Q: catch credit card fraud ( Answered,   5 Comments )
Question  
Subject: catch credit card fraud
Category: Computers > Security
Asked by: googlefan1-ga
List Price: $8.00
Posted: 20 Aug 2002 10:43 PDT
Expires: 19 Sep 2002 10:43 PDT
Question ID: 56597
I have a small ecommerce website that sells a downloadable product
over the Internet. I accept credit cards online but can only verify
the card number and expiration date, not the name, address, or CVV2
code.
There is a guy who has been returning almost every day, and uses
stolen credit cards to download the product (which changes every day).
Whenever I block him he simply switches to another card (he has
thousands) and uses a different email address (all free accounts) and
screen name.
I tried to track his IP address but it is always different (he must be
using anonymizer or something similar). I do have a lot of personal
information he leaves behind, as well as screen names he used, email
addresses he registered with, IP addresses, and lots of stolen credit
card numbers. I also have the URL of his personal website, and I even
know what he looks like!
My question is:  is there something that can be done to stop this guy?
He returns to my website almost every day for months now, and the FBI
won't do a thing about it (I contacted them several times in the
past). He caused overall damage of thousands of dollars so far, and it
goes on.
Thank you.
Answer  
Subject: Re: catch credit card fraud
Answered By: lot-ga on 20 Aug 2002 17:27 PDT
 
Hello googlefan1-ga

I have a similar problem but not as severe or persistent as your guy.
Here are my suggestions:

1. Only allow purchases to customers who use an ISP email address.
(supplied by their internet provider) 
- this prevents people hiding behind hotmail or yahoo type free email
addresses. (Also reject email addresses from domain names if possible,
as I've found some fraudsters register domain names which don't
actually point anywhere for an anonymous email... and checking the
smartwhois for their domain name reveals just garbage information.
However this does cut out business domain names too and this depends
on the type of market you are in, consumer or b2b. If you can't cut out
registered domain name email addresses, you can at least check if they
are 'fake' or a 'hiding ground' for a fraudster, and be extremely
suspicious if the whois details reveal registration emails from free
Taiwanese, Indonesian or other far eastern email addresses.)
2. By logging their IP address you can track if this is the same ISP
as their email address that they have used e.g. using the smartwhois
from All Net tools
http://www.all-nettools.com/tools1.htm 
Also a non U.S. IP address will normally mean it is a suspicious
transaction
3. Do not process the transaction in real time, by all means send
email confirmation of order, but manually check out the details above
before you debit the card. Some merchant accounts let you defer the
transaction so you can verify credentials.
4. Change your credit card merchant account or bureau to one that does
support CVV2 - hassle, perhaps time consuming but at least it adds a
layer of security. Could be worthwhile switching as the more
chargebacks you get, the more likely your card acquirer will revoke
your ability to accept card payment.
5. Add the request for date of birth, so you can use it as security
check. Check online at 1800 US Search the supplied person’s age
http://www2.1800ussearch.com/search/start.cgi?adID=4010013008
(the fraudster usually uses the name on the card and will probably not
know the age of the person)
6. I find that fraudsters usually order the most expensive products
which is a sign of suspicious activity
7. They do not usually supply a full name, or it is a weird name or
handle - a sign of suspicious activity
8. Request a contact phone number, so you can perform spot checks if
needed, a fraudster will be reluctant to give a real number.
9. If you switch your merchant account to Worldpay you could also use
their WorldAlert service which is designed to combat fraud by
screening purchases
WorldPay
http://www.worldpay.com/usa/index.html
10. If you believe it is a suspicious transaction you can email them
to ask a routine security question as a ‘spot check’ like the name of
their issuing card company or to confirm their address, they usually
do not bother to reply!
11. Try to track and define the browser they are using from your
server logs, or implant more environment data on your order webpage
like they do with the anonymizer test:
http://www.anonymizer.com/snoop/test_os.shtml
If you're in luck it 'may' give out a fairly unique identification.
If he is using anonymous proxies or anonymizer type services this will
be invisible of course.

Unfortunately it will involve some manual work, but as you said you
are a small e-commerce site so this shouldn’t be too excessive. If
this guy finds out your site is not an easy target anymore, he will
move on. As he seems to be the main root of your problems if he’s gone
then you can revert back to automated transactions.

I’m surprised you have the URL of his personal website and even more
surprised you know what he looks like! I suppose you have already
done a smartwhois check on his domain name (that is if he has his own
domain name). If he is using his ISP free webspace you might be able
to file a complaint to his ISP. If he is using free webspace then that
will be tricky.

I hope that helps in some way,
if you need any clarification, just ask!
kind regards
lot-ga
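
The checks in points 1, 2, 6, 7 and 8 of the answer, combined with the deferred processing of point 3, as an added Python example (not part of the original answer). The free-mail list, weights, threshold, field names and sample orders are constructed, and the IP country and ISP are assumed to come from a whois lookup done elsewhere.

```python
from dataclasses import dataclass

# Assumptions: tune the list, the weights and the threshold to your own order history.
FREE_MAIL = {"hotmail.com", "yahoo.com"}
REVIEW_THRESHOLD = 3

@dataclass
class Order:
    name: str
    email: str
    phone: str
    ip_country: str     # country of the client IP, from a whois lookup
    ip_isp_domain: str  # ISP that owns the client IP, from the same lookup
    price: float

def risk_signals(order, top_price):
    """Return (signal, weight) pairs for the checks listed in the answer."""
    signals = []
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL:
        signals.append(("free e-mail account", 2))
    elif domain != order.ip_isp_domain.lower():
        signals.append(("e-mail domain is not the ISP of the client IP", 1))
    if order.ip_country != "US":
        signals.append(("non-U.S. IP address", 2))
    if order.price >= top_price:
        signals.append(("most expensive product", 1))
    if len(order.name.split()) < 2:
        signals.append(("no full name", 1))
    if not any(ch.isdigit() for ch in order.phone):
        signals.append(("no contact phone number", 1))
    return signals

def decide(order, top_price):
    """Nothing is debited in real time: every order is confirmed by e-mail,
    and orders at or above the threshold wait for a manual check."""
    signals = risk_signals(order, top_price)
    score = sum(weight for _, weight in signals)
    action = ("hold_for_manual_review" if score >= REVIEW_THRESHOLD
              else "capture_after_confirmation")
    return action, score, [name for name, _ in signals]

# Constructed sample orders.
ORDERS = [
    Order("Jane Doe", "jane@example-isp.net", "555-0100", "US", "example-isp.net", 19.0),
    Order("xx99", "xx99@hotmail.com", "", "DE", "proxy.example", 99.0),
]

if __name__ == "__main__":
    for order in ORDERS:
        print(order.email, decide(order, top_price=99.0))
```

Returning the list of signals alongside the score lets whoever does the manual check see why an order was held.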
Comments  
Subject: Re: catch credit card fraud
From: davidsar-ga on 20 Aug 2002 13:30 PDT
 
Why not ask for the CVV2 number, even if you can't confirm it.  It may
dissuade crooks from using credit card numbers at your site if they
don't have a CVV2 code as well.
Subject: Re: catch credit card fraud
From: infosecguy-ga on 21 Aug 2002 06:27 PDT
 
Hi

Did you try contacting the Secret service?  They also handle computer
crimes.
Also, have you contacted the credit card companies?  They are the ones
who are also losing money, they may have more of a pull.  You can set
up a sniffer such as snort and figure out where this guy is coming
from (since he's using TCP traffic for web traffic) then do a tracert
to his address, find out who the ISP is and send off an e-mail to
abuse@ISP.com (where ISP is the ISP's domain).

Oh,

One other thing. If he's causing that much trouble, you can hire a
consulting firm that specializes in security to try and track him
down. Of course if it's going to cost you more for the consulting firm
than what he's costing YOU in damages this isn't a good idea.
Subject: Re: catch credit card fraud
From: paz-ga on 21 Aug 2002 10:33 PDT
 
You may also consider upgrading your credit card processing
software/provider.  There are 3rd party providers that integrate
relatively easily with small ecommerce sites.  Validating the credit
card number (I assume you actually validate that the number and exp
date are valid rather than just use a Mod 10 algorithm that anyone
could generate 'valid' credit numbers).  One that I have run across is
http://www.2checkout.com/index.html via an on line purchase that I
made.  It appears that they check credit card number, exp date, AVS
(billing address verification), and fraud scoring (I am assuming this
since they advised to avoid using free email accounts which would
raise an orders score).  It also appears that 2checkout is very easy
to integrate into an existing site.

If you would like more info or a comparison between 3rd party
processors, I am sure a fine Google Answers researcher would be happy
to help with a follow-up question.

Also, as a last resort for enforcement, you could also try the local
authorities.  Not necessarily what they do but you may find a deputy
that would take interest and at least discourage repeat business.
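
The difference the comment above draws between a Mod 10 check and real validation, as an added Python example (not part of the original comment). The `auth` dictionary and its keys stand in for a processor's authorization, AVS and CVV2 results and are hypothetical; the card number used is a widely published test number.

```python
def luhn_valid(number):
    """Mod 10 (Luhn) checksum: catches typing errors, nothing more."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def screen_card(number, auth):
    """Decide on an order from the local checksum plus the processor's answers.

    auth is a hypothetical response: {"approved": bool, "avs_match": bool,
    "cvv2_match": bool}. Only the processor knows whether the account exists.
    """
    if not luhn_valid(number):
        return "reject_typo"        # never sent to the processor
    if not auth.get("approved"):
        return "decline"            # checksum passed, issuer said no
    if not (auth.get("avs_match") and auth.get("cvv2_match")):
        return "hold_for_review"    # authorized, but address or CVV2 mismatch
    return "accept"

if __name__ == "__main__":
    test_number = "4111 1111 1111 1111"   # published test number, passes Mod 10
    print(luhn_valid(test_number))
    print(screen_card(test_number, {"approved": False}))
    print(screen_card(test_number,
                      {"approved": True, "avs_match": False, "cvv2_match": True}))
```

A number that passes the checksum still ends in `decline` or `hold_for_review` unless the processor confirms it, which is the reason to use a provider that returns AVS and CVV2 results.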
Subject: Re: catch credit card fraud
From: paz-ga on 21 Aug 2002 10:34 PDT
 
almost forgot, http://www.2checkout.com/index.html also checks cvv2
Subject: Re: catch credit card fraud
From: metafunk-ga on 25 Jun 2004 03:40 PDT
 
Hi

If you are selling high value low volume products then it may be wise
to do offline processing using something like:

http://www.ishopbuilder.co.uk


With this method you can reject an order without incurring any losses.

I have been able to combat fraud with this method for quite some time.

Regards
G,
