How to detect and prevent credit card fraud with PHP

Credit card fraud

Credit card fraud is a wide-ranging term for theft and fraud committed using or involving a payment card, such as a credit card or debit card, as a fraudulent source of funds in a transaction. Credit card fraud is also an adjunct to identity theft.

Card fraud begins either with the theft of the physical card or with the compromise of data associated with the account, including the card account number or other information that would routinely and necessarily be available to a merchant during a legitimate transaction. The compromise can occur by many common routes and can usually be conducted without tipping off the cardholder, the merchant, or the issuer at least until the account is ultimately used for fraud.

When a credit card is lost or stolen, it may be used for illegal purchases until the holder notifies the issuing bank and the bank puts a block on the account. Most banks have free 24-hour telephone numbers to encourage prompt reporting. Still, it is possible for a thief to make unauthorized purchases on a card before the card is canceled. Without other security measures, a thief could potentially purchase thousands of dollars in merchandise or services before the cardholder or the card issuer realizes that the card has been compromised.

As part of your financial obligations to the card networks, you must ensure that disputes (also called chargebacks) and fraud are kept to acceptable levels. If these exceed the thresholds dictated by each network (e.g., Visa or Mastercard), you are placed into one of their monitoring programs. As part of a program, you can be subject to monthly fines and additional fees until your dispute or fraud levels have been reduced.


Fraud detection

In this article we will focus on three signals that can be used to detect possible fraud:

  • Compare billing address with visitor location
  • Detect Tor, VPN, anonymous proxy usage and hosting providers
  • Check for known cyberattack vectors

Compare billing address with visitor location

The billing address is checked against the issuer's records by the card networks, so perpetrators tend to fill in the real cardholder address when placing fraudulent orders online. A visitor located in a country different from the billing address could therefore be using a stolen card. Country-level geolocation is a signal, not proof: cardholders travel and some corporate networks egress abroad, so treat a mismatch as a reason for review rather than an automatic rejection.

<?php
// The free open source DB-IP API client is available on GitHub : https://github.com/dbip/api-client
require "dbip-client.class.php";

// Uncomment the line below and fill in your API key
//DBIP\APIKey::set("YOUR_API_KEY_GOES_HERE");

// Sample order data with amount and country of billing address
$orderData = [
	"country" => "US",
	"totalAmount" => 100,
];

// Get the client IP address from the $_SERVER global array.
// X-Forwarded-For is supplied by the client and can be forged, so it is only
// honoured when the direct peer (REMOTE_ADDR) is a reverse proxy or load
// balancer you control; otherwise an attacker can choose the country they
// appear to come from simply by sending the header.
$trustedProxies = ["10.0.0.1"]; // addresses of your own proxies / load balancers
$ipAddress = $_SERVER["REMOTE_ADDR"];
if (in_array($ipAddress, $trustedProxies, true) && !empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
	// The header is a comma-separated chain; the last entry is the one appended by our proxy
	$chain = array_map("trim", explode(",", $_SERVER["HTTP_X_FORWARDED_FOR"]));
	$ipAddress = end($chain);
}

// Lookup IP address information
$addrInfo = DBIP\Address::lookup($ipAddress);

// Compare with billing address
if ($orderData["country"] !== $addrInfo->countryCode) {
	echo "Warning: visitor is not located in {$orderData['country']}";
}


Add checks for Tor, VPN or anonymous proxy usage and known attack sources

<?php
// The free open source DB-IP API client is available on GitHub : https://github.com/dbip/api-client
require "dbip-client.class.php";

// Uncomment the line below and fill in your API key
//DBIP\APIKey::set("YOUR_API_KEY_GOES_HERE");

// Sample order data with amount and country of billing address
$orderData = [
	"country" => "US",
	"totalAmount" => 100,
];

// Get the client IP address from the $_SERVER global array.
// X-Forwarded-For is supplied by the client and can be forged, so it is only
// honoured when the direct peer (REMOTE_ADDR) is a proxy you control.
$trustedProxies = ["10.0.0.1"]; // addresses of your own proxies / load balancers
$ipAddress = $_SERVER["REMOTE_ADDR"];
if (in_array($ipAddress, $trustedProxies, true) && !empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
	// The header is a comma-separated chain; the last entry is the one appended by our proxy
	$chain = array_map("trim", explode(",", $_SERVER["HTTP_X_FORWARDED_FOR"]));
	$ipAddress = end($chain);
}

// Lookup IP address information
$addrInfo = DBIP\Address::lookup($ipAddress);

// Simple scoring: each signal adds one point
$score = 0;
if ($orderData["country"] !== $addrInfo->countryCode) {
	// Warning: visitor is not located in the billing country
	$score++;
}
if ($addrInfo->isProxy) {
	// Warning: visitor is actively hiding their true IP address (Tor, VPN, anonymous proxy)
	$score++;
}
if ($addrInfo->usageType === "hosting") {
	// Warning: genuine shoppers do not usually come from hosting providers' IP space
	$score++;
}
if ($addrInfo->threatLevel === "high") {
	// Warning: visitor IP is a known source of cyberattacks
	$score++;
}
if ($orderData["totalAmount"] >= 1000) {
	// Warning: this is an unusually large order
	$score++;
}

// Decide: reject on strong evidence, hold anything suspicious for a human, otherwise process
if ($score >= 3) {
	// Reject order
} else if ($score >= 1) {
	// Queue the order for manual review
} else {
	// Process order automatically
}
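The two scripts above both read the client address from the request and then score the order. The example below, added here and not part of the original article or of the DB-IP client, pulls those two steps out into functions that can be run and tested offline: a clientIp() helper that applies the trusted-proxy rule (and walks past any further trusted hops in the chain, rejecting malformed or private addresses) and a scoreOrder() function with the same thresholds as the article. The lookup results are constructed stdClass objects using the field names the article uses (countryCode, isProxy, usageType, threatLevel); the addresses, the proxy list and the function names are assumptions for illustration, and no API call is made.

```php
<?php
declare(strict_types=1);

// Added example, not from the DB-IP client or the original article.
// Lookup data below is constructed; DBIP\Address::lookup() is not called.

/**
 * Return the client IP to score. X-Forwarded-For is only honoured when the
 * TCP peer (REMOTE_ADDR) is one of our own proxies. The chain is read from
 * the right, because only the rightmost entries were appended by hosts we
 * trust; everything to the left of them was supplied by the client.
 */
function clientIp(array $server, array $trustedProxies): string
{
    $peer = $server["REMOTE_ADDR"] ?? "";
    if (!in_array($peer, $trustedProxies, true) || empty($server["HTTP_X_FORWARDED_FOR"])) {
        return $peer;
    }
    $chain = array_map("trim", explode(",", $server["HTTP_X_FORWARDED_FOR"]));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $candidate = $chain[$i];
        if (in_array($candidate, $trustedProxies, true)) {
            continue; // another hop of our own infrastructure, keep walking left
        }
        // Reject junk, private and reserved addresses: fall back to the peer
        // (our own proxy) rather than trusting an unusable value.
        if (filter_var($candidate, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return $peer;
        }
        return $candidate;
    }
    return $peer;
}

/**
 * Score an order against a lookup result. Returns the score, the decision
 * (accept / review / reject, same thresholds as the article) and the reasons,
 * so that a manual reviewer can see why the order was held.
 */
function scoreOrder(array $order, object $addrInfo): array
{
    $reasons = [];
    if ($order["country"] !== $addrInfo->countryCode) {
        $reasons[] = "visitor country {$addrInfo->countryCode} differs from billing country {$order['country']}";
    }
    if (!empty($addrInfo->isProxy)) {
        $reasons[] = "visitor is behind a Tor exit, VPN or anonymous proxy";
    }
    if (($addrInfo->usageType ?? "") === "hosting") {
        $reasons[] = "visitor IP belongs to a hosting provider";
    }
    if (($addrInfo->threatLevel ?? "") === "high") {
        $reasons[] = "visitor IP is a known source of attacks";
    }
    if ($order["totalAmount"] >= 1000) {
        $reasons[] = "unusually large order";
    }
    $score = count($reasons);
    $decision = $score >= 3 ? "reject" : ($score >= 1 ? "review" : "accept");
    return ["score" => $score, "decision" => $decision, "reasons" => $reasons];
}

// Constructed lookup table standing in for DBIP\Address::lookup() (assumed values)
$lookups = [
    "203.0.113.7"  => (object) ["countryCode" => "US", "isProxy" => false, "usageType" => "residential", "threatLevel" => "low"],
    "198.51.100.9" => (object) ["countryCode" => "NL", "isProxy" => true,  "usageType" => "hosting",     "threatLevel" => "high"],
    "10.0.0.1"     => (object) ["countryCode" => "US", "isProxy" => false, "usageType" => "hosting",     "threatLevel" => "low"],
];
$trustedProxies = ["10.0.0.1"]; // assumed address of our own load balancer
$order = ["country" => "US", "totalAmount" => 100];

$cases = [
    // 1. Direct connection from a residential US address: score 0, accept
    ["REMOTE_ADDR" => "203.0.113.7"],
    // 2. Forged header from an untrusted peer is ignored: the NL hosting
    //    address itself is scored (mismatch + proxy + hosting + threat), reject
    ["REMOTE_ADDR" => "198.51.100.9", "HTTP_X_FORWARDED_FOR" => "203.0.113.7"],
    // 3. Same header, but arriving via our own load balancer: the US client is scored, accept
    ["REMOTE_ADDR" => "10.0.0.1", "HTTP_X_FORWARDED_FOR" => "203.0.113.7"],
];

foreach ($cases as $n => $server) {
    $ip = clientIp($server, $trustedProxies);
    $result = scoreOrder($order, $lookups[$ip]);
    printf("case %d: ip=%s score=%d decision=%s\n", $n + 1, $ip, $result["score"], $result["decision"]);
    foreach ($result["reasons"] as $reason) {
        printf("  - %s\n", $reason);
    }
}
```

Case 2 is the one that matters: without the trusted-proxy rule the forged X-Forwarded-For would make the order look like a clean US residential visitor and it would be processed automatically. In production, replace the $lookups table with DBIP\Address::lookup($ip) and populate $trustedProxies from your load balancer configuration rather than hard-coding it.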


Compatibility

API plans : Free, Basic, Core, Extended
Databases : IP to Country, IP to City, IP to Location, IP to ISP, IP to Location+ISP

See also : Get visitor country with Javascript
