I have a website where people buy and sell custom-made software online. Nothing is physically shipped to the Buyer. Let's consider a situation for an example, where a Buyer gets some custom software done, pays using Paypal, downloads the software from the website and later, after a few days, files a Dispute/Chargeback falsely stating that it was not him who made the payment (or states that he did not receive any software or any other reason).
In this case:
1. How can I, as the website owner (& on behalf of other sellers working through my website), contest this chargeback?
2. How can Paypal help me in resolving the situation?
3. We will be having all proof of correspondence online, like chat logs, conversations in private messaging, etc. available online in the website. Will this be of any help at all?
4. What can be done to make sure that Buyer is genuine when he tries to make the payment in my website?
5. What will Paypal really do when they receive such a complaint?
6. Will selling software through my website, be eligible for the Seller protection?
Looking forward to replies.
Thank you.
One other thing I should have mentioned sooner - make sure that you provide the email address of the person that downloaded the software, especially if it is the same email address of the person that's complaining. Include the IP address of the computer that the software was downloaded TO as well if you have it.
It will be pretty hard for the buyer to claim unauthorized use if his email address was used to set things up and download the software and his computer was the place the software was downloaded to - it's pretty much a "smoking gun" that he's pulling a scam. Draw notice to this fact if the emails are the same - if the buyer checks his credit card balances online, it will be pretty likely that the cc company has his IP on file - you could ask them to pull that info and check it.
Just noticed that you have posted another reply. So just wanted to address it.
It's possible that a user holds multiple emails so that's going to be a bit complicated when multiple emails are found. Same holds true for IP. User may access our website from office, while he accesses the CC website from home. In this case, IPs are going to be different. I don't mean to say that it has to be this way, but just that it's possible to see this kind of situation.
IP logging is already in place. We can extend our system to record all IPs that download the software, as you have suggested. But considering the situations mentioned above, what do you think can be a more efficient solution?
Many thanks!
@me_dev wrote:
Just noticed that you have posted another reply. So just wanted to address it.
It's possible that a user holds multiple emails so that's going to be a bit complicated when multiple emails are found. Same holds true for IP. User may access our website from office, while he accesses the CC website from home. In this case, IPs are going to be different. I don't mean to say that it has to be this way, but just that it's possible to see this kind of situation.
IP logging is already in place. We can extend our system to record all IPs that download the software, as you have suggested. But considering the situations mentioned above, what do you think can be a more efficient solution?
Many thanks!
Yes - tell the user that they may ONLY download to the computer they signed up with. Possibly provide an option for them to sign up one additional computer. Let them be responsible for how they transfer the programs around.
The idea here is to channel them into proving that they actually did authorize the transaction. If they're using the same email and the same IP address, they aren't going to be able to build a convincing case that an unauthorized user did this.
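An added example, not part of the original posts and not PayPal or site code: one way to record the email and IP address of every account event in a tamper-evident log, then summarise for a dispute whether the download email matches the complainant and which download IPs the account had used before (the office-versus-home case raised above). The key, emails, IPs, order ID and field names are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed key for this example; a real site would load it from a secret store.
LOG_KEY = b"example-only-key"


class EvidenceLog:
    """Append-only event log; each entry's MAC also covers the previous MAC,
    so editing or deleting an earlier entry breaks verification."""

    def __init__(self, key):
        self.key = key
        self.entries = []

    def _mac(self, prev_mac, record):
        payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def append(self, event, email, ip, when, order_id=None):
        # Emails are normalised so "Buyer@Example.com" and "buyer@example.com" compare equal.
        record = {"event": event, "email": email.strip().lower(),
                  "ip": ip, "when": when, "order_id": order_id}
        prev = self.entries[-1]["mac"] if self.entries else ""
        self.entries.append({"record": record, "mac": self._mac(prev, record)})

    def verify(self):
        """Recompute the chain; False if any stored record or MAC was altered."""
        prev = ""
        for entry in self.entries:
            expected = self._mac(prev, entry["record"])
            if not hmac.compare_digest(entry["mac"], expected):
                return False
            prev = entry["mac"]
        return True


def dispute_summary(log, order_id, complainant_email):
    """Summarise the email/IP evidence for one order."""
    records = [e["record"] for e in log.entries]
    order_events = [r for r in records if r["order_id"] == order_id]
    buyer_emails = {r["email"] for r in order_events}
    # IPs the same account used for anything other than downloading
    # (signup, login, payment), whether or not tied to this order.
    known_ips = {r["ip"] for r in records
                 if r["email"] in buyer_emails and r["event"] != "download"}
    download_ips = {r["ip"] for r in order_events if r["event"] == "download"}
    return {
        "log_intact": log.verify(),
        "email_matches_complainant":
            buyer_emails == {complainant_email.strip().lower()},
        "download_ips": sorted(download_ips),
        "download_ips_seen_before": sorted(download_ips & known_ips),
        "download_ips_new": sorted(download_ips - known_ips),
    }


def build_sample_log():
    """Constructed sample events: signup at home, payment and one download
    from the office, and a second download from an address not seen before."""
    log = EvidenceLog(LOG_KEY)
    log.append("signup", "buyer@example.com", "198.51.100.7",
               "2024-01-05T10:00:00Z")
    log.append("payment", "Buyer@Example.com", "203.0.113.20",
               "2024-01-06T09:30:00Z", "ORD-1001")
    log.append("download", "buyer@example.com", "203.0.113.20",
               "2024-01-20T14:02:00Z", "ORD-1001")
    log.append("download", "buyer@example.com", "192.0.2.44",
               "2024-01-20T18:45:00Z", "ORD-1001")
    return log


if __name__ == "__main__":
    summary = dispute_summary(build_sample_log(), "ORD-1001", "buyer@example.com")
    print(json.dumps(summary, indent=2))
```

A download from an IP in `download_ips_new` is not proof of anything on its own; it marks the events where the email match is the only link to the account.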
Thank you so much again, for your reply.
I guess we will wait up on implementing the stricter methods of verification but at the same time, would have to rule out the payment methods which do not provide enough safety against chargebacks. We do have some security implementations in the website which can even lead us to the location of the scam artist when we use proper channels. We will then prosecute and fine such users many-fold than the cost they have cost us in the process (includes attorney fees, etc.). That will set an example for such similar scammers and that will teach them that it's not worth it.
It's against our policy rules to implement backdoors and as such, so seller can actually write such a code and sell it to a Buyer. If it's done and the Buyer finds it and gets it to our knowledge, staff will review the information and evidence available onsite and ban and even prosecute the seller and recover costs from them related to damages. So although the idea of backdoors sounds good, they are not allowed as we don't want genuine buyers to be disappointed with such findings. I will look into the insurance thing that you mentioned about.
You are right about the trap. It cannot actually stop from committing the crime, but can possibly lead us to who is responsible for it. Also our verification system requires providing details like some form of Identification which carries the photo of the user (Driver's license, Passport, etc). Personally, do you think this is good enough?
I also hit upon another plan. Assume that we are ready to accept credit card payments. Now when we have our own processor or hire an agency to carry out the credit card processing for us, we would like to call the CC company of the user and confirm with them over the phone regarding the payment made and to see if the user has filed for a lost credit card complaint already or such. You know, just exchange information with the CC company to make sure the user is genuine.
Can we take the phone number from the CC company and call the user to confirm the payment method? This way, we will know that on the day the payment was made, the user was still in possession of the card and hence we can be sure that it was this user who made the payment. Also we will seek a verbal confirmation from this user as to the payment and ask the user some questions about the work they are getting done. So this way, a 5-10 minute conversation every time a payment is made using CC will help avoid scam users. Do you think this idea will work up to my expectations?
Look forward to your reply.
Thank you.
You are right about the trap. It cannot actually stop from committing the crime, but can possibly lead us to who is responsible for it. Also our verification system requires providing details like some form of Identification which carries the photo of the user (Driver's license, Passport, etc). Personally, do you think this is good enough?
What if the person lost his wallet with his CC and driver's licence in it?
You might try some sort of security questions on registration that the buyer has to re-answer correctly before downloading - that might work.
Too bad you can't implement the Paypal security key system - that thing is foolproof.
I also hit upon another plan. Assume that we are ready to accept credit card payments. Now when we have our own processor or hire an agency to carry out the credit card processing for us, we would like to call the CC company of the user and confirm with them over the phone regarding the payment made and to see if the user has filed for a lost credit card complaint already or such. You know, just exchange information with the CC company to make sure the user is genuine.
Privacy violation. The CC company won't disclose the information.
And, getting information on the registered card holder doesn't help you at all if it's a fraudulent card user.
Can we take the phone number from the CC company and call the user to confirm the payment method? This way, we will know that on the day the payment was made, the user was still in possession of the card and hence we can be sure that it was this user who made the payment.
Doubtful that the CC company will provide it - privacy issues again.
But you could call the registered user's phone number that YOU have to confirm that he is downloading and record the call. Since I assume it takes a while to write a program, the user would have to stick around to get it. Scammers generally like to hit and run - they get nervous when they have to wait.
Keep in mind that a lot of CC chargebacks may be done to buy the card-holder time to pay the CC balance. They file a dispute and they get 90 days of free credit while the dispute is being evaluated. You just have to put a significant barrier up to that - you likely won't face fraud from someone who has stolen the cc number because they aren't aware that the buyer has ever placed the order for software in the first place.
Make sure you read my post about the email address and the IP address above your last post - it's a critical issue, I think, and it may allow you to win the dispute.
What if the person lost his wallet with his CC and driver's licence in it?
For how long? If a user lost his CC, he would issue a stop command with this CC company. Wouldn't he? The payment would be declined. Wouldn't it?
You might try some sort of security questions on registration that the buyer has to re-answer correctly before downloading - that might work.
Very good suggestion. I think I will implement this.
Too bad you can't implement the Paypal security key system - that thing is foolproof.
What exactly is this security key system? Never heard of it!
Scammers generally like to hit and run - they get nervous when they have to wait.
Yes, but this is online, so the user is not directly exposed. That gives them courage to commit a fraud (until they are caught). Don't you think so?
They file a dispute and they get 90 days of free credit while the dispute is being evaluated. You just have to put a significant barrier up to that - you likely won't face fraud from someone who has stolen the cc number because they aren't aware that the buyer has ever placed the order for software in the first place.
You are right, we won't face a chargeback from a thief. But what if the user actually owns the card files a false chargeback?? This has been my main concern right from beginning. The software that can be sold on the website can even be a six figured $$$. So if the user gets a software done, say, for $250,000 and files a false chargeback, then the problem starts for everyone and I wanted to avoid this. Of course, we are not going to let the user get away with such a fraud. We will also take legal actions as needed. Well if that was a genuine user who really lost their card and is filing a chargeback rightfully, too bad, they should have been careful enough not to lose their CC in the first place! They may have not committed the fraud, but they would have to go through the turmoil of proving their innocence. Otherwise every card holder will resort to such means and try to get free software and this is really unacceptable.
Sellers work hard and their livelihood depends upon what they earn from selling software & we are providing a medium for this to happen. So I don't think, none of us should ever go through this. This is just a precaution against such scammers. Unfortunately, it's possible in this IT industry and some of the big websites were already targeted. So we want to be secure and keep our users secure.
Your comments?
Thanks.
For how long? If a user lost his CC, he would issue a stop command with this CC company. Wouldn't he? The payment would be declined. Wouldn't it?
Yup.
And someone that steals a credit card wouldn't know that the specialized software has been ordered or who it was ordered from, nor would they likely have any use for it - thieves buy stuff they can fence.
So the "unauthorized user" must be a family member. You might want to make this point to the CC Company - if you can reduce the number of suspects from 25,000 to 2 or 3, you're more likely to win, especially if the customer has already claimed that his card number was stolen. It would be somewhat difficult for the buyer to explain how a stranger knew to pick up and pay for the software. Stating that it was only used for this purchase isn't going to go over well with the CC Company - they also know how thieves operate.
What exactly is this security key system? Never heard of it!
The security key is a small instrument that generates a six-figure number that changes every 30 seconds. You either enter this number on a page after you enter your password or enter it tacked on to the end of your password.
The effect is that your password changes every 30 seconds. Impossible to crack.
Costs $5 - you can order it in the security center of your paypal account.
Yes, but this is online, so the user is not directly exposed. That gives them courage to commit a fraud (until they are caught). Don't you think so?
No.
Even online, scammers hit and run - their idea of long-term is measured in days, not weeks. They never know whether you've called the cops and you can trace email address instantly as well, if you're a cop - all you need is a warrant. Scammers cannot use disposable emails for obvious reasons.
That's why scammers want you to send money by Western Union - it's instant and they'll be waiting for the funds as soon as they can get them.
But what if the user actually owns the card files a false chargeback??
Well, I think that should be the next step here and for that, I need more information about this chargeback.
Who is the buyer claiming fraudulently used the card?
What sort of software is this? Business? What does it do? Is this a specialized application?
Have you Googled the person's name to see if he is involved in this type of business?
How long did it take for the software to be written?
Where exactly are you in the chargeback process? What have you submitted to Paypal so far?
I'll probably think of more questions as time goes on, but those are the immediate critical ones.
Thank you very much for your detailed reply. Please find below my responses for some of the questions:
Yes - tell the user that they may ONLY download to the computer they signed up with.
That looks like a good solution but not without its inconveniences. Say a user is at Kinko's, comes across my site, signs up for an account (only 1 account allowed per individual) to get a feel of the system. He feels comfortable, decides to get the custom software done later on. He then posts such requirement, say from his office/house, in which case, the computer used will be different. We cannot really expect user to go back to Kinkos & to the same terminal that they used, just to download the software. Can we? I am thinking we will have lots of frustrated customers by the end of the day. Do we agree here?
Possibly provide an option for them to sign up one additional computer. Let them be responsible for how they transfer the programs around.
One additional computer... it's possible that a team of users are accessing the website. Only one individual per account is the requirement but at the same time, the user is given the flexibility to represent their company and multiple users (belonging to the same company) can login from their own terminals to use the website. In this case, the option to add only additional computer restricts them.
And someone that steals a credit card wouldn't know that the specialized software has been ordered or who it was ordered from, nor would they likely have any use for it - thieves buy stuff they can fence.
Right. The thief did not know. But yet, the thief might have come across the website and planned on using the stolen credit card to order the software. So likely they seem to have an opportunity to misuse the card here and thus commit a fraud. This is what I wanted to avoid in the second place (the first place being occupied by the fact that I want to avoid a Buyer from filing a false chargeback)
So the "unauthorized user" must be a family member.
Yes. My real life observations have shown me that this is mostly either a family member or a frequent visitor. But how can that be proved?
The security key...
Will look into this.
Scammers cannot use disposable emails for obvious reasons.
Isn't this actually the other way round? It's convenient to have a disposable email when committing such fraud. Why would anyone want to use their regular email to commit fraud?
But what if the user actually owns the card files a false chargeback??
Well, I think that should be the next step here and for that, I need more information about this chargeback.
Who is the buyer claiming fraudulently used the card?
The Buyer is the actual owner of the credit card. Let's say some Buyer wishes to get a software done. He has a good intent (or a bad one, right from start). Comes to my website, finds a seller, gets the work done, pays $100,000, waits for a week or two and then files a chargeback (because the Buyer is now overcome by greed and hence a bad intent or his bad intent kicks in and wishes to keep the software/work and get back the amount he paid for it as well). $100,000 is a good amount and trying to get this back could be worth it for scammers. So this is really the main concern of my business. How to avoid such users who may appear to be genuine in the first place, but they are not. If they cannot be totally avoided, how can they be dealt with effectively, when they file for false chargebacks. Legal issues follow such cases, but I would definitely like to avoid such cases so that we can concentrate on providing and improving our services for genuine users. What to do in such a case? (I hope I was able to explain it clearly)
What sort of software is this? Business? What does it do? Is this a specialized application?
It could be any software/computer related software service that you can virtually find a use for. Yes, it could also be a specialized application. It could be an application in VB, or an e-commerce website or a next generation email service, clone of your favorite website, etc.
If you want a service like Paypal, you could request it on our website and a qualified seller will contact you (via our website) to discuss details and get the work done. The list goes on. Yes, it could be for a Business or individual use. Users pay for it so they can use it whatever way they want it.
Have you Googled the person's name to see if he is involved in this type of business?
Person's name? Sorry if I missed anything, but who is this "Person"?
How long did it take for the software to be written?
Depends entirely on the seller's quote. It could be as quick as 5 minutes - 1 hour or even few days / weeks / months. The complexity of the requirement is taken into consideration and the time taken for its completion is notified by each seller to Buyer before the Buyer can decide which seller to hire for the purpose. Once the Buyer hires a seller, he is required to make a deposit equal to the estimate provided by the seller. Once staff receives payment, seller is allowed to start work. Once the seller finishes work, he submits it to a Buyer. The Buyer can then look through the product and release the payment to the seller if all the work was finished as agreed. If any changes are required, Buyer may request seller to make them. In an event of dispute, staff will intervene & act like a judge to decide who's right and who's wrong and release the deposit amount accordingly to the winning party at the end of the dispute.
Where exactly are you in the chargeback process?
Very good question. As mentioned above, when the Buyer makes a deposit via Paypal, equal (or more) to the estimate provided by the seller, the seller is not immediately paid. Rather, the amount is held in our company's Paypal account (for all payments received via Paypal). When Buyer wishes to release payment from his side once the work is completed, then the seller gets paid from the funds in our Paypal account. So we act as a mediator/safety bank. We assure the Buyer that their deposit is safe with us and will be refunded back to them, in an event the seller does not fulfill his share of commitment. At the same time, we assure the seller that the Buyer has deposited the funds and the company is holding the funds, thereby providing a sense of security to the seller that the Buyer isn't just going to run away with the software and not pay, once the work has been delivered. The seller is asked to start working on the requirement, once the staff verifies that the amount has been deposited (in our company's Paypal account). In an event of dispute, staff conducts an Arbitration process and releases amount to the winning party or as the outcome may be. Does this make sense?
What have you submitted to Paypal so far?
I am not sure what this really means, but on a general note, all I have submitted to Paypal, are the details of the company and bank at the time of registration for a Paypal account. Our company's Paypal account will receive the amount/deposit from the Buyer and we hold the funds in our Paypal account until the work is completed and the payment is released by Buyer.
I'll probably think of more questions as time goes on, but those are the immediate critical ones.
Please do hit me with questions if anything is unclear & I will try to explain it clearly.
We cannot really expect user to go back to Kinkos & to the same terminal that they used, just to download the software. Can we?
No, that's impractical. But you can require him to sign up a new account on the computer where he intends to download if he's going to be spending 4, 5 or 6 figures on software, I think that's quite reasonable. And, if it's reasonable for larger amounts, it's reasonable for smaller ones as well.
Perhaps 2 levels of accounts should be required - a browsing account and a buying account. ebay does something like that - you can sign in as a guest, search for items, watch items, do everything but buy, sell and participate in the forums without activating an account. When you're ready to buy, then you open an account.
In this case, the option to add only additional computer restricts them.
Meanwhile, if you get a chargeback for $300,000, it could very well kill you. You have to strike a "balance of convenience" here, as the Courts put it - this has to work for buyers, sellers and the website owner. Right now, it isn't. Maybe the balance has to be tweaked.
Again, you're in a similar position to ebay. ebay had to massively increase security on the site from 4 years ago - the site was a licence to steal for scammers. Not everybody liked all the changes and some left - the ones that remain are much safer.
Right. The thief did not know. But yet, the thief might have come across the website and planned on using the stolen credit card to order the software.
I am assuming that this software takes time to create - the thief would have to steal a platinum-level software to charge a 5-figure charge, wait around and hope that the cardholder didn't notice a $30,000 charge on his card and deal with the risk that, when he went to download the software to a computer whose location you would know from the IP address, the police wouldn't be knocking on his door 2 minutes later. How much of a risk are you really running here?
My real life observations have shown me that this is mostly either a family member or a frequent visitor. But how can that be proved?
It may not need to be proven. A parent is legally and civilly responsible for the misuse of his card by his underage children. And, in the case of an underage child, what use would they have for custom-made business software? Kids buy apps, usually because their friends have them and they want to feel part of the group. They don't go out and order custom-made software.
Scammers cannot use disposable emails for obvious reasons.
Isn't this actually the other way round? It's convenient to have a disposable email when committing such fraud. Why would anyone want to use their regular email to commit fraud?
If you require someone to use the same email for downloading as you do for signing up (perhaps, as Paypal does, by making the email the account name), it defeats the purpose of a disposable email. Just send a confirming email every time the person opens up their account - you could sell it as a 'high-security feature'.
You're trying to create an environment here where scamming is impractical and unsafe for the scammer - you have to disable their tools to do it. Show them by the setup that they're likely to get caught and they won't make the attempt.
I need more information about this chargeback.
Those questions regard the actual chargeback that you're facing, not a hypothetical case. Might as well try to win this one while we're at it, so I need the actual information about the buyer that has initiated the chargeback.
$100,000 is a good amount and trying to get this back could be worth it for scammers
I wonder about that. Nigerian scammers are after money, not specialized software. They go after electronics because they're relatively expensive and easily saleable. Even at that, they only receive a fraction of the item's worth when they sell it, because it's 'hot' goods.
Specialized software is not easily sold, so it's difficult to see whether a professional scammer would be attracted by it.
You may only be dealing with amateurs and they're easier to catch because they don't think through the implications of their actions.
Perhaps 2 levels of accounts should be required
Well this was never thought of. I would have to really think over this to see how practically it can work in our case. I am not sure how much more development time this change will demand so I would have to brainstorm this.
this has to work for buyers, sellers and the website owner. Right now, it isn't. Maybe the balance has to be tweaked.
What could possibly get the right balance? Letting users operate two accounts - one for buying and other for browsing? Recording their IP on download? These seem to be the extra information that could help later on. I am trying to implement a rock-solid system so that a false chargeback never gets entertained. What can possibly achieve this?
Ok I guess the attention is deviating away from the main point if I use the word scammers. So let me rephrase it. An example of specialized software could be to develop an application that encrypts & decrypts exe files so that no reverse engineering can be done on it. This can cost a 4-5 figured cash. Let's say that genuine Buyer wants to get the software done & he discusses this proposal with a friend of his. His friend suggests my website and also gives him an idea to get the work done and file a chargeback once it is done. So now, the Buyer initially reluctant, now gives in to the idea and the idea of saving a 5 figured cash really gets him going. So now he operates away from his home (let's say Kinkos just to get this software done) and uses his own information. You would really not expect anything fishy from this Buyer and yes indeed, he does not do anything fishy. He even orders the software, gets it done, downloads the software, pays and just disappears for about 2 weeks. After 2 weeks, he files a (false) chargeback either with CC company / Paypal stating that he does know how the charges appeared and disputes it.
In the above case, we can see that although the Buyer was genuine at first, he later turned out to be evil. He got the software that he wanted, paid the seller after completion so that there could not be an instant Arbitration and filed for a chargeback after 2 weeks, so that he can now even get back the money that he paid. A very good excuse for not checking the statement earlier would be that either he was away on holiday or did not have time or that he just checks it every month/ every 2 weeks only. (You get the idea of excuses, I believe). If the Buyer does really win this case, then the results would be devastating as follows:
1. Buyer gets software.
2. Buyer gets back all the money he paid (from our Company's account).
3. Seller is paid when the Buyer released it.
4. Our company's account gets deducted of the chargeback amount.
It would not be right to ask Seller to pay for the loss and absorb it themselves as many of them feed their families based on what they earn by selling such software. An amount of $30,000 could mean that a seller and his family would starve for a year if he is asked to absorb the loss. At the same time company is providing A1 services for virtually nothing / the lowest price on the market. So who should really bear the loss? The company? The seller? None, I say. It should be the Buyer for having to file a false chargeback. Lawsuits, fines and imprisonments follow such users, but as I mentioned earlier, I would like to have rock-solid proof to prove such. You don't allow chargebacks and hence you can avoid lot of fraud from such Buyers.
I hope at least now I was able to convey what I was really trying to.
Please let me know.
Thank you.