Preventing illegal foreign contributions with AVS, BIN#’s and GeoIP filtering

Thursday, October 30th, 2008

While the Obama campaign continues to invite fraud by allowing transactions from outside the US or with credit cards issued from international banks, some readers have asked how easy it would be to prevent these kinds of problems.  The answer is “extremely easy”.

There are two basic approaches to preventing foreign contributions: 1) preventing transactions on foreign credit cards, and 2) preventing transactions from foreign countries.

Preventing transactions using a foreign card
This is straightforward, but requires the use of the Address Verification System (AVS). As described elsewhere on this blog, AVS returns a series of codes that the merchant can use when deciding whether or not to accept a transaction. In addition to verifying the address, AVS also lets the merchant know whether the transaction is international or domestic. For example, a “Code G” signifies that the credit card issuing bank is of non-U.S. origin and does not support AVS. Recognizing codes like this is standard functionality of most e-commerce solutions.

Alternatively, the Obama campaign could look up the BIN of each credit card to determine where the card was issued. The BIN (or IIN) is used to identify the institution that issued the card. BIN lists are freely available, even on Wikipedia.

The Obama campaign could argue that by implementing these controls, they might be disenfranchising American citizens living abroad, but this is simply not the case.  The Obama campaign has a separate site to handle contributions from Americans living abroad, which requires a passport number to donate.  They could simply adjust the AVS or BIN # criteria for donors on this site to allow for international cards, while blocking them from the domestic donation site.

Preventing transactions from a foreign country
The second approach, preventing transactions from a foreign country, is also fairly simple to implement. Companies like MaxMind offer services that provide merchants with a list of known IP addresses in the US, so that the site only admits visitors whose addresses are on that list. This software is not perfect, but it has gained fairly broad acceptance and is frequently used in the entertainment industry to protect content from international distribution. Configuring an Apache web server to support GeoIP filtering is extremely straightforward, and the same filtering can be implemented with some minor coding on Microsoft servers. Given the high quality of the Obama site, I imagine implementing this software would not be a challenge for their web team.

It seems to me that the Obama campaign could use IP filtering to ensure that only American IP addresses can access the domestic donation site, and direct foreign donors to the Americans living abroad site. This might be a good question for a journalist to ask the Obama campaign – are they using any IP filtering? It’s easy to set up, it’s cheap, and it’s great at flagging foreign transactions. If the Obama campaign is not using IP filtering, why not? Anyone care to ask the Obama camp? Will the Washington Post? Will the New York Times? Anyone?
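
The three checks described above (AVS code, BIN lookup, GeoIP) combined into one screening function, as an added example that is not from the original post or from any campaign's site. The BIN and GeoIP tables are constructed sample data standing in for a real BIN list and a GeoIP provider, and the function and decision names are hypothetical.

```python
import ipaddress

# Constructed sample data (not real issuer or GeoIP assignments).
BIN_COUNTRY = {"000001": "US", "000002": "GB"}           # first 6 digits -> issuing country
GEOIP = {"192.0.2.0/24": "US", "198.51.100.0/24": "GB"}  # documentation ranges
FOREIGN_AVS_CODES = {"G"}  # code G: non-U.S. issuer that does not support AVS

def bin_country(card_number):
    """Issuing country from the card's first six digits, or None if unknown."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    return BIN_COUNTRY.get(digits[:6])

def ip_country(ip):
    """Country for a client IP from the sample GeoIP table, or None if unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for cidr, country in GEOIP.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return None

def screen(site, card_number, avs_code, client_ip, passport=None):
    """Return (decision, reasons) for a donation on the 'domestic' or 'abroad' site."""
    if site == "abroad":
        # International cards are allowed here, but a passport number is required.
        return ("accept", []) if passport else ("reject", ["passport number missing"])
    issuer, origin = bin_country(card_number), ip_country(client_ip)
    foreign, unknown = [], []
    if avs_code.upper() in FOREIGN_AVS_CODES:
        foreign.append("AVS code %s: non-U.S. issuer" % avs_code.upper())
    if issuer is None:
        unknown.append("BIN not in table")
    elif issuer != "US":
        foreign.append("card issued in %s" % issuer)
    if origin is None:
        unknown.append("client IP not in GeoIP table")
    elif origin != "US":
        foreign.append("request from %s" % origin)
    if foreign:
        return "redirect_abroad", foreign   # send donor to the Americans-abroad site
    if unknown:
        return "review", unknown            # fail closed: lookups are imperfect
    return "accept", []
```

Any single foreign signal is enough to route the donor away from the domestic site, and a lookup miss goes to manual review rather than being accepted, since neither BIN lists nor GeoIP data are complete.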