←back to thread

Stripe records user movements on its customers' websites

(mtlynch.io)
1134 points mtlynch | 1 comments | 21 Apr 20 17:01 UTC | HN request time: 0s | source
Show context
mtlynch ◴[21 Apr 20 17:01 UTC] No.22936825[source]
Author here. Happy to answer any questions or hear feedback about this post.
replies(4): >>22937478 #>>22937646 #>>22937672 #>>22938279 #
tomashertus ◴[21 Apr 20 18:13 UTC] No.22937672[source]
This is a common practice for anti-fraud detection systems. The whole article is sensationalistic. You will see similar techniques used all over the web (your bank website, Ticketmaster, airlines websites, etc.).
replies(1): >>22937868 #
mtlynch ◴[21 Apr 20 18:30 UTC] No.22937868[source]
Thanks for reading!

> This is a common practice for anti-fraud detection systems... You will see similar techniques used all over the web (your bank website, Ticketmaster, airlines websites, etc.).

I respectfully disagree.

My bank tracks my movement on their own website. They don't track movement on other businesses' websites.

I believe many developers integrate with Stripe expecting that their JS library executes and shares data only on the pages where Stripe UI elements appear on the page. The fact that JS library runs on every page and sends data back to Stripe, even before the app calls the API, is unexpected. I believe that Stripe should, at the very least, make this more obvious to integrators and, ideally, give site owners the ability to limit what data Stripe collects.

replies(3): >>22938098 #>>22938101 #>>22939474 #
brunoTbear ◴[21 Apr 20 18:51 UTC] No.22938098[source]
You may not be aware of how many banks/airlines/ticket websites have outsourced their fraud fighting to solutions like Shape Security, or Sift (Science). Web-wide tracking via cookies is a reasonable and widespread technique for fighting fraud.

Given your background I'd imagine you'd be aware of this.

replies(3): >>22938330 #>>22938364 #>>22938781 #
1. bsamuels ◴[21 Apr 20 19:17 UTC] No.22938364[source]
I honestly cannot fault him. While online fraud prevention is a massive industry that touches almost every major website we use, you don't exactly have people giving talks about how serious the problem is or how advanced the detection tooling is because the nature of the industry requires you to keep your methods secret.

Heck, I have a friend who's working on a non-finance web app with <20k MRR, and even at that size he's starting to encounter fraud problems that require tooling to mitigate.

If your app stores any data that may be sellable on the dark web, you are a target.