> We’ve resorted to just cancelling the order quietly once we find out, without informing the fraudster. When they invariably call an hour later inquiring about their delivery (with a voice totally not matching the name), we either tell them we’re sending cops or cuss them out loudly. The silver lining is that it’s fun to witness their reactions on the phone when they realize they’ve been caught.
Don't do this. Just give an automated message that you've canceled the order due to being unable to process their payment, without elaborating on what was wrong with the payment. If they call, give them the same information and nothing more.
Every piece of additional data you give them about how your anti-fraud system works helps them to evade it. Also, as you grow, speaking to them on the phone will become a larger and larger risk as some fraudsters will be very skilled at convincing your customer service people that they are legit.
An automated message arrives every time, one time. For this specific type of fraud where they are trying out many cards to figure out which works, getting an automated message is perfect.
Leaving the fraudster in the dark - excellent. Forcing the fraudster to call if they want more information - excellent. Both of these increase the time investment from the fraudster. They need to spend more time per card.
Cussing - doesn’t make a difference either way from an information perspective.
I worked with the fraud team implementing the security for a real-time data ingestion pipeline at a major bank partner. I am a bit more informed on this than the average HN poster :)
It's literally less information versus directly letting them know. One message lets them know you know, and the other doesn't.
> Forcing the fraudster to call if they want more information - excellent.
But there's something else you're not taking into account, which is innocent people who trigger your fraud detection.
> Cussing - doesn’t make a difference either way from an information perspective.
Well it certainly lets the fraudster know you know. A legitimate customer receiving that kind of abuse would be pretty unusual, don't you think?
> I’m a bit more informed than the average HN poster
You’ve mistaken me for the average. I’ve worked in Integrity for a FAANG company and in FinCrime for a bank. I have a very good idea of how to mask information from bad people automating things. That’s literally all I’ve done for more than half a decade.
It doesn't change that this is basic logic. One yields less information than the other, and you didn't grasp that. Sorry if I came off as condescending. I don't really see a point in continuing this conversation.