Recently we set up payment processing on our website which is flexible and robust. We wanted to lower our maintenance effort and make things easier for buyers, and we lowered our guard, which was used straight away.
One of our first orders was what I suspect was online shopping buyer fraud. It was fairly easy to detect because, when a buyer makes a purchase, we record the data in our database as a "Purchase Attempt" with a secret authentication key that is encrypted, so when an order arrives we can match it precisely to the purchase attempt and all the details for this one attempt, and validate the secret authentication key.
This case was easier as straight away I could see we don't sell our membership for such a low price and the purchase attempt confirmed my suspicions.
The person generated the payment link but it was "adjusted" for a higher payment frequency which made it very cheap.
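The check described above, sketched as an added example (not the site's own code): the recorded purchase attempt is the source of truth, and an incoming order is compared with it field by field. The field names, the in-memory store and the use of an HMAC in place of the encrypted key are assumptions, and the sample values are constructed.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal, InvalidOperation

SERVER_KEY = secrets.token_bytes(32)   # assumption: secret held only by the server
ATTEMPTS = {}                          # stands in for the "Purchase Attempt" table
FIELDS = ("amount", "currency", "period")

def _tag(attempt_id, terms):
    """HMAC binding the attempt id to the price terms the site offered."""
    msg = "|".join([attempt_id] + [str(terms[f]) for f in FIELDS]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def record_attempt(amount, currency, period):
    """Store the offered terms before the buyer is sent to the payment page."""
    attempt_id = secrets.token_hex(8)
    terms = {"amount": Decimal(amount), "currency": currency, "period": period}
    ATTEMPTS[attempt_id] = {"terms": terms, "fulfilled": False}
    return attempt_id, _tag(attempt_id, terms)

def validate_order(order):
    """Return a list of problems; an empty list means the order can be fulfilled."""
    attempt_id = str(order.get("attempt_id", ""))
    attempt = ATTEMPTS.get(attempt_id)
    if attempt is None:
        return ["unknown purchase attempt"]
    terms, problems = attempt["terms"], []
    expected = _tag(attempt_id, terms).encode()
    if not hmac.compare_digest(expected, str(order.get("token", "")).encode()):
        problems.append("authentication key mismatch")
    if attempt["fulfilled"]:
        problems.append("purchase attempt already fulfilled")
    try:
        paid = Decimal(str(order.get("amount")))
    except InvalidOperation:
        paid = None
    if paid != terms["amount"]:
        problems.append("amount differs from recorded price")
    for field in ("currency", "period"):
        if order.get(field) != terms[field]:
            problems.append(field + " differs from recorded value")
    if not problems:
        attempt["fulfilled"] = True   # one order per purchase attempt
    return problems

if __name__ == "__main__":
    aid, tok = record_attempt("120.00", "GBP", "year")   # constructed sample terms
    print(validate_order({"attempt_id": aid, "token": tok, "amount": "10.00", "currency": "GBP", "period": "month"}))
```

An order is fulfilled only when the returned list is empty; anything else goes to manual review before the membership is activated.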
My action was to do a full refund and deactivate the account; fortunately we don't sell physical products, so our cost is only administration.
I replied to the user saying it failed the authentication process. I wanted to say it failed the "fraud detection" process, but that would be too harsh; we all make mistakes, and some think that it is OK to do it online. I don't think many people would have the idea to go to a shop, pick up a 1.5l bottle of water, stick a 500ml bar code on it and say "look, I should pay for 1.5l the same as for 0.5l water", but this is online, so it seems some think it is not the same?
What surprises me is the fact that someone would do it in such an obvious way and provide their full details that are required to make a payment.
I've made a search to check what is available on the internet on that, but mainly it focuses on buyer protection, not seller protection, which is not surprising. The websites I came across are:
I've been reading the PayPal Wars book for a while now, and fraud was also a big problem for PayPal that almost caused it to collapse. Although I was aware of the problem and made a fairly robust authentication process, I didn't suspect someone would try to do it in such an obvious way.
Unfortunately this incident means that this morning I'll be working on preventing these situations instead of introducing new features and content on our website, but I always knew it would happen at some point; I just didn't know it would be so quickly.
The second unfortunate thing is that I will have to pay several % for the refund (the time cost was actually much higher), which means I will have to re-think my prices and potentially increase them to cover these unnecessary costs.