# Fraud Record



## LimestoneNetworks (Oct 27, 2014)

In your experience, how effective has Fraud Record been at avoiding fraudulent orders?


----------



## rds100 (Oct 27, 2014)

In my experience - more effective than MaxMind.


----------



## LimestoneNetworks (Oct 27, 2014)

Do they tend to have a lot of false positives? We've noticed that happens quite a lot with Maxmind.


----------



## rmlhhd (Oct 27, 2014)

You should know, your advertised on their site  :wacko:

http://prntscr.com/4zxrb6

https://www.fraudrecord.com/api/?showreport=dd553053532f94c7


----------



## Steven F (Oct 27, 2014)

It's not really something that (currently) has any false positives. It is what you make it. It provides information, sometimes, about certain fraudsters. I know Harzem had plans to really improve on it, but I don't know where he is at with that. Right now, you would need to review the FraudRecord cases yourself. You could run it automatically, but there's no way to see how credible a report is without viewing it (though, there are exceptions).


----------



## LimestoneNetworks (Oct 27, 2014)

It's true that we do advertise with them, but this thread is to get some opinions on the efficacy of their service in general.


----------



## Awmusic12635 (Oct 27, 2014)

I would highly recommend it. Has stopped a large number of fraud signups that maxmind allowed through


----------



## ndelaespada (Oct 27, 2014)

If several different companies report the same user for spamming then I definitely don't want that user as a client; I've seen other cases where the user is reported for not making the initial payment after signing up.. that's not necessarily a user I would ban...

Fraud Record is very useful and we use it in conjunction with maxmind as well.


----------



## Xeepi (Oct 27, 2014)

It helped us alot, we use both Maxmind fraudcheck and FraudRecord as second, sometimes Maxmind just let some suspicious orders go through, FraudRecord just report that.

I would recommend every provider to use it, it's totally free and you have no reason not using it.


----------



## Enterprisevpssolutions (Oct 27, 2014)

Use them with maxmind and common sense, you should be ok.


----------



## M-HSN (Oct 28, 2014)

We are using Maxmind but it seems Fraudrecord is much better, however in my experience Fraudrecord is based on other company's record, hmm ?


----------



## Xeepi (Oct 28, 2014)

M-HSN said:


> We are using Maxmind but it seems Fraudrecord is much better, however in my experience Fraudrecord is based on other company's record, hmm ?


Yes, that make sense and scammers will have little chance to fraud.


----------



## Kakashi (Oct 28, 2014)

Enterprisevpssolutions said:


> Use them with maxmind and common sense, you should be ok.


Pretty much this. Can't take both at face value, so use both of them + common sense and most of the time it's ok.


----------



## LimestoneNetworks (Oct 28, 2014)

Thanks for the feedback you guys. I'll pass on the info to our abuse manager. Kudos to Harzem.


----------



## Onra Host (Oct 29, 2014)

Its a great add-on feature since its a community reviewed database. Maxmind is a good add-on as well, but should be taken with a grain of salt half the time. I;ve had users marked as 80-90% fraud and been the best of customers...and had users marked .02% who tried to SPAM 5 minutes after service creation.


----------



## Xeepi (Oct 29, 2014)

Onra Host said:


> Its a great add-on feature since its a community reviewed database. Maxmind is a good add-on as well, but should be taken with a grain of salt half the time. I;ve had users marked as 80-90% fraud and been the best of customers...and had users marked .02% who tried to SPAM 5 minutes after service creation.


Wondering if you have figured out the reason why "users marked as 80-90% fraud and been the best of customers". maybe they are making order using VPN which cause the maxmind high risk alert?


----------



## concerto49 (Nov 1, 2014)

Xeepi said:


> Wondering if you have figured out the reason why "users marked as 80-90% fraud and been the best of customers". maybe they are making order using VPN which cause the maxmind high risk alert?


Could also be the country, a shared ip or many other reasons.


----------



## Licensecart (Nov 2, 2014)

It works alot we have to do some manual checks but only do them if something is suspicious.


