On a more serious note; How much further is society going to allow this kind of thing? Hiding behind templated e-mails without any explanation. Disrupting people's lives who become collateral damage with no way out.
The cynical me says there is your answer right there. You are a bit too close to something Stripe invested in, or at least close enough to something they will offer as a service soon.
1. Deal with bad actors
2. Misjudge an honest actor as a bad actor
both approach 1.
To make a general statement about Stripe, we'd need a broader statistical analysis rather than a single anecdote.
We were fortunate in that we had a backup payment gateway integration "just in case", because otherwise we would have been completely unable to accept any payments at all for a full week.
That week was still extremely stressful. They offered no explanation or reason for putting our entire business on hold.
I'm not trying to apologise for Stripe, I'm trying to see what's special about this financial arrangement. It's obviously not a SaaS nor are you selling anything physical.
Unfortunately a word there.
I hope this all works out for you!
Switched to Pin Payments[1] shortly after that experience and have never looked back. Of course, we live in the 2021 century and algorithms will flag issues automatically (I ported my phone number and changed my bank account on the same day, which was fun!), but they've always made sure to contact me and resolve the issue within minutes instead of cutting access. The few times I've contacted them, a competent person has both understood the issue and responded to it appropriately and promptly.
https://en.wikipedia.org/wiki/Ombudsman
> The typical duties of an ombudsman are to investigate complaints and attempt to resolve them, usually through recommendations (binding or not) or mediation. Ombudsmen sometimes also aim to identify systemic issues leading to poor service or breaches of people's rights. At the national level, most ombudsmen have a wide mandate to deal with the entire public sector, and sometimes also elements of the private sector (for example, contracted service providers). In some cases, there is a more restricted mandate, for example with particular sectors of society.
As a developer this puts a big dent in Stripe's reliability and I'm not advising it to any client. Ever.
Reminds me of when people loved online video like YouTube because of the lack of commercials.
Does that mean morons? From their perspective, it's a smart thing to do, if they can get away with it. Or does it mean like "such big balls?".
As the saying goes, to make money in a gold rush, sell pickaxes.
"Access the American market Our credit card comes with a U.S. billing address, so you can unlock features restricted to the U.S or Western markets especially if you don't live there."
Just because they have not yet been hit with this, does not mean they are not at risk of becoming a target if they get a bit more known. Stripe doesn't want to have to deal with that.
Ideally, good companies will find a balance with AI and human operators that's also sustainable as a business.
If you set up your ML so that it works x% of the time, you might very well have a profitable business even if you end up accidentally screwing over a bunch of folks. But no competitor can challenge you in the marketplace because the human cost of answering phones and emails to find that last little bit of efficiency is overwhelmingly disproportionate to any economic value the business would gain.
Many of us like to bang on businesses as being amoral and impersonal, but most are trying to do something people want, only better and more efficiently. ML may be providing an upper limit to efficiency by taking out any opportunity to do some serious analysis. Because in many cases removing that last 1-5% in inefficiency is the bit that leads to a completely new way of working, in many areas we may be boxing ourselves in to a very long-term status quo.
They arbitrarily closed my account a while ago, and after following their draconian re-activation process (somehow my government issued ID is not good enough to identify me, they need to verify the same information and ID in a video call) I think we’re now at 20+ emails and counting.
I just gave up and will go with a different provider or open a new account since it’s easier.
At some point Stripe was the provider that took everyone, but they’ve become allergic to any kind of risk and trust nothing.
I assume when you sign up to a free trial, they'll charge your card £0.00 to confirm it's a valid card, then when the trial ends and they try to automatically charge you for a full subscription they'll block the transaction.
Top Free Best Selling Streaming Softwares Tv Softwares VPN Softwares IPTV Softwares Movies Softwares Job Softwares Editing Softwares Crypto Softwares Kodi Tv Softwares Video Editors
As categories could trigger some red flags, half of those are extremely risky categories. It's also not really obvious what you offer and some low paid scanner person reviewing your site for information probably had no idea what you do but saw VPN, Crypto, streaming, etc and said no.
I can understand that point of view. What I don’t understand is why they couldn’t write a clear email explaining their position so you would actually know what’s up.
