How to protect against fraud?

Question

I have a VoIP calling company for a Russian market with a Russian website where people can sign up for an account, buy credit and make calls. My service is not even popular and I have only ~100 customers. Recently, I had around 10 fraudulent users who used stolen credit/debit card or PayPal accounts to make payments. Even though my website is in Russian, I had fraudulent customers from Somalia who purchased $50 worth of credit with stolen information. Two days later after fraudulent user signed up & used up their credit, I received email from PayPal saying that those transactions were "unauthorized (transactions)." PayPal gave me 10 days to resolve this dispute and make refunds by talking to people whose financial information was compromised. After hours of arguing and debate, I had to make refund and accept the loss. But, is this how it works? What if I had 100 fraudulent customers who purchased $1000.00 worth of credit? How can I insure myself against this? Note that my service was in Russian, what if I had English website for everyone to sign up? How do you protect your service against such things?

Some of the measures I can think of are:

1. Customer must activate their account via verification email (Already implemented)
2. Accounts are by default aren't activated, I have to manually activate them (Customers may not like this)
3. Calling the new customer at provided phone # to make sure if he really signed up (I hate this one)

All of your advises and opinions are appreciated!

Answer 1

I worked at a similar company (no names) and the only thing we could do that actually solved the problem was to have the users sign up with a credit card, billing the minimum amount from their card while generating a code that was included in their statement (a'la "VoipMaster (4711)")

They then had to look up their credit card bill (many banks let you do it pretty much immediately online) and enter that code at our site. In other words, the user had to have access to the credit card bill to sign up, not just the credit card information.

I think that pretty much stopped fraud cold, but it's hard without marketing research to tell how many valid users didn't sign up because of it.

Answer 2

Its just the pitfall of accepting online payments. You do not lose $1000 worth of money when you have to refund though. Paypal should not charge you any fee's for reversing the money and therefore you have not lost anything apart from a small amount of time.

There are some things you could do to try and prevent this happening in the first place. The biggest thing would be to chose one or more vectors and then detect any changes on those vectors. A change would then need to have a secondary authorisation.

For example you could say that if you try and use a different paypal account to the last one you used, then you must go through confirmation stage.

Another one could be that if you purchase more than a certain limit then you go through the confirmation stage.

If your IP address changes you go through the confirmation stage (not so good, but its an idea nonetheless).

The confirmation process/stage could be anything you deem suitable to ensure to the best of your ability that they are legitimate. For example you may require email confirmation from them or require them to wait 24 hours for the credit to be given (provide a phone number they can call you on to fast track maybe).

Theres no sure fire way, but the harder you make it the less it will happen. Theres hundreds of things you could do based on the simple theory i posted above. Nevermind more complex things you could possible use. At $50 a time i would assume they are using your site as a test site to ensure the details all work ok, before going on to using them for larger payments elsewhere or transferring money to there own accounts. So if you make it harder for them to do that,, they will find somewhere else to test them.