One more simple thing to do to thwart fraudsters
2 min read

One more simple thing to do to thwart fraudsters

Thwarting fraud requires many different tactics working together. Sometimes, it requires attention to details and exploits you might not have thought about.
One more simple thing to do to thwart fraudsters

Running a business has many moving parts. The more you can automate, the more it frees you up to address higher level and strategic problems of your business. This is a newsletter about automating aspects of your business.

Story and Problem

Until I was hired onto Pebble's[1] e-commerce team, I didn't understand the prevalence of online fraud. At the time, Pebble was losing lots of money to fraud, and it was our job to mitigate it.

While Shopify did exist at the time, we built our own e-commerce platform in-house (for a variety of reasons). I was paired with an online fraud expert, and we went to work. He taught me about the ways fraudsters would defraud online stores, and I built out the tools and the system for him to detect fraud.

The more savvy fraudsters would have a dropshipping scheme on eBay, where they would sell a Pebble on eBay, but then use stolen credit cards to make the purchase with us. When the owner of the stolen credit card noticed a purchase they didn't make, they would make a chargeback. Fraudster gets paid through eBay. New Pebble owner would get their Pebble through eBay, none-the-wiser. And we'd be left holding the bag.

But the list of stolen credit cards weren't always valid. Credit card companies are quick to cancel cards used in a suspicious manner. In order for the con to work, the credit cards have to be valid.

How do they know if a card is valid? They place an order with an e-commerce store (maybe yours!), and watch how quickly you reject the card. If the order is rejected immediately, then they know it's a bad card. But if it takes a little while to process, then it's probably a good card. [2]

One thing we did to thwart timing attacks was to randomize when we would send out our order confirmation emails and update our order status page. It could be a couple minutes to a couple hours. In the meantime, the order status page would just say "processing order". Fraudsters would find they'd have to wait random amounts of time, and wouldn't know if a particular card was good or not.

This wasn't our sole tactic, but the combination of this and other things we did, we dropped the chargeback rate significantly. We knew we were successful, because fraudsters started targeting other channels, which was easier to tackle than our e-commerce platform!


While you probably didn't build your own e-commerce platform, you can still use the same tactic to help prevent fraud against your own store. If you use Shopify, there are event webhooks that notify you when an order has been created. You can use that webhook to queue a job to send an order confirmation email at a randomized time.

For example, if you're using Rail's ActiveJobs, you or your developer can write something like following to wait anywhere between 10 minutes and 2 hours to send a confirmation email:

# Note: SendConfirmationEmail is a Job class you have to write
class OrdersController < ApplicationController
  def webhook
    order = params[:order]
      wait: (Random.rand(10...120)).minutes

Happy automation!

  • [1] Pebble is the now-defunct smartwatch maker. They were acquired by Fitbit later on.
  • [2] It's analogous to a timing attack in programmer security circles.

Photo by Nugroho Wahyu

Enjoying these posts? Subscribe for more

Subscribe now
Already have an account? Sign in
You've successfully subscribed to Automation Cookbook.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info is updated.