This seems like the key point here. I'm not a software guy or even a payments guy, I'm a network infrastructure engineer.
For anything that we want more than 99% uptime, we put in two of everything, sometimes more. Two separate service providers, ideally coming down different physical paths where practical.
You mean learning from the 5th highest market cap company? Isn't that sort of expected? The question you should ask is why the government doesn't step in since companies will do what they can to optimize stock price.
Finally, all bigger software shops face this issue so we are not unique.
The sales pitch, to pay for services anonymously, would make it trivial to use this service for money laundering. I hope the website is lying about how private those transactions really are.
I'm also a little sketched out by the fact the business resides in Wyoming while the person writing the blog says that Stripe wasn't available "in my country". The company has two directors, both of which are a vague "Cloud Peak Law" company which owns a bunch of unrelated LLCs, but no reference to any foreign owners. That's not very confidence inspiring either, in my opinion. I can find a similarly named company from Nigeria but there's no clear connection between the two.
Edit: the company's Cloud Peak Law P.C. "director" is a service used by a Wyoming company set up specifically to allow anonymous registration of a business, set up there specifically because anonymous businesses are allowed by the state. I wouldn't be surprised if one of this law company's other clients used their anonymous-business-as-a-service for something sketchy, causing Stripe to go up the chain and mark the entire Cloud Peak Law "person" as unreliable and disputed. After all, going by the public record, the company is actually run by this law company, not the person writing this blog post. That may be why Stripe is able to claim a dispute that doesn't exist in their own management system. I don't know if that's the reason, of course, because there's little transparency from other side here.
I don't think Stripe should be lying about the nonexistent disputes, but if I were to design a money laundering detection algorithm, this kind of stuff is exactly what I would watch out for. I'm guessing Stripe's machine learning triggered on this company and that they just picked a random TOS bullet point to end the contract by knowing that you won't be able to sue them for it anyway.
It's a massive money laundering red flag, it's not at all surprising that Stripe doesn't want to deal with you.
I wish I could say I'm joking but I don't need this right now, I'm ~90 days out from launch, I should be tweaking final touches, not building just-in-case backup integrations with other processors.
https://justuseapp.com/free-trial-card claims that one of their main selling points is
> Access the American market
> Our credit card comes with a U.S. billing address, so you can unlock features restricted to the U.S or Western markets especially if you don't live there.
Isn't this just straight up fraud?
Admittedly I'm not familiar with any of the services mentioned, so correction is welcome.
In some cases, it’s forbidden by law to reveal to someone that they’ve been flagged for money laundering.
https://www.law.cornell.edu/cfr/text/31/1020.320
> No bank, and no director, officer, employee, or agent of any bank, shall disclose a SAR or any information that would reveal the existence of a SAR.
Yes, society doesn't break down. Just as it doesn't break down if 1% of people were murdered each year. But society won't accept 1% being murdered. And once it's public enough, they'll also not accept that companies do stuff like that. Case in point: banks are tightly regulated exactly because of that, we need to rely on them to handle money efficiently, so we don't want randomness in their processes. Maybe it's time that Stripe & friends get more regulatory oversight as well, since they don't seem to be capable of managing themselves.
This is the crux of it. What do you define as a balance? In this example, Stripe shouldn’t be using ML to actually ban accounts but instead to flag accounts for manual review.
My company distributes advertisements. We need to watch every ad we ever distribute to ensure both its quality and legality. We have and still are investigating ML to improve this process, but because regulations put the cost on us for false negatives, we would use ML only to identify when it knows an ad fails our checks. It would then pull it from the QC queue before any tech manually reviews it and email the client informing them it was blocked and why it was blocked and a link to a form where they can request a manual review if they think it was a false positive.
Our contracts allow for a fee to be imposed on the client if they challenge a block which is upheld after manual review.
Doing it this way we reduced our tech workload by removing clearly violating ads from QC queue and we give the client a clear and quick way to challenge the results of the ML.
At least, that is the plan here. It’s still in R&D.
> I have a hunch their main concern is this kind of marketing on your site: "Access the American market Our credit card comes with a U.S. billing address, so you can unlock features restricted to the U.S or Western markets especially if you don't live there."
