Best way to prevent fraud in a marketplace application?

Posted 2024-07-16 07:27:28, 750 characters, 12 views, 0 comments

I'm developing a marketplace website where tutors and students can find each other. I'm building an online payment system (much like elance or guru.com) where the tutor can get paid and we take a cut.

Couple questions:

  1. What's the best way to block IP addresses from certain countries like Nigeria? (Note, I am using Ruby on Rails so any recommendations specific to that would be even better, but if not that's fine too.)

  2. What other techniques can I use besides blocking certain IPs? (I'm already doing AVS and normal gateway checks).

  3. What common scams do I need to check for?

For example, one I can think of is someone using the system to pay themselves, they receive the funds as payment (minus our fee) and then do a chargeback on the credit card.

I imagine these are similar to problems faced by sites like Paypal or Google Checkout (some call these aggregation sites) since they are taking a small percentage fee - so if the original source of funds is lost it's a huge loss (many times a multiple of the profit involved, unlike normal higher-margin products).

Couple additional notes:

  1. My user accounts already require email validation - this is a bare minimum, I'm looking for something beyond this
  2. There is a 3-5 day waiting period on the direct deposit - this is required by the bank - but still does not answer the question of how to determine during those 3-5 days whether it is fraud or not so it can be canceled
  3. I'd prefer to avoid a solution which punishes the good people along with the bad - such as charging to sign up or having them leave their funds in their account until a withdrawal is requested (like Paypal)

Comments (5)

无语 2024-07-23 07:27:28

Here is what I have done so far, if people have more suggestions please respond:

  1. Setup a "fraud review" flag which if set requires someone (me) to look at it manually before the direct deposit funds get sent
  2. If the amount being sent is > $300 then automatic fraud review
  3. If the IP address of the tutor & student requests are the same, then fraud review
  4. check their names and address and see if they "substantially match" - i.e. they could both have the first name "John" so there is a threshold of how many "matches" constitute a reason to flag for fraud review

The function looks a bit like this (note this doesn't include the code to check the IP addresses)

  # Returns true when the invoice should be held for manual fraud review
  # before the direct deposit is sent.
  def fraud_review(invoice)
    # Rule 2: anything over $300 is reviewed automatically
    return true if invoice.total > 300

    # Rule 4: try to find out if client and tutor are the same person by
    # counting name/address fragments that appear on both sides
    client = invoice.client
    tutor = invoice.tutor

    count = 0
    client.full_name.split.each do |piece|
      count += 1 if tutor.full_name.include? piece
    end
    client.name_on_card.split.each do |piece|
      count += 1 if tutor.full_name.include? piece
    end
    client.street.split.each do |piece|
      count += 1 if tutor.street.include? piece
    end

    # more than two overlapping fragments is the threshold for review
    count > 2
  end
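
As an added example (not the poster's code), here is a version of the same review function that fills in the IP check the comment leaves out, compares whole normalised tokens instead of substrings (so "Jo" no longer matches "John"), returns the reasons an invoice was held, and adds a rolling-window total so that several sub-threshold invoices to one tutor are caught. The Party/Invoice structs, the one-week window, the window limit and the signup_ip/request_ip attributes are assumptions, not part of the original app:

```ruby
require 'set'
require 'ipaddr'

# Constructed stand-ins for the app's client/tutor/invoice models (assumption:
# the real ActiveRecord models expose these same attributes).
Party   = Struct.new(:id, :full_name, :name_on_card, :street, :signup_ip, keyword_init: true)
Invoice = Struct.new(:id, :client, :tutor, :total, :created_at, :request_ip, keyword_init: true)

SINGLE_INVOICE_LIMIT = 300.00        # the answer's "> $300" rule
WINDOW_SECONDS       = 7 * 24 * 3600 # rolling window for the cumulative rule (assumption)
WINDOW_LIMIT         = 300.00        # cumulative payout to one tutor inside the window
OVERLAP_THRESHOLD    = 2             # the answer's "count > 2" rule

# Address/name noise that would otherwise count as a "match" for everyone.
NOISE = %w[street st road rd avenue ave apt suite unit north south east west].freeze

# Lower-case, strip punctuation, split into whole tokens, drop noise and very
# short fragments. Whole-token comparison replaces the substring include?
# check, so "Smith" does not match "Smithson".
def tokens(str)
  return Set.new if str.nil?
  str.downcase.gsub(/[^a-z0-9 ]/, ' ').split
     .reject { |t| t.length < 3 || NOISE.include?(t) }
     .to_set
end

# Number of identity tokens the paying client shares with the paid tutor.
def identity_overlap(client, tutor)
  tutor_names  = tokens(tutor.full_name)
  tutor_street = tokens(tutor.street)
  (tokens(client.full_name) & tutor_names).size +
    (tokens(client.name_on_card) & tutor_names).size +
    (tokens(client.street) & tutor_street).size
end

def same_ip?(a, b)
  return false if a.nil? || b.nil?
  IPAddr.new(a) == IPAddr.new(b)
rescue IPAddr::InvalidAddressError
  false
end

# Every rule that fires is returned as a symbol so the reviewer sees *why* an
# invoice was held; an empty array means the payout can proceed.
def fraud_review_reasons(invoice, recent_invoices: [])
  reasons = []
  reasons << :large_amount if invoice.total > SINGLE_INVOICE_LIMIT

  # Several sub-threshold invoices to the same tutor inside the window are
  # treated like one large one (defeats "$299.99, three times").
  since = invoice.created_at - WINDOW_SECONDS
  window_total = recent_invoices
                 .select { |i| i.tutor.id == invoice.tutor.id && i.created_at >= since }
                 .sum(&:total) + invoice.total
  reasons << :window_amount if invoice.total <= SINGLE_INVOICE_LIMIT && window_total > WINDOW_LIMIT

  # Client paid from the tutor's signup address, or both accounts were created from it.
  if same_ip?(invoice.request_ip, invoice.tutor.signup_ip) ||
     same_ip?(invoice.client.signup_ip, invoice.tutor.signup_ip)
    reasons << :shared_ip
  end

  reasons << :identity_overlap if identity_overlap(invoice.client, invoice.tutor) > OVERLAP_THRESHOLD
  reasons
end

def fraud_review?(invoice, recent_invoices: [])
  !fraud_review_reasons(invoice, recent_invoices: recent_invoices).empty?
end
```

Returning the list of reasons rather than a bare boolean is what makes the 3-5 day manual review usable: the reviewer opens the held invoice and sees "shared_ip, identity_overlap" instead of having to rediscover the pattern by hand.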

上课铃就是安魂曲 2024-07-23 07:27:28

I think there are several ways to add additional layers to deincentivize these acts.

  1. All payments are made by confirmed user accounts (confirmed via email)
  2. Delay in payments based on banks clearing for 3 - 5 days.
  3. Rather than payments being directly applied to a user's credit card/bank account, it can be stored "online" in a similar way PayPal does and users must manually request a withdrawal.
  4. For IP blocking, I'd actually go to the server level and an iptables set-up. I'm not a sysadmin so I don't know the ins and outs.
  5. I've read about and been part of several sites trying to reduce malicious efforts by instituting a nominal sign-up fee. It surprisingly reduces the level of cretinism present on a site.

In general, where there's a will there's a way. Keep a very close eye on activity on the site and have some systematic rules for flagging that tips site administrators to take a closer look at accounts or activity.

风吹过旳痕迹 2024-07-23 07:27:28

For country blocking, you'll want an IP geolocation database, of which there are numerous free and commercial ones available. I recommend evaluating potential candidate databases based on how well they're maintained.

心奴独伤 2024-07-23 07:27:28

I'm about to answer this question from a general fraud detection strategy rather than a Ruby-on-Rails-focused answer. Relatively current fraud detection systems usually include some of the following:

  1. Persistent cookies - Store cookies on a user's hard drive. You could use this to compare traffic coming in from the same device pretending to be different people.
  2. Fingerprint the device - This can be solved only using JavaScript. You could use this to compare traffic coming in from the same device pretending to be different people.
  3. Look for signatures for automated scripts. This might help if someone is trying to stuff stolen credentials from another service into your service. As I'm sure you know, users never reuse credentials!
  4. IP reputation - Tor exit node? (Open source information). Depending on your application, there could be a legitimate case to allow traffic from tor but if the user is required to tell you who they are to use your service then there isn't a case to be anonymous.
  5. Obfuscation Attempts - Does UA match the machine? If someone is attempting to obfuscate their origination, they're likely up to no good. You could block this traffic depending on your comfort level.

The advantage of this solution over the accepted answer is that this would be agnostic to the user account. The disadvantage is that this is far more complex to build if you're the only one building an entire app. In my experience, persistent cookies are usually easy to implement and can thwart some low level fraudsters.

Something to think about: You mentioned that you're setting a hard coded barrier of $3,000. I imagine that a determined fraudster would figure it out and try something like $2999.99 to get around your control.
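
The persistent-cookie idea from point 1 above, as an added example that is not part of the original answer: a device id is issued once per browser, signed with an HMAC so the client cannot mint or edit ids, and every account that later authenticates with that cookie is recorded against the device. When the student paying an invoice and the tutor being paid were both seen on one device, that is the "same device pretending to be different people" signal. The secret constant, the DeviceLedger class and the account id strings are assumptions; in Rails the secret would come from credentials and the ledger from a database table.

```ruby
require 'openssl'
require 'securerandom'
require 'set'

# Assumption: in the real app this comes from Rails credentials / ENV, never source.
DEVICE_COOKIE_SECRET = 'replace-me-with-a-long-random-secret'.freeze

def mac_for(id, secret)
  OpenSSL::HMAC.hexdigest('SHA256', secret, id)
end

# Issue "id.mac". The MAC stops a fraudster from forging or editing ids
# client-side; it does not stop them clearing cookies, which is why this is
# one signal among several and not a hard gate.
def issue_device_cookie(secret = DEVICE_COOKIE_SECRET)
  id = SecureRandom.hex(16)
  "#{id}.#{mac_for(id, secret)}"
end

# Constant-time string comparison so MAC checking does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the device id when the cookie is intact, nil when missing or forged.
def verify_device_cookie(cookie, secret = DEVICE_COOKIE_SECRET)
  return nil if cookie.nil?
  id, mac = cookie.split('.', 2)
  return nil unless id && mac && id.match?(/\A\h{32}\z/)
  secure_equal?(mac, mac_for(id, secret)) ? id : nil
end

# In-memory device -> accounts map (assumption: a table in the real app).
class DeviceLedger
  def initialize
    @accounts_by_device = Hash.new { |h, k| h[k] = Set.new }
  end

  # Record that account_id authenticated with this cookie. Returns the set of
  # *other* accounts already seen on the device, or nil if the cookie is bad
  # (the caller should then issue a fresh one).
  def record(cookie, account_id)
    device_id = verify_device_cookie(cookie)
    return nil if device_id.nil?
    others = @accounts_by_device[device_id] - [account_id]
    @accounts_by_device[device_id] << account_id
    others
  end

  # True when both parties to an invoice have used the same device.
  def shared_device?(cookie, account_a, account_b)
    device_id = verify_device_cookie(cookie)
    return false if device_id.nil?
    @accounts_by_device.fetch(device_id, Set.new).superset?(Set[account_a, account_b])
  end
end
```

Set the cookie with a far-future expiry and the HttpOnly and Secure flags; the signed id is only a correlation key, so nothing sensitive is stored client-side and rotating the secret simply causes every browser to be re-issued a fresh id.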

青春如此纠结 2024-07-23 07:27:28

To block IPs from a specific country, you'll have to figure out what the ranges of IP addresses are from there. Then all you have to do is configure your firewall to deny traffic from those ranges.
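
The two answers above (use a maintained geolocation database; deny the country's ranges) can also be done inside the Rails stack, which is what the question asked for. This added example is not from either answer or from the project: a country lookup over a range table, a Rack middleware that returns 403 for blocked countries, and the check a practitioner needs in front of any geo-IP decision, namely that X-Forwarded-For is only honoured when the request arrived through one of your own proxies, because otherwise a client can pick its own country with one header. The range table is constructed from RFC 5737 documentation prefixes and carries no real geography; the trusted-proxy prefixes and the country codes are assumptions, and in production country_for would query a maintained database file instead of this hash.

```ruby
require 'ipaddr'

# Constructed lookup table standing in for a maintained geolocation database.
# These CIDRs are RFC 5737 documentation ranges; the country codes are made up
# for the example and say nothing about where those prefixes really are.
COUNTRY_RANGES = {
  'NG' => ['203.0.113.0/24'],
  'US' => ['198.51.100.0/24'],
  'DE' => ['192.0.2.0/24'],
}.transform_values { |cidrs| cidrs.map { |c| IPAddr.new(c) } }.freeze

# ISO country code for an address, nil when unknown or unparsable.
def country_for(ip_str)
  ip = IPAddr.new(ip_str.to_s)
  COUNTRY_RANGES.each do |cc, ranges|
    return cc if ranges.any? { |r| r.include?(ip) }
  end
  nil
rescue IPAddr::InvalidAddressError
  nil
end

# Reverse proxies / load balancers we operate (assumption). X-Forwarded-For is
# client-controlled text, so it is honoured only when the TCP peer is one of
# these; otherwise "X-Forwarded-For: 198.51.100.1" would change the country.
TRUSTED_PROXIES = ['10.0.0.0/8', '127.0.0.0/8'].map { |c| IPAddr.new(c) }.freeze

def trusted_proxy?(addr)
  ip = IPAddr.new(addr.to_s)
  TRUSTED_PROXIES.any? { |r| r.include?(ip) }
rescue IPAddr::InvalidAddressError
  false
end

# The address to geolocate for a Rack env: walk X-Forwarded-For from the right
# (the hop our own proxy appended) to the first address we did not add.
def client_ip(env)
  peer = env['REMOTE_ADDR']
  xff  = env['HTTP_X_FORWARDED_FOR'].to_s
  return peer if xff.empty? || !trusted_proxy?(peer)
  hops = xff.split(',').map(&:strip)
  hops.reverse_each { |h| return h unless trusted_proxy?(h) }
  peer
end

# Rack middleware: 403 for requests whose country is on the block list.
# Unknown countries (nil) are let through so a stale database does not lock
# everyone out; change that to fail-closed if the business prefers.
class CountryBlock
  def initialize(app, blocked:, lookup: method(:country_for))
    @app, @blocked, @lookup = app, blocked, lookup
  end

  def call(env)
    cc = @lookup.call(client_ip(env))
    return [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]] if @blocked.include?(cc)
    @app.call(env)
  end
end

# Rails wiring (assumption about placement), e.g. in config/application.rb:
#   config.middleware.insert_before 0, CountryBlock, blocked: %w[NG]
```

Doing this in middleware rather than the firewall keeps the decision next to the geolocation database you update, lets you log the country for the fraud reviewer, and means the 403 can be scoped to payment routes rather than the whole site if you later decide blanket country blocks punish too many legitimate users.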
