

I'm contemplating trying to implement a dual-purpose system that would auto-process orders for all programs except those (D-Man) that have been heavily targeted by fraud. I should be able to do so within my post-transaction processing, but I'm a bit stumped on how to handle the AUTH_CAPTURE/AUTH_ONLY issue, in that case. My attempts to get purchased program info into that section of the code (necessary for conditionally setting x_type) have not met with success thus far. And without being able to conditionally set that, the whole system is a bit sketchy. I suppose I could do everything as AUTH_ONLY, auto-process the purchases likely to be legitimate, and still go into my Authorize.net admin area and manually approve them on a regular basis. But if I'm going to do that, it makes almost as much sense to not do any auto-processing period. Either way is about the same amount of work... Only advantage to the auto-processing would be if I'm away from the computer for any length of time when an order is received. Maybe I should set it up with a conditional flag that can be turned on or off easily.

More questions than answers at this point. :)

How quickly (or slowly) you fulfill (ship) your order has nothing whatsoever to do with how quickly (or slowly) you capture the funds for the transaction.
I was referring to the period after the transaction is accepted until it is processed (screened), and ultimately until it is settled with the customer's bank. Not knowing how long that process takes, I would think the delay in fulfilling/shipping the order would be equally due to awaiting immediate reversal of the transaction as to inspecting the validity of it.

There are LOTS of things a merchant can do to determine if the transaction is fraudulent. Checking the country of origin is just one of them. Reviewing the IP address, calling the bank or customer are a couple more of them.
But how many people really do all that on low ticket items? The cost to sell becomes higher than the benefit of selling...

Dan

Syneryder
11-01-2003, 12:38 AM
There are LOTS of things a merchant can do to determine if the transaction is fraudulent. Checking the country of origin is just one of them. Reviewing the IP address, calling the bank or customer are a couple more of them.
But how many people really do all that on low ticket items? The cost to sell becomes higher than the benefit of selling...

And that's why software prices are so high :) But seriously, you should be able to automate a lot of that and set thresholds for what should be sent for manual approval, let the rest continue to go through automatically. On the shareware & Kagi groups I'm hearing of more people shifting to manual approval - but there are also some people who claim to have increased sales just by offering immediate fulfillment. If you check transactions each day there should only be a 24-hour lag at most, which should be acceptable in most cases. And if a fraud does slip through your automated processing, you can always refund it ASAP to avoid the chargeback.

I guess it's a case of, if you don't screen carefully for fraud and get a 5% chargeback rate one month, is the sales benefit worth the potential blacklisting?

dank
11-01-2003, 12:43 AM
If you check transactions each day there should only be a 24-hour lag at most, which should be acceptable in most cases.
I have a really hard time believing that. When I go even a couple hours between receiving an order and processing it, I invariably have several emails asking when they will be able to receive their software. And that's despite a post-purchase message stating the local time and that order processing is done manually, so please be patient. Maybe my customers are unique from everyone else's (unlikely), but I just don't see it working.

Dan

Rich
11-02-2003, 10:53 AM
I'm contemplating trying to implement a dual-purpose system that would auto-process orders for all programs except those (D-Man) that have been heavily targeted by fraud. I should be able to do so within my post-transaction processing, but I'm a bit stumped on how to handle the AUTH_CAPTURE/AUTH_ONLY issue, in that case.
For development purposes, in addition to the AUTH_ONLY trans type, Anet also has the PRIOR_AUTH_CAPTURE type. You can use this by checking the returned AVS results (and the returned CVVx results if Anet supports them now) and then immediately issue a capture transaction and fulfill these orders. Orders that do not return approved AVS/CVVx results can then be held for manual review. This allows you to immediately deliver orders that have low probability of fraud.
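One way to express the routing described in the post above (authorize first, capture and deliver at once only when the address and card-code checks come back clean, hold everything else for manual review), as an added Python example that is not code from the thread, osCommerce or Authorize.net. The order fields, the `HOLD_PRODUCTS` and `HOLD_COUNTRIES` sets, the amount threshold and the choice of which result codes count as clean are assumptions; the single-letter AVS and card-code values are the commonly documented response codes and should be checked against the gateway's current reference.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy: only a full street-and-ZIP match counts as clean.
AVS_FULL_MATCH = {"X", "Y"}
AVS_PARTIAL = {"A", "W", "Z"}        # street only, or ZIP only
CVV_MATCH = "M"

HOLD_PRODUCTS = {"D-Man"}            # product named in the thread as heavily targeted
HOLD_COUNTRIES = {"VN"}              # assumed manual-approval list, like Kagi's
REVIEW_AMOUNT = 100.00               # assumed threshold for manual approval


@dataclass
class Decision:
    action: str                      # "capture", "hold" or "no_auth"
    next_x_type: Optional[str]       # follow-up transaction type, if any
    reasons: List[str] = field(default_factory=list)


def route_authorized_order(order):
    """Decide what to do with one order after its AUTH_ONLY response."""
    if order.get("auth_approved") is not True:
        # Nothing was authorized, so there is nothing to capture or deliver.
        return Decision("no_auth", None, ["authorization not approved"])

    reasons = []
    avs = (order.get("avs_code") or "").upper()
    cvv = (order.get("cvv_code") or "").upper()

    if not avs:
        reasons.append("AVS result missing")
    elif avs in AVS_PARTIAL:
        reasons.append("AVS partial match (%s)" % avs)
    elif avs not in AVS_FULL_MATCH:
        # Includes no-match and codes meaning the issuer could not check
        # at all; an unverifiable address is reviewed, not waved through.
        reasons.append("AVS not confirmed (%s)" % avs)

    if cvv != CVV_MATCH:
        reasons.append("card code not confirmed (%s)" % (cvv or "missing"))
    if order.get("product") in HOLD_PRODUCTS:
        reasons.append("product on manual-approval list")
    if order.get("ip_country") in HOLD_COUNTRIES:
        reasons.append("country on manual-approval list")
    if order.get("amount", 0) > REVIEW_AMOUNT:
        reasons.append("amount above review threshold")

    if reasons:
        return Decision("hold", None, reasons)
    return Decision("capture", "PRIOR_AUTH_CAPTURE", [])


def process_batch(orders):
    """Group order ids by action so delivery only follows a capture."""
    result = {"capture": [], "hold": [], "no_auth": []}
    for order in orders:
        result[route_authorized_order(order).action].append(order["id"])
    return result


# Constructed sample orders; ids, products and codes are illustrative.
SAMPLE_ORDERS = [
    {"id": "A1", "auth_approved": True, "product": "Other-Script",
     "amount": 25.00, "avs_code": "Y", "cvv_code": "M", "ip_country": "US"},
    {"id": "A2", "auth_approved": True, "product": "D-Man",
     "amount": 75.00, "avs_code": "Y", "cvv_code": "M", "ip_country": "FR"},
    {"id": "A3", "auth_approved": True, "product": "Other-Script",
     "amount": 25.00, "avs_code": "N", "cvv_code": "M", "ip_country": "US"},
    {"id": "A4", "auth_approved": True, "product": "Other-Script",
     "amount": 25.00, "avs_code": "G", "cvv_code": "P", "ip_country": "AU"},
    {"id": "A5", "auth_approved": False, "product": "Other-Script",
     "amount": 25.00, "avs_code": "", "cvv_code": "", "ip_country": "US"},
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        d = route_authorized_order(o)
        print(o["id"], d.action, d.next_x_type, "; ".join(d.reasons))
```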

Syneryder
11-03-2003, 12:30 AM
Originally posted by dank:
When I go even a couple hours between receiving an order and processing it, I invariably have several emails asking when they will be able to receive their software.
I forgot that you don't have a trial version that customers can use. That would probably account for it - my customers can continue using the trial to do work until the unlocking code arrives. But even then I did get one complaint for not shipping within two hours.

That's a good point though, the time to ship has to be part of the balance equation between fraud protection & customer service.

dank
11-03-2003, 01:18 AM
I forgot that you don't have a trial version that customers can use ... the time to ship has to be part of the balance equation between fraud protection & customer service.
Alas, that's the part that seems to be left out of the equation in all the recommendations. If only it weren't the single most important part from the customer's perspective...

Anet also has the PRIOR_AUTH_CAPTURE type. You can use this by checking the returned AVS results (and the returned CVVx results if Anet supports them now) and then immediately issue a capture transaction and fulfill these orders. Orders that do not return approved AVS/CVVx results can then be held for manual review. This allows you to immediately deliver orders that have low probability of fraud.
That's an interesting suggestion. It wouldn't be particularly easy to work into the osCommerce code from what I've seen so far, but it might open up some possibilities worth exploring.

I would need to change the x_version to 3.1 according to the documentation, which means making some changes in the osCommerce module. I'm a bit hesitant to do that, because my Authorize.net admin instructions say you cannot go back once you set it to a higher version...

Dan

dank
11-07-2003, 03:01 PM
Bittersweet morning, to say the least. I got my first order through the new cart/Anet setup (a seemingly very legitimate French order for D-Man, no less), but also got another $75 PayPal chargeback for a fraudulent order from 9/25. :( IP address from the downloading shows a Madrid, Spain location through an Amsterdam provider (?).

http://ws.arin.net/cgi-bin/whois.pl?queryinput=62.81.236.25
http://www.ripe.net/perl/whois?form_type=simple&full_query_string=&searchtext=62.81.236.25&do_search=Search

One step forward, two steps back...

Dan

Andilinks
11-07-2003, 04:12 PM
Have you done a careful search for your domain name (or other key words) to see if these fraud instructions may be posted somewhere?

It won't stop them from trying but may provide some clue for better screening.

I googled abledesign and got ~4600 results, but you'd be better able than I to scan through these to perhaps find the culprits.

If you search http://www.google.com/ie with 100 results per page it will be easier.

Andi

dank
11-07-2003, 04:55 PM
I look through that sort of stuff from time to time, but I haven't found anything of note. Mostly just script directory links to my programs and links to my free tutorials. Searching just now, I even found links to this thread!

http://softsearch.ru/programs/7-616-d-man-download.shtml

Anyone read Russian? I assume that's just another script directory, but I can't figure out any of what it's saying. I don't like that chart that looks like the dipping stock market...

Does anyone know of discussion groups where fraud targets might be discussed? That would probably be my best chance of zeroing in on what's going on. I would guess most such places wouldn't allow SE indexing, so this approach may be a fruitless one.

Someone suggested I close off my PayPal account so as to avoid more chargebacks 2 months after the fact, but I'm not sure that's a good idea for business/credit rating type stuff and the fact that all my primary email addresses are connected to it and wouldn't be re-usable for eBay stuff, direct PayPal payments by certain clients, etc.

Dan

Juan G
11-07-2003, 06:03 PM
Originally posted by dank:
http://softsearch.ru/programs/7-616-d-man-download.shtml

Anyone read Russian?
An AltaVista Babel Fish (http://babelfish.altavista.com/) link (draft quality translation) for that Russian page is the following:

http://babelfish.altavista.com/?url=http://softsearch.ru/programs/7-616-d-man-download.shtml&lp=ru_en

dank
11-07-2003, 06:12 PM
Cool, I didn't know that could translate entire pages.

Looks to be just a script directory, so no leads there.

Dan

Andilinks
11-07-2003, 06:41 PM
Does anyone know of discussion groups where fraud targets might be discussed? That would probably be my best chance of zeroing in on what's going on.
If it's not an obvious and indexed posting, I think "going undercover" to find this would be a bad idea and I would discourage it.

But if you were to do such a thing, start by googling things like "warez" and "cRaCkZ."

There are a lot of well known underground sites but I think linking them here would be a TOS violation.

Andi

dank
11-07-2003, 07:00 PM
Yeah, I wouldn't suggest posting them publicly. I had private message or email in mind.

I doubt it is anything obvious. Most likely a warez-type discussion group where people toss around ideas for stealing various things.

Dan

Andilinks
11-07-2003, 07:30 PM
Well the search I suggested will return all that I know about, I've never really gone much further than that.

Andi

Randall
11-07-2003, 08:06 PM
I dunno. Why would a gang of script kiddies target your site en masse? They only need one copy of the program to post it to a warez site or newsgroup.

Unless they get a thrill out of hitting the same ecommerce sites their buddies have already ripped off, these frauds may be unconnected.

Randall

dank
11-07-2003, 08:11 PM
That's a legitimate question, but it seems way beyond coincidental. 1/10th the frequency might pass as coincidence... It's one program being hit every time -- my second most popular one at that -- and all in a very short period of time.

This is where I wish my old AXS site logging hadn't died (called via PHP) from recent server upgrades. Until I get something new installed, I can't really track where these people are coming from.

Dan

Andilinks
11-07-2003, 08:31 PM
...these frauds may be unconnected.
If connected it is by a one-to-many relationship. Some newsgroup, message board, mailing list, etc., that has some common interest in Dan's program happens to discuss the means of the fraud as a hypothetical and then they all independently use it for the same purpose unknown to each other.

Possibly a widely visited site where the individual members don't interact much or wouldn't admit to being thieves. But when presented with the scam template they all use it.

It is the "rip-off Dan" meme, an interesting, if perplexing mystery.

Andi

Randall
11-07-2003, 09:09 PM
It's one program being hit every time -- my second most popular one at that -- and all in a very short period of time.
I see what you mean. That would be hard to explain away, unless fraud levels in general were on the rise.

Randall

dank
11-22-2003, 08:05 PM
Another Kagi chargeback today from 7/26. D-Man, of course. Sweet.

I'll be lucky if I pull half of minimum wage this month...

:(

Dan

Syneryder
11-24-2003, 03:54 AM
I know we've established that it's fraud but... you do make it clear on your site that your customers are purchasing from Kagi, right? It isn't possible that some of the chargebacks are from people who saw Kagi on their bill and thought "I didn't buy no stinkin' Kagi"? :)

I think I'm way off track (and we probably covered this already) but I thought I'd mention it.

dank
11-24-2003, 05:09 AM
Well, I no longer offer it, but it was made pretty clear, in my opinion.

"Purchase securely through Kagi..."

But yes, I can say with 99.999999999999% certainty that each of these cases was intentional fraud. They all fit the same pattern, which unfortunately did not become clear until hindsight kicked in. :\

Dan

Syneryder
11-24-2003, 10:15 PM
So you've dumped Kagi's services? OMG that's a good move, they just announced they're upping the chargeback fee to $25 for transactions after December 1st. That's a massive increase... I think there's going to be a lot of complaints about Kagi now.

dank
11-24-2003, 10:46 PM
they just announced they're upping the chargeback fee to $25 for transactions after December 1st.
I just got that email a couple minutes ago...

I haven't officially cancelled my Kagi account -- I have a negative balance as a result of all the chargebacks -- but I'm no longer directing anyone to them for purchases and don't advertise Kagi as a payment option anywhere on the site.

Glad I jumped ship when I did. That chargeback fee increase would have been a real back breaker.

Dan

dank
11-25-2003, 02:08 AM
Hey, I think I just had my first fraud attempt with the new cart and merchant account!

I was in the middle of adding some new features to my visitor tracking program, and I noticed someone was in the middle of completing the checkout after having played with the demo of one of the programs (not D-Man, for once). I watched as they followed along, right up to the payment page, then they abruptly hopped over to the contact form and I got the following a few minutes later:

i PURCHASED THE CODE FOR IMAGE DYNAMIC FRAME. Please send the code to
[@yahoo.com address]
Wow, how convincing. All caps, wrong name for the program, obviously not having followed through the checkout (it would have been made clear how the code would be delivered), and using an always suspicious email address... I double checked and no order was logged, nor was any record of a declined transaction showing up in my Authorize.net account. I wrote back saying it appears he did not complete the final checkout step and asked if there was a problem. I'll be one shocked dude if I get a reply.

Oh, and the name given looks to be SE Asian, and the address provided during checkout is Westminster, CA, Uganda. :\ Color me skeptical.

Nothing particularly interesting about the IP Address (http://ws.arin.net/cgi-bin/whois.pl?queryinput=66.14.94.178). Verizon block out of Massachusetts.

All this over an $11 program...

Dan

Rich
11-25-2003, 09:45 AM
I watched as they followed along, right up to the payment page....
Dan, I know you mentioned a few tracking programs in another thread...what program were you using for this real-time tracking?

dank
11-25-2003, 01:44 PM
Since you asked... :)

http://AbleDesign.com/programs/AbleLogger/

My motto seems to be, if I can't find anything I like ready-made, build it myself. Most of my scripts have come about that way.

Dan

dank
12-16-2003, 05:14 AM
Finally stopped a definite fraud attempt in its tracks (ridiculously obvious), and of course, it was for the old D-Man/Plugin package (roughly 100% correlation with fraud instances). The part of interest this time is that I actually have a referer, assuming it wasn't forged ... The PHP Resource Index (http://php.resourceindex.com/detail/01045.html). Can't say I expected that. Of course, that doesn't mean all the previous ones originated from there, but it does make the trend quite a bit tougher to explain. If it's more than coincidence, you wouldn't expect people to be stumbling across one listing out of many with criminal intents. Strange.

Oh, and I sent a not so friendly email to the $#@! in question. German Yahoo account used on each attempt, despite the New York address and various English names given. Although, the IP resolves to Vietnam...

Dan

Andilinks
12-16-2003, 05:34 AM
Congratulations on finally catching one, though as you say these clues seem difficult to tie into a trend...

A backlink search on the detail/01045.html page returns only another php.resourceindex.com URL. But doing more searches on keywords from the detail page may turn up a lead.

Andi

dank
12-16-2003, 05:51 AM
I don't think I'll turn up any leads on the PHP Resource Index site, as that's a perfectly valid listing (my #2 source of traffic behind HotScripts). The key would be knowing how people are arriving there, assuming there is some sort of pattern to be found.

A head scratcher, indeed. But at least I can vouch for the Wells Fargo SecureSource / Authorize.net fraud prevention!

Dan

nakulgoyal
12-21-2003, 01:25 AM
It seems frauds are everywhere. Where there is a will, there is a way. People find all possible ways of committing fraud. I use PayPal and to date it seems fine for me. Don't know what happens next. :-(

dank
12-30-2003, 03:13 PM
Well, even Wells Fargo's SecureSource isn't perfect... I just sent this note to support:

Re: Transaction #xxxxxxxxx

I just voided this transaction, as it appears to be fraudulent and made it through the fraud screening.

The IP address (219.130.21.54) resolves to China, despite the New Jersey address provided. Shouldn't the fraud screening have caught that? The email address is also a Chinese one and is someone's name clearly different than the billing/shipping name given.

The main thing that caught my attention was the user's odd behavior on the site, but the above flags clued me into something actually being wrong.

No damage was done, as I caught it before the person was able to download the software.

Does your system have an automated means of notifying card holders when a transaction has been voided because of fraud?
If anyone wants to send hate mail to the piece of $@#!, the address is james@wong.com.cn ... if nothing else, maybe some email harvester will come along, pick up the address, and spam him to death, assuming it's even a legit address with that format...

Dan
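
The mismatches dank lists in his note to support (IP country versus billing address, a country-coded email domain, a mailbox name unrelated to the billing name), written as a pre-delivery check. This is an added example, not part of the thread or of any product named in it. The order field names, the free-mail list and the two-flag threshold are assumptions, and `ip_country` is expected to come from the merchant's own geo-IP lookup.

```python
# Added example: consistency flags on an approved order, checked before
# the download is released. All field names here are hypothetical.
import re

FREE_MAIL = {"yahoo.com", "yahoo.de", "hotmail.com"}  # assumed; extend as needed
CCTLD_ALIAS = {"UK": "GB"}  # ccTLDs that differ from the ISO country code


def order_flags(order: dict) -> list:
    """Return human-readable review flags; an empty list means consistent."""
    flags = []
    bill = order["billing_country"].upper()
    ip_c = order["ip_country"].upper()
    if ip_c != bill:
        flags.append(f"IP country {ip_c} differs from billing country {bill}")
    local, _, domain = order["email"].lower().rpartition("@")
    tld = domain.rsplit(".", 1)[-1].upper()
    if len(tld) == 2 and CCTLD_ALIAS.get(tld, tld) != bill:
        flags.append(f"email ccTLD .{tld.lower()} differs from billing country {bill}")
    if domain in FREE_MAIL:
        flags.append(f"free mail provider {domain}")
    # A mailbox that contains no part of the billing name is only a weak
    # signal (role addresses, nicknames), so it feeds review, not rejection.
    parts = [p for p in re.split(r"[^a-z]+", order["billing_name"].lower())
             if len(p) >= 3]
    if parts and not any(p in local for p in parts):
        flags.append("mailbox name unrelated to billing name")
    return flags


def needs_review(order: dict, threshold: int = 2) -> bool:
    """Hold delivery for manual review once enough flags accumulate."""
    return len(order_flags(order)) >= threshold


# Constructed orders using reserved example domains, not real customers.
SUSPECT = {"billing_name": "Robert Smith", "billing_country": "US",
           "ip_country": "CN", "email": "james@mail.example.cn"}
CLEAN = {"billing_name": "Marie Dupont", "billing_country": "FR",
         "ip_country": "FR", "email": "m.dupont@example.fr"}

if __name__ == "__main__":
    for o in (SUSPECT, CLEAN):
        print(needs_review(o), order_flags(o))
```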