Please help!!! Over 265,000 fraudulent constituent accounts created in less than a month


Comments

  • Raj Ajyer, we also use iATS and experienced a similar assault and iATS were the first to alert us to the problem. They do in fact offer us the ability to block transactions based on credit card BIN number (basically which country the card is issued from) and/or based on IP address from where the transaction occurs. I know that IP addresses can be spoofed but it is a starting point. For both of these filters you just specify the country codes for the countries that you want to block. It seems to work pretty well for us. At least we have not had any problems since we set it up.


    The problem of fraudulent accounts being added to LO without financial transactions, which started this discussion going, is a separate one and one that we have also experienced. Sadly Blackbaud did not have much in the way of suggestions of how to stop this.
  • Good day Robert, when the carding started we asked IATS to implement AVS, but they told us they don't have anything like it to stop the cards based on their billing address. It was shocking. The carding we faced this month on a Friday evening came from an address in NY, "237 Austin Avenue", with different country codes, different IP addresses and different email addresses. IATS cannot be contacted after 6pm Pacific time; on that fatal Friday we could not reach them till Monday morning 9am. We are disappointed.
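The pattern Raj describes (a burst of attempts sharing one billing street address while the country code, source IP and e-mail rotate) is easy to spot in a gateway export even when the processor offers no AVS. The block below is an added example, not code from the thread, from iATS or from Blackbaud: it groups attempts by a normalised billing street, slides a time window over each group and flags any window with many attempts spread across several distinct cards. The log layout, the sample rows, the window size and the thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: the columns a payment gateway export would carry).
# (timestamp, billing street, billing country, source IP, e-mail, card last4, result)
SAMPLE_LOG = [
    ("2019-08-02T18:01:05", "100 Sample St",  "US", "198.51.100.7", "m1@example.net", "4242", "declined"),
    ("2019-08-02T18:01:09", "100 Sample St.", "GB", "203.0.113.18", "m2@example.net", "5105", "declined"),
    ("2019-08-02T18:01:14", "100 sample st",  "CA", "198.51.100.7", "m3@example.net", "3782", "declined"),
    ("2019-08-02T18:01:20", "100 Sample St",  "DE", "192.0.2.44",   "m4@example.net", "6011", "approved"),
    ("2019-08-02T18:01:27", "100 Sample St",  "FR", "203.0.113.18", "m5@example.net", "1234", "declined"),
    ("2019-08-02T18:01:33", "100 Sample St",  "US", "192.0.2.91",   "m6@example.net", "9876", "declined"),
    # A legitimate repeat donor: same card, same IP, two gifts an hour apart. Must not alert.
    ("2019-08-02T17:00:00", "5 Real Donor Rd", "US", "192.0.2.10", "donor@example.org", "1881", "approved"),
    ("2019-08-02T18:00:00", "5 Real Donor Rd", "US", "192.0.2.10", "donor@example.org", "1881", "approved"),
]


def normalise_address(addr):
    """Lower-case, drop punctuation and collapse whitespace so trivial
    variations ("St." vs "st") of one street line group together."""
    addr = re.sub(r"[^a-z0-9 ]", "", addr.lower())
    return " ".join(addr.split())


def find_carding_runs(log, window=timedelta(minutes=30),
                      min_attempts=5, min_distinct_cards=3):
    """Return {normalised street: summary} for every street that saw at least
    `min_attempts` attempts using at least `min_distinct_cards` different cards
    inside one `window`. Thresholds are assumptions; tune them to your traffic."""
    by_addr = defaultdict(list)
    for ts, addr, country, ip, email, last4, result in log:
        by_addr[normalise_address(addr)].append(
            (datetime.fromisoformat(ts), country, ip, email, last4, result))

    alerts = {}
    for addr, rows in by_addr.items():
        rows.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(rows)):
            # Advance the window start until every row in rows[start:end+1] is within `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            if len(chunk) < min_attempts:
                continue
            cards = {r[4] for r in chunk}
            if len(cards) < min_distinct_cards:
                continue
            summary = {
                "attempts": len(chunk),
                "declined": sum(1 for r in chunk if r[5] == "declined"),
                "distinct_cards": len(cards),
                "distinct_ips": len({r[2] for r in chunk}),
                "distinct_emails": len({r[3] for r in chunk}),
                "countries": sorted({r[1] for r in chunk}),
            }
            # Keep the largest window seen for this street.
            if addr not in alerts or summary["attempts"] > alerts[addr]["attempts"]:
                alerts[addr] = summary
    return alerts


if __name__ == "__main__":
    for street, summary in find_carding_runs(SAMPLE_LOG).items():
        print(street, summary)
```

Keying on the billing street rather than on IP or e-mail is deliberate: those are the fields the attacker rotates, while the street is what the script keeps constant. The same loop can be re-keyed on card BIN or source IP to feed the country-based blocks described earlier in the thread.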
  • Raj - it appears you're now part of Luminate Online's "Yaphank - Holtsville" club! Welcome! Our CVV settings stopped these guys.



  • IATS screwed us big time by not implementing the security features! Now the blame game is going high.
  • Robert, on the issue of Fraudulent constituents created in LO after carding, BB will run a script and remove them immediately. We got it done the same day.
  • Oddly enough, we ran into this too -- we found that all our providers had implemented security features but at extremely relaxed rules. 

    We suspect this happens to clients because strictness does sometimes cost you some business, as a user could get frustrated entering credit card data, being out-of-area or forgetting their billing zip. Impact depends on your foot traffic to the site(s), or lack of it, and this might be a non-issue.


    I'd suggest that anyone who's reading this thread go through their provider(s)' settings and make sure they're optimal, and that they have a process in place.

    Locate those shut-off valves before you get flooded!
  • Erin LevineKrynock:

    Just wanted to add an update to this.


    We eventually did halt whatever script was running on our donation forms by adding an additional required field to the form; the CAPTCHA was unsuccessful. However, this does not prevent the same thing from happening in the future if the script is updated, and unfortunately, since records can never truly be deleted from Luminate, we do now have close to 380,000 records that are "marked as removed."


    I agree with Jessica's idea that was submitted (https://luminateonline.ideas.aha.io/ideas/LUM-I-1730 ) to prevent accounts from being created as a result of failed transactions.

    We're nowhere close to your level of fraudulent attempts... not yet. But the attempts have really ramped up this year. I was just curious about the additional required field? What was the field? Was it visible to the user? Was it a honeypot?


    Thanks in advance for any feedback you might be able to provide!
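The thread does not say what Erin's extra required field was. Assuming, as the question above suggests, that it acts as a honeypot, the block below is an added example (not code from the thread or from Luminate Online) of how a server-side check would treat such a field, paired with a signed render timestamp so a script that learns to leave the honeypot empty is still rejected when it submits faster than a person could fill in the form. The field name, the key handling, the minimum fill time and the token lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: a per-deployment key, a field hidden from humans by CSS
# (bots filling every input will populate it), a minimum fill time and a token lifetime.
SECRET = secrets.token_bytes(32)
HONEYPOT_FIELD = "website"
MIN_FILL_SECONDS = 3
MAX_TOKEN_AGE_SECONDS = 3600


def issue_form_token(now=None):
    """Embed the render time in a hidden field, signed so the client cannot backdate it."""
    ts = str(int(now if now is not None else time.time()))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def validate_submission(form, now=None):
    """Return None if the submission passes, else a short reason it was rejected.
    Run this before the gateway call, so a rejected POST creates no transaction
    and therefore no constituent record."""
    now = now if now is not None else time.time()

    # 1. Honeypot: the hidden field must come back empty.
    if form.get(HONEYPOT_FIELD, ""):
        return "honeypot filled"

    # 2. Render-time token: present, well-formed and carrying a valid signature.
    token = form.get("form_token", "")
    ts, _, sig = token.partition(".")
    if not ts.isdigit():
        return "missing or malformed form token"
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "form token signature invalid"

    # 3. Timing: too fast is a script; too old is a replayed or stale page.
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return "submitted too fast"
    if age > MAX_TOKEN_AGE_SECONDS:
        return "form token expired"
    return None


if __name__ == "__main__":
    token = issue_form_token()
    time.sleep(MIN_FILL_SECONDS)
    print(validate_submission({"form_token": token, "amount": "25"}))          # None
    print(validate_submission({"form_token": token, "website": "http://x"}))  # honeypot filled
```

Neither check is a substitute for CVV and AVS at the gateway; they only stop the cheap, generic scripts from reaching the gateway at all, which is what keeps the failed-transaction records from piling up in the constituent list.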
