An update on fraud with PayPal

So far, so good. It will take at least 2-3 months to find out whether anything’s actually changed after switching to PayPal as the sole payment provider for new customers; stolen credit cards used without a PayPal account won’t show up on the rightful owner’s billing statement any faster. But I can say that the cart abandonment rate seems to have changed very little compared to previous weeks. It looks like that 53% that choose credit cards are perfectly happy to use those credit cards on PayPal’s site as well.

On the expected downside, fraudsters are willing to run their cards through PayPal almost as willingly as real customers. On the expected upside, PayPal puts a hold on those payments within hours, so I know about it before I’ve lost a penny. And PayPal refunds fees for reversed payments, so that protection comes at a huge savings compared to voiding large credit card charges.

I’m still running orders through my home-grown fraud scoring code, which I updated again today. The most effective factor in identifying an order as fraudulent? Passwords. It works again and again, better than address checks, IP lookups, phone number location checks, and BIN location lookups.

For example, there’s someone in Russia (I know nothing more about who it is) who continually buys advertising for sites with stolen cards. His sites usually try to forcefully install some software on a computer.. often it claims to be an adware scanner, while it’s probably adware itself. He uses different URLs, different IP addresses (always U.S. IP addresses according to MaxMind GeoIP), different U.S. billing addresses that match the credit cards with each order. But every time he creates an account, he uses the same password, and no legitimate account has ever used that password. It’s easy to pick him out and he probably has no clue how.

I wonder if IGOR takes passwords into account?