----------



## AutoSnipe (Nov 2, 2014)

I check users just after they join up and then check once every 7 days for any changes just to keep track of what is going on.


I think fraud record is wonderful


----------



## sshgroup (Nov 8, 2014)

not so good but not bad too ,  it's some thing can't be explained  so clear, people with less experience in fraud can be very effective.but ....


----------



## SGC-Hosting (Nov 10, 2014)

Fraudrecord has become one of my most favorite WHMCS addons.  Its been a great help for VPS customers and hasn't served me yet for shared hosting.


----------



## Srvify (Nov 10, 2014)

FraudRecord is a great tool if used properly. When you see a customer has been reported for spamming 5 or 6 times its rather obvious they are not a client you want on your network. The only thing that bothers me about it is the "reliability" ranking. I have yet to see anyone ranked higher than a 1.


----------



## iWF-Jacob (Nov 10, 2014)

Srvify said:


> FraudRecord is a great tool if used properly. When you see a customer has been reported for spamming 5 or 6 times its rather obvious they are not a client you want on your network. The only thing that bothers me about it is the "reliability" ranking. I have yet to see anyone ranked higher than a 1.


Yeah, the reliability ranking bothers me as well, I read somewhere that it is supposed to go up with time, as well as the number of reports submitted / number of reports looked up, but I've never seen anyone above a 1.


----------



## Srvify (Nov 11, 2014)

iWF-Jacob said:


> Yeah, the reliability ranking bothers me as well, I read somewhere that it is supposed to go up with time, as well as the number of reports submitted / number of reports looked up, but I've never seen anyone above a 1.


According to their site its based on a variety of factors, no idea what these factors are but it sure doesnt seem to ever change. I will have to pay more attention to it from now on as I am curious if any company has reached a higher than 1 reliability. 



> This is a measure of reliability, depending on the reporting members. It is NOT meant to be a measure of the validity of a report. Every new member of our team of reporting companies starts with a reliability of 1, and their reliability points increase over time, depending on many criteria. A reliability of 1 may mean a report by a new member, it does not necessarily mean that the report is inaccurate. Higher values, up to 10, mean the reporting members gained the trust of our system over time, and their reports are taken more seriously by our system.


----------



## TruvisT (Nov 11, 2014)

Just wondering if anyone has had this issue:

https://www.fraudrecord.com/forums/index.php?topic=31.msg369#msg369

We've not put a lot of time in to checking/debugging so it might just be as simple fix, but so far have had no luck with with latest whmcs/fraudrecord and getting communication working.


----------



## perennate (Nov 12, 2014)

I personally think the issues posed by FraudRecord are a subset of those introduced by the increasing availability of big data. For example, there's a lot of debate about to what limits should be placed on the information that insurance companies are allowed to use when analyzing risk of new customers. It seems to be a pretty big problem, for example just looking at the system that has been built around FraudRecord, we already see instances where there are no malicious actors (customer, providers, FraudRecord all operating reasonably) but some are still *un*reasonably denied service or other issues. And even if all providers judged FraudRecord postings with adequate suspicion, there's still the fact (I think, someone correct my if I'm wrong) that just with your email address someone can learn things like at least one of the hosts that you've purchased services from.

As a result I think customers are already starting to avoid companies that use such data, at least I know that FraudRecord plays a role (an admittedly small one) in my decision when choosing a host. Some people maybe take the opposite view, that host using FraudRecord is positive aspect (you know your VM will be more stable!), but we all know abuse still happens and automated systems are always more effective (not to mention manually checking details).

At the very least, I think companies using schemes similar to FraudRecord should clearly mark somewhere in their terms of service that they use it ("We report anonymized customer information pertaining to orders that we deem fraudulent to FraudRecord"), and should *definitely* notify customers when they have been reported so that customers have a chance to contest the claims (provider adding report in FraudRecord and not notifying customer is disgusting in my opinion).


----------



## MannDude (Nov 13, 2014)

perennate said:


> ....and should *definitely* notify customers when they have been reported so that customers have a chance to contest the claims (provider adding report in FraudRecord and not notifying customer is disgusting in my opinion).