I personally know of 2 dealings with an Ombudsman in the Netherlands. One involved me personally and another one of a good friend. In both cases the ombudsman advised in our favor. In both cases the reaction on the advice was: "Thanks for the advice, ombudsman, but we are not going to act on it.".
A non-binding ombudsman is in my experience just a paper tiger to make an organization look good and I have never seen a binding one.
A couple of years ago I was unable to make some online purchases with my debit card.
It was always vendor specific and there didn't seem to be any logic to it. I talked to my bank, and they talked to MasterCard, and I would speak with vendors' technical support or billing. Nothing out of the ordinary.
This was happening for over a year and I got by with using a credit card as needed (which I don't like to use in general).
Anyway, the common denominator was all these vendors used Stripe for payments. I emailed Stripe and eventually someone noted that my card number had been flagged by some algorithm in the past and had been blacklisted. For background, to my current knowledge, I've never had an issue with identity-theft, had others fraudulently charge my account, or done anything out of the ordinary.
The fact that this happens, and you have no notification or no clear recourse is frustrating. To be clear, I do not think this is specific to Stripe - I think all large services are vulnerable to this.
That looks like it definitely allows transactions.
Edit: There's a lot on my mind right now, editing to stop for a moment and say thank you, your comment is somewhat reassuring which is what I think your intention was.
2. Stripe did not say "someone asked for a dispute"
3. Stripe banned your app for not being low-risk. And why not? They have the right to decide for themselves
To me, Stripe is showing an outstanding support overall. You can even ping anyone on Twitter or send an email, and they respond.
I really don't understand why so many HN users are so freaked out.
And yeah, it's not a great case of support by Stripe right here. But guess what, they don't care about you anymore, so they'll dedicate their time to existing/potential clients.
Concerning the cards, we do KYC before the cards are issued and we submit same to Stripe. In extreme cases, we ask for users' Govt-issued IDs. Our service might be anonymous to the outside facing world but our users are not anonymous to us and Stripe.
Although that email in the post was admittedly a template, a human did review the transaction activity and actively sent the email. We're digging more into exactly what happened here to prevent the confusion from happening again. Over the past few weeks, we've been overhauling how we work with businesses in situations like these and are rolling out some meaningful improvements soon.
You can build a system that efficiently serves the 98% case of "simple" customers. Then you can ignore the 2% unprofitable/complicated customers, forcing them to go to other vendors.
If you're big enough, you starve your competitors of the low-cost/simple customers. So their cost structure goes way up, which in turn prices the services out of reach of all other customers except the stupidly profitable, which is to say: gambling and porn.
(This has parallels to the USPS v. FedEx/UPS problem in the US, with the exception that the USPS is required to serve all customers, so no one is completely without service)
Hiring more customer service humans is not a guarantee that every customer will get what they want.
You might be able to justify a single payment gateway integration if you're MVP in a simple consumer retail business.
If being unable to take orders for two weeks would be a big problem, then make sure you have at least two gateways, and keep them all warm.
Like, “So, if I want to disrupt a competitor, all I have to do is hire thugs to smash all their stuff?”
Yeah, that’d do it. Good luck.
Ugh, apologies. Something very clearly went wrong here and we’re already investigating.
Zooming out, a few broader comments:
* Unlike most services, Stripe can easily lose very large amounts of money on individual accounts, and thousands of people try to do so every day. We are de facto running a big bug bounty/incentive program for evading our fraudulent user detection systems.
* Errors like these happen, which we hate, and we take every single false rejection that we discover seriously, knowing that there’s another founder at the other end of the line. We try to make it easy to get in touch with the humans at Stripe, me included, to maximize the number that we discover and the speed with which we get to remedy them.
* When these mistaken rejections happen, it’s usually because the business (inadvertently) clusters strongly with behavior that fraudulent users tend to engage in. Seeking to cloak spending and using virtual cards to mask activity is a common fraudulent pattern. Of course, there are very legitimate reasons to want to do this too (as this case demonstrates).
* We actually have an ongoing project to reduce the occurrence of these mistaken rejections by 90% by the end of this year. I think we’ll succeed at it. (They’re already down 50% since earlier this year.)
