How to protect against fraud? - paypal

I have a VoIP calling company for a Russian market with a Russian website where people can sign up for an account, buy credit and make calls. My service is not even popular and I have only ~100 customers. Recently, I had around 10 fraudulent users who used stolen credit/debit card or PayPal accounts to make payments. Even though my website is in Russian, I had fraudulent customers from Somalia who purchased $50 worth of credit with stolen information. Two days later after fraudulent user signed up & used up their credit, I received email from PayPal saying that those transactions were "unauthorized (transactions)." PayPal gave me 10 days to resolve this dispute and make refunds by talking to people whose financial information was compromised. After hours of arguing and debate, I had to make refund and accept the loss. But, is this how it works? What if I had 100 fraudulent customers who purchased $1000.00 worth of credit? How can I insure myself against this? Note that my service was in Russian, what if I had English website for everyone to sign up? How do you protect your service against such things?
Some of the measures I can think of are:
Customer must activate their account via verification email (Already implemented)
Accounts are by default aren't activated, I have to manually
activate them (Customers may not like this)
Calling the new customer at provided phone # to make sure if he
really signed up (I hate this one)
All of your advises and opinions are appreciated!

I worked at a similar company (no names) and the only thing we could do that actually solved the problem was to have the users sign up with a credit card, billing the minimum amount from their card while generating a code that was included in their statement (a'la "VoipMaster (4711)")
They then had to look up their credit card bill (many banks let you do it pretty much immediately online) and enter that code at our site. In other words, the user had to have access to the credit card bill to sign up, not just the credit card information.
I think that pretty much stopped fraud cold, but it's hard without marketing research to tell how many valid users didn't sign up because of it.

Its just the pitfall of accepting online payments. You do not lose $1000 worth of money when you have to refund though. Paypal should not charge you any fee's for reversing the money and therefore you have not lost anything apart from a small amount of time.
There are some things you could do to try and prevent this happening in the first place. The biggest thing would be to chose one or more vectors and then detect any changes on those vectors. A change would then need to have a secondary authorisation.
For example you could say that if you try and use a different paypal account to the last one you used, then you must go through confirmation stage.
Another one could be that if you purchase more than a certain limit then you go through the confirmation stage.
If your IP address changes you go through the confirmation stage (not so good, but its an idea nonetheless).
The confirmation process/stage could be anything you deem suitable to ensure to the best of your ability that they are legitimate. For example you may require email confirmation from them or require them to wait 24 hours for the credit to be given (provide a phone number they can call you on to fast track maybe).
Theres no sure fire way, but the harder you make it the less it will happen. Theres hundreds of things you could do based on the simple theory i posted above. Nevermind more complex things you could possible use. At $50 a time i would assume they are using your site as a test site to ensure the details all work ok, before going on to using them for larger payments elsewhere or transferring money to there own accounts. So if you make it harder for them to do that,, they will find somewhere else to test them.

Related

Handling Paypal transactions as a third party, not sender or recipient

I need to be able to initiate transactions between two unknown parties via Paypal, say donor and recipient, without ever having to be exposed to the money itself - is this possible?
Basically, I want a donor to be able to click the donate button, fill in the amount and then be passed to Paypal to verify their details. My site will also supply the recipients account details to Paypal so the money goes directly to them rather than to my Paypal account. Essentially I want to enable transactions without having any legal or tax responsibilities for the money.
This needs to happen for an unlimited number of donors and recipients.
Can I do this? Paypal haven't been very helpful at all.
I am sorry to hear that you feel PayPal hasn't been helpful at all, but there are many resources at your disposal. It sounds like you have just not been asking the right person, or asking the right questions. Customer service for large corporations are difficult to traverse, but there are many people at PayPal who would have been easily able to answer your questions.
I always say this, though i'm not sure how many times on this forum: It is possible to do whatever you want with PayPal. Give me your idea, I will give you the way. Whatever you want to do can be done with the right coding.
You can use Website Payments Standard (WPS), and you would only need your merchant's email address to create buttons that go to their account. (set the business variable)
You can also use third party API calls for Website Payments Pro (WPP) and Express Checkout (EC) to process direct credit card transactions as well as PayPal payments via API for your merchants. (set the subject variable to the seller you're submitting the API on behalf of)
As for not having any legal or tax responsibilities for offering the service of payment connectivity (marketplace functionality) between sellers and merchants: IMHO you are dreaming. However, you will want to contact your local legal and tax representative to ask what liability you have. Though this should go without saying; this is StackOverflow, where you should ask questions regarding programming, not tax and legal advice.
Your tax and legal concerns are separate concerns, irrelevant to the technical question of whether it is possible to do what you want with PayPal or not.