Wait, it doesn't? I've never actually used the service or had any direct interaction with it, though I would imagine that the customer would be notified when any data or action about them is entered and passed to FraudRecord. Should send an email to that of which is on file for their account with a URL for them to read and respond to the claim.

Then again, I guess if you introduce the ability to dispute then that would mean someone (Fraud Record) would then have to be the one to make the final decision... which would in turn be a tremendous amount of work having to read and review a provider stating their case and an upset customer going on long rants.


----------



## rds100 (Nov 13, 2014)

It can't send email since FraudRecord doesn't know the email of the reported person. It only receives a strong one-way hash of the email address (and other details) and has now way to derive the real email address from this hash.


----------



## KuJoe (Nov 13, 2014)

perennate said:


> and should *definitely* notify customers when they have been reported so that customers have a chance to contest the claims (provider adding report in FraudRecord and not notifying customer is disgusting in my opinion).


If the customer gives us the same courtesy and notifies us that he's spamming, hacking, DOSing, plans to chargeback after 3 months of service, or violate our Terms of Service and steal from us then I'll be glad to notify them that they've been added to FraudRecord, but until that happens they won't get any notifications from us except on the rare occasion when we use it as a tool to stop harassment.

If the customer has done something that warrants them being reported to FraudRecord by us, then it's pretty serious and I consider them as criminals in my eyes because they are no better than somebody who walks into a store and steals from the cash register or intentionally destroys property because every single client I've ever reported has cost us a lot more money than they paid us.


----------



## TurnkeyInternet (Nov 13, 2014)

FraudRecord is nice in principal, and technically less privacy violating than say a CC merchant gateway account through WHMCS (which you send the person's name, address, IP, email, and more based on whatever CC module you have).  Most CC gateways do a fraud screen, against maxmind and internal database of 'this ip/user has been buying a bunch of stuff, watch out high risk' already so fraudrecord isn't really any different, but another data set for people to use.

The down side, its only as good as the data people submit.  One thing I do NOT like is that fraudrecord keeps a record of the company who submits a report, with your company name attached to it that anyone can look up and see that you had an issue with them.  While fraudrecord isn't storing the private data of said client (no email address, no credit card or ip specifically, just a 1-way encoded hash that traces back to them if you know their email, IP or credit card to do a check against) - it opens you to some complaints that if you report a user, who then decides to login to FraudRecord as a hosting company and look himself up can find your report against him!

By comparison, CDG or other credit card gateways that do fraud screening addons for credit card payments do NOT tell you who or the name of other hosting companies (or online purchasing history details) - they simply tell you that the user is high fraud risk, with no link to who reported them and why.

So bottom line - its a good tool, but by nature of relying on public reporting, and tying public reports to a legal entity/company will discourage people from reporting trouble makers.


----------



## perennate (Nov 14, 2014)

KuJoe said:


> If the customer gives us the same courtesy and notifies us that he's spamming, hacking, DOSing, plans to chargeback after 3 months of service, or violate our Terms of Service and steal from us then I'll be glad to notify them that they've been added to FraudRecord, but until that happens they won't get any notifications from us except on the rare occasion when we use it as a tool to stop harassment.
> 
> If the customer has done something that warrants them being reported to FraudRecord by us, then it's pretty serious and I consider them as criminals in my eyes because they are no better than somebody who walks into a store and steals from the cash register or intentionally destroys property because every single client I've ever reported has cost us a lot more money than they paid us.


You are talking about how you don't feel like notifying customer, but haven't mentioned any issues posed if you notify customer. If FraudRecord required companies to specifically say they are using FraudRecord in terms of service, and notify customers after a report is submitted, that would solve a lot of the transparency issues, and does not pose any additional problems (the notification should of course be done locally, say provided billing panel modules, so that FraudRecord itself doesn't get private data). Criminals must be told what they are being thrown in jail for before being thrown in jail, businesses lose nothing by automatically notifying customers when report is filed; everyone benefits since customers can have greater trust over the system as it improves accountability on businesses.



