Really sorry to hear about that experience — we need to do better here. If you want to shoot me an email (wmegson [at] stripe [dot] com) I can take a closer look at those specific charges. We are identifying those charges and are going to automatically refund any impacted transactions and waive the fees for those payments. We'll also waive the dispute fee (if a payment has been disputed).
The team is digging into why the risk score is low. In general, the types of signals you describe weigh pretty heavily in Radar’s risk assessment, and should result in higher risk scores. In this particular attack, fraudulent actors are using some pretty sophisticated scripts to try and obtain lower risk scores. We’re iterating quickly to address and stop these types of attacks and score them correctly going forward.
Hi dulse, while you are here, there is another issue with high-risk payments. You can see in your dashboard the count of "high-risk payments", but there is no way to actually review which payments were flagged as high-risk. This seems like it should be easy to implement. I'd expect there to be a report or filter here in the payments tab. I hope you can help!
But OP doesn't specify whether he's using the Stripe Checkout integration (where Stripe 100% controls the landing page, hosted on Stripe's domain) or other integration types (e.g. direct API call / embed, which have higher risk). With the Stripe Checkout integration type, you redirect users to a payment page hosted by Stripe and have no ability to check whether the user is performing card testing there because the payment page is on Stripe's domain, so Stripe should be the one responsible for card testing prevention when using this integration type.
That is a very hopeful (and naive) view of liability in the merchant processor space. By default all liability falls onto the business, not your merchant processor unless you specifically negotiated for a liability shift.
What can we do then? Stripe's own documentation recommends that we use Stripe Checkout because it's the most secure against card testing, and that checkout page is owned and operated by Stripe, so it's not like we can add custom card testing detection logic there.
[I lead Radar at Stripe] We're still investigating but have blocked the majority of this attack from the Stripe network. We're going to refund any impacted transactions and waive the fees for those payments. We'll also waive the dispute fee (if a payment has been disputed).
More broadly, we’ve seen an uptick in card testing attempts across Stripe. While the absolute rate of successful card testing across the Stripe network is flat-to-somewhat-down, it’s not evenly spread—some businesses are seeing more than others. For these new testing attacks, we’re deploying mitigants in real time.
Will your customers need to give you the full list of the refunded transactions? Since you couldn't detect them in the first place I don't imagine the fees will be automatically refunded?
Also, after posting this thread I just had to refund two more payments from an Indian IP address using a Singapore card with a billing address in the USA with a ZERO risk score. How does that make any sense? There is no CVC check listed and the zip check is "Unavailable"
I simply don't understand some of these scores
How could there not be a minimum risk score in a situation like this where none of the countries even match up...
I'm the OP of the Twitter thread – I've had the exact same experience: unrealistically low risk scores for most fraudulent transactions. There were plenty of red flags for each of them (400+ cards and 40+ names under one single IP, most payments had already been flagged for credit card testing fraud early on before succeeding after many tries...). Even dumb heuristics would have blocked 90% of the fraudulent payments. I appreciate Stripe is fixing this quickly after making it public and refunding fees, but something is definitely wrong with their risk calculation algorithm.
I have experienced the same. An absolutely ludicrous set of suspicious data points like that and Stripe scores it a zero or near zero. We process hundreds of millions of dollars in transactions. Have gotten zero help from Stripe on this scoring.
We're going to automatically refund the transactions and fees, but also support any write-ins if you feel we missed any. (We have some ways to identify the transactions after they happen).
I agree with you, it's very counter-intuitive why these transactions are getting through Radar. We're iterating on some fixes right now that should stop this going forward by addressing this type of attack.
One way I can imagine this happening: if the carder is able to steal the cardholder's tracking cookie or other credential that Stripe trusts due to a previous legitimate transaction, and this causes Radar to disregard signals that would normally lead to a high risk score. (Just a hypothesis, I have no inside info.)
With the way they cycle through cards in the same checkout session I 100% don't think this is happening, but if it is then I wouldn't even blame Stripe at that point lol
What I’d love to know is: many fraudulent users try out different cards one after the other. How is it not the default case that Stripe blocks these users? It’s the most common pattern we see, easily identifiable by the repeated failed attempts with different cards.
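The pattern raised in the thread (one source cycling through many different cards with repeated declines, plus the IP / card / billing country mismatches and missing CVC and ZIP checks described earlier) is straightforward to score with velocity state keyed on the source address. The block below is an added example, not Stripe's or Radar's code, and every field name, threshold and point value is an assumption chosen for illustration; the payment attempts it scores are constructed inline.

```python
"""Toy card-testing scorer over constructed payment attempts.

Added example for illustration only; not Stripe's or Radar's logic.
Field names, thresholds and point values are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ip: str
    card_fingerprint: str   # stable per card number; never store the PAN itself
    name: str               # cardholder name as entered
    ip_country: str
    card_country: str       # issuing country from the BIN
    billing_country: str
    cvc_check: str          # "pass" | "fail" | "unavailable"
    zip_check: str          # "pass" | "fail" | "unavailable"
    outcome: str            # "succeeded" | "declined" (known only after the attempt)


# Assumed thresholds for illustration.
MAX_DISTINCT_CARDS_PER_IP = 3
MAX_DECLINES_PER_IP = 3
VELOCITY_BUMP = 40
BLOCK_THRESHOLD = 75


def geo_score(a: Attempt) -> int:
    """Points from the static signals on one attempt: country disagreement
    between IP, card and billing address, plus missing/failed CVC and ZIP checks."""
    distinct_countries = len({a.ip_country, a.card_country, a.billing_country})
    score = 25 * (distinct_countries - 1)      # 0, 25 or 50
    if a.cvc_check != "pass":
        score += 15
    if a.zip_check != "pass":
        score += 10
    return score


def score_attempts(attempts):
    """Walk attempts in arrival order and return (score, reasons) for each.

    Velocity state is keyed by source IP, so the Nth attempt from an address that
    is cycling cards is scored with knowledge of the N-1 attempts before it. The
    current attempt's outcome is not known at scoring time, so only prior declines
    count; the decline counter is updated after the score is emitted."""
    cards_by_ip = defaultdict(set)
    declines_by_ip = defaultdict(int)
    results = []
    for a in attempts:
        cards_by_ip[a.ip].add(a.card_fingerprint)
        reasons = []
        score = geo_score(a)
        if score:
            reasons.append(f"geo/CVC/ZIP signals +{score}")
        n_cards = len(cards_by_ip[a.ip])
        if n_cards > MAX_DISTINCT_CARDS_PER_IP:
            score += VELOCITY_BUMP
            reasons.append(f"{n_cards} distinct cards seen from {a.ip}")
        if declines_by_ip[a.ip] >= MAX_DECLINES_PER_IP:
            score += VELOCITY_BUMP
            reasons.append(f"{declines_by_ip[a.ip]} prior declines from {a.ip}")
        results.append((min(score, 100), reasons))
        if a.outcome == "declined":
            declines_by_ip[a.ip] += 1
    return results


def should_block(score: int) -> bool:
    return score >= BLOCK_THRESHOLD


# Constructed sample data (not real transactions).
def _cycling(k: int, outcome: str) -> Attempt:
    """One attempt in a card-cycling session: same IP, a fresh card and name each time."""
    ok = outcome == "succeeded"
    return Attempt(ip="203.0.113.7", card_fingerprint=f"fp_{k}", name=f"name {k}",
                   ip_country="US", card_country="US", billing_country="US",
                   cvc_check="pass" if ok else "fail", zip_check="pass" if ok else "fail",
                   outcome=outcome)


# Five declines followed by the first card that works.
CARD_CYCLING = [_cycling(k, "declined") for k in range(1, 6)] + [_cycling(6, "succeeded")]

# A single attempt: IP in one country, card issued in a second, billing address in a third,
# with neither CVC nor ZIP verified.
GEO_MISMATCH = [Attempt(ip="198.51.100.9", card_fingerprint="fp_sg", name="A. Buyer",
                        ip_country="IN", card_country="SG", billing_country="US",
                        cvc_check="unavailable", zip_check="unavailable", outcome="succeeded")]

if __name__ == "__main__":
    for label, batch in (("card cycling", CARD_CYCLING), ("geo mismatch", GEO_MISMATCH)):
        for i, (score, reasons) in enumerate(score_attempts(batch), 1):
            print(f"{label} #{i}: score={score} block={should_block(score)} {reasons}")
```

In the constructed card-cycling session the fourth attempt is the first one that crosses both velocity thresholds and is blocked, and the eventual successful card is still blocked because the velocity state outlives the declines that produced it; the single geo-mismatch attempt reaches the block threshold on static signals alone, with no history needed.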
Why did it take a Hacker News thread for you to actually do something useful about this? If this is the first time you're hearing about that it's a pretty severe failure of multiple layers of your customer service procedures. I certainly wouldn't recommend you guys versus other processors I've used at work who would actually do something about this when calling or emailing through the usual channels. This is a very "Google" way of handling things to have to Tweet or post on HN to get any kind of real support and it's very concerning.
Hi dulse, can you please make a public announcement with much more clarity. We received one of your alert emails but it was very cryptic with very little information and no mention this was happening across the network. Our fraud team spent two hours in a panic until we found this thread via Twitter.
Hi! I work on card testing at Stripe and would love to help. Sorry to hear about this experience, would be great to dig in and see how we can fix it and improve our system.
If you could, shoot me an email and we can dig in? I'm at wmegson [at] stripe.com (will DM you as well).
Congratulations!! Love the philosophy around the product and the dynamic treatment of higher risk transactions with Checkout routing to 3DS.
It must feel great to be able to support such a "simple" product, as I know there must be a ton of complexity under the hood enabling the simple form factor.
1) bug report: your "describe yourself" input is set to type email, which messes with my keyboard on my phone. Have that be a text input, and keep the other one as email as it is.
2) like the idea, connecting influencers can be relevant for sales referrals, recruiting, or networking. All seem like good monetization opportunities.
3) it feels tricky to get the balance right between in person vs phone call contact. Looking forward to seeing how you’re going to handle that.
It’s an investment trade-off around commitment (in person is better for connecting and relationship building but is more expensive as a time investment). If it’s more transactional, a phone call is better (eg, a quick question or advice about something specific). If it’s something more potentially meaningful, an in-person coffee makes more sense (eg, if I’m looking to network with someone or trying to hire them / get them to hire me).
The defaults you set could make a big difference in the user experience. Maybe every first touch is chat/phone, then move to real world? Dunno if there’s a right answer but feels like something to be thoughtful about.
Our goal for the experience is the Apple Pay OCR experience, but it's embeddable directly in apps (so users don't have to already have it set up, if they prefer to use cards, or navigate to apple pay and come back). I agree this would be for the users not using Apple Pay.
Long term, I agree the trend is moving toward apple pay and digitized payments, but I found lots of people still like / prefer credit cards (so trend is that direction, but slope isn't super high and it'll take a while). I'm also excited about the fraud benefit of this kind of solution for bigger orgs that deal with fraud.
Make sure you test it against cards that have both valid-from and valid-till dates on them; for some reason this still fucks up the Apple Pay OCR, and it’s quite common in the EU, at least on UK cards.
So if there are two dates assume that the more senior one is the expiry date.
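The two-dates case above (a "valid from" and a "valid thru" date both printed on the card) is a small disambiguation step that a scanner has to get right before it can submit an expiry. The block below is an added example, not the product's code or Apple's: it assumes the OCR stage has already produced a text string in which dates appear as MM/YY or MM/YYYY tokens, and it picks the later date as the expiry, as the comment suggests. The token shape and the 20xx century assumption are illustration choices.

```python
"""Pick the expiry date out of OCR'd card text that may carry two dates.

Added example; not the product's own OCR code. Assumes dates arrive as MM/YY or
MM/YYYY tokens and that two-digit years are in the 2000s.
"""
import re

# MM/YY or MM/YYYY, tolerating whitespace around the slash that OCR often inserts.
DATE_TOKEN = re.compile(r"\b(\d{2})\s*/\s*(\d{2,4})\b")


def parse_card_dates(ocr_text: str):
    """Return (year, month) tuples for every plausible date token, in reading order.
    Tokens with an impossible month (e.g. a mis-read '99/21') are dropped."""
    found = []
    for mm, yy in DATE_TOKEN.findall(ocr_text):
        month = int(mm)
        if not 1 <= month <= 12:
            continue
        year = int(yy)
        if year < 100:
            year += 2000          # assumption: two-digit years are 20xx
        found.append((year, month))
    return found


def pick_expiry(ocr_text: str):
    """Expiry as (year, month), or None if no date was read.

    Cards printed with both a valid-from and a valid-thru date yield two tokens;
    the later one is the expiry, so the maximum (year, month) tuple is taken."""
    dates = parse_card_dates(ocr_text)
    if not dates:
        return None
    return max(dates)


def is_expired(expiry, today_ym) -> bool:
    """A card is valid through the last day of its expiry month, so it is
    expired only once (year, month) of today is strictly later."""
    return expiry < today_ym


if __name__ == "__main__":
    # Constructed OCR output, not captured from a real card.
    for text in ("VALID FROM 05/19 VALID THRU 04/24", "EXP 12/27", "99/21 11/26", "no dates"):
        print(repr(text), "->", pick_expiry(text))
```

Note that the rule only decides which of two well-formed dates is the expiry; it does not repair digits the OCR misread, which is the part that still needs testing against real card stock.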
Great advice, thank you! We'll make sure the date stuff works.
For EU cards, one experience I'm excited about supporting is the "tap to add" flow which may be even easier than OCR. Unfortunately only Android supports it for now, but love that experience when it's possible.
Your Google Wallet is integrated with Chrome, and Chrome also stores CC info separately, so yeah, on Android it’s a different story for users with Google Play devices and those who want to store their details in Chrome/Google Pay, at least.
Gotcha, didn't realize. We're several weeks away from fully working product (tried to be transparent on the page about timing), but have figured out the hardest part (generic OCR algo to read the numbers). Was hoping to get some feedback on the direction / interest level in advance of full completion, but this may not be the right forum.
Hey HN, I loved the experience of card scan products, but found they don't work well with more recent card designs. We're re-implementing the OCR algorithms from the ground up to work on a much broader range of card types, and also doing some checks to make sure the cards are real (which will help a lot with fraud).
Would love to answer any questions and hear thoughts!
> Would love to answer any questions and hear thoughts!
do you have anything to show? right now it looks like an advertisement - would love to see an sdk, or link to the source, or something more than an email capture page.
Unfortunately what we have isn't really sharable yet, but we're planning to update as soon as it is - but I get this isn't that helpful when you want to play around with it. We figured out the hard part (OCR algo is pulling the card info) and were hoping to get some feedback on the direction / interest level / use case before completing all the rest of it which will take us several more weeks. We'll journey on.
I see this as one of the most fundamental problems the next generation will need to face. How do we build better models to give access to wealth creation outside a small number of highly leveraged technology companies to a wider group of society? Recent trends in the gig economy, AI, and medicine make me worry more that we are slipping toward a super asymmetrical world like Gattaca or Altered Carbon -- which is not the world we should want to live in. We should want to preserve a strong path to the American middle class for everyone.
Despite the hype, I'm bullish on cryptocurrency tokens potentially being a model of a more equitable design for firm returns. If done correctly, the returns of firms could go to the early participants in the network, instead of the VCs and early accredited investors that have special access. The ICO world today isn't there yet (a lot of pre-sale discount tokens to those privileged VCs; lots of ICOs aimed at the larger public are scams, and it's hard to tell the difference between them) but I think we have the tools to create more equitable models, if we only have the will.
I really don't see how cryptocurrency is going to solve this problem at all.
It does not prevent the problem of a few people having way more wealth/power than others; at best, it just chooses a different set of people to be the wealthy ones.
I agree with you the current versions I've seen feel this way. But I like to think of it as programmable money: it can be whatever we want it to be.
Imagine an ICO that gives more reward when users provide a proof-of-income, and more tokens go to those worse off (sort of like a graduated income tax, but for ICOs). Not saying it's a good idea, just that it's programmable so we can make it do whatever we think is best; it's up to us to determine what's best. The right model would require some iteration and experimentation.
There are hard challenges I don't have an answer for -- eg, the less well off probably overlap with those less likely to be engaged with weird internet experiments -- but they feel surmountable, if we want to solve it.
While it's not a silver bullet and has a long way to go, advances in alternate models of money distribution such as cryptocurrency do seem to be moving us towards a more decentralized monetary system
Right, but the question is what reason do we have to believe that a decentralized monetary system will be more equitable? Being decentralized is no protection against inequality.
Yes; I've always been baffled by the idea that an unmanaged currency will be better. Either tragedy-of-the-commons, or some gorilla(s) exploiting it, seems the very likely outcome.
Right? Anyone who gains power or wealth can utilize that power to accumulate more and/or prevent others from also gaining power and wealth. It doesn't matter if it is centralized or decentralized.
However, by being decentralized it prevents any mechanism of checking the power gained. Yes, centralization can be used as a means of maintaining power, but it can also be used as a way of checking power. Decentralization has no way of checking power.
isn't that what the 1999 dot-com bubble was? firms could go public almost right out of the gate and then Joe Average investors could buy and sell equity of these immature firms?
It would be nice if there was a VC that could operate like the stock market was supposed to. You invest in the VC and you get a share out. But that share can be really really small. 100$ or less. And you get an ROI. I've thought about that before but I have no clue how or what shape that would take with my limited knowledge of the legality behind VC funding.
Is this assuming that the venture capital industry outperforms the general stock market? I don't think it consistently does. I don't have massive or recent data, but here's a report from a few years ago:
Despite the headline, if you compare the venture capital indexes with the S&P 500, there's no clear winner. Except at the 50-year time horizon, where the early-stage index went to the moon. Good luck investing in that.
It's not just about returns but also diversification. An open VC would allow people to invest in early-stage companies, not just mid/late-stage companies like the stock market. You'd never want to have too much of it because of the enhanced risk but a small allocation for diversity wouldn't be bad.
HFT has a lot of impacts and may be good or bad overall, or socially useless, or whatever. but it undeniably does result in a better deal for a normal person trying to make small investments -- they've replaced the old market makers but charge much less for the job.
The reason you can't do that is to protect the system from abuse. Kickstarter already has a bunch of scammers, but it's not as bad because people are spending disposable income on it and not using it as an investment. As soon as you let the average Joe speculate on start-ups, thousands of companies will pop up trying to figure out the best way to scam people.
VC has access to these stocks before they are available on the stock market. These are also stocks that aren't traded in micro transactions so they can't be gamed by Machine Learning.
This is a very upper-middle class view of the economy because it very much represents the difference between most people and upper middle class - those in the upper middle class tend to be employees of successful tech or medical companies, and that makes sense since most people here fall into that category.
However, looking at the data there is another section of the economy where the 1% and .1% reside, i.e. those who own mid to large size companies or are high-up executives. In that section you'll see owners of companies like Walmart, Target, really any successful company. Doesn't have to be tech or medicine. The point being those sectors of the economy have been hit the worst by de-unionization because they aren't necessarily booming (even if they earn a profit), so without a union employees have very little bargaining power.
If you want to really reduce inequality you have to compress those sectors of the economy by leveling the field between employees and business owners.
> How do we build better models to give access to wealth creation outside a small number of highly leveraged technology companies to a wider group of society?
We have one - the stock market. $100 invested in Amazon the day it started trading would be worth something like $20,000 today.
Investing in the market has become very democratized. Online brokers offer inexpensive access to everyone, and you can start investing for $100 or less.
This isn't necessarily a solution. Investing lets one multiply the disposable wealth they already have - but wealthy people have more, and can invest a larger percentage of their assets. I wouldn't be surprised if the share of capital gains income is even more unequal than all income.
So gambling is your solution? It's easy to identify Amazon after the fact just like it's easy to identify the winner of a horse race. Go back to the dawn of Amazon and invest $100 in some of the other startups that look just as likely to be big and now your $100 is $0
Gambling has a mathematical downward bias. Investing has a mathematical upward bias. (That's my definition of the difference.)
I find it rather unfair to argue that wealthy people make money off of investments, but that non-wealthy people shouldn't invest because positive returns are not guaranteed. Well, they aren't guaranteed for wealthy people, either, but they invest anyway.
Everything in life is gambling and probability. Take a job? You might get fired tomorrow. Start a business? It might fail. Invest in a company? It might turn out to be worth a billion, or $0. Borrow money from a bank? They might try to screw you over at some point, or not. The economy might tank tomorrow. The market might tank tomorrow. An asteroid might hit the world in six months.
Seems like a strawman argument. Sure, metaphorically "everything" might be gambling, but the point is to play games with better odds for everybody except the casino.
How does that help people who don't even have that $100 to spare? They'd benefit far more from meaningful access to an economy's growth, wouldn't they? The people who can afford to do that in a way that truly pays off already have plenty of money.
The stock market is open to more people, but it still biases disproportionately for those that have more money.
I don't see where I said it did. You didn't answer my question.
EDIT: Forty-some percent of Americans don't have the cash on hand or free credit to handle an unexpected $400 expense. [0] That statistic is almost 3 years old. I doubt it's gone down in that time.
Anyhow, it does not distinguish between "has no discretionary income" from "spent every dime they have". The latter is a common problem even among higher income folks.
People seem to be able to find the funds to buy iphones/booze/drugs/airjordans even down to the lowest levels.
Has investing in the stock market become democratized? Sure you could invest in Amazon at a low market cap back in the 90's, but what about Uber, Stripe, Dropbox, or any recent breakout 'unicorn'?
The privatization that has happened in financing high-growth startups is not great news for Joe Q Public
I think super asymmetric societies are less just. I'm not sure I'm a Utilitarian in all things, but I think we should try to make as many people as happy and content as possible, not the 1% or 0.1% of society. I'm OK with there being unhappy or less privileged people, but a just world should be closer to a normal distribution (and your outcome should be based on the content of your character, not your birthright).
Maybe something closer to the Star Trek vision of the future (vs. the other two sci fi visions I mentioned).
I doubt it, as they will be enforced by Stripe / PayPal on the payout end.
The laws regulate once you hit certain thresholds, like $100-$500 but it's aggregate not individual contributions (and this service is geared toward more mass market crowd funding).