Paypal to paypal payments

I want to provide a question and answer service (I know there are thousands of such sites on the internet) to my users where someone can ask a question by specifying how much money they will give the person who provides a good answer.
When a good answer is provided, is it possible to take the money from the questioners paypal account and send it to the answering persons account automatically?
Basically, what I don't want to do is take payments from the questioner and hold it in my paypal account, then pay the answering person when his/her answer is accepted.
I will be using a LAMP configuration to make the service.
Neither the PayPal API nor the PayPal service in general provides for automatic person-to-person payments that are initiated by a third party. In other words, you must either be the payer or the payee in order to participate in a transaction; you cannot do it on behalf of another user.
Have you looked into PayPal Adaptive Payments API? From what I know it supports person-to-person money transfer. For more info visit
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_APIntro
Hope this helps.
You can use the PayPal Adaptive. Using this you can transfer money from one account to another account. Download the sample source code from GutHub https://github.com/paypal/adaptivepayments-sdk-php
I'd like to think wildly here (meaning not thoroughly so forgive me if there are mistakes). I think there are a few PayPal products you can consider. They do not perfectly fit, but here they are for your reference:
Auth / Order, Reference Transaction (aka RT), and Adaptive Payment (aka AP, but it doesn't fit your situation very much).
As I understand, your scenario would be like this:
The questioner posts a question, and agrees to pay a certain amount of money, say $5.
You don't want to hold the money. (hmm this is hard)
When a responder answers the question, and the question is selected as the best, the money is paid automatically from the questioner via PayPal.
With Auth / Order, it works like this:
The questioner "auth" you to take the $5. This money is NOT charged yet, but is still in the questioner's account. The amount can be honored too, just like you book a hotel. (Note you can honor the money for at most 29 days.)
When an answer is selected as the best and the responder is to be paid, you capture the money from the questioner. This way, they money is now in your account. (I know you don't like this...)
Then you pay the responder immediately. You can transfer money, you can use Mass Pay API, you can use PayPal Payouts API.
Well I know the best case would be that the money never appears in your account, not even a millisecond. But this is what I can think of, "immediately" is the closest to "not at all". Another problem with this way is, it's done in two steps, and in each step you or someone has to pay the fee. When you as the platform gets the money, you pay the fee, and then when you send it out, it depends on which product you use. But the good thing is, the money is never charged until it has to be charged. And it doesn't have to be charged if there is not a good answer at all.
With RT, it's similar to Auth / Order, it's an agreement between the questioner and you (the platform). The agreement lasts longer (2 years I think), but you still have to pay the responder, and you can't honor the money, meaning when you capture it, you may fail. Good thing is (or maybe this is the bad thing), you can charge the questioner many times with only one agreement.
With AP, it provides "Parallel" payment, meaning the questioner pays you AND the responder with only one payment, and you can share the payment with the responder, and you can decide who receives how much. You can also decide who pays the fee. But the problem is, the questioner has to be present to make the payment, so it's not done automatically without the questioner. (Express Checkout / EC does parallel payment too with some differences, also on the fee thing. So if you want to go AP way, you may also want to consider EC because it's a lot easier to integrate.)
I would go for Auth / Order. But maybe you can get in contact with PayPal merchant technical services and ask for more details.
https://ppmts.custhelp.com/
Or, here is the website of their documents:
https://developer.paypal.com/
Hope this helps.
Many posters have said that AP is a good choice. This is correct. You will need to request an application which provides an app ID once your app is approved by the vetting team. You apply here:
https://www.paypal-apps.com/
Provide as much detail as you can so that they don't have to come back to you with questions about your business, etc. Once it is approved, you can use the app ID provided and start development in a live environment.
If you want to get the API working while they review your app, you can use sandbox. https://developer.paypal.com/docs/classic/lifecycle/ug_sandbox/ I believe that the vetting team requires that you have a sandbox account / setup so that they can test your implementation once you are done.
Don't be fooled because you have ALL API permissions in sandbox. So if you forget to request a needed method like mass pay, you will not have that feature in live, even though it worked for you in Sandbox. If you need a feature, request it WHEN YOU APPLY. Otherwise, you will need to start a new app request. This isn't a big deal, but if time is of the essence, you will have to wait (usually 24 - 48 hours or so) for the app to be approved, barring any questions / requests that PayPal has for you.
Integration guide for AP:
https://developer.paypal.com/webapps/developer/docs/classic/adaptive-payments/integration-guide/APIntro/
API operations and operations for Adaptive Payments:
https://developer.paypal.com/webapps/developer/docs/classic/api/#ap

