#1 |
|
SEO For Hire!
Join Date: Jul 2003
Location: Chicago, IL
Posts: 694
Reputation: 61
|
Removing test CC number
I'm fairly disappointed that I have to ask this question, but does anyone know how to remove the test CC number from osCommerce so that people cannot take advantage of the system?
I received a call from a client tonight about an order that looked "fishy" and I was disappointed to find out that someone had used the test credit number to abuse the system. Only someone that knows how osCommerce works would know to try this credit card number. I am really disappointed that someone else supporting the open source platform would abuse a live store like that. I'm off on a tangent, but I know some of you would understand! On a related note, once I have the IP of the guilty party, is there anything that can be done? Thanks for the help! |
|
|
|
|
#2 | |
|
A customer & a Moderator
Join Date: Mar 2004
Location: Washington (THE original one!)
Posts: 11,654
Reputation: 384
|
Quote:
|
|
|
|
|
|
#3 |
|
XPW
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
|
There is no point to this - the numerical test that allows the test number is simply a guard against mistyping. It in no way authenticates that the number and expiration date are valid. If you are not using a payment gateway, you MUST independently validate the charge before delivering the merchandise. If you are using a payment gateway, it does the authorization for you.
__________________
Steve |
|
|
|
|
#4 | |
|
Join Date: Feb 2003
Location: Allentown, PA USA
Posts: 14,885
Reputation: 447
|
Quote:
Are you sure that this was not a test by one of the credit card companies, the payment gateway or the client's bank? If this is a new shopping cart, any of these parties may be testing the shopping cart. Unfortunately, this could have been an attempt to abuse the system.
A client of mine had a customer who claims that his/her credit card was used without permission to make a purchase. This sounds fishy to me as the customer contacted Echo, the payment gateway, instead of his/her credit card company Visa or whatever he/she used. Echo did a chargeback to refund the money to the customer and my client already shipped the product. She verified the credit card info BEFORE shipping the product. It shows that there are people who know too much and will abuse the system.
That is when PayPal is nice. The merchant gets paid and if the check bounces, PayPal has the hassle of collecting the money. Too bad everyone isn't more honest.
What YOU can do is add code that checks to see if the credit card number entered is the test account. If so, send an email to yourself or post a message on the website in real time for the person entering it to see. I will let you be creative about what the message will be. |
|
|
|
|
|
#5 |
|
XPW
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
|
Again, there is no point in doing this. It doesn't prevent an equally invalid number from being used. You are fooling yourself if you think such a check will protect you.
All the default credit card module does is run a mathematical checksum designed to catch transcription errors. It is NOT, in any way, a guarantee that the card number is a valid account. The test number is simply a number that passes the mathematical test. If you deliver product based on this test only, you will be guaranteed to lose money. Again, if you use the default CC module, it assumes that you are doing your own offline authorization of the charge. DO NOT use this for "instant download" products. If that's your offering, you MUST use a payment gateway (PayPal IPN, authorize.net, etc.) that does real-time processing of the charge.
__________________
Steve |
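The point made in post #5, as an added example that is not part of the thread and not osCommerce code: assuming the module's checksum is the standard Luhn (mod 10) test, it rejects every single-digit typo of a passing number, while a blocklist on one test number still lets other checksum-valid numbers through. The function names, the `order` dict and its `authorization_code` field are hypothetical; both card numbers are publicly documented test values, not accounts.

```python
# Added illustration, not osCommerce code. The card numbers are publicly
# documented test values; neither is a real account.

def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    # Walk right to left, doubling every second digit.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def single_digit_typos(number: str):
    """Yield every variant of `number` with exactly one digit changed."""
    for pos, ch in enumerate(number):
        for repl in "0123456789":
            if repl != ch:
                yield number[:pos] + repl + number[pos + 1:]


def passes_form_check(number: str, blocklist: set) -> bool:
    """Checksum plus a blocklist of known test numbers (hypothetical check)."""
    return number not in blocklist and luhn_ok(number)


def may_deliver(order: dict) -> bool:
    """Release goods only on a recorded authorization, never on the checksum."""
    return bool(order.get("authorization_code"))


TEST_NUMBER = "4111111111111111"   # widely published test number (assumed to be the one meant)
OTHER_NUMBER = "4242424242424242"  # another publicly documented test number

if __name__ == "__main__":
    print(luhn_ok(TEST_NUMBER))                                      # passes the typo guard
    print(sum(luhn_ok(t) for t in single_digit_typos(TEST_NUMBER)))  # typos that slip through
    print(passes_form_check(OTHER_NUMBER, {TEST_NUMBER}))            # blocklist does not help
    print(may_deliver({"order_id": 1, "authorization_code": None}))  # no authorization, no goods
```
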
|
|
|
|
#6 |
|
Join Date: Feb 2003
Location: Allentown, PA USA
Posts: 14,885
Reputation: 447
|
I didn't see any mention that tacimala was using the default cc module instead of a payment gateway. PayPal is safe for merchants, since merchants are paid by PayPal and the customers pay PayPal. My mind is still on authorize.net since I have been doing many of those lately. They, VeriSign and others have test accounts that are for testing only.
No matter how you accept payments, you need to verify the information. If the shipping and billing addresses do not match, that looks suspicious. Never ship products without verifying suspicious orders. Email isn't good enough; phone calls are better. Example: My sister could order something with my credit card and have the purchased items sent to her address. If you sent an email, she may also have access to my email account. She could confirm the order and I would pay for something she gets. Then I would complain when the bill appears on my credit card. If you would call me, I could say I didn't order the product. If my sister put HER phone number, but my billing address, you would call HER! She would verify the order and get the purchase. So... what is the best thing to do? You could check to see if the phone number belongs to the billing address. I was a cashier before everything was automated. We used to call the credit card company to verify suspicious credit cards and they would decline a transaction or approve it. Now we hope that computers can do this for us, but they cannot. Be sure to ask for the three-digit card verification number on the back of the credit card, the billing address and phone number, and possibly a birthdate or something that only the card holder could answer. But my sister could answer these questions. You can try to protect yourself, but there is no perfect solution. |
|
|
|
|
#7 |
|
XPW
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
|
The "test number" would not pass a payment gateway transaction.
There is a great contribution that analyzes the info supplied and matches the card number's bank against the buyer's IP address and location, and country. Search the contributions for "maxmind". If you use a payment gateway, then at least you know it's a valid account. There is still a potential for fraud due to a stolen number - the maxmind.com site has some useful tips.
__________________
Steve |
|
|
|
|
#8 |
|
SEO For Hire!
Join Date: Jul 2003
Location: Chicago, IL
Posts: 694
Reputation: 61
|
Yes, this client is using the default CC module. They have a business that they run credit cards through and they just hand punch the orders on that machine. I let my client know that the number was the test number and can bypass the system, and with a customer name of "abc def" he was correct in guessing that it was fake. I guess it is just more disappointing to me that someone would do that. They didn't ship anything, so that wasn't the problem; I just wanted to know if there was a way to stop the test CC number from working.
Yvette, so are you suggesting that a phone call be made to the credit card company for every order to verify the phone number to the account? Thanks for all the responses! |
|
|
|
|
#9 |
|
XPW
Join Date: Jun 2002
Location: New Hampshire, USA
Posts: 9,464
Reputation: 265
|
Here are my suggestions:
1. Install one of the contributions that also asks for the CVV number from the back of the credit card (on Amex cards it's on the front). This is intended to demonstrate that the buyer has the actual card.
2. Install the Maxmind credit card fraud protection contribution. This gives you additional data that can help you detect fraud.
3. Never deliver merchandise until the transaction has been processed through your merchant account. Record all the information in case of a dispute.
4. Be aware of the common types of fraud. As I mentioned earlier, the maxmind.com site has a good article on this.
5. Use common sense.
__________________
Steve |
|
|