The Internet is a powerful tool. And like most other powerful tools, it’s one that can be used for both good and bad ends. Just as in the real world, there are all sorts of dodgy characters you can run into online. And when it comes to the world of online fundraising, far too many nonprofits are running into a particularly cagey group of bad actors—credit card fraudsters.
This article is the product of our ongoing efforts to stamp out credit card fraud from our site. Just to be clear, we are not talking about people stealing credit cards from our clients or their donors, or in any way compromising the integrity of our platform. We are talking about organized criminal groups that take already-stolen credit cards and then test them through nonprofit checkout pages.
Over time, we have learned a lot about the issues at play and have taken many steps behind the scenes to help address them. Since it’s an area that isn’t often talked about, and it’s one that can wreak havoc on nonprofits, we figured we’d give you the behind the scenes on our experiences.
A Tale of Two Forms
Sophisticated credit card rings love nonprofits. They love, love, love them. And the reason why is obvious if you think about it for a while.
Nonprofits have some of the simplest checkout pages on the web.
If you were in the business of testing stolen credit cards, which would you prefer: a simple one-page checkout form, or a complicated multi-step “shopping cart” checkout? Obviously, you’d prefer the former.
And that’s why nonprofits get targeted so often by credit card rings. Unlike other e-commerce applications, donation forms are designed to be simple and static. There’s no dynamic shopping cart functionality to contend with, which means that it’s a lot easier for credit card rings to write automated scripts that can churn hundreds or thousands of stolen cards through a page every day. Plus, visitors can input any donation amount that they want on a nonprofit checkout form. This lets fraudsters easily test transaction limits on stolen cards.
In short, the very features that make nonprofit donation pages easy to use for legitimate donors also make them attractive targets for credit card rings.
Portrait of a Nonprofit Victim
A little over a year ago we were approached by an existing client. At the time, a credit card ring was targeting this client heavily. Aside from the ethical problem of not wanting to accept contributions that were not freely given, there were other major problems caused by the card testing. When the real card owners discovered the unauthorized charges, they would issue chargebacks with the credit card companies. This would reverse the original transactions and the merchant service would then impose extra fees on the nonprofit for the reversals (standard in the payments industry). The nonprofit was losing money from reversals, having a very tough time keeping legitimate transactions separate from fraudulent ones, and was facing the constant threat of damage to its reputation because of the unauthorized transactions.
When the organization approached us, it was only using StayClassy for peer-to-peer fundraising. It had a separate donation page up on its main website; this was the page that was getting hit continuously by the ring. As the influx of fraudulent charges swelled, the organization decided to try replacing its existing donation form with a StayClassy form. The hope was that the fraudulent charges might abate. Unfortunately, they did not.
Pete vs. the Internet
It was at this point that we got our first real glimpse into the shadowy world of organized credit card theft. It was also when our VP of Engineering, Pete Nystrom, decided he was going to spend some time working on a fix for the problem.
We use a service called Cloudflare at StayClassy. Cloudflare essentially acts as a CDN (content delivery network) that sits between our site and the end user. There are a number of site performance and speed benefits you can get from using a service like Cloudflare, but there are also security benefits.
The initial hope was that some of the security features within Cloudflare would be enough to deter the credit card ring. Among other things, these security features include the ability to automatically block IP addresses and IP ranges that are associated with known threats and to manually block specific IP addresses, ranges, or even entire countries if you want to.
When Pete first started looking into the problem, he immediately noticed that the fraudulent charges weren’t emanating from “known threats” in Cloudflare’s system (there was essentially no drop off in the rate of fraudulent charges when the client switched its donation page to StayClassy). So, as a logical next step, he began blocking IP addresses and ranges that repeatedly surfaced in connection with false charges.
With a little time, a picture of where the attempts were coming from began to emerge. Most of the IPs associated with the fraudulent charges were located in northern Africa, the Middle East, and Eastern Europe. At this point, Pete started blocking whole countries in an effort to slow the problem further.
As we put these security features to use, the attempts did start to slow down. The only problem was that it was a very manual process. Pete would have to get up every morning, refund hundreds of charges, and then block all of the IPs associated with those charges, only to get up and do it again the next day. Still, progress was progress and the charges were slowing down. Then the card rings gave us a little taste of their sophistication.
Those Slippery Little Devils
As soon as we thought that we’d started to solve the problem, the credit card ring adapted its tactics. They started using IP proxies to make it appear like the donation attempts were originating from “low-risk” countries and they paid closer attention to the fake names they were using on the transactions, taking greater care to make them sound real.
Not one to back down from a challenge, Pete adapted to their adaptations, adding scripts to check the country the IP was located in against the country the credit card was associated with. Again, this worked for a little while. The problem was that it was also causing a lot of false positives and the process was still far too manually intensive to operate at scale.
As a next attempt, Pete began using the APIs provided by the major email clients to verify the email addresses that were coming in with each transaction. This solution suffered from the same defects as the previous one. It was causing too many false positives (people often inadvertently mistype their email addresses) and the fraud group adapted quickly by shifting to Yahoo email addresses. As it turns out, Yahoo has the most lax standards for verification and the ring quickly identified this.
At this point things were getting frustrating. It was a lot like that old arcade game whack-a-mole; we’d fix an issue in one spot, only to see it pop up in another. Despite Pete’s best efforts, the card ring kept right on hammering our client with fraudulent attempts.
What Does the FBI Have to Say?
Not really knowing what to try next, we turned to the law enforcement community to see if they had any sage advice to pass on. We reached out to the FBI’s online fraud protection group hoping that they would be able to point us in the right direction. They were able to school us on why nonprofits were targeted so often (as described above) but at the end of the day they made it clear that there was very little they could do to help. Because of the size of the groups and their overseas locations, it was next to impossible to try and track them down and prosecute them.
Around this same time, our client decided to switch back to its old donation form. They hoped that the ring wouldn’t follow them back to the old form, but that proved not to be the case. They kept getting hit. From our end, we were just glad to have a brief respite from the problem. This step back also gave Pete some time to develop a more calculated approach to addressing the problem.
From Manual to Automated Systems (& Vice Versa)
During the lull in fraudulent activity, Pete was able to spend some time studying the data from the previous attacks to try and uncover patterns that might be helpful for developing automated scripts to prevent future attacks. After reviewing the data, a number of conclusions began to emerge.
First, it seemed that most of the fraudulent charges were associated with Yahoo email addresses, so those were earmarked for extra scrutiny. Second, the attackers tended to stay on the same IP address until they were blocked, only then moving on to a new one. Because the blocking process was so manually intensive, the attackers had virtually free rein at night when no one was around to proactively monitor activity and block IPs. Third, it became clear that the attackers were using automated scripts to quickly fill out checkout pages and that they often reused the same email addresses.
Armed with more information, Pete began building processes that would run in the background of our site looking for probable fraud patterns and automatically blocking suspicious IP addresses. He also experimented with different methods to deter bots from running on our checkout pages.
As these features were being developed though, another client got attacked. This ring seemed even larger than the previous one, as they were pretty much running card attempts 24 hours a day without stop.
In an attempt to slow down the pace of fraudulent charges, Pete released the first series of updates to the checkout page for this client. These updates included the use of CAPTCHA images and other techniques to prevent bots from completing the checkout process. The updates worked and the charges slowed down, but sure enough, within a few days they ramped right back up again.
As it turns out, this particular credit card ring had the resources to employ real people to test cards. This group of people would just manually input cards all day and night, seeing which of the stolen numbers worked. In essence, as we increased our ability to automate fraud prevention, the attackers did the reverse by shifting to a more manual process.
The next wave of updates Pete released included automated fraud detection processes to block suspicious IP addresses in real time. This worked for a while, but the ring adapted to the new measures once again. Before long, they started automatically shifting IP addresses after every transaction.
After a while we noticed that they tended to stay within the same IP ranges for long periods of time even though they were shuffling through different individual IP addresses. The next update Pete rolled out included automated blocking of suspicious IP ranges. And finally, with that new release, the attacks started to sharply decline.
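The pattern-based blocking described in this section (per-IP velocity, then per-range velocity once the ring started rotating addresses, plus reused emails, Yahoo addresses and card-country mismatches as weaker signals) can be sketched as a small sliding-window scorer. The code below is an added illustration, not StayClassy's own system; the attempt records, the thresholds, the /24 range size and the signal weights are all assumed values chosen for the example. The point it makes beyond the text is the split between "hard" signals that block outright and "soft" signals that only combine into a review decision, which is how the false positives from the country and email checks can be kept from blocking real donors.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample checkout attempts (hypothetical data, not StayClassy's logs):
# (ISO timestamp, source IP, email, amount in USD, card issuing country, IP geolocation country)
ATTEMPTS = [
    ("2013-05-01T02:00:05", "203.0.113.10", "a1@yahoo.com", 1.00, "US", "RO"),
    ("2013-05-01T02:00:09", "203.0.113.10", "a1@yahoo.com", 1.00, "US", "RO"),
    ("2013-05-01T02:00:14", "203.0.113.10", "a2@yahoo.com", 2.00, "US", "RO"),
    ("2013-05-01T02:00:20", "203.0.113.11", "a1@yahoo.com", 1.00, "US", "RO"),
    ("2013-05-01T02:00:26", "203.0.113.12", "a3@yahoo.com", 1.00, "US", "RO"),
    ("2013-05-01T02:00:31", "203.0.113.13", "a2@yahoo.com", 1.00, "US", "RO"),
    ("2013-05-01T14:12:00", "198.51.100.7", "donor@example.org", 50.00, "US", "US"),
    ("2013-05-01T14:40:00", "198.51.100.9", "friend@example.com", 25.00, "GB", "US"),
]

# Tunable thresholds (assumed values, chosen for the sample above).
WINDOW = timedelta(minutes=10)   # sliding window for velocity counts
IP_THRESHOLD = 3                 # attempts from one IP inside the window -> block the IP
RANGE_THRESHOLD = 5              # attempts from one /24 inside the window -> block the range
EMAIL_THRESHOLD = 3              # attempts reusing one email inside the window
REVIEW_SCORE = 4                 # soft-signal score at which a human should look

# Weights for "soft" signals: individually weak (false-positive prone), stronger combined.
SOFT_WEIGHTS = {"email_reuse": 2, "country_mismatch": 1, "yahoo_email": 1, "micro_amount": 1}


def _recent(bucket, key, now, window):
    """Drop timestamps that fell out of the window, record `now`, return the current count."""
    bucket[key] = [t for t in bucket[key] if now - t <= window]
    bucket[key].append(now)
    return len(bucket[key])


def analyze(attempts, window=WINDOW):
    """Score attempts in time order; return (per-attempt results, blocked IPs, blocked /24 ranges)."""
    by_ip, by_range, by_email = defaultdict(list), defaultdict(list), defaultdict(list)
    blocked_ips, blocked_ranges = set(), set()
    results = []
    for ts, ip, email, amount, card_cc, ip_cc in sorted(attempts):
        now = datetime.fromisoformat(ts)
        rng = str(ip_network(f"{ip}/24", strict=False))
        flags = []
        # Hard signals: bursts from one address, or from one range as the attacker rotates addresses.
        if _recent(by_ip, ip, now, window) >= IP_THRESHOLD:
            flags.append("ip_velocity")
            blocked_ips.add(ip)
        if _recent(by_range, rng, now, window) >= RANGE_THRESHOLD:
            flags.append("range_velocity")
            blocked_ranges.add(rng)
        # Soft signals: each one alone is too noisy to block on.
        if _recent(by_email, email, now, window) >= EMAIL_THRESHOLD:
            flags.append("email_reuse")
        if card_cc != ip_cc:
            flags.append("country_mismatch")
        if email.lower().endswith("@yahoo.com"):
            flags.append("yahoo_email")
        if amount <= 2.00:
            flags.append("micro_amount")
        soft_score = sum(SOFT_WEIGHTS.get(f, 0) for f in flags)
        if ip in blocked_ips or rng in blocked_ranges:
            decision = "block"
        elif soft_score >= REVIEW_SCORE:
            decision = "review"
        else:
            decision = "allow"
        results.append({"ts": ts, "ip": ip, "flags": flags, "score": soft_score, "decision": decision})
    return results, blocked_ips, blocked_ranges


def decisions(attempts=ATTEMPTS):
    """Decision per attempt, in time order."""
    return [r["decision"] for r in analyze(attempts)[0]]


if __name__ == "__main__":
    res, ips, ranges = analyze(ATTEMPTS)
    for r in res:
        print(f'{r["ts"]} {r["ip"]:14} {r["decision"]:6} {",".join(r["flags"])}')
    print("blocked IPs:", sorted(ips), "blocked ranges:", sorted(ranges))
```

Run on the sample, the third attempt from 203.0.113.10 trips the per-IP threshold, the rotation to .11, .12 and .13 inside the same /24 trips the range threshold two attempts later, and the two afternoon donations (one with a card-country mismatch) pass because the window has emptied and a single soft signal is not enough. The sliding window is what lets this run unattended overnight, which the manual morning refund-and-block routine could not.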
Moving Beyond IP Addresses
While the automated IP range blocker has helped deter attacks, if there’s one thing that our previous experience has taught us, it’s that these groups are nothing if not persistent. In an effort to add additional protections for our clients we’ve recently implemented another service started by a bunch of ex-Googlers. Their product, Sift Science, uses large-scale machine learning and multivariate analysis to make it even more difficult for fraudsters to succeed.
Using the Sift Science service, we’ve been able to move beyond just identifying suspicious IP addresses or ranges (which can be manipulated by attackers using proxies). Now we can drill down to actual device IDs and use the Sift Science algorithms to proactively detect patterns unique to our user data, which are predictive of fraudulent activity.
As we move forward we intend to roll out many of the backend features we’ve implemented (like IP blocking, range blocking, and country blocking) to individual client accounts. This will give our clients the ability to respond directly if they face an attack. It will also enable organizations to “white-list” IPs that may have been falsely blocked by the background fraud prevention measures we’ve put in place. On top of this, we will continue to invest time into leveraging the full power of the Sift Science system to make fraudulent charges as difficult as possible to consummate on our platform.
All of this being said, we are sure there are more chapters to this story, not just for us as a company, but for the sector as a whole. When it comes to a group of people that are determined to do the wrong thing in order to benefit themselves financially, you can be sure that they aren’t going to stop without a fight. They will do whatever they can to keep profiting. Our job is to do our best to stay one step ahead.
If your organization has been targeted by one of these rings please feel free to reach out to us. We are happy to collaborate and share insights with you directly. Ultimately, as an industry, we need to work together to make sure that a group of people so intent on doing good doesn’t remain a persistent target of those so intent on doing bad.
Photo Credit: Flickr User grafixtek