Dealing with credit card fraud

Short version

Protecting yourself from being used by credit card thieves boils down to the following steps:

  • Protect yourself by setting a minimum contribution amount of $10 (or better yet $20 if that makes sense for your campaign)
  • During events when you have a public computer or pad available for people to make donations, temporarily disable the fraud restrictions (see below for how to do it)
  • If you are seeking unusual contribution amounts (that are not even dollar amounts), temporarily disable the fraud restrictions (see below for how to do it)

As with many computer-related issues, we have to balance two competing interests:

  • Make it as easy as possible for our donors to give us money online
  • Stop credit card fraudsters from abusing our online donation tools

Most of us are familiar with the first interest, but what about the second?

Turns out, there is a huge black market in stolen credit card numbers. Every time you hear about a major corporation making a stupid mistake resulting in thousands or millions of credit cards being stolen, those card numbers go straight to the black market to be sold. However, before selling them, some of the more "ethical" criminals need to know which credit cards still actually work.

That's where your Powerbase contribution page comes in. The criminals use automated programs to submit credit card contributions over and over again to see which cards work and which ones don't (this practice is usually called "card testing").

How to stop them

We try to interrupt this process using a few methods.

  1. The fraudsters often pick random amounts that don't have an even dollar total (e.g. $20.43). So, if we detect an uneven dollar amount, we reject it.

  2. In addition, we keep track of which computer (by IP address) is submitting contribution requests, and if we notice that the same computer is submitting more than 4 requests per hour, we stop them.

  3. And, we detect if a contribution page is submitted less than 5 seconds after it was loaded and block the submission if it was.

This works pretty well - because even if your contribution page is on fire, it's highly unusual to get four contributions from the same IP address in the same hour.

Another effective method is to modify your contribution pages to either disable the ability for donors to contribute their own amount OR, if you do enable this feature, set a minimum contribution amount of $10 or more (most fraudsters don't want to test with a high amount because that would increase the odds that the credit card owner sees the charge and cancels the card).
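To make the three flood-control checks above and the minimum-amount setting concrete, here is an added illustration in Python. It is not Powerbase or CiviCRM code; the class, method and field names are this example's own assumptions, and only the thresholds (4 submissions per hour, 5 seconds after page load, a $10 minimum) come from the text. The sample IPs and timings in `run_sample()` are constructed.

```python
"""
Constructed illustration of contribution-page flood control:
  1. reject amounts that are not whole dollars
  2. reject more than max_per_hour submissions from one IP in an hour
  3. reject a form submitted less than min_seconds after it was loaded
plus a minimum contribution amount, which is a page setting that still
applies when flood control is switched off for an event.
Names are assumptions for this example, not Powerbase/CiviCRM APIs.
"""
from collections import defaultdict, deque
from decimal import Decimal


class FloodControl:
    def __init__(self, enabled=True, max_per_hour=4, min_seconds=5,
                 min_amount=Decimal("10")):
        self.enabled = enabled          # the on/off switch from the admin page
        self.max_per_hour = max_per_hour
        self.min_seconds = min_seconds
        self.min_amount = min_amount    # page-level minimum, independent of the switch
        # Per-IP submission timestamps (seconds), oldest first.
        self._history = defaultdict(deque)

    def _recent(self, ip, now):
        """Drop timestamps older than an hour and return the remaining ones."""
        q = self._history[ip]
        while q and now - q[0] >= 3600:
            q.popleft()
        return q

    def check(self, ip, amount, loaded_at, submitted_at):
        """Return (accepted, reason) for one submission.

        Every attempt is recorded before the checks run, so rejected
        card-testing attempts still count toward the hourly limit.
        """
        amount = Decimal(str(amount))
        history = self._recent(ip, submitted_at)
        history.append(submitted_at)
        if amount < self.min_amount:
            return False, "below minimum amount"
        if not self.enabled:
            return True, "flood control disabled"
        if amount != amount.to_integral_value():
            return False, "uneven dollar amount"
        if submitted_at - loaded_at < self.min_seconds:
            return False, "submitted too soon after page load"
        if len(history) > self.max_per_hour:
            return False, "too many submissions from this IP this hour"
        return True, "ok"


def run_sample():
    """Constructed scenario; returns the list of reasons in order."""
    fc = FloodControl()
    results = []
    # A real donor: $25, spends 40 seconds on the form.
    results.append(fc.check("198.51.100.7", 25, loaded_at=0, submitted_at=40))
    # A card-testing bot: odd amount, submitted one second after loading.
    results.append(fc.check("203.0.113.5", "20.43", loaded_at=100, submitted_at=101))
    # Same bot, whole-dollar amount but still too fast.
    results.append(fc.check("203.0.113.5", 20, loaded_at=110, submitted_at=112))
    # Bot slows down and uses whole dollars: attempts 3 and 4 get through...
    results.append(fc.check("203.0.113.5", 20, loaded_at=120, submitted_at=130))
    results.append(fc.check("203.0.113.5", 20, loaded_at=140, submitted_at=150))
    # ...but the fifth submission within the hour is stopped.
    results.append(fc.check("203.0.113.5", 20, loaded_at=160, submitted_at=170))
    # Shared tablet at a fundraiser with flood control switched off:
    # quick donations from one IP are accepted, but the $10 minimum still holds.
    event = FloodControl(enabled=False)
    results.append(event.check("192.0.2.9", 50, loaded_at=0, submitted_at=3))
    results.append(event.check("192.0.2.9", 5, loaded_at=0, submitted_at=3))
    return [reason for _, reason in results]


if __name__ == "__main__":
    for reason in run_sample():
        print(reason)
```

Two design choices worth noting: rejected attempts are counted toward the per-IP limit, because the goal is to throttle the automated submissions themselves, not just successful charges; and the minimum amount is checked even when flood control is disabled, mirroring the text's advice to keep a $10 minimum as the baseline protection.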

But what about if...

There are always special circumstances when the fraud protection measures screw things up for you.

The most common case is if you have a fund raiser and you have a public tablet computer available for people at the party to make their own contribution. Since everyone is sharing the same computer, the contributions will all come from the same IP address and after four have been made in the same hour, you will be blocked.

To address this problem, we have made it possible for you to turn this feature on and off - so you can disable it before your fundraiser and enable it again afterwards.

To adjust the settings, click on the "Administration" link in your left side bar (not the Administer link at the top).

Then click PowerBase Configuration -> Disable credit card flood control