Peter Beckman <beckman@angryox.com> writes:
If you are taking card-not-present credit card transactions over the ...snip "hard to charge fraudulent customers" and also "verifying customer identity annoys the customer"... points-
The goal here is to give abuse a negative expected return. One way to do this is to charge (and collect) a fee that is greater than what the spammer can earn between when they sign up and when you shut them down. There are two ways to do this:

1. raise (and collect) the abuse fee, or
2. lower the amount they can earn before you shut them down.

I am suggesting that we put some effort into 2. If we can reduce the amount of time between when a spammer signs up and when they are shut down, we raise the spammer's costs. I think there is low-hanging fruit in this area.

I believe that the 'strongly authenticate customer, then take legal action' model is dictated by the fact that most abuse incidents are not actually reported to your abuse desk - some abusive customers can go days or weeks before you receive a complaint. To give abuse a negative expected return, then, you need to make the consequence expensive. (To say nothing of covering the costs of trying to get good logs/evidence out of those who are complaining, or trying to figure out if your customer is a spammer or if your customer was owned by a spammer, and the costs of collecting the fee.)

I wanted to point out another option providers now have. IDS technology has matured. Snort is free and pretty standard. Personally, I find monitoring incoming traffic to be... of limited utility. However, I believe Snort is an excellent tool for lowering the cost of running an abuse desk, if you run it on the outgoing traffic. Snort is pretty good about alerting you to outgoing abuse before people complain. Heck, if you trust it, you can have it automatically shut down the abusive customers.
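Added example, not part of the original message: one way an abuse desk could triage Snort "fast" alerts for outgoing traffic only, grouping them by customer address. The customer netblock, the threshold, the alert messages and the sample log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the original message): customer address space and
# the number of distinct alerted destinations that triggers a review.
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24")]
THRESHOLD = 3

# Snort fast alert: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

# Constructed sample alerts (documentation address ranges, made-up rules).
SAMPLE_ALERTS = """\
08/28-12:00:01.000000  [**] [1:1000001:1] CONSTRUCTED outbound SMTP burst [**] [Priority: 2] {TCP} 192.0.2.10:40001 -> 198.51.100.1:25
08/28-12:00:02.000000  [**] [1:1000001:1] CONSTRUCTED outbound SMTP burst [**] [Priority: 2] {TCP} 192.0.2.10:40002 -> 198.51.100.2:25
08/28-12:00:03.000000  [**] [1:1000001:1] CONSTRUCTED outbound SMTP burst [**] [Priority: 2] {TCP} 192.0.2.10:40003 -> 198.51.100.3:25
08/28-12:00:04.000000  [**] [1:1000002:1] CONSTRUCTED outbound SSH attempt [**] [Priority: 2] {TCP} 192.0.2.20:40004 -> 198.51.100.9:22
08/28-12:00:05.000000  [**] [1:1000003:1] CONSTRUCTED inbound web probe [**] [Priority: 3] {TCP} 203.0.113.5:50000 -> 192.0.2.30:80
truncated or unparseable line
"""

def is_customer(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_NETS)

def outbound_offenders(lines, threshold=THRESHOLD):
    """Map customer IP -> sorted alert messages, for customers whose outgoing
    alerts reach at least `threshold` distinct external destinations."""
    dsts, msgs = defaultdict(set), defaultdict(set)
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip lines that are not fast-format alerts
        src, dst = m["src"], m["dst"]
        # Outgoing only: customer source, non-customer destination.
        if is_customer(src) and not is_customer(dst):
            dsts[src].add(dst)
            msgs[src].add(m["msg"])
    return {ip: sorted(msgs[ip]) for ip in dsts if len(dsts[ip]) >= threshold}

if __name__ == "__main__":
    for ip, why in outbound_offenders(SAMPLE_ALERTS.splitlines()).items():
        print(f"review {ip}: {', '.join(why)}")
```

Whether the result feeds a ticket queue or an automatic suspension depends on how much you trust the rule set, as the message says.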