←back to thread

Stripe records user movements on its customers' websites

(mtlynch.io)
1134 points mtlynch | 7 comments | 21 Apr 20 17:01 UTC | HN request time: 0.819s | source | bottom
Show context
ScoutOrgo ◴[21 Apr 20 18:27 UTC] No.22937822[source]
I recently worked on a fraud detection POC with a few vendors in this space and it is common for them to require adding a js snippet to capture info like this. This isn't out of the ordinary behavior.
replies(1): >>22940212 #
1. neop1x ◴[21 Apr 20 22:58 UTC] No.22940212[source]
But this IS wrong!! What if my browser doesn't support javascript? It won't allow me to purchase anything! Why there HAS to be javascript to prevent fraud? That is simply an abuse of programmable functionality which was not made for such purposes. Aren't those credit cards safe because they are electronic and todays transactions can be reversed, tracked and that fiat money are just database rows?!
replies(4): >>22940608 #>>22940616 #>>22940657 #>>22942988 #
2. Shank ◴[21 Apr 20 23:59 UTC] No.22940608[source]
> Aren't those credit cards safe because they are electronic and todays transactions can be reversed, tracked and that fiat money are just database rows?!

Whether or not the money is actually safe or not doesn't really matter when the card networks routinely assess penalties that affect the business. Running cards that have transactions that are later disputed, or for having too many disputed transactions in a certain period of time gets you penalized. The card networks do not make consumer protection programs free, and so fraud prevention happens at every layer. It is as much a battle between a vendor and the card network as it is a battle between a vendor and fraudsters.

3. MattGaiser ◴[22 Apr 20 00:00 UTC] No.22940616[source]
> What if my browser doesn't support javascript? It won't allow me to purchase anything!

Unless you are Alex Jones, it is probably not worth it to redesign your website to accommodate doomsday preppers. I just disabled JS and you can't even sign in to Amazon or eBay without it. Most websites are now heavily built on JS frameworks, so most projects I have worked on would not be meaningfully functional without it.

> Aren't those credit cards safe because they are electronic and todays transactions can be reversed, tracked and that fiat money are just database rows?!

No... The reversal doesn't prevent someone from buying something and taking the item. Sure you can reverse the transaction, but then the merchant takes the hit.

Credit cards are safe for the consumer because transactions can be reversed and tracked. They are not safe for the merchant.

replies(1): >>22941369 #
4. paulcole ◴[22 Apr 20 00:07 UTC] No.22940657[source]
> What if my browser doesn't support javascript?

You are SOL. If enough people are SOL and care, then maybe things will change. If not, then you’ll change. Or you won’t.

5. dylan604 ◴[22 Apr 20 02:17 UTC] No.22941369[source]
There's a difference too between allowing self-hosted JS and 3rd party JS. As a no-script user, if a site does not work with JS blocked, I will allow self-hosted JS while still blocking 3rd party. If it still doesn't work, then I consider if the site is something I'm really interested in or not. If not, tab closes. If I am, then I'll look to see if there's 3rd party stuff I trust.

In your example, allowing Amazon's JS allows the site to work at least as far as AWS Console behaves. I don't really use eBay, so I can't speak to what JS is required.

replies(1): >>22951493 #
6. thejosh ◴[22 Apr 20 07:02 UTC] No.22942988[source]
Ublock blocks this from happening and only allows stripe.js when the payment goes through and i've had 0 problems, even with 3d secure.
7. RussianCow ◴[23 Apr 20 00:06 UTC] No.22951493{3}[source]
I think most businesses would be more than happy to lose the tiny percentage of customers who use NoScript in exchange for better fraud detection.