Support A2Billing :

provided by Star2Billing S.L.

 Post subject: Re: Fraud with paypal!!
PostPosted: Sat Sep 12, 2009 6:34 pm 
Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
middletn wrote:
Were these calls to SL again? If they were, why not rack the cost per minute up as someone suggested? Better yet, bar calls to that location completely on your standard plan

Sorry to hear of your loss

regards



Yes, they were to Sierra Leone, and since it happened twice, I would want to share the detailed story with paypal to claim our loss back and perhaps we can find a way to track these bastards.

I think they are somehow related to SR's telecom.

If anybody else has a paypal account and had the same thing happen to him, we can perhaps track and prevent this kind of scam in future.

But I am certain the hacker is in China and I could track his original IP address: he used the SIP protocol this time through a proxy but forgot to disable canreinvite, therefore I got his IP in China, but China Telecom is not responding at all.

If anyone can help us to add security features, we are willing to donate some parts as well.


 Post subject: Re: Fraud with paypal!!
PostPosted: Sun Sep 13, 2009 9:28 pm 
Joined: Mon Oct 01, 2007 10:44 pm
Posts: 230
Location: Bovey, Devon, UK
Well, a couple of things come to mind with regard to prevention rather than tracking them down. We could blacklist IPs (spoofing would soon get around that) and in any event, I doubt you'll have much luck with the authorities anyway.

Question: You said they made 70 simultaneous calls, why not limit new accounts to just one call at a time?

Now what would be really useful is some sort of alerting procedure that highlights unusual activity. Right now all I can go on is call compare. I need to give it some thought, but it should be possible to build in some throttling system if unusual activity is detected.

For instance, some analysis of calls that determines the gap between successive calls. Get, say, 10 that are immediate follow-ons, and raise an alert.

That said, by far and away the simplest solution is to limit all new accounts to 1 call at a time for a set period.


regards
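The alerting idea above (raise an alert once an account has a run of immediate follow-on calls) as a worked example added here; this is not A2Billing code or the poster's. It reads constructed call records in an assumed `account;destination;start;duration_s` format, counts follow-on calls per account, and also derives peak concurrency from the call timestamps rather than from a stored "calls in progress" counter, so a one-call-at-a-time limit for new accounts can be checked against what the CDRs actually show. The 10-call threshold comes from the post; the 5-second gap and the per-account limit are parameters chosen for the example.

```python
"""Alert on immediate follow-on calls and concurrency spikes, computed from CDR-style records.

Added example, not A2Billing code. The record format "account;destination;start;duration_s"
is assumed, and the sample records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: acc-1001 chains 11 calls to a 232 prefix with a 1 s gap between them,
# acc-3003 has three overlapping calls, acc-2002 looks like an ordinary user.
SAMPLE_CDRS = """
acc-1001;23276100001;2009-09-12 18:00:00;60
acc-1001;23276100002;2009-09-12 18:01:01;60
acc-1001;23276100003;2009-09-12 18:02:02;60
acc-1001;23276100004;2009-09-12 18:03:03;60
acc-1001;23276100005;2009-09-12 18:04:04;60
acc-1001;23276100006;2009-09-12 18:05:05;60
acc-1001;23276100007;2009-09-12 18:06:06;60
acc-1001;23276100008;2009-09-12 18:07:07;60
acc-1001;23276100009;2009-09-12 18:08:08;60
acc-1001;23276100010;2009-09-12 18:09:09;60
acc-1001;23276100011;2009-09-12 18:10:10;60
acc-2002;33142000001;2009-09-12 18:00:00;120
acc-2002;33142000002;2009-09-12 18:30:00;30
acc-2002;33142000001;2009-09-12 19:10:00;45
acc-3003;23276200001;2009-09-12 18:00:00;300
acc-3003;23276200002;2009-09-12 18:00:10;300
acc-3003;23276200003;2009-09-12 18:00:20;300
"""


@dataclass(frozen=True)
class Call:
    account: str
    destination: str
    start: datetime
    duration: int  # seconds

    @property
    def end(self) -> datetime:
        return self.start + timedelta(seconds=self.duration)


def parse_cdrs(text: str) -> List[Call]:
    calls = []
    for line in text.strip().splitlines():
        account, dest, start, dur = line.split(";")
        calls.append(Call(account, dest, datetime.strptime(start, "%Y-%m-%d %H:%M:%S"), int(dur)))
    return calls


def follow_on_counts(calls: List[Call], max_gap: int = 5) -> Dict[str, int]:
    """Per account: how many calls started within max_gap seconds of the previous call ending."""
    by_account: Dict[str, List[Call]] = defaultdict(list)
    for c in calls:
        by_account[c.account].append(c)
    counts = {}
    for account, lst in by_account.items():
        lst.sort(key=lambda c: c.start)
        counts[account] = sum(
            1 for prev, cur in zip(lst, lst[1:])
            if timedelta(0) <= cur.start - prev.end <= timedelta(seconds=max_gap))
    return counts


def peak_concurrency(calls: List[Call]) -> Dict[str, int]:
    """Per account: most calls in progress at once, derived from start/end times rather than
    from a stored counter that might not be decremented when a call hangs up."""
    events: Dict[str, List[tuple]] = defaultdict(list)
    for c in calls:
        events[c.account].append((c.start, 1))
        events[c.account].append((c.end, -1))
    peaks = {}
    for account, ev in events.items():
        ev.sort()  # at equal timestamps the -1 (hangup) sorts before the +1 (new call)
        current = peak = 0
        for _, delta in ev:
            current += delta
            peak = max(peak, current)
        peaks[account] = peak
    return peaks


def alerts(calls: List[Call], follow_on_threshold: int = 10, max_gap: int = 5,
           concurrency_limit: int = 1) -> List[str]:
    """Alert lines; concurrency_limit=1 mirrors the one-call-at-a-time rule for new accounts."""
    fo, pc = follow_on_counts(calls, max_gap), peak_concurrency(calls)
    out = []
    for account in sorted(set(fo) | set(pc)):
        if fo.get(account, 0) >= follow_on_threshold:
            out.append(f"{account}: {fo[account]} immediate follow-on calls (gap <= {max_gap}s)")
        if pc.get(account, 0) > concurrency_limit:
            out.append(f"{account}: peak concurrency {pc[account]} exceeds limit {concurrency_limit}")
    return out


if __name__ == "__main__":
    for line in alerts(parse_cdrs(SAMPLE_CDRS)):
        print(line)
```

Run against the sample, acc-1001 trips the follow-on rule and acc-3003 the concurrency rule, while acc-2002 stays quiet. In production the same two functions would run over a sliding window of recent CDRs per account, and a hit would feed whatever throttle (suspend the account, cap the concurrent-call limit) the operator chooses.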


 Post subject: Re: Fraud with paypal!!
PostPosted: Mon Sep 14, 2009 8:02 am 
Joined: Fri Jun 23, 2006 3:56 pm
Posts: 4065
Hi

We did have a fraud as well, also to Sierra Leone. We did not lose a lot, more by luck, than by any protection measures. In this system, the calls were limited to 1 concurrent call, however, what was done is several accounts were set up over the course of a few weeks, each of which could make one concurrent call, but no credit placed on the account.

Then one evening, payments from stolen credit cards/paypal accounts were placed on all the accounts previously set up, over the course of about 5 minutes, and the calls started flowing to SL.

Fortunately, someone was in the office, and saw all the payments come in from paypal, and stopped all the associated accounts almost as quickly as a payment was received.

I mention this, because in this thread, there is something of a pattern emerging, and the frauds mentioned may be related, and it certainly felt like a well organised and planned fraud.

This kind of fraud is quite difficult to spot and combat, because numerous accounts were created.

So we have to consider a whole raft of measures to combat this. One technique mentioned is to verify all customers in some way before allowing them to make a call, or limiting calls to "in country" or to cheap destinations, until they are verified.

So keep the thoughts flowing, and let's see if we can come up with a list of ideas.

Joe


 Post subject: Re: Fraud with paypal!!
PostPosted: Mon Sep 14, 2009 8:53 am 
Joined: Fri Jun 23, 2006 3:56 pm
Posts: 4065
I know it's poor form to respond to one's own thread, but the act of writing down the fraud has helped me consider one of hopefully many protection measures.

Paypal are pretty quick at clawing back the money, usually within a few minutes. What normally happens is that the fraudulent transaction is made, the owner of the paypal account or credit card is notified, and stops the payment.

So a system of deferring payments for 24 hours for Unverified customers only may help. So the money arrives, but is not implemented as a refill for 24 hours.

Verified customers can make immediate payments.

Joe


 Post subject: Re: Fraud with paypal!!
PostPosted: Thu Sep 17, 2009 9:55 am 
Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
Limiting a person to one call is buggy in A2Billing, and people who are not making phone calls are likely not able to make a second call because in the database it is still set as 1 call, which means the database is not updated after the last call is disconnected.

Secondly, the callback will not work as well because the person needs to make two concurrent calls; at the same time we defined a family package where the whole family are using the callerID function and they have SIP phones at home, so they may need to make 3 to 5 phone calls (maximum) at the same time.

Based on this experience we had, we are considering the following actions:

1. Upon registration, before activating the account, the a2b must make a phone call to the user and announce a security code to verify the user's phone number. This is extremely good for marketing as well.

2. When the activation email is sent to the user, there must be a gif or png image hidden in the email to verify the user's IP while opening the verification email and the registration email.

3. Hold Paypal payments where the email does not match the account email for at least 24 hours of a working day until it is effective.

4. Captcha verification on callback through the website.

5. Limit the number of calls to one destination to one call only; for instance (+1-223-223-2232) can be dialed once and the user cannot make a second call to the same destination. The second call cannot be initiated unless the first call is hung up.



Please update if you have any other ideas.

Thanks


 Post subject: Re: Fraud with paypal!!
PostPosted: Thu Sep 17, 2009 10:07 am 
Joined: Sun Mar 12, 2006 2:49 pm
Posts: 954
Location: Barcelona
1. Upon registration, before activating the account, the a2b must make a phone call to the user and announce a security code to verify the user's phone number. This is extremely good for marketing as well.

I had something like this in mind but using an SMS, so at least you are sure he didn't get a DID to subscribe; he has a proper cell phone.

2. When the activation email is sent to the user, there must be a gif or png image hidden in the email to verify the user's IP while opening the verification email and the registration email.

Most modern mail clients don't open those (Thunderbird, Gmail, etc...), so there is no point to this, but you could capture his IP at signup time.

3. Hold Paypal payments where the email does not match the account email for at least 24 hours of a working day until it is effective.
Keep in mind there are chargebacks happening after 24 hours.

4. Captcha verification on callback through the website.

5. Limit the number of calls to one destination to one call only; for instance (+1-223-223-2232) can be dialed once and the user cannot make a second call to the same destination. The second call cannot be initiated unless the first call is hung up.
I don't think this is relevant; someone trying to fraud won't necessarily send calls to the same phone number.


Yours,
/Areski


 Post subject: Re: Fraud with paypal!!
PostPosted: Thu Sep 17, 2009 10:31 am 
Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
areski wrote:
1. Upon registration, before activating the account, the a2b must make a phone call to the user and announce a security code to verify the user's phone number. This is extremely good for marketing as well.

I had something like this in mind but using an SMS, so at least you are sure he didn't get a DID to subscribe; he has a proper cell phone.

2. When the activation email is sent to the user, there must be a gif or png image hidden in the email to verify the user's IP while opening the verification email and the registration email.

Most modern mail clients don't open those (Thunderbird, Gmail, etc...), so there is no point to this, but you could capture his IP at signup time.

3. Hold Paypal payments where the email does not match the account email for at least 24 hours of a working day until it is effective.
Keep in mind there are chargebacks happening after 24 hours.

4. Captcha verification on callback through the website.

5. Limit the number of calls to one destination to one call only; for instance (+1-223-223-2232) can be dialed once and the user cannot make a second call to the same destination. The second call cannot be initiated unless the first call is hung up.
I don't think this is relevant; someone trying to fraud won't necessarily send calls to the same phone number.


Yours,
/Areski



Using www.readnotify.com you can get the exact IP address of the user, even in Hotmail and Gmail, simply because they load the image but they won't display it.


 Post subject: Re: Fraud with paypal!!
PostPosted: Thu Sep 17, 2009 10:37 am 
Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
There are also some JavaScript methods to find out the user's local IP address and then the external IP address even though the user may use a hacked proxy server to browse the site. But I'm not quite familiar with JavaScript.


 Post subject: New fraud with Paypal ?!
PostPosted: Sun Oct 04, 2009 3:18 pm 
Joined: Sun Oct 04, 2009 2:10 pm
Posts: 1
Hi all!

We just experienced what looks like a new kind of fraud via Paypal!

It looks like someone found a way to send themselves (or someone else) some money via paypal, masquerading as a payment to our a2b.

I received this morning an email from a2b saying that one of our customers recharged their account with 200 Euros.
What was strange is that, normally, I first receive an email from Paypal saying that I received money, and a little later I receive the email from a2b.

I went to my paypal account, and nope! No money received...

So I had a look at the logs, and it just got stranger!

In a2billing_epayment.log, the transaction details looked OK at first glance (customer email is the same as in a2b).

[BTW, I use A2B v1.3 yellowjacket]

So I had a look at Apache's logs:

66.211.170.66 - - [04/Oct/2009:05:08:26 +0000] "POST / HTTP/1.0" 302 -
66.211.170.66 - - [04/Oct/2009:05:08:27 +0000] "POST /customer/index.php HTTP/1.0" 200 11312
141.76.45.34 - - [04/Oct/2009:07:20:28 +0000] "POST /A2BCustomer_UI/checkout_confirmation.php HTTP/1.1" 200 8520
141.76.45.34 - - [04/Oct/2009:07:20:29 +0000] "GET /A2BCustomer_UI/templates/default/images/animated_favicon1.ico HTTP/1.1" 404 388
141.76.45.35 - - [04/Oct/2009:07:20:30 +0000] "GET /A2BCustomer_UI/templates/default/images/animated_favicon1.gif HTTP/1.1" 200 1160
141.76.45.34 - - [04/Oct/2009:07:20:30 +0000] "GET /A2BCustomer_UI/templates/default/css/menu.css HTTP/1.1" 200 4784
141.76.45.34 - - [04/Oct/2009:07:20:30 +0000] "GET /A2BCustomer_UI/templates/default/css/style-def.css HTTP/1.1" 200 1169
141.76.45.35 - - [04/Oct/2009:07:20:30 +0000] "GET /A2BCustomer_UI/templates/default/css/main.css HTTP/1.1" 200 23230
141.76.45.34 - - [04/Oct/2009:07:20:30 +0000] "GET /A2BCustomer_UI/images/company_logo.png HTTP/1.1" 200 2098
141.76.45.35 - - [04/Oct/2009:07:20:30 +0000] "GET /A2BCustomer_UI/templates/default/images/plus.gif HTTP/1.1" 200 836
141.76.45.35 - - [04/Oct/2009:07:20:30 +0000] "GET /A2BCustomer_UI/templates/default/images/button_confirm_order.gif HTTP/1.1" 200 642
141.76.45.34 - - [04/Oct/2009:07:20:30 +0000] "GET /A2BCustomer_UI/templates/default/images/flags/fr.gif HTTP/1.1" 200 366
141.76.45.34 - - [04/Oct/2009:07:20:31 +0000] "GET /A2BCustomer_UI/templates/default/images/bg5.jpg HTTP/1.1" 200 704
141.76.45.34 - - [04/Oct/2009:07:20:31 +0000] "GET /A2BCustomer_UI/templates/default/images/key-point_bl.gif HTTP/1.1" 200 160
141.76.45.35 - - [04/Oct/2009:07:20:31 +0000] "GET /A2BCustomer_UI/templates/default/images/key-point_tl.gif HTTP/1.1" 200 159
141.76.45.34 - - [04/Oct/2009:07:20:31 +0000] "GET /A2BCustomer_UI/templates/default/images/menu_tr.gif HTTP/1.1" 200 107
141.76.45.35 - - [04/Oct/2009:07:20:31 +0000] "GET /A2BCustomer_UI/templates/default/images/menu_br.gif HTTP/1.1" 200 384
141.76.45.34 - - [04/Oct/2009:07:20:31 +0000] "GET /A2BCustomer_UI/templates/default/images/blueshade.png HTTP/1.1" 200 246
141.76.45.34 - - [04/Oct/2009:07:20:31 +0000] "GET /A2BCustomer_UI/templates/default/images/flags/gb.gif HTTP/1.1" 200 382
141.76.45.35 - - [04/Oct/2009:07:20:32 +0000] "GET /A2BCustomer_UI/templates/default/images/asterisklogot_blue.gif HTTP/1.1" 200 2074
66.211.170.66 - - [04/Oct/2009:07:26:39 +0000] "POST /A2BCustomer_UI/checkout_process.php?transactionID=197&sess_id=b27ccb87c24815dac8314591a918841e&key=cac554432195b192e3cf6b828788a375 HTTP/1.0" 200 -
141.76.45.35 - - [04/Oct/2009:07:26:47 +0000] "GET /A2BCustomer_UI/userinfo.php?section=1 HTTP/1.1" 200 9387
141.76.45.35 - - [04/Oct/2009:07:26:48 +0000] "GET /A2BCustomer_UI/templates/default/images/animated_favicon1.ico HTTP/1.1" 404 388
141.76.45.35 - - [04/Oct/2009:07:26:48 +0000] "GET /A2BCustomer_UI/templates/default/images/kicons/personal.gif HTTP/1.1" 200 2963
141.76.45.34 - - [04/Oct/2009:07:26:48 +0000] "GET /A2BCustomer_UI/templates/default/images/kicons/help_index.gif HTTP/1.1" 200 2182
141.76.45.35 - - [04/Oct/2009:07:26:49 +0000] "GET /A2BCustomer_UI/templates/default/images/background_cells.gif HTTP/1.1" 200 376
141.76.45.35 - - [04/Oct/2009:07:26:49 +0000] "GET /A2BCustomer_UI/templates/default/images/kicons/paypal_logo.gif HTTP/1.1" 200 1081
141.76.45.34 - - [04/Oct/2009:07:26:49 +0000] "GET /A2BCustomer_UI/templates/default/images/orangeshadet.gif HTTP/1.1" 200 749
141.76.45.34 - - [04/Oct/2009:07:26:49 +0000] "GET /A2BCustomer_UI/templates/default/images/kicons/gnome-finance.gif HTTP/1.1" 200 1989
141.76.45.35 - - [04/Oct/2009:07:26:50 +0000] "GET /A2BCustomer_UI/userinfo.php?section=1 HTTP/1.1" 200 9387
141.76.45.34 - - [04/Oct/2009:07:26:51 +0000] "GET /A2BCustomer_UI/templates/default/images/animated_favicon1.ico HTTP/1.1" 404 388
141.76.45.35 - - [04/Oct/2009:07:30:47 +0000] "GET /A2B_entity_ratecard.php?form_action=list&ratesort=A HTTP/1.1" 404 350
141.76.45.35 - - [04/Oct/2009:07:30:47 +0000] "GET /favicon.ico HTTP/1.1" 404 338
141.76.45.35 - - [04/Oct/2009:07:30:49 +0000] "GET /A2BCustomer_UI/templates/default/images/animated_favicon1.ico HTTP/1.1" 404 388
141.76.45.35 - - [04/Oct/2009:07:31:00 +0000] "GET /A2BCustomer_UI/userinfo.php?section=1 HTTP/1.1" 200 9387
141.76.45.35 - - [04/Oct/2009:07:31:00 +0000] "GET /A2BCustomer_UI/templates/default/images/animated_favicon1.ico HTTP/1.1" 404 388
141.76.45.35 - - [04/Oct/2009:07:31:01 +0000] "GET /A2BCustomer_UI/templates/default/css/main.css HTTP/1.1" 304 -
141.76.45.34 - - [04/Oct/2009:07:31:01 +0000] "GET /A2BCustomer_UI/templates/default/css/menu.css HTTP/1.1" 304 -
141.76.45.34 - - [04/Oct/2009:07:31:01 +0000] "GET /A2BCustomer_UI/templates/default/css/style-def.css HTTP/1.1" 304 -
141.76.45.34 - - [04/Oct/2009:07:31:01 +0000] "GET /A2BCustomer_UI/templates/default/images/plus.gif HTTP/1.1" 304 -
141.76.45.35 - - [04/Oct/2009:07:31:01 +0000] "GET /A2BCustomer_UI/images/company_logo.png HTTP/1.1" 304 -
141.76.45.35 - - [04/Oct/2009:07:31:01 +0000] "GET /A2BCustomer_UI/templates/default/images/flags/gb.gif HTTP/1.1" 304 -
141.76.45.35 - - [04/Oct/2009:07:31:01 +0000] "GET /A2BCustomer_UI/templates/default/images/flags/fr.gif HTTP/1.1" 304 -
141.76.45.34 - - [04/Oct/2009:07:31:01 +0000] "GET /A2BCustomer_UI/templates/default/images/kicons/personal.gif HTTP/1.1" 304 -
141.76.45.34 - - [04/Oct/2009:07:31:02 +0000] "GET /A2BCustomer_UI/templates/default/images/kicons/gnome-finance.gif HTTP/1.1" 304 -
141.76.45.35 - - [04/Oct/2009:07:31:02 +0000] "GET /A2BCustomer_UI/templates/default/images/kicons/help_index.gif HTTP/1.1" 304 -
141.76.45.34 - - [04/Oct/2009:07:31:02 +0000] "GET /A2BCustomer_UI/templates/default/images/kicons/paypal_logo.gif HTTP/1.1" 304 -
141.76.45.35 - - [04/Oct/2009:07:31:02 +0000] "GET /A2BCustomer_UI/templates/default/images/menu_br.gif HTTP/1.1" 304 -
141.76.45.35 - - [04/Oct/2009:07:31:02 +0000] "GET /A2BCustomer_UI/templates/default/images/key-point_bl.gif HTTP/1.1" 304 -
141.76.45.34 - - [04/Oct/2009:07:31:02 +0000] "GET /A2BCustomer_UI/templates/default/images/blueshade.png HTTP/1.1" 304 -
141.76.45.34 - - [04/Oct/2009:07:31:03 +0000] "GET /A2BCustomer_UI/templates/default/images/orangeshadet.gif HTTP/1.1" 304 -
141.76.45.35 - - [04/Oct/2009:07:31:03 +0000] "GET /A2BCustomer_UI/templates/default/images/background_cells.gif HTTP/1.1" 304 -
141.76.45.34 - - [04/Oct/2009:07:31:03 +0000] "GET /A2BCustomer_UI/templates/default/images/asterisklogot_blue.gif HTTP/1.1" 304 -
141.76.45.34 - - [04/Oct/2009:07:31:03 +0000] "GET /A2BCustomer_UI/templates/default/images/bg5.jpg HTTP/1.1" 304 -
141.76.45.35 - - [04/Oct/2009:07:31:03 +0000] "GET /A2BCustomer_UI/templates/default/images/key-point_tl.gif HTTP/1.1" 304 -
141.76.45.35 - - [04/Oct/2009:07:31:03 +0000] "GET /A2BCustomer_UI/templates/default/images/menu_tr.gif HTTP/1.1" 304 -
141.76.45.34 - - [04/Oct/2009:07:32:07 +0000] "GET /favicon.ico HTTP/1.1" 404 338
141.76.45.34 - - [04/Oct/2009:07:32:38 +0000] "GET /A2B_entity_ratecard.php?form_action=list&ratesort=A HTTP/1.1" 404 350
141.76.45.34 - - [04/Oct/2009:07:32:38 +0000] "GET /favicon.ico HTTP/1.1" 404 338
141.76.45.35 - - [04/Oct/2009:07:33:15 +0000] "GET /A2BCustomer_UI/userinfo.php?section=1 HTTP/1.1" 200 9387
141.76.45.35 - - [04/Oct/2009:07:33:15 +0000] "GET /A2BCustomer_UI/templates/default/images/animated_favicon1.ico HTTP/1.1" 404 388
141.76.45.34 - - [04/Oct/2009:07:33:29 +0000] "GET /favicon.ico HTTP/1.1" 404 338
141.76.45.35 - - [04/Oct/2009:07:34:40 +0000] "GET /A2BCustomer_UI/userinfo.php?section=1 HTTP/1.1" 200 9387
141.76.45.35 - - [04/Oct/2009:07:34:44 +0000] "GET /A2BCustomer_UI/A2B_entity_password.php?atmenu=password&form_action=ask-edit&stitle=Password&section=12 HTTP/1.1" 200 9156
141.76.45.35 - - [04/Oct/2009:07:34:44 +0000] "GET /A2BCustomer_UI/templates/default/images/animated_favicon1.ico HTTP/1.1" 404 388
141.76.45.35 - - [04/Oct/2009:07:34:45 +0000] "GET /A2BCustomer_UI/templates/default/images/kicons/connect_to_network.gif HTTP/1.1" 200 2084
141.76.45.35 - - [04/Oct/2009:07:34:46 +0000] "GET /A2BCustomer_UI/callback.php?section=7 HTTP/1.1" 200 7664
141.76.45.35 - - [04/Oct/2009:07:34:47 +0000] "GET /A2BCustomer_UI/templates/default/images/animated_favicon1.ico HTTP/1.1" 404 388
141.76.45.35 - - [04/Oct/2009:07:34:48 +0000] "GET /A2BCustomer_UI/A2B_entity_callerid.php?atmenu=callerid&stitle=CallerID&section=8 HTTP/1.1" 200 7989
141.76.45.34 - - [04/Oct/2009:07:34:51 +0000] "GET /A2BCustomer_UI/call-history.php?section=2 HTTP/1.1" 200 20654
141.76.45.34 - - [04/Oct/2009:07:34:53 +0000] "GET /A2BCustomer_UI/templates/default/images/btn_top_12x12.gif HTTP/1.1" 200 138
141.76.45.35 - - [04/Oct/2009:07:34:53 +0000] "GET /A2BCustomer_UI/templates/default/images/clear.gif HTTP/1.1" 200 43
141.76.45.34 - - [04/Oct/2009:07:34:55 +0000] "POST /A2BCustomer_UI/call-history.php?s=1&t=0&order=t1.starttime&sens=DESC&current_page=0&terminatecause=ANSWER HTTP/1.1" 200 20699
141.76.45.35 - - [04/Oct/2009:07:34:55 +0000] "GET /A2BCustomer_UI/templates/default/images/animated_favicon1.ico HTTP/1.1" 404 388
141.76.45.35 - - [04/Oct/2009:07:35:53 +0000] "POST /A2BCustomer_UI/call-history.php?s=1&t=0&order=t1.starttime&sens=DESC&current_page=0&terminatecause=ALL HTTP/1.1" 200 20699


First, what can those 2 requests from Paypal's IP be, standing there all alone?
The previous log entry was yesterday night, and the next is 2h later, so it was not generated by a legitimate user transaction.
My guess is the fraudster tested his script with bad parameters.

Also, did you notice how the client went straight from login to checkout_confirmation.php (in record time, no less!)?

Also indicative of fraud, the source IP resolves to an open proxy in Germany:

[email protected]:~$ nslookup 141.76.45.34

Non-authoritative answer:
34.45.76.141.in-addr.arpa name = proxy1.anon-online.org.

Authoritative answers can be found from:
76.141.in-addr.arpa nameserver = ns.ripe.net.
76.141.in-addr.arpa nameserver = deneb.dfn.de.
76.141.in-addr.arpa nameserver = rnadm.urz.tu-dresden.de.
76.141.in-addr.arpa nameserver = ws-koe1.win-ip.dfn.de.
ns.ripe.net internet address = 193.0.0.193


So I checked the paypal return string in a2billing_epayment.log some more, and I noticed:
- the customer country is RO (Romania), and in a2b it's France (with what looks like a real address in Paris and a real French, Parisian phone number)
- the receiver_id parameter does not match my receiver_id (for all the previous, legal paypal payments, this parameter is identical - looks logical, it's kind of like my account number @paypal)
- the transaction ID is off by 1 (i.e. 2340, and the previous one is 2338). This might be a side effect of a modification I did to block a recharge in certain cases (see below).

So, basically, someone received 200 Euros; the payer should have a paypal transaction to my company, but the funds are in another person's account!

Lastly, I see that the fraudster checked the callback page - I'm really lucky he/she/they didn't use it, otherwise they could be profiting twice (receive the funds in what I presume is their account, PLUS the callback / overcharging fraud described elsewhere in this thread).
Or maybe I just reacted in time (~3h since the recharge this morning) and the fraudster planned on calling at night, when no one looks?

What I don't know is what paypal will do if (when!) the defrauded customer cancels this transaction.
Will they withdraw 200 Euros from my account, even if I never received the funds?
In which case, the fraudster just found the "perfect Paypal Fraud" (tm)!!!!!
But I doubt it - after all, I can prove I never received the funds in my account!

As hinted above, I personally implemented a few months back a hack where the paypal transaction completes, but the a2b account isn't charged - instead, I receive an email telling me that a transaction is pending, and I have to validate it and charge the account manually (I happen to know most of our real customers, that helps!).
This is because we had a series of fraudulent transactions cancelled by the owners, and the resolution process with paypal is too cumbersome.

But I really don't know what to do to prevent a case like this (apart from the obvious: add a parameter for my paypal receiver_id, check the transaction return against it, send me an email and block the a2b account recharge if it doesn't match).

Does anyone have an idea of how the fraudsters are able to go to paypal from my site, and persuade paypal to send the funds to another account - while still notifying my site of the transaction?
I'm looking into specially-crafted web requests by a script (I won't even bother looking at the User-Agent, it can be faked) which stores and modifies A2B's session cookies, and uses that to confuse paypal. What do you think?

Best regards,
--
Nicson
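Two defensive ideas from this thread combined into one worked example added here, not A2Billing's or PayPal's code: the receiver_id check Nicson calls "the obvious" fix (plus the country and payer-email mismatches he noticed in the return string, and a replayed transaction id), and Joe's earlier proposal to defer refills for unverified customers by 24 hours so that a chargeback arrives before the credit is usable. The key names (receiver_id, txn_id, payment_status, mc_gross, mc_currency, payer_email, residence_country) are the ones PayPal uses in its IPN messages; every value below is constructed, the receiver id is a placeholder, and the example assumes the notification has already been posted back to PayPal and answered VERIFIED before it reaches handle().

```python
"""Gate a PayPal payment notification before it becomes an A2Billing refill.

Added example, not A2Billing's or PayPal's code. IPN key names are PayPal's; all values
and the receiver id are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Dict, List, Set, Tuple

HOLD_PERIOD = timedelta(hours=24)             # the 24 h deferral proposed in the thread
OUR_RECEIVER_ID = "RECEIVER_ID_PLACEHOLDER"   # placeholder for your own PayPal receiver_id
OUR_CURRENCY = "EUR"


@dataclass
class Customer:
    email: str
    country: str       # country code the customer registered with
    verified: bool
    balance: Decimal = Decimal("0")


@dataclass
class Decision:
    action: str                                 # "credited", "held" or "rejected"
    reasons: List[str] = field(default_factory=list)


class PaymentGate:
    def __init__(self, receiver_id: str, currency: str, customers: Dict[str, Customer]):
        self.receiver_id = receiver_id
        self.currency = currency
        self.customers = customers
        self.seen_txn: Set[str] = set()
        # txn_id -> (release time, customer id, amount) for refills waiting out the hold
        self.held: Dict[str, Tuple[datetime, str, Decimal]] = {}

    def handle(self, ipn: Dict[str, str], customer_id: str, now: datetime) -> Decision:
        # Hard failures: the money did not go to us, is not complete, or the txn was replayed.
        reasons = []
        if ipn.get("receiver_id") != self.receiver_id:
            reasons.append("receiver_id does not match our account")
        if ipn.get("payment_status") != "Completed":
            reasons.append("payment_status is not Completed")
        if ipn.get("mc_currency") != self.currency:
            reasons.append("unexpected currency")
        txn = ipn.get("txn_id", "")
        if not txn or txn in self.seen_txn:
            reasons.append("missing or duplicate txn_id")
        cust = self.customers.get(customer_id)
        if cust is None:
            reasons.append("unknown customer")
        if reasons:
            return Decision("rejected", reasons)
        self.seen_txn.add(txn)
        amount = Decimal(ipn["mc_gross"])
        # Soft signals: keep the payment, but defer the refill so a chargeback lands first.
        flags = []
        if not cust.verified:
            flags.append("customer not verified")
        if ipn.get("residence_country") != cust.country:
            flags.append("payer country differs from registered country")
        if ipn.get("payer_email", "").lower() != cust.email.lower():
            flags.append("payer email differs from account email")
        if flags:
            self.held[txn] = (now + HOLD_PERIOD, customer_id, amount)
            return Decision("held", flags)
        cust.balance += amount
        return Decision("credited")

    def release_due(self, now: datetime) -> List[str]:
        """Apply held refills whose hold period has passed; returns the released txn_ids.
        A reversal that arrives during the hold simply deletes the entry from self.held."""
        released = []
        for txn, (release_at, cid, amount) in list(self.held.items()):
            if release_at <= now:
                self.customers[cid].balance += amount
                del self.held[txn]
                released.append(txn)
        return released


def demo() -> Tuple[Dict[str, object], PaymentGate]:
    """Run constructed notifications through the gate; returns the decisions and the gate."""
    customers = {"cust-verified": Customer("alice@example.net", "FR", True),
                 "cust-new": Customer("bob@example.net", "FR", False)}
    gate = PaymentGate(OUR_RECEIVER_ID, OUR_CURRENCY, customers)
    t0 = datetime(2009, 10, 4, 7, 26, 39)
    base = {"payment_status": "Completed", "mc_currency": "EUR", "mc_gross": "20.00",
            "receiver_id": OUR_RECEIVER_ID, "payer_email": "alice@example.net",
            "residence_country": "FR"}
    out: Dict[str, object] = {}
    out["good"] = gate.handle({**base, "txn_id": "TXN-1"}, "cust-verified", t0)
    out["unverified"] = gate.handle({**base, "txn_id": "TXN-2", "payer_email": "bob@example.net"},
                                    "cust-new", t0)
    out["wrong_receiver"] = gate.handle({**base, "txn_id": "TXN-3", "receiver_id": "SOMEONE-ELSE",
                                         "residence_country": "RO"}, "cust-verified", t0)
    out["replay"] = gate.handle({**base, "txn_id": "TXN-1"}, "cust-verified", t0)
    out["released"] = gate.release_due(t0 + HOLD_PERIOD)
    return out, gate
```

The receiver check is the one that would have caught the case in this post: a notification whose receiver_id is not ours is rejected outright, whatever else it says, and the operator gets the reasons list to put in the alert e-mail. The hold list is in memory here; in a real deployment it would live in a table that a cron job drains with release_due().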


 Post subject: Re: Fraud with paypal!!
PostPosted: Thu Nov 12, 2009 11:24 pm 
Joined: Sat Sep 27, 2008 8:06 pm
Posts: 23
There are quite a few good ideas, and there's no 'one size fits all' approach to this, as fraud morphs over time.

I am currently using MaxMind's Open Proxy detection ($0.004/transaction) along with their free GeoLite City db with great success. More info here: http://www.maxmind.com/app/ip-location. Basically using this to check the IP address - decline any open proxies and only allow specific countries where I have local access numbers. This has stopped most of my fraudulent transactions.

I also like the suggestion on putting some limitation on new accounts, limiting amount of purchase, or number of calls in a specified period. Put it in a different way, have no restrictions for 'tried and true' customers.

Good luck!


 Post subject: Re: Fraud with paypal!!
PostPosted: Sun Dec 13, 2009 3:07 am 
Joined: Wed Mar 15, 2006 11:58 pm
Posts: 325
I wonder why areski never acted on the security features he mentioned on this thread since 2006?


 Post subject: Re: Fraud with paypal!!
PostPosted: Sun Dec 13, 2009 11:06 am 
Joined: Sun Mar 12, 2006 2:49 pm
Posts: 954
Location: Barcelona
Hi Bruce,

I was just replying to the previous post, so those suggestions didn't come from me at first,
and I didn't share the idea to implement most of them; all aren't relevant.

Having said so, we are open to integrating some of them into A2Billing but someone would need to provide a patch
or contract us for development.

Yours,
/Areski


 Post subject: my solution against paypal fraud
PostPosted: Mon May 17, 2010 7:41 pm 
Joined: Fri Feb 27, 2009 5:43 pm
Posts: 33
Location: Germany, Berlin
First of all (as I opened this topic): thanks for discussing my posting so intensively.

Now, after one year without paypal I figured out a solution which seems to work for me.
Basically it is a check against the paypal account email address.

Here are my steps:

I used the normal "Paypal Basis" method with the NVP API and PHP curl which is described here: https://www.paypal.com/de_DE/html/IntegrationCenter/ic_home.html (unfortunately in German - I was not able to find the English version quickly, but I'm sure there is one)

The good thing with that is that there are 3 steps of communication with paypal (which is harder to manipulate):
1. The customer chooses paypal and the amount at my website - at this step my site communicates with paypal and gets a unique token from paypal.
2. The customer will be forwarded to paypal (with the token and some other transaction details of a2b) to log in and confirm the payment details (no payment is made at this step).
3. After that step the customer comes back to my site to initiate the payment (so I can make some checks on the paypal details).

This scenario is a bit better than simply forwarding the user with some data (amount, ... and a return link), because the real payment is made on your site. But surely that alone is not really an improvement for stolen paypal accounts, but it maybe helps against situations "nicson" had to deal with.

And now my security implementation:
Now, as the user pays on your server within a PHP script in "step 3", I was able to implement a check I long had in mind before. The important thing is that paypal gives us some information back like the paypal customer's name and the paypal account our customer wants to use.

First I made a simple check if the paypal account matches the email address which the customer has registered.
(something very simple like "if (paypalaccount == $customeremail) { DoPayment... }")
As A2B checks the email at the time of customer registration I think you can be pretty sure that the owner of the paypal account is in fact the same person who registered at your site.

So with this method you can be quite sure that no one pays with stolen paypal accounts. But unfortunately a lot of customers use different email addresses for paypal and your service. (I normally do that too ;-) )

So the second step was a possibility to use different paypal accounts as well.
I created an additional MySQL database with two tables (whitelist_paypalaccounts and blacklist_paypalaccounts). Naturally you also can just create two more tables within the a2b db, but I wasn't that sure that I wanted to use this db just for a2b, and even for a2b updates I think it is cleaner this way.
For now I just use the "whitelist_paypalaccounts" table, but maybe it makes sense in any way in the future to blacklist paypal accounts as well. (I'm sure there are scenarios for that)

Now, if the customer tries to use a paypal account which differs from the registered email address he gets a dialog instead of the final payment step to verify this paypal account.
After confirming this my system sends an email to the paypal account email address (not the one from the customer in the system) with an activation link (random 30-character string) which I also stored in the db.
After clicking the activation link in the email the paypal account is verified and ready to use (also for further payments).
The point is that only the real paypal account owner should be able to read the verification email.

Naturally there is a possibility that the email account of the paypal account owner is also hacked and the bad guy is able to verify the link too.
But I think that is not the normal fraud situation as I guess that 99% of the paypal fraud just uses stolen paypal accounts with passwords to do the fraud. In many cases these people have just bought the stolen paypal accounts from some other bad guy....

So I guess (and hope) this secures my paypal payments enough for now.

The downside surely is that my customers have to make this additional step to verify their paypal account (if it's not the same as their a2b email) the first time they use paypal to pay at my site. I tried to explain why it has to be like this to my customers (with an information link) and as I can see, my customers use it quite normally.

But I have to say that I also have some other payment methods my customers can use if they don't like that (credit card, direct banking and normal bank transfer).

I really would appreciate getting feedback from you guys if I made a logical failure with this or something.

I cannot publish the code right now as it is really dirty! :-( I am not a developer or something.
But if anyone wants advice or has questions you are welcome!!
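The e-mail match plus whitelist-and-activation-link flow from the post above, as a worked example added here. It is Python rather than the poster's PHP and is neither the poster's code nor A2Billing's. It assumes the payer's PayPal address has already been obtained from PayPal in step 3 and that the caller sends the activation e-mail itself; an in-memory SQLite database stands in for the separate MySQL database the post describes. Two details go beyond the post: only a hash of the activation token is stored, and tokens are single-use and expire after 24 hours. All addresses in demo() are constructed.

```python
"""Decide whether a customer may pay from a PayPal account whose e-mail differs from the one
registered in A2Billing, using a per-customer whitelist and a mailed activation token.

Added example, not the poster's or A2Billing's code. SQLite in memory stands in for the
separate MySQL database; the 24 h token lifetime and single use are assumptions.
"""
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta
from typing import Optional, Tuple

TOKEN_TTL = timedelta(hours=24)


class PaypalAccountVerifier:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE whitelist_paypalaccounts (
                customer_id TEXT NOT NULL, paypal_email TEXT NOT NULL, verified_at TEXT NOT NULL,
                PRIMARY KEY (customer_id, paypal_email));
            CREATE TABLE blacklist_paypalaccounts (paypal_email TEXT PRIMARY KEY, reason TEXT);
            CREATE TABLE pending_verifications (
                token_hash TEXT PRIMARY KEY, customer_id TEXT NOT NULL,
                paypal_email TEXT NOT NULL, expires_at TEXT NOT NULL);
        """)

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is stored, so a copied table does not yield usable activation links.
        return hashlib.sha256(token.encode()).hexdigest()

    def check_payment(self, customer_id: str, customer_email: str, payer_email: str,
                      now: datetime) -> Tuple[str, Optional[str]]:
        """Return ("pay", None), ("verify", token) or ("deny", reason)."""
        payer = self._norm(payer_email)
        row = self.db.execute("SELECT reason FROM blacklist_paypalaccounts WHERE paypal_email = ?",
                              (payer,)).fetchone()
        if row:
            return ("deny", row[0])
        if payer == self._norm(customer_email):
            return ("pay", None)  # the simple check from the post
        if self.db.execute("SELECT 1 FROM whitelist_paypalaccounts "
                           "WHERE customer_id = ? AND paypal_email = ?",
                           (customer_id, payer)).fetchone():
            return ("pay", None)
        token = secrets.token_urlsafe(30)  # 30 random bytes; the post used a random 30-char string
        self.db.execute("INSERT INTO pending_verifications VALUES (?, ?, ?, ?)",
                        (self._hash(token), customer_id, payer, (now + TOKEN_TTL).isoformat()))
        self.db.commit()
        # The caller mails a link carrying this token to `payer`, NOT to customer_email.
        return ("verify", token)

    def activate(self, token: str, now: datetime) -> bool:
        """Consume the token from the activation link; whitelist the PayPal address on success."""
        h = self._hash(token)
        row = self.db.execute("SELECT customer_id, paypal_email, expires_at "
                              "FROM pending_verifications WHERE token_hash = ?", (h,)).fetchone()
        if row is None:
            return False
        customer_id, payer, expires_at = row
        self.db.execute("DELETE FROM pending_verifications WHERE token_hash = ?", (h,))
        ok = datetime.fromisoformat(expires_at) >= now
        if ok:
            self.db.execute("INSERT OR IGNORE INTO whitelist_paypalaccounts VALUES (?, ?, ?)",
                            (customer_id, payer, now.isoformat()))
        self.db.commit()
        return ok

    def blacklist(self, paypal_email: str, reason: str) -> None:
        self.db.execute("INSERT OR REPLACE INTO blacklist_paypalaccounts VALUES (?, ?)",
                        (self._norm(paypal_email), reason))
        self.db.commit()


def demo() -> dict:
    """Walk the flow with constructed addresses; returns each outcome for inspection."""
    v = PaypalAccountVerifier()
    t = datetime(2010, 5, 17, 19, 41)
    out = {}
    out["same_email"] = v.check_payment("c1", "me@example.net", "Me@Example.net", t)[0]
    action, token = v.check_payment("c1", "me@example.net", "other@example.org", t)
    out["other_email"] = action
    out["bogus_token"] = v.activate("not-a-real-token", t)
    out["activate"] = v.activate(token, t + timedelta(minutes=5))
    out["reuse_token"] = v.activate(token, t + timedelta(minutes=5))
    out["after_verify"] = v.check_payment("c1", "me@example.net", "other@example.org", t)[0]
    out["other_customer"] = v.check_payment("c2", "x@example.net", "other@example.org", t)[0]
    _, late = v.check_payment("c2", "x@example.net", "late@example.org", t)
    out["expired"] = v.activate(late, t + TOKEN_TTL + timedelta(minutes=1))
    v.blacklist("bad@example.org", "chargeback")
    out["blacklisted"] = v.check_payment("c1", "me@example.net", "bad@example.org", t)
    return out
```

The whitelist is keyed on (customer, PayPal address), so verifying an address for one A2Billing account does not let a different account pay from it, and the activation mail goes to the PayPal address rather than the registered one, which is the whole point of the post's check: whoever controls that mailbox is treated as the account's owner.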


 Post subject: Re: Fraud with paypal!!
PostPosted: Mon May 17, 2010 8:13 pm 
Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
I'm interested to apply this patch.


 Post subject: Re: Fraud with paypal!!
PostPosted: Mon May 17, 2010 11:40 pm 
Joined: Fri Feb 27, 2009 5:43 pm
Posts: 33
Location: Germany, Berlin
Hi hellbound,

As I said, it's not really a patch. And it's not ready to deliver.

It is already installed on our secondary site. Let us first see if it is working smoothly over a short time. I'll try to make the code a bit nicer to give it to the forum.

@hellbound: Have you already implemented paypal in the way I did? Or do you just use the standard a2b way?

And maybe one important thing: I'm still on A2B 1.3.4 because I adjusted so many things... ;-)

And still: I would be very glad to hear other opinions on whether my solution is logically correct or if I missed something...

Cheers

