Digital products and credit card theft

[eluser]johnwbaxter[/eluser]
I have a shop that sells digital goods. You pay your money, you can download your product instantly.

Trouble is, i have recently had a few people buy who have used cloned / stolen credit cards. The credit card is accepted by the payment processor and tells my shop that all is well, so the shop releases access to the product.

A few hours later the person who's credit card it is notifies the payment processor that the transaction was fraudulent and i refund their money, but obviously someone else has got my product that i can't get back or trace who has it.

I'm wondering if i should put a 10 (or more) hour delay between people paying and actually delivering their product. This would be a shame as i would like it to be available to the purchaser as soon as they have paid.

Does anyone have any experience of this or any advice they could slip my way?

[eluser]Michael Wales[/eluser]
Are you recording IP addresses? You could always notify the ISP of fraudulent activity, file a police report in your city as well as in the perpetrators if you can trace it that far (if not, in the county of the ISPs main office). These are the first steps in getting the money you deserve for your work.

As for not giving your product to people after a certain amount of time - you could implement a phone call system. This could either be manual, or an Asterisk server with a pre-recorded message (which is how I would do it).

User gets emailed a unique X-digit code and is either A) told to call the 1-800 # or receives a call from the 1-800 #. This would be the phone number on file with the credit card company - don't let the user enter their own, that defeats the purpose.

Once they enter their code, the Asterisk database is updated, and a cron script you run on your normal site will check for that change every X minutes and send emails to those that have verified they are who they say they are.

[eluser]johnwbaxter[/eluser]
What would stop people using a public phone for the phone verification? (great idea though)

I am recording ip addresses but that is not fool proof by any stretch of the imagination unfortunately.

I doubt there is any perfect solution to this.

[eluser]johnwbaxter[/eluser]
Hmm interesting. Would the cc company allow me access to that info though?

[eluser]Brandon Dickson[/eluser]
Could you write some sort of remote authentication into your product? like it queries your server after 15 days and if it finds it was bought fraudulently, then it deletes itself?

I guess this would only work if this were a software product...

-Brandon