I use this exact method for fraud detection. 99% of the time, carders will simply load up a proxy in Firefox/Chrome (usually a SOCKS5) and fire away. They typically don't tunnel their whole connection through the proxy, just their browser.
If their request IP doesn't match up with this IP, there's a very high chance that the order is fraudulent.
Interesting. We check to see if the JavaScript timezone matches GeoIP and/or the billing/shipping address. Also, canvas fingerprinting works well. Lastly, measuring latency is another good one, since you can't cheat the speed of light.
GeoIPing billing/shipping is always a good idea, but there are plenty of use cases (particularly depending on what industry you're in) where that will throw false red flags, e.g. a corporate card registered to a corporate office, etc. Unfortunately, it's also very trivial for a carder to find a SOCKS proxy that geolocates back to the card's billing address.
As much as I'm happy that you're able to detect fraudulent transactions, I am really disappointed that there's not a Content Security Policy rule to prevent WebRTC :-(
Another useful heuristic is to check if the client is coming in from a public Tor exit. YMMV depending on the nature of goods being sold, but in our case not a single legit purchase came in this way and nearly all fraudulent purchases were through Tor.
If you -- or anyone reading this -- needs any help on identifying fraudulent transactions, preventing fraudulent transactions, etc., I'm always available. The one bright spot of having the history that I unfortunately do is that, now that I'm on the "good side", I can help companies prevent this from happening. Since I wrote the book, I can help better than, say, MaxMind can (I'm biased).
Not that I'm an expert, but I think only amateurs would be so foolish. Nearly all open proxies out there forward the client's real IP in the HTTP X-Forwarded-For header.
What they'll do is buy from a proxy shop, usually someone(s) with a botnet and a lot of clients on that botnet, so the IPs are residential. vip72.com is a popular one. They do provide a client which will allow you to tunnel your entire system through the proxy, but it's not required for use (and some people are wary of it).
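The checks the commenters above describe (WebRTC-leaked IP vs. request IP, X-Forwarded-For, JavaScript timezone vs. GeoIP, GeoIP country vs. billing country, and Tor exit nodes) pulled together into one server-side scoring function. This is an added example, not code from anyone in this thread or from MaxMind; the GEOIP table and TOR_EXITS set are constructed stand-ins for a real GeoIP database and the public exit-node list, the Order fields are an assumed shape for what the checkout page posts back, and the sample IPs are documentation ranges, not real hosts.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a GeoIP lookup: ip -> (country, IANA timezone).
GEOIP = {
    "203.0.113.10": ("US", "America/New_York"),
    "198.51.100.7": ("DE", "Europe/Berlin"),
    "192.0.2.55":   ("US", "America/Los_Angeles"),
}
# Constructed stand-in for the public Tor exit-node list.
TOR_EXITS = {"192.0.2.55"}

# Addresses the browser may report via WebRTC that say nothing about its public IP.
# Listed explicitly because the documentation ranges used as sample data above are
# themselves flagged by ipaddress.is_private, which would hide them from the check.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "fc00::/7", "fe80::/10", "::1/128",
)]


@dataclass
class Order:
    # Assumed shape: what the edge server saw plus what the checkout page posted back.
    request_ip: str                 # peer address of the HTTP connection
    x_forwarded_for: str = ""       # raw header as received from the client side
    webrtc_ips: list = field(default_factory=list)  # ICE candidate addresses from the browser
    js_timezone: str = ""           # Intl.DateTimeFormat().resolvedOptions().timeZone
    billing_country: str = ""       # ISO country code from the billing address


def public_webrtc_ips(candidates):
    """Drop LAN/loopback candidates; keep anything that should match the request IP."""
    out = []
    for c in candidates:
        try:
            ip = ipaddress.ip_address(c)
        except ValueError:
            continue  # mDNS-obfuscated candidates (xxx.local) and junk are ignored
        if not any(ip in net for net in LOCAL_NETS):
            out.append(str(ip))
    return out


def score_order(order):
    """Return the list of heuristics that fired; an empty list means nothing looked off."""
    flags = []

    # Open proxies commonly append the real client address to X-Forwarded-For.
    # Assumes request_ip is the address seen at the edge with no trusted reverse
    # proxy of our own rewriting the header in between.
    hops = [h.strip() for h in order.x_forwarded_for.split(",") if h.strip()]
    if hops and hops[0] != order.request_ip:
        flags.append("xff_mismatch")

    # Browser-only proxying: STUN traffic leaves on the real interface, so the
    # public address WebRTC reports differs from the address that placed the order.
    leaked = public_webrtc_ips(order.webrtc_ips)
    if leaked and order.request_ip not in leaked:
        flags.append("webrtc_mismatch")

    # GeoIP of the request IP vs. the browser's timezone and the billing country.
    country, tz = GEOIP.get(order.request_ip, (None, None))
    if tz and order.js_timezone and order.js_timezone != tz:
        flags.append("timezone_mismatch")
    if country and order.billing_country and country != order.billing_country:
        flags.append("geo_billing_mismatch")

    # Public Tor exit: whether this is disqualifying depends on what you sell.
    if order.request_ip in TOR_EXITS:
        flags.append("tor_exit")

    return flags


if __name__ == "__main__":
    suspicious = Order(request_ip="203.0.113.10",
                       webrtc_ips=["192.168.1.20", "198.51.100.7"],
                       js_timezone="Europe/Berlin", billing_country="US")
    print(score_order(suspicious))
```

Treat the flags as inputs to a score rather than hard declines: as noted above, a corporate card registered to a head office will trip the geo/billing check on perfectly good orders, and a residential-botnet proxy with the client-side tunnel installed trips none of these.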
When I think of people using stolen credit cards to buy goods, I'm not envisaging a 'leet hacking squad... That there are highly sophisticated cyber criminals in no way implies that all - or even most - are.