TurnkeyInternet said:


> One thing I do NOT like is that fraudrecord keeps a record of the company who submits a report, with your company name attached to it that anyone can look up and see that you had an issue with them.  While fraudrecord isn't storing the private data of said client (no email address, no credit card or ip specifically, just a 1-way encoded hash that traces back to them if you know their email, IP or credit card to do a check against) - it opens you to some complaints that if you report a user, who then decides to login to FraudRecord as a hosting company and look himself up can find your report against him!


An anonymous report system that is otherwise identical to FraudRecord would be completely useless. Anyone could submit a report bashing a customer, and providers would have no way to verify its authenticity. FraudRecord is obviously not in a position to deem the validity of the reports, it doesn't even have the details of the customer being reported.

Obviously the customer can find your report against him. If customers were entirely unable to see for what they have been reported, there would be no accountability in the system and it would quickly break down. I would certainly not use any provider using such a service. Similarly, I would not purchase any services from a business unwilling to stand by their reports of fraudulent activity.


----------



## KuJoe (Nov 14, 2014)

perennate said:


> You are talking about how you don't feel like notifying customer, but haven't mentioned any issues posed if you notify customer. If FraudRecord required companies to specifically say they are using FraudRecord in terms of service, and notify customers after a report is submitted, that would solve a lot of the transparency issues, and does not pose any additional problems (the notification should of course be done locally, say provided billing panel modules, so that FraudRecord itself doesn't get private data). Criminals must be told what they are being thrown in jail for before being thrown in jail, businesses lose nothing by automatically notifying customers when report is filed; everyone benefits since customers can have greater trust over the system as it improves accountability on businesses.


It's not that I don't feel like it, it's that at that point in time I already lost money because of them so I will not continue wasting any more money because of them. If I were required by FraudRecord to notify every person I reported to them, I would stop using FraudRecord all together because it's not worth the headaches dealing with those types of people. I don't know any online company in their right mind who would contact somebody who just got terminated for running a DDOS botnet and tell them "Hey, we reported you to a database so other hosting companies know what you did", people already DDOS FraudRecord for getting reported, of course they will go after the host who reported them also. And let's pretend that all the person did was continue to harass us via e-mails, support tickets, fake negative reviews, etc... that's a lot more money being lost over it.

Other companies are welcome to do whatever they want, but I refuse to give skids, spammers, thieves, con artists, and other criminals any courtesy after they treat my company and I like dirt. They agreed to our Privacy Policy so they should expect the worst for their actions.

Now of course this is just my perspective because I don't go reporting people for stupid shit like "He opened 2 support tickets asking what his SSH port is" or "Didn't pay his invoice within an hour of ordering". I really wish that hosting companies could flag FraudRecord reports to clean up some of the trash reports I've seen and the reporting companies be penalized for that kind of thing.


----------



## vRozenSch00n (Nov 14, 2014)

KuJoe said:


> I refuse to give skids, spammers, thieves, con artists, and other criminals any courtesy after they treat my company and I like dirt. They agreed to our Privacy Policy so they should expect the worst for their actions.


Those bad bunch deserve it. It's not only about loosing money, but it's more about one's professional pride both company wise and personal wise.


----------



## TurnkeyInternet (Nov 17, 2014)

perennate said:


> An anonymous report system that is otherwise identical to FraudRecord would be completely useless. Anyone could submit a report bashing a customer, and providers would have no way to verify its authenticity. FraudRecord is obviously not in a position to deem the validity of the reports, it doesn't even have the details of the customer being reported.
> 
> Obviously the customer can find your report against him. If customers were entirely unable to see for what they have been reported, there would be no accountability in the system and it would quickly break down. I would certainly not use any provider using such a service. Similarly, I would not purchase any services from a business unwilling to stand by their reports of fraudulent activity.


There is a nasty repeating threat over on another message board (LET) that is bashing a host, from a customer thrown off and reported to FraudRecord.  Said client (or potential, but now x-client) went nuclear and is out using social media to basically bad mouth the host.

