Tags: ruby-on-rails, aggregation, marketplace, fraud-prevention

Best way to prevent fraud in marketplace app?


I'm developing a marketplace website where tutors and students can find each other. I'm building an online payment system (much like elance or guru.com) where the tutor can get paid and we take a cut.

Couple questions:

  1. What's the best way to block IP addresses from certain countries like Nigeria? (Note, I am using Ruby on Rails so any recommendations specific to that would be even better, but if not that's fine too.)

  2. What other techniques can I use besides blocking certain IPs? (I'm already doing AVS and normal gateway checks.)

  3. What common scams do I need to check for?

For example, one I can think of is someone using the system to pay themselves, they receive the funds as payment (minus our fee) and then do a chargeback on the credit card.

I imagine these are similar to problems faced by sites like Paypal or Google Checkout (some call these aggregation sites) since they are taking a small percentage fee - so if the original source of funds is lost it's a huge loss (many times a multiple of the profit involved, unlike normal higher-margin products).

Couple additional notes:

  1. My user accounts already require email validation - this is a bare minimum; I'm looking for something beyond this.
  2. There is a 3-5 day waiting period on the direct deposit - this is required by the bank - but it still does not answer the question of how to determine during those 3-5 days whether it is fraud or not so it can be canceled.
  3. I'd prefer to avoid a solution which punishes the good people along with the bad - such as charging to sign up or having them leave their funds in their account until a withdrawal is requested (like Paypal).

Solution

  • Here is what I have done so far; if people have more suggestions, please respond:

    1. Set up a "fraud review" flag which, if set, requires someone (me) to look at it manually before the direct deposit funds get sent
    2. If the amount being sent is > $300, then automatic fraud review
    3. If the IP address of the tutor's and student's requests is the same, then fraud review
    4. Check their names and addresses and see if they "substantially match" - i.e. they could both have the first name "John", so there is a threshold of how many "matches" constitute a reason to flag for fraud review

    The function looks a bit like this (note this doesn't include the code to check the IP addresses):

      # Returns true when the invoice should be held for manual review
      # before the direct deposit is sent.
      def fraud_review(invoice)
        # Rule 2: anything over $300 is always reviewed
        return true if invoice.total > 300

        # Rule 4: try to find out if client and tutor are the same person
        client = invoice.client
        tutor = invoice.tutor

        # Count how many name/address fragments of the client appear anywhere
        # in the tutor's details (substring match, so "Jo" also matches
        # "Jones"). to_s guards against nil fields such as a missing card name.
        count = 0
        client.full_name.to_s.split.each do |piece|
          count += 1 if tutor.full_name.to_s.include?(piece)
        end
        client.name_on_card.to_s.split.each do |piece|
          count += 1 if tutor.full_name.to_s.include?(piece)
        end
        client.street.to_s.split.each do |piece|
          count += 1 if tutor.street.to_s.include?(piece)
        end

        # More than two overlapping pieces is treated as a likely match
        count > 2
      end
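The review rules above (amount threshold, shared IP address, overlapping name and address fragments), as an added example that is not the asker's code. It goes a little beyond the posted function: it matches whole tokens rather than substrings so that "Jo" no longer counts as a match against "Jones", drops very short tokens ("St", "Dr", initials) that almost everyone shares, includes the same-IP rule the post leaves out, and returns the list of reasons an invoice was flagged so the person doing the manual review can see why it landed in the queue. The `Party` and `Invoice` structs, the `last_ip` field, and the two thresholds are constructed stand-ins for the Rails models and are assumptions, not part of the original post.

```ruby
require "set"

# Constructed stand-ins for the asker's invoice.client / invoice.tutor models.
Party   = Struct.new(:full_name, :name_on_card, :street, :last_ip, keyword_init: true)
Invoice = Struct.new(:total, :client, :tutor, keyword_init: true)

REVIEW_AMOUNT   = 300  # assumed threshold; mirrors the post's "> $300" rule
MATCH_THRESHOLD = 2    # assumed: more than this many overlapping tokens flags

# Normalise a free-text field into a set of comparable tokens: lower-case,
# strip punctuation, and drop tokens shorter than three characters, which
# would otherwise match nearly every record (street suffixes, initials).
def tokens(text)
  text.to_s.downcase.gsub(/[^a-z0-9\s]/, " ").split
      .reject { |t| t.length < 3 }.to_set
end

# Whole-token overlap between two fields, so "son" does not match "Johnson".
def overlap(a, b)
  (tokens(a) & tokens(b)).size
end

# Returns an array of human-readable reasons; an empty array means no review.
def fraud_review_reasons(invoice)
  reasons = []
  reasons << "amount over #{REVIEW_AMOUNT}" if invoice.total > REVIEW_AMOUNT

  client = invoice.client
  tutor  = invoice.tutor

  # Same-IP rule: both sides of the transaction seen from one address.
  if client.last_ip && client.last_ip == tutor.last_ip
    reasons << "client and tutor share IP #{client.last_ip}"
  end

  # Identity-overlap rule: name, name on card and street compared as tokens.
  matches  = overlap(client.full_name,    tutor.full_name)
  matches += overlap(client.name_on_card, tutor.full_name)
  matches += overlap(client.street,       tutor.street)
  reasons << "#{matches} identity tokens match" if matches > MATCH_THRESHOLD

  reasons
end

# Boolean wrapper with the same contract as the posted fraud_review function.
def fraud_review?(invoice)
  !fraud_review_reasons(invoice).empty?
end

if __FILE__ == $0
  # Constructed sample: a client paying a "tutor" with identical details from
  # the same address, which is the pay-yourself-then-charge-back pattern.
  sample = Invoice.new(
    total:  150,
    client: Party.new(full_name: "John Smith", name_on_card: "John Smith",
                      street: "12 Baker Street", last_ip: "203.0.113.5"),
    tutor:  Party.new(full_name: "John Smith", name_on_card: nil,
                      street: "12 Baker Street", last_ip: "203.0.113.5")
  )
  puts fraud_review_reasons(sample)
end
```

Returning reasons rather than a bare boolean costs nothing and makes the manual-review step much faster, since the reviewer can go straight to the rule that fired; storing them on the invoice also gives a record of which rules are producing false positives once the thresholds are tuned.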