Ticket processing system

Is paypal a suitable system for handling event ticket payments. All I want to do is create a page with event details, a list of hOw many tickets are left and a secure payment handling. Systems like eventwax seem to charge for use of there system and then paypal charges you too. I just dont get why people are paying twice. Also does anyone have any other recommendations for similar sites like eventwax
Google Checkout lets you do something that will work for you. Basically you create a Google Docs spreadsheet that follows a special format and contains the items that you sell and the quantities remaining. Then, you can make an HTML button that you can embed in your page. When a user clicks the button, it processes the selling of a specific item from that spreadsheet. Google handles everything else automatically - it subtracts one from the quantity field in the spreadsheet, processes the payment and sends you an email with the purchase and shipping details. Little to no programming required.
Of course, this can't work with PayPal.
First off, paypal comes in many different flavors. From the simple they host the order form and process payments way on up to all you do is pass them the credit card info and charge amount and they process it.
With that in mind I don't believe they support selling a limited quantity of items. This is something you would have to provide with your site.
Which leaves us with: are you asking a "how do I code this" type of question or something more general. If the former then please provide language and what you have so far. If the latter, then you might try at http://webmasters.stackexchange.com
Now regarding eventwax charging for usage, that is a perfectly legit thing to do. They are providing a service which allows people to sell a limited number of things, ensure that those things aren't over sold (which can be difficult depending on your db transactional experience), and handle payment processing.
All said and done there are really several companies which will get a piece of the action so to speak. Paypal is one, the credit card companies are another. If you are using paypal's payflow pro gateway then there is at least two other companies involved: your bank and the transaction processor themselves.
Which leads us to why people pay companies like event wax. Quite frankly, it's easy they don't have to screw around with programming something, and it works right now. There's a lot that can be said about doing things this way. Usually you just include all of this into the cost of doing business.

Encoding amount in paypal payment

I'm having trouble figuring out how to prevent people from editing the amount in my shopping cart with tools such as firebug. How do I make sure users can't edit the hidden field? Can I encode the amount before sending it to paypal?
Thanks!
Francois
Okay, turning comment into answer...
Don't encode the hidden file! When a customer makes a payment, PayPal will handle the transaction and tell your automated system that it has received the payment. It should also tell you how much the customer paid you! You then compare the amount paid with the original invoice and if there's a difference, you just tell the user that the payment is incomplete. (Unless they paid too much, of course.)
As Chris Lively tells you, don't trust the customer! Always check the amount that has been paid. Once you do this, it doesn't matter if the user hacks into any hidden fields, since you check it afterwards.
If your security depends on keeping your users away from hidden fields, your security will fail! Your security should depend on your contact with PayPal directly. Only when PayPal confirms the payment, you should send the product.
I'm sorry to say, but you can not prevent people from fiddling with the html / post variables. One common security mantra is "Don't trust the client".
The process should be to have the client post back to your server. It recomputes the totals or whatever, then send that to paypal. Obviously there should be some sanity checks like preventing zero or negative quantities; however, the client itself should NOT have control of the totals.

How to implement payment to multiple suppliers

I'm trying to integrate a payment mechanism to my site. The scenario that I need is not trivial and can be explained by the following example:
User pays upfront for a subscription program (i.e. receiving Netflix). User is able to make changes to the subscription (i.e. change number of movies checked out each time from 4 to 2)
User is able to buy additional one time purchases via the provider's site (Netflix) supplied by 3rd parties. These items (i.e. popcorn, snacks) get billed to the same credit card as the subscription without having to go through the process of resubmitting the credit card information.
Of course, my site takes also a small fee for the transactions :-)
I was wondering if this is supported by PayPal, Google Checkout or someone else.
Thanks.
The Paypal api can handle all of those processes.
I seem to have dropped the ball on what kind of answer you wanted so I'll leave it at that.
If you have some feedback, more direct questions I will try to answer as much as I can
--
The money would best go through you first, unless somehow you can convince your customers its normal to bill them per item. Also if they pay by credit card you should only bill them once as you would incur fees on every payment. I don't know of anyway to bill once but distribute the payments.
As for the paypal docs..
Very good resource, there is also some sample code for most major web languages
Also this will get you started if you don't have a developer login
Their developer support is also pretty good. One thing a lot of people seem to screw up when starting out with the paypal api is not setting the latest version in the configs so don't forget to update that to the latest release. :)
Disclaimer..
Yea I know there is a lot of bad press about paypal and crazy stuff happening, but they do get the job done most of the time, its not my fault the customers love to use it.