A user is stealing from us right now and I don’t mind

As I write this, some guy in Florida is using stolen credit cards to successfully steal tens of thousands of dollars of products from us. Or at least, that’s what he thinks he’s doing.

When someone steals, buys, or generates a credit card number with the intention of committing purchase fraud, the typical first step is determining if the card is valid. A stolen number runs the risk of being cancelled at any moment, and nothing stops a promising career in white-collar crime in its tracks quite like a decline in the Walmart checkout aisle with $5000 of merchandise in the cart.

The preferred method, then, is to run a small online transaction on each stolen card. Once you’ve found a valid card number, you re-magnetize a card and the shopping spree begins! This is why, if you’ve ever had your card stolen, you’ll almost always see a smaller test transaction at an online retailer before the large purchase at a retail store.

As an online retailer dealing in micro transactions (<$5), we have to be especially cautious about this form of credit card fraud. Most of our products aren’t especially tempting to fraudsters given their customizability (i.e. you can’t resell an Ink card) - but the low transaction amounts are ideal for testing stolen cards. Undetected fraudulent transactions result in chargebacks and rising merchant account fees.

My favorite way (by far) of combating this type of fraud is called the hellban. If you’re not familiar with the concept, it’s pretty straightforward and totally insidious: once a user is hell-banned, the site or app behaves normally for them - but none of their actions have any effect. It’s a popular method of forum moderation - if a user starts trolling your members or posting spam, you just hellban them. They’ll eventually give up on your site when no one seems to respond to their posts.

The same concept can be applied to credit card fraud prevention: a user who is hell-banned by our system (either through automated or manual means) sees their purchases go through (with some declines mixed in for realism) and receives ‘fake’ credits that let them buy products we never send. Of course, we’ve completely blocked all credit card transactions from going through at this point - protecting us from the liability of chargebacks.
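The card-testing pattern from above and the shadowed checkout it triggers, as an added Python sketch (not the store’s own code). The distinct-card threshold, the fake-decline cadence, and the gateway stub are assumed placeholders:

```python
"""Hell-ban style checkout for a micro-transaction store (illustrative, not production code)."""
from dataclasses import dataclass, field
import hashlib

CARD_TEST_THRESHOLD = 3   # assumed: distinct cards on tiny orders before an account is auto-hellbanned
FAKE_DECLINE_EVERY = 4    # assumed: every Nth shadowed charge is "declined" so the pattern looks real

@dataclass
class Account:
    user_id: str
    hellbanned: bool = False
    cards_seen: set = field(default_factory=set)
    real_credits: int = 0       # credits backed by captured money; these buy goods that ship
    shadow_credits: int = 0     # credits the hell-banned user sees; nothing behind them ever ships
    shadow_attempts: int = 0
    log: list = field(default_factory=list)   # evidence for later identification / reporting

def card_fingerprint(pan: str) -> str:
    # Never keep the PAN itself; a hash is enough to count distinct cards per account.
    return hashlib.sha256(("fp:" + pan).encode()).hexdigest()[:16]

def real_gateway_charge(pan: str, amount_cents: int) -> dict:
    # Placeholder for the payment processor call; assumed to approve in this sketch.
    return {"status": "approved", "captured": amount_cents}

def checkout(acct: Account, pan: str, amount_cents: int) -> dict:
    acct.cards_seen.add(card_fingerprint(pan))
    # Card testing looks like one account cycling through many cards on sub-$5 orders.
    if len(acct.cards_seen) >= CARD_TEST_THRESHOLD:
        acct.hellbanned = True
    if not acct.hellbanned:
        resp = real_gateway_charge(pan, amount_cents)
        if resp["status"] == "approved":
            acct.real_credits += amount_cents
        return resp
    # Hell-banned path: no card transaction is ever sent; only the visible response is faked.
    acct.shadow_attempts += 1
    acct.log.append({"user": acct.user_id, "card_fp": card_fingerprint(pan), "amount": amount_cents})
    if acct.shadow_attempts % FAKE_DECLINE_EVERY == 0:
        return {"status": "declined", "captured": 0}   # a decline mixed in for realism
    acct.shadow_credits += amount_cents
    return {"status": "approved", "captured": amount_cents}

def place_order(acct: Account, cost_cents: int) -> tuple:
    """Returns (user-visible status, ships). Hell-banned orders look identical but never ship."""
    balance = acct.shadow_credits if acct.hellbanned else acct.real_credits
    if balance < cost_cents:
        return ("insufficient_credits", False)
    if acct.hellbanned:
        acct.shadow_credits -= cost_cents
        return ("order_placed", False)
    acct.real_credits -= cost_cents
    return ("order_placed", True)
```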

Couldn’t you just delete the user account or ban their IP?

We sure could! This would effectively boot them off our system - but for how long? We are a tempting target for credit card fraudsters, and they expect to be banned for their bad behavior. They’d likely just switch to another VPN, sign up for another free account, and do it all over again, which means I now have another user account I need to hunt down and ban.

A hell-banned user as a rule sticks around for longer, all the while collecting especially poor empirical data on their credit cards. This in turn allows us to collect logs that are helpful in identifying them (and other fraudsters) in the future and reporting their activity to authorities.

Most importantly, it’s especially good sporting fun!
