Most active commenters
  • pc(4)
  • advaita(3)

←back to thread

Stripe records user movements on its customers' websites

(mtlynch.io)
1134 points mtlynch | 13 comments | 21 Apr 20 17:01 UTC | HN request time: 1.288s | source | bottom
Show context
pc ◴[21 Apr 20 17:42 UTC] No.22937303[source]
Stripe cofounder here. The question raised ("Is Stripe collecting this data for advertising?") can be readily answered in the negative. This data has never been, would never be, and will never be sold/rented/etc. to advertisers.

Stripe.js collects this data only for fraud prevention -- it helps us detect bots who try to defraud businesses that use Stripe. (CAPTCHAs use similar techniques but result in more UI friction.) Stripe.js is part of the ML stack that helps us stop literally millions of fraudulent payments per day and techniques like this help us block fraud more effectively than almost anything else on the market. Businesses that use Stripe would lose a lot more money if it didn't exist. We see this directly: some businesses don't use Stripe.js and they are often suddenly and unpleasantly surprised when attacked by sophisticated fraud rings.

If you don't want to use Stripe.js, you definitely don't have to (or you can include it only on a minimal checkout page) -- it just depends how much PCI burden and fraud risk you'd like to take on.

We will immediately clarify the ToS language that makes this ambiguous. We'll also put up a clearer page about Stripe.js's fraud prevention.

(Updated to add: further down in this thread, fillskills writes[1]: "As someone who saw this first hand, Stripe’s fraud detection really works. Fraudulent transactions went down from ~2% to under 0.5% on hundreds of thousands of transactions per month. And it very likely saved our business at a very critical phase." This is what we're aiming for (and up against) with Stripe Radar and Stripe.js, and why we work on these technologies.)

[1] https://news.ycombinator.com/item?id=22938141

replies(52): >>22937327 #>>22937331 #>>22937352 #>>22937362 #>>22937385 #>>22937475 #>>22937518 #>>22937526 #>>22937559 #>>22937599 #>>22937775 #>>22937815 #>>22937962 #>>22938015 #>>22938068 #>>22938208 #>>22938310 #>>22938383 #>>22938533 #>>22938646 #>>22938728 #>>22938777 #>>22938855 #>>22938884 #>>22939026 #>>22939035 #>>22939376 #>>22939803 #>>22939814 #>>22939916 #>>22939952 #>>22940051 #>>22940090 #>>22940177 #>>22940282 #>>22940315 #>>22940317 #>>22940352 #>>22940686 #>>22940751 #>>22941252 #>>22942502 #>>22942538 #>>22942710 #>>22942907 #>>22943100 #>>22943453 #>>22944163 #>>22944509 #>>22944652 #>>22945170 #>>22946136 #
1. advaita ◴[21 Apr 20 18:06 UTC] No.22937599[source]
millions of fraudulent payments per day

Are there ways for transparently communicating (verifiable) stats for this claim?

To be clear, I am not saying that your claim is not true but if one thing HN has taught me, it is to always ask for data backing up claims that are tall.

replies(3): >>22937708 #>>22937869 #>>22938141 #
2. pc ◴[21 Apr 20 18:17 UTC] No.22937708[source]
Not sure what verifiable stats could look like here, I'm afraid... but I can assure you that it is in fact true!
replies(2): >>22937751 #>>22938241 #
3. gruez ◴[21 Apr 20 18:21 UTC] No.22937751[source]
For one, some definitions would be nice. How do you define "fraudulent payments"? If I tried to checkout while on VPN and firefox with resistfingerprinting enabled, and your antifraud system stopped me, did that count toward your "millions per day"?
replies(1): >>22938008 #
4. weego ◴[21 Apr 20 18:30 UTC] No.22937869[source]
Having worked with payments on a number of products it's really not a tall claim at all. On a small product that's an offshoot of a large media company we had the luxury of firewalling off a lot of countries, prior to that we'd see thousands of fraudulent attempts / payments a week. A lot of them are people iterating through lists of stolen card numbers looking for ones that are still working, so while the actual number of people / bots doing it might be lowish the volume of attempted charges can be huge.
replies(2): >>22938272 #>>22940471 #
5. pc ◴[21 Apr 20 18:42 UTC] No.22938008{3}[source]
We build models that predict P(payment charged back as 'fraudulent') and then let small random samples through in order to test the accuracy of our predictions. This calibration means that we can compute a pretty accurate "true" total from those we have blocked.
replies(1): >>22938524 #
6. fillskills ◴[21 Apr 20 18:55 UTC] No.22938141[source]
As someone who saw this first hand, Stripe’s fraud detection really works. Fraudulent transactions went down from ~2% to under 0.5% on hundreds of thousands of transactions per month. And it very likely saved our business at a very critical phase.
replies(1): >>22938552 #
7. advaita ◴[21 Apr 20 19:06 UTC] No.22938241[source]
Thanks for responding Patrick, as I said I actually do believe that the claim you're making is not false.

I am always curious about/collecting patterns successful teams leverage for solving problems that I consider important.

Being able to communicate fraudulent payments that Stripe blocks is definitely one of them.

I was being a bit selfish when I asked that, my thought process was like; "Going forward data-collection is going to be scrutinized much more than now and rightfully so. If I ever run a business where we collect data for a very important use case I would want to make sure that we are able to communicate what, why, and how with utmost level of transparency)."

Hope that puts some context to my question, it was a good-faith question. :)

8. advaita ◴[21 Apr 20 19:09 UTC] No.22938272[source]
Very interesting. By any chance do you have recommended engineering/product reading around this?

Even if they're blog posts from eng/prod teams that would be a huge favor.

9. cosmie ◴[21 Apr 20 19:33 UTC] No.22938524{4}[source]
Out of curiosity, when a transactions is part of one of those random samples and is flagged as fraudulent, are the costs/impacts to the merchant the same as any other fraud chargeback/dispute (particularly those that don't use Stripe Chargeback Protection)?
replies(1): >>23005560 #
10. pc ◴[21 Apr 20 19:36 UTC] No.22938552[source]
Thanks! Very glad it worked out for you. I quoted you in my response at the top -- hope you don't mind. (Can remove if you prefer.)
replies(1): >>22939516 #
11. fillskills ◴[21 Apr 20 21:29 UTC] No.22939516{3}[source]
No worries. I am glad Stripe was there to help us when we needed it
12. splonk ◴[21 Apr 20 23:37 UTC] No.22940471[source]
I used to work on fraud detection on a product with transactions totaling billions of dollars a year, and for a period of time we could have stopped something like 90% of our fraud attempts (with like a 99% accuracy rate) by simply blacklisting IPs from Turkey, Vietnam, Ghana, and Nigeria.
13. _Microft ◴[28 Apr 20 10:31 UTC] No.23005560{5}[source]
The question was interesting. Too bad we did not get an answer here.