Best way to prevent fraud in marketplace app?

I'm developing a marketplace website where tutors and students can find each other. I'm building an online payment system (much like elance or guru.com) where the tutor can get paid and we take a cut.

Couple questions:

  1. What's the best way to block IP addresses from certain countries like Nigeria? (Note, I am using Ruby on Rails so any recommendations specific to that would be even better, but if not that's fine too.)

  2. What other techniques can I use besides blocking certain IPs? (I'm already doing AVS and normal gateway checks.)

  3. What common scams do I need to check for?

For example, one I can think of is someone using the system to pay themselves, they receive the funds as payment (minus our fee) and then do a chargeback on the credit card.

I imagine these are similar to problems faced by sites like Paypal or Google Checkout (some call these aggregation sites) since they are taking a small percentage fee - so if the original source of funds is lost it's a huge loss (many times a multiple of the profit involved, unlike normal higher-margin products).

Couple additional notes:

  1. My user accounts already require email validation - this is a bare minimum; I'm looking for something beyond this.
  2. There is a 3-5 day waiting period on the direct deposit - this is required by the bank - but it still does not answer the question of how to determine during those 3-5 days whether it is fraud or not so it can be canceled.
  3. I'd prefer to avoid a solution which punishes the good people along with the bad - such as charging to sign up or having them leave their funds in their account until a withdrawal is requested (like Paypal).
Brian Armstrong asked Apr 04 '09 03:04


4 Answers

Here is what I have done so far, if people have more suggestions please respond:

  1. Set up a "fraud review" flag which, if set, requires someone (me) to look at it manually before the direct deposit funds get sent
  2. If the amount being sent is > $300 then automatic fraud review
  3. If the IP address of the tutor & student requests are the same, then fraud review
  4. check their names and address and see if they "substantially match" - i.e. they could both have the first name "John" so there is a threshold of how many "matches" constitute a reason to flag for fraud review

The function looks a bit like this (note this doesn't include the code to check the IP addresses):

  # Returns true when the invoice should be held for manual review.
  def fraud_review(invoice)
    # Rule 2: large amounts always go to review
    return true if invoice.total > 300

    # Rule 4: try to find out if they are the same person by counting
    # name/address pieces that appear on both sides of the invoice
    client = invoice.client
    tutor = invoice.tutor

    count = 0
    client.full_name.to_s.split.each do |piece|
      count += 1 if tutor.full_name.to_s.include?(piece)
    end
    client.name_on_card.to_s.split.each do |piece|
      count += 1 if tutor.full_name.to_s.include?(piece)
    end
    client.street.to_s.split.each do |piece|
      count += 1 if tutor.street.to_s.include?(piece)
    end

    # more than two matching pieces is the threshold for review
    count > 2
  end
Brian Armstrong answered Nov 16 '22 14:11
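The review rules from this answer (amount limit, shared IP, overlapping identity details) as a standalone script. This is an added example, not the poster's code: Party, Invoice and the constants are assumed names, and name/address pieces are compared as normalized tokens rather than raw substrings so case and punctuation don't matter.

```ruby
# Added example, not the answer's own code: the review rules above (amount,
# shared IP, overlapping identity details) as plain Ruby. Party, Invoice
# and the constants are assumed names; names are compared as normalized
# tokens rather than raw substrings so case and punctuation don't matter.
require 'set'

Party   = Struct.new(:full_name, :name_on_card, :street, :ip, keyword_init: true)
Invoice = Struct.new(:total, :client, :tutor, keyword_init: true)

REVIEW_AMOUNT   = 300                       # same hard limit as the answer
MATCH_THRESHOLD = 2                         # review when more than this many tokens coincide
MIN_TOKEN_LEN   = 3                         # drops house numbers and initials
STREET_NOISE    = %w[street avenue road apt suite].to_set  # words common to everyone

def tokens(text)
  text.to_s.downcase.scan(/[a-z0-9]+/)
      .select { |t| t.length >= MIN_TOKEN_LEN && !STREET_NOISE.include?(t) }
      .to_set
end

# Returns the rules that fired; an empty array means the payout can proceed.
def fraud_review_reasons(invoice)
  reasons = []
  reasons << :amount if invoice.total > REVIEW_AMOUNT
  c, t = invoice.client, invoice.tutor
  reasons << :same_ip if c.ip && c.ip == t.ip
  tutor_name = tokens(t.full_name)
  overlap  = (tokens(c.full_name) & tutor_name).size
  overlap += (tokens(c.name_on_card) & tutor_name).size
  overlap += (tokens(c.street) & tokens(t.street)).size
  reasons << :identity_overlap if overlap > MATCH_THRESHOLD
  reasons
end

def fraud_review?(invoice)
  !fraud_review_reasons(invoice).empty?
end

# Constructed sample: a student paying a "tutor" who is really themselves.
SELF_PAY = Invoice.new(
  total: 50,
  client: Party.new(full_name: 'John Smith', name_on_card: 'JOHN SMITH',
                    street: '12 Main Street', ip: '203.0.113.5'),
  tutor:  Party.new(full_name: 'John Smith', name_on_card: nil,
                    street: '12 Main St.', ip: '203.0.113.5')
)
```

Returning the list of reasons rather than a bare boolean lets the reviewer see why an invoice was held, which matters when tuning the threshold.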


I think there are several ways to add additional layers to disincentivize these acts.

  1. All payments are made by confirmed user accounts (confirmed via email)
  2. Delay in payments based on the banks' clearing for 3 - 5 days.
  3. Rather than payments being directly applied to a user's credit card/bank account, it can be stored "online" in a similar way PayPal does and users must manually request a withdrawal.
  4. For IP blocking, I'd actually go to the server level and an iptables set-up. I'm not a sysadmin so I don't know the ins and outs.
  5. I've read about and been part of several sites trying to reduce malicious efforts by instituting a nominal sign-up fee. It surprisingly reduces the level of cretinism present on a site.

In general, where there's a will there's a way. Keep a very close eye on activity on the site and have some systematic rules for flagging that tip off site administrators to take a closer look at accounts or activity.

jerebear answered Nov 16 '22 14:11


For country blocking, you'll want an IP geolocation database, of which there are numerous free and commercial ones available. I recommend evaluating potential candidate databases based on how well they're maintained.

chaos answered Nov 16 '22 14:11


I'm about to answer this question from a general fraud detection strategy rather than a Ruby-on-Rails-focused answer. Relatively current fraud detection systems usually include some of the following:

  1. Persistent cookies - Store cookies in a user's hard drive. You could use this to compare traffic coming in from the same device pretending to be different people.
  2. Fingerprint the device - This can be solved only using JavaScript. You could use this to compare traffic coming in from the same device pretending to be different people.
  3. Look for signatures for automated scripts. This might help if someone is trying to stuff stolen credentials from another service into your service. As I'm sure you know, users never reuse credentials!
  4. IP reputation - Tor exit node? (Open source information). Depending on your application, there could be a legitimate case to allow traffic from Tor, but if the user is required to tell you who they are to use your service then there isn't a case to be anonymous.
  5. Obfuscation Attempts - Does UA match the machine? If someone is attempting to obfuscate their origination, they're likely up to no good. You could block this traffic depending on your comfort level.

The advantage of this solution over the accepted answer is that this would be agnostic to the user account. The disadvantage is that this is far more complex to build if you're the only one building an entire app. In my experience, persistent cookies are usually easy to implement and can thwart some low level fraudsters.

Something to think about: You mentioned that you're setting a hard coded barrier of $3,000. I imagine that a determined fraudster would figure it out and try something like $2999.99 to get around your control.

Jo Bennet answered Nov 16 '22 13:11
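Persistent cookies (item 1 in this answer) as an added example, not code from the answer or any framework: a long-lived device id cookie whose value is signed with an HMAC so it can't be forged or edited, and a lookup that surfaces several accounts logging in from one device. The secret, the cookie layout and the in-memory table are assumptions standing in for Rails' signed cookies and a real database.

```ruby
# Added example, not the answer's code: a long-lived device cookie whose value
# is "<random id>.<hmac>" so a fraudster can't forge or edit it, plus an
# in-memory stand-in for a device_id -> account_ids table. The secret is a
# placeholder; in production it comes from the app's credential store.
require 'openssl'
require 'securerandom'

DEVICE_COOKIE_SECRET = 'replace-with-a-real-server-side-secret'  # placeholder

def sign_device_id(device_id)
  OpenSSL::HMAC.hexdigest('SHA256', DEVICE_COOKIE_SECRET, device_id)
end

# Cookie value to set once and keep for years (Set-Cookie with a far expiry).
def new_device_cookie
  id = SecureRandom.hex(16)
  "#{id}.#{sign_device_id(id)}"
end

# Constant-time string comparison so the MAC check leaks no timing info.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the device id if the cookie is intact, nil if missing or tampered.
def verify_device_cookie(value)
  id, mac = value.to_s.split('.', 2)
  return nil unless id.is_a?(String) && id.match?(/\A\h{32}\z/) && mac
  secure_equal?(mac, sign_device_id(id)) ? id : nil
end

# Constructed stand-in for a database table: device_id => [account ids]
DEVICE_ACCOUNTS = Hash.new { |h, k| h[k] = [] }

# Call on every login; returns the device id, or nil when the cookie is bad
# (in that case issue a fresh cookie with new_device_cookie).
def record_login(cookie, account_id)
  id = verify_device_cookie(cookie)
  return nil unless id
  DEVICE_ACCOUNTS[id] << account_id unless DEVICE_ACCOUNTS[id].include?(account_id)
  id
end

# Other accounts that have used any device this account used: the
# "same device pretending to be different people" signal.
def linked_accounts(account_id)
  DEVICE_ACCOUNTS.values.select { |ids| ids.include?(account_id) }
                 .flatten.uniq - [account_id]
end
```

A tutor and a student whose accounts show up in each other's linked_accounts is exactly the self-payment pattern the question describes, and is a good trigger for the manual review flag.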