How do non-profits deal with fraudulent donations?
April 19, 2012 9:14 AM   Subscribe

I'm the volunteer web developer for a local non-profit and we're having a problem with our donation page. It's the problem described in this article and this article - what's happening is that credit card thieves are using our donation page to validate stolen credit cards.

We had this problem with our previous credit card processor and they were no help, our new credit card processor has told us that they only validate addresses when executing the charge, so we would have to issue a refund when the address validation fails (and eat the transaction fee).

I've e-mailed the Red Cross to ask what they do because their donation page looks pretty much like ours (and Obama's, and Romney's) - we don't force people to register first so there's no e-mail verification. It's a one page form to make the process as painless as possible for donors. The Red Cross hasn't written back, maybe they're suspicious of people who ask about their fraud prevention methods. I don't blame them.

So what do you guys recommend?
posted by exhilaration to Computers & Internet (9 answers total) 4 users marked this as a favorite
Response by poster: I've searched Google for guidance on this issue, hoping there's a site out with the "best practices for non-profits accepting online donations" or something like that. I found nothing but if you have any links with this kind of information I'd love to see them.
posted by exhilaration at 9:19 AM on April 19, 2012

Are you guys members of any nonprofit foundation organizations, like Council on Foundations, Foundation Center, or Association of Small Foundations? Their member zones are pretty helpful for a wide range of issues, and you might be able to find useful resources there.
posted by elizardbits at 9:33 AM on April 19, 2012 [1 favorite]

How about notifying donors on the page that there may be up to a four business day delay (or whatever it takes for 90% of stolen numbers to go bad) before final processing of their donation, in order to "help protect them from credit card fraud"?

That might be discouraging enough that you wouldn't even have to do it.
posted by jamjam at 10:00 AM on April 19, 2012 [1 favorite]

It sounds like you should be able to find a payment provider that will allow you to validate the CC address without a transaction.

E.g., it seems like Visa allows this, so some payment providers must implement it in their API:

AVS (Address Verification Service) verifies a cardholder's billing address information in real time and provides you with a results code that's separate from the authorization response code. This, in turn, allows you to make an informed transaction "risk-assessment" decision on whether to continue with the transaction.
posted by SNACKeR at 10:13 AM on April 19, 2012

Could you just outsource the payment processing to an organization like JustGive or Network For Good? They take a percentage of donations; I don't know how this compares to the fees you pay the credit card companies.
posted by evilmomlady at 11:47 AM on April 19, 2012

Where I work, one thing that helped was to set the minimum donation to $2. Part of the reason credit card thieves validate the cards through nonprofit sites is because we often allow donations of $1 or less. If you set the bar higher, a large proportion of thieves will go elsewhere.

I'm sure there are lots of other steps you could take, but that's one I know. Good luck!
posted by Susan PG at 6:10 PM on April 19, 2012

Best answer: Dealing with this myself at the moment. There was a recent breech at a major payment provider and I believe we're in the fallout of that right now.

I've by no means solved it but here are a few steps I've taken:
  1. Determine if the IP geolocation matches the billing address. A large majority of these fraudies have all of the billing information, but they'll be processing them from another country (in my case Vietnam and Indonesia). Most programming languages have some kind of geolocation packages available for you to use.
  2. They will usually use the same email address for multiple billing addresses. If I detect more than one address per billing address I flag it for review. More than two, automatically deny it. You have to be careful with this one as periods (for GMail) and the plus sign are valid characters in email addresses.
  3. Most payment providers will provide responses to your payment requests that indicate that the billing address does not match, the AVS/CVS codes do not match, the BIN number of high risk or a general risk score for the transaction. You need to handle these responses appropriately.
  4. As Susan PG mentioned, watch for transaction amounts that are unusual. If your donation page has suggested amounts, look for transactions that are either much lower or much higher than what is suggested. You could also assemble numbers of valid and invalid transaction amounts to use as a rough statistical guideline to identify probable fraud transactions.
I assign scores to each of the above and based on a threshold, I'll deny the transaction. So, if the country does not match the IP and there is a risky BIN and an unusual amount, I will flag the transaction for review or deny it outright.

It's tricky. As I said, I'm still struggling with it.
posted by purephase at 7:07 PM on April 19, 2012 [2 favorites]

Response by poster: Thanks folks, we've already got a minimum of $10 and we'd really like to keep the payment within our website without having to go anywhere else. Purephrase's suggestion of setting up a score and dealing with it seems like what we'll do, the part about the IP lookup is pretty clever as well.
posted by exhilaration at 8:11 AM on April 20, 2012

Another thing you might do is to use a "CSRF" protection scheme. It sounds complex, but isn't really.

Many times, scammers will just script a call to your form submit page, filling in the fields programmatically.

If you have a "CSRF" token as a hidden field on that page, then the scammers cannot automate using your page. They'd have to visit the page and fill it in manually or via Javascript before submitting. Otherwise, the form will just respond "CSRF validation failed", because the submitted CSRF token was missing, invalid, or has already been used.

This is one thing I really like about Django, which is built-in CSRF protection for all forms by default. But, any decent system should be able to handle adding CSRF.

Here's a reasonable site about the idea:

Personally, I'd think this would be much easier than geolocating the requesting site.
posted by Invoke at 5:01 PM on April 20, 2012

« Older shaving off the time sinks   |   My baby is safe but keeps giving me nightmares. Newer »
This thread is closed to new comments.