The Incredible Tale of the PCI DSS SAQ
By rorie 84 Comments
People often ask me what I do around here, and it's a valid question, since so much of what I do is not publicly visible. Needless to say, there's a lot of weird stuff that Giant Bomb has going on in the background that other sites in the CBSi family don't have to deal with, largely because many of them don't feature subscription services, nor do they have storefronts through which they sell merchandise. So I figured I'd start writing the occasional blog about what keeps me busy on a day to day basis.
Lately it's been monitoring our store. You may have used the store in the past to get a t-shirt or poster or something, and if you did, then thanks! We don’t make a huge amount of money from the store, since we generally try to offer merchandise of a decent level of quality without making the prices too crazy, which means our costs are pretty close to the list price of most of the items we offer. We make some money on each order, but no one’s taking baths in Cristal or anything.
Normally, that’s all fine and good, except when we start getting people trying to make fraudulent orders, as has been happening with increasing frequency of late. Our store is run through Shopify, which automatically takes a look at each order and pops up various flags based on suspicious activity, such as billing address not matching where the credit card’s registered and CVVs not matching.
EDIT: To be clear, none of the below should be taken as an indicator that Giant Bomb has any kind of security issue with its store. We don't even have access to your credit card numbers; everything we do is through third-party vendors that keep all that stuff locked up good and tight. People are using credit card numbers they've stolen elsewhere; felt like a good idea to make that clear.
Those are both pretty good indicators that someone’s using a stolen credit card to place an order, especially the mismatched CVV. The CVV’s the little three-digit code on the back of the card that you’re usually asked to enter when placing an order online; the Payment Card Industry Data Security Standard prevents it from being stored, so when credit card records are breached, hackers usually just get the card number but have to make a guess at the CVV. It’s pretty rare that anyone using a valid card won’t know or be able to access their CVV, since it’s right there on the back of the card, so mismatched CVVs are usually an excellent indicator that an order is fraudulent.
(As an aside, I’m also the guy who has to report on our PCI compliance, which involves wonderful things like payment data flow diagrams and something called a PCI DSS SAQ. It’s pretty thrilling stuff.)
Anyhow, there are enough steps in our ordering chain that sometimes a fraudulent order will slip through, which will generally lead to a chargeback later on down the line. Since we keep records of where we ship, we can supply those to Paypal to prove that an order was shipped and signed for, which usually result in Paypal contesting the chargeback with the credit card company, after which I have no idea what happens. I presume that credit card companies simply eat a certain number of fraudulent charges as part of the cost of doing business.
Recently, though, there’s been a bit of an uptick in fraudulent orders to the store, mostly being placed from Venezuela with shipping addresses in southern Florida. From what I can tell, it looks like there’s some kind of well-organized credit card scamming gang that rip off tons of credit card numbers and convert them into physical goods before the numbers are shut down. That might sound paranoid, but googling some of the shipping addresses have led to things like Yelp listings for the businesses there, which in turn lead to plenty of reports of other merchants reporting the addresses being associated with stolen CC numbers. I guess someone in Venezuela or Miami really likes Giant Bomb, because they’ve been ordering plenty of merchandise over the past few months. Or they just use it to smuggle cocaine, or something. Edit: Someone on Twitter suggested that they might just be trying to place small orders to see which credit card numbers were still active before using them for large purchases elsewhere, which makes sense.
So, I’ve been trying to keep track of all the orders that are coming in and have been manually cancelling anything that looks suspicious. That hasn’t stopped the orders from coming in, of course, even though I make sure to send emails back indicating that the orders were cancelled because they’re suspected to be fraudulent. Not that anyone’s reading them; I’m pretty sure the email addresses are as fake as the orders themselves.
What’s interesting is that the orders from southern Florida have mostly subsided (with a few exceptions) in favor of orders from places like Lithuania, Tunisia, Albania, and other exotic locales. It’s interesting to see the purchasing habits of people who’re playing with other people’s money. One order was for a single t-shirt and a hoodie, but still managed to be $236 thanks to a mammoth $181 shipping charge. (If you’re ordering from eastern Europe, you might want to opt for something cheaper than overnight shipping.) What’s curious is that a lot of these new orders are passing the CVV checks. Presumably this means that these orders are being placed from credit cards that were actually physically stolen, or perhaps issued by legitimate vendors based on fraudulent applications.
I’ve been refreshing the orders page pretty regularly lately, examining all of the orders coming in, and cancelling all the fraudulent ones; at this point I'm pretty sure that I've pissed someone off, because the frequency has increased to the point where over half of all orders coming in are fraudulent, with over $1200 in fraudulent orders in the last couple of days alone. I’m not going to go into the criteria I use to detect suspicious orders, but suffice to say that the “is this order legitimate” game is pretty fun sometimes, especially since I rarely play actual games at work nowadays. Undoubtedly there’ll be a legitimate order that I accidentally cancel at some point, so if you wind up getting an order cancelled mysteriously, let me know and I’ll look into it. I'm looking into some Shopify apps that add a second level of protection against fraudulent orders in the meantime.
And that’s one of the things that I've been up to. So there!
84 Comments