The public posting of who entered the data on record may add legitimacy to FraudRecord, but it also adds a double edge sword that can cost the host in pain and suffering (or online rep, which equates to money).

I don't have the answer (sorry) - but my concerns with FraudRecord reporting were based on that.  I still like it in concept, and I agree there has to be checks and balances to keep it legitimate.  Does FraudRecord need to make it public facing that anyone (who signs up for a free account and types in an email address to 'see' if they are listed) can see their report, and who made it?    should it be some closed circle 'cabal' of grand wizards who approve membership into the FraudRecord system for access to do lookups?  (I'm joking on that btw)

WIth Maxmind anti-fraud, or our credit-card gateway's advanced fraud monitoring - they do not tell me which other hosting company or online store had a beef with this person, only that the details of the user match up with 'trouble'.  Maxmind does partly rely on post-user subsmission of 'charge backs' and bad deeds to add to their system (while i realize most of it is automated IP address based).  Overall even though its not publicy telling me who made the compaints to get this person a bad 'reputation', I still have a reasonable trust if either tell me its high risk.

Perfect world?  Every computer user accessing the Internet has to sit on a chair powered by 50,000 volts.  Once your abuse level rises too high, you are 'taken offline' permanently.  That goes for spam, and fraud   Until there is something significant to keep fraudsters and spamsters scared to do bad things, our best bet is these type of feedback systems even if not perfect.


----------



## AnthonySmith (Nov 17, 2014)

The Fraud Record 'system' does not fit with everyone's ideals on how things should be done, obviously no one can dispute that as a new thread pops up on the interwebs fairly often however the reality is apart from people that feel hard done by the others that comment about the way it works and how much they don't like it are the ones it will never actually impact I would bet.

It is one of those situations where there is no 1 solution that would make everyone happy but it certainly does work for hosts, just today in fact I accepted an order without doing the Fraud Record check, I then did run the check around an hour later to see a report made by KuJoe which suggested the end user was a spammer, double checked things and low and behold there was a constant stream at about 40mbit with thousands of smtp connections, needless to say that person no longer has service.

Do I feel like I should tell them that I have also submitted a record? no.

Do you think they would have grounds to care if I did tell them? no

Would it change anything if I did tell them? no

I have submitted a report in the past that was challenged, the end user contacted Fraud Record, they in turn contacted me and mediated upon presentation of the evidence the record was removed in this instance it was more due to end user ignorance i.e. running an anonymous proxy on a common port which was then found and abused by a spammer, I agreed to remove the record despite the fact the end user was a royal pain about losing his service to begin with because in hind sight he then understood what damage he had caused and probably wont do it again.

I really like Fraud Record, I think 1 simple change would make it much more acceptable to the majority of people who don't, and that is the ability to look yourself up and have a proper appeals process in place and when an appeal is in progress the record is marked as such.


----------



## TierNet (Nov 18, 2014)

FraudRecord is really helpful for detecting fraud orders. Whenever there is any high risk order, we make sure that we check it on FraudRecord to fetch details, and it has helped alot in avoiding fraud clients who intend to misuse server.


----------



## Munzy (Nov 18, 2014)

TierNet said:


> FraudRecord is really helpful for detecting fraud orders. Whenever there is any high risk order, we make sure that we check it on FraudRecord to fetch details, and it has helped alot in avoiding fraud clients who intend to misuse server.


Ohh offer post coming soon?


----------



## perennate (Nov 18, 2014)

AnthonySmith said:


> I really like Fraud Record, I think 1 simple change would make it much more acceptable to the majority of people who don't, and that is the ability to look yourself up and have a proper appeals process in place and when an appeal is in progress the record is marked as such.


Hm, that does sound good too. I suppose automatic notification has problem that customer can just change details next time he or she registers.


----------



## GigaboxHost (Dec 2, 2014)

fraud is a constant moving target and requires constant monitoring. we use several systems and they all seem to be about the same. just comes down to who is current on the data.

Both, Record Fraud and Maxmind have made a difference for us.


----------

