I have always known there is high risk selling digital delivery items. I knew someday it would become problematic and that it was just a matter of time. Thankfully most of these transactions are instantly reviewed by Google and/or PayPal and never complete. Additionally I add each name and email addresses to the Block Buyers / Transactions list. While the percent of my fraudulent transactions remain low, the number is increasing as do my overall sales and site traffic. A few transactions have completed, but they are relativity inexpensive and not worth loosing sleep over. I would like to be proactive and share my experiences and get feedback from management and other users in similar situations. I fear this is only going to get worse which is what ultimately brought me here today.
On my site I sell a combination of stored codes and tangible items. I work from home so I am able to monitor the site and sales as they come through. Last month someone made a purchase (1 item, stored code) for $275 through PayPal with a credit card. This transaction was instantly sent to review by PayPal and as expected, the code was not sent. I did not think much of it as it is not uncommon for high dollar purchases get flagged for review. Five minutes later the same buyer made two more purchases for $27 (1 item, stored code) and $90 (1 item, stored code) in two transactions, both of which completed and codes were sent. To make a long story short, this buyer made five more separate purchases from my site only now they were buying the entire inventory for each stored code item. At this point I realized something was not right as legitimate buyers typically buy 1-3 of any given item. I immediately added the name and email address to the blocked buyers / transactions list as sales continued to come through. Each purchase totaling over $100 was instantly sent to review by PayPal and soon the buyer caught on and was keeping purchases under the review amount. Thankfully no more codes were sent because of both PayPal reviews and the block feature. They eventually gave up once the codes were no longer being sent.
The credit card belong to someone in the US and the IP address was registered somewhere in the Russian Federation. I called the credit card holder and told them what was going on and they informed me that they had just received a call from Bank of America regarding some fraudulent activity on the card. Luckily I was able to claim for myself all but one of the sent codes. After all was said and done, I ate $75 in codes and the thief ended up getting away with a whole $27 in items.
To lower the chance of this happening again, I now deny access to my website from any IP not located in the US, Canada, UK or Australia. The collateral damage is minimal as the vast majority of my customers reside in these countries. While this reduces the potential for fraud from the amateurs, it does nothing to protect against those who how to get around the system or are located inside the permitted countries.
For the past five days, my site has again been under attack by someone using PayPal and Google Checkout with multiple stolen credit cards with different names. I am certain it is the same person as the IPs for every transaction resolve to AOL dial-up. It is no coincidence that my last six purchases have been made by six different people all on AOL dial-up. It is pointless to ban dial-up IPs, so for the time being I have banned the entire AOL IP range.
Last night this person made another purchase through Google Checkout for $6.99 with another credit card and yet another name. Google checkout processed the transaction and in less than one minute canceled it due to high risk, but because it had gone through, the e-junkie system sent the stored code. I tried to claim the code for myself, but it was too late.
This is the first time I have seen anything like this and I do not know why for less than 60 seconds it was clear and processed through the e-junkie system. I’m sure they are now plotting their next heist which includes a new people pc dial-up account and this checkout flaw. I am contemplating ditching Google Checkout anyways and this may just be the final straw.
Since the first notable incident, I decided I can no longer store large quantities of codes in the e-junkie system and I no longer digital deliver higher dollar (above $20) items. Instead I now must keep only 2 or 3 of each item in the system and replenish as necessary. What steps do others take to lessen the likelihood of being ripped off or lessen the blow? What other measures are in place from an e-junkie administrative standpoint to help counter the fraud. Personally I would like to see some of the following implemented.
• Ability to set a quantity limit on stored codes regardless of quantity in inventory. This is not currently available with stored codes and while it would not prevent someone from completing multiple transactions, it would slow them down and possibly allow enough time to intervene.
• Add adjustable time delay to delivery after completed payment. It seems some transactions are not immediately flagged for review which results in items being sent right before the review. A delay could possibly allow the PayPal or Google and the credit card systems time to catch up and flag the transaction prior to e-junkie sending product.
• Ability to manually review and approve all stored code orders regardless of payment status. Similar to the Blocked Buyers / Transactions list, but for every transaction. Currently I only know who to block AFTER the fact.
