What is Transaction Fraud?
Transaction fraud is a growing issue for online payment services and companies that collect payment online. In a nutshell, online transaction fraud is when a fraudster steals the identity of another person and conducts a transaction in their name, for example with a stolen credit card.
One of the main reasons that fraud is so prevalent online is that verifying the identity of a person online is quite challenging. Traditionally, successful identity verification processes are high-friction and time-consuming, which can dramatically reduce revenue through a payment form. If you make your payment flow challenging enough to block fraudsters, you’re going to make it challenging for non-fraudsters as well.
In the case of nonprofit organizations, it’s not usually the case that a stolen credit card is used to make a big donation. More commonly, a list of stolen credit card numbers is run at high rates against a donation form so that fraudsters can test each card.
For example, a fraudster might have a large list of stolen credit cards, some of which may already have been reported stolen and deactivated. To find out which cards are still active, the fraudster runs them against a payment form at small payment amounts. If the donation succeeds, the fraudster knows that card can be used for further fraudulent transactions. In many cases, fraudsters are quite sophisticated and use bots to conduct the testing.
It’s important to note that online transaction fraud is unrelated to the security of your data. Transaction fraudsters are not attempting to break into your database and steal your information—they are simply trying to conduct a transaction on your public-facing payment tool. The data hosted in your Funraise database is not at risk in the context of transaction fraud.
Online transaction fraud can expose your organization to chargebacks and fees. Besides financial losses, the amount of time it takes to deal with a large-scale fraud attack is significant.
While fraud is, and forever will be, an aspect of online payments, Funraise offers several strategies to mitigate the risk of online transaction fraud.
Ways that Funraise is reducing your exposure to fraudulent activity
There is no silver bullet tool to eliminate transaction fraud online. Just like any security protocol, it requires a collection of risk mitigation actions that target specific aspects of fraud attempts. Here are several methods we use to prevent fraud. Please note, not all methods are available for all payment configurations.
Rate limiting and IP banning
To limit fraud bots, Funraise bans IP addresses that exceed our set rate limits. Rate limiting can knock out IPs that are part of botnets.
We also have a layer of fraud mitigation for Stripe transactions that bans IP addresses based on signals from Stripe.
Preventing fraud requires active monitoring from humans along with the use of automated tools. Our systems team monitors the logs and transaction success rates across all of our customers to proactively mitigate fraud.
Enhanced Fraud Mitigation with Machine Learning
Funraise utilizes machine learning technology to automatically fail transactions that appear to be fraudulent. After (machine) learning the behavior patterns of your online donors, we can identify behaviors that fall outside the norm. The benefit of this method is that your donation experience is easy and seamless, while top-tier fraud detection is running behind the scenes.
This method cannot stop fraud attempts altogether, but it can reduce your exposure to risk by automatically failing risky transactions.
We will be rolling out Enhanced Fraud Mitigation to organizations who experience higher rates of fraud before making this feature available more widely. We hope it's so good, you'll never know it's there.
Web Application Firewall (WAF)
The WAF inspects HTTP traffic for constantly shifting signals, assesses both the trustworthiness of the source and the validity of each request, and blocks requests that fail those checks.
While Funraise’s WAF was intended to mitigate carding attacks, it also offers protection against malicious hackers—the WAF filters out web traffic by detecting the fingerprints of known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.
Google reCAPTCHA
Funraise Giving Forms (V2) have a built-in integration with Google reCAPTCHA. This integration is automatically enabled and does not require configuration. The basic concept of a reCAPTCHA is to ask a human to complete a task that is particularly difficult for a basic bot to accomplish, like identifying objects in pictures.
reCAPTCHA is dynamically displayed on the Giving Form when Funraise detects fraud patterns, such as a high volume of donations coming from a single IP address. reCAPTCHA is removed from the form after the detected fraud patterns cease. By displaying reCAPTCHA dynamically, your forms provide the most efficient donation process and experience for your donors while still mitigating bot attacks.
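As an added illustration (not Funraise's code), the following Python sketch ties together three things the page describes: the per-IP rate limit and ban from the rate-limiting section, the card-testing signature from the top of the page (many distinct cards, token amounts, mostly declines from one source), and the dynamic reCAPTCHA decision from this section. The thresholds, window length, IP addresses and transaction records are all constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECS = 60      # per-IP history kept for rate decisions (assumed value)
CAPTCHA_AT = 5        # attempts in window before the form shows reCAPTCHA
BAN_AT = 10           # attempts in window before the IP is banned outright
SMALL_AMOUNT = 5.00   # card tests typically use token amounts
# Constructed sample traffic: (unix_ts, ip, amount, card_fingerprint, outcome)
DONOR = [(0, "198.51.100.7", 50.00, "card-A", "approved"),
         (30, "198.51.100.7", 25.00, "card-A", "approved")]
CARDER = [(100 + 2 * i, "203.0.113.9", 1.00, f"card-{i}",
           "approved" if i % 4 == 0 else "declined") for i in range(12)]
EVENTS = sorted(DONOR + CARDER)

class IpMonitor:
    def __init__(self):
        self.history = defaultdict(deque)   # ip -> (ts, amount, card, outcome)
        self.banned = set()
    def _recent(self, ip, now):
        q = self.history[ip]
        while q and now - q[0][0] > WINDOW_SECS:   # forget events outside the window
            q.popleft()
        return q

    def record(self, ts, ip, amount, card, outcome):  # False = dropped by ban/rate limit
        if ip in self.banned:
            return False
        q = self._recent(ip, ts)
        q.append((ts, amount, card, outcome))
        if len(q) >= BAN_AT:
            self.banned.add(ip)
            return False
        return True

    def needs_captcha(self, ip, now):
        # Shown only while recent volume is high; clears again as the window drains
        return len(self._recent(ip, now)) >= CAPTCHA_AT

    def looks_like_card_testing(self, ip, now):
        # Signature: many distinct cards, token amounts, mostly declines, one source
        q = self._recent(ip, now)
        n = len(q)
        cards = {card for _, _, card, _ in q}
        small = sum(1 for _, amt, _, _ in q if amt <= SMALL_AMOUNT)
        declined = sum(1 for *_, out in q if out == "declined")
        return n >= CAPTCHA_AT and len(cards) >= 0.8 * n and small >= 0.8 * n and declined >= 0.5 * n

def replay(events):
    mon = IpMonitor()   # returns (monitor, number of attempts that reached the gateway)
    return mon, sum(1 for e in events if mon.record(*e))
```

Note the two different lifetimes: the reCAPTCHA flag clears by itself once the IP's window drains, while the ban persists until an operator lifts it.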
Gateway Level Fraud Prevention
Funraise's preferred payment processor is Stripe.
Funraise's form is configurable so you can collect the information required for the gateway-level verification methods appropriate for your use case. These include Address Verification Service (AVS) and Card Verification Value (CVV).
Within Stripe you can activate Stripe Radar, a fraud prevention tool managed by Stripe. It offers another layer of protection behind the scenes that doesn't interfere with your organization's donation experience.
Additionally, Funraise passes over the IP address of each online transaction, along with other transaction data. In the case of Stripe, you can use this to manually block a specific IP address that shows repeated fraudulent activity. Blocking an IP address is a short-term way to quickly stop a high-volume fraud attempt, but without other mitigation strategies it can become a cat-and-mouse game, since the fraudster can simply change their IP address.
So, no more carding fraud?
Unfortunately, carding fraud attacks will continue to occur. Like all security strategies, our goal is risk mitigation—it’s impossible to be free from risks online. Our team is consistently monitoring and enhancing our fraud protection strategies and technologies.