After you have validation of customer buy-in and market acceptance, when you have time and/or funds to spend on your Stripe-alternative feature sprint, setup and integrate a 2nd payment gateway for redundancy.
(as per the commenter above whose biz was banned from Stripe for 7 days by the imperfect non-recourse ban-bot)
Maybe even choose a different gateway that is more cost effective per transaction for a subset of your global customers, and code your system to route customers payments to the preferentially lower-priced gateway for their country.
Then if one gateway bans you, it's not a showstopper and your business is not severely damaged.
Most all of them have VISA cards.
Expecting customers to carefully create a wallet, an exchange account (so they can buy the crypto) and considering how difficult that can be (even for technical users) is really unreasonable. When people can use crypto as easily as they can use a credit card, then it would be an alternative.
IMPO, this problem is very similar to the PGP problem. You'll get a lot less email if you only accept PGP encrypted and signed emails. You cannot expect your customers to do that. They won't, but they will send you plaintext emails from their Gmail accounts, just as quickly as they will pay using a VISA card.
Something can be perfectly fine for people to do, and it can be just as fine for Stripe to not want to handle it. They can choose what types of businesses they want to allow on their network. It potentially creates opportunities for other service providers.
To them, you are a risk. They don't want that risk.
Over time every payment provider will become Paypal because of outside forces.
Yet this sort of thing just begs for future draconian government interference. Seems to me a smart company would find a way to not invite that unpleasantness on themselves.
I've run a Stripe.com integration (for a SaaS business). A few times a year somebody disputes a charge. It's usually because they looked at their payment card statement and didn't recognize us when we billed for renewal.
Our policy is
1) try to resolve the dispute in our favor. That mostly works. It's good for our reputation score on Stripe.
2) refund the customer's charge. Always.
3) contact the customer and ascertain whether they want to continue their subscription.
I don't understand zero disputes. That's just not feasible when dealing with the public.
This attack is also not protected by insurance, like someone setting fire to your office would be.
It’s fair to explore just how vulnerable a company can be to this type of attack from a malicious competitor.
No, I don't blame you for trying and I'm glad you've got attention, but don't people think it should be possible for all those founders, CEOs and other Stripe luminaries to trawl their own support channels?
Every time some big tech company makes promises like these, nothing really ends up changing. The emails always remain vague templates without details from a seemingly anonymous source. Companies end up changing the wording of their email templates, but that's about the only noticeable difference.
I have no doubt that a real human verified the problem and decided to send the email, but I've never seen any big company that swore their dedication to better communication actually change their policies to not make these emails look so... auto-generated. When you're ending a business relationship, even for good reason, you shouldn't come off as a robot.
Such comments on public websites always feel like damage control to me. I'm not claiming your comment is part of some specific damage control operation or anything, but I do wonder if adding that line does much for the credibility of the rest of the post. In my opinion, it adds a layer of corporate pixie dust on top of the rest of your words.
That being said, responding in public, especially in a place like HN, is a pretty brave thing to do, especially with all the other negative threads from others here, so I definitely appreciate the effort you put into this!
They have bots deciding the future of their users. And when the bots make some kind of mistake they don't give support to the customer nor check if the user got wrongly banned. It's some kind of sick blind trust they place on automated systems. Nothing wrong against these systems, but they should have a system in place to check whether these made a mistake or not.
I think one method of protection would be using Stripe's Radar service to screen transactions for malicious patterns.
While it probably won’t catch all fraudulent charges, it’ll catch a bunch. You can use that increase in rejected transactions as a canary to take a closer look at the other transactions coming through.
Does anyone else have ideas on how you can protect yourself from this kind of attack?
Edit: thinking about this more, it would be a pretty expensive attack to attempt. Stolen credit cards aren't cheap, like email addresses are. You'd need a lot of them to attempt the attack and you likely wouldn't succeed.
I think you'd need 1% of the target merchant's transactions to be chargebacks in order to get them kicked off. I'd assume at least 50% of your attempts would get caught before the chargeback even happens, so you'd need at least 2% of their transactions.
Seems like you'd need a large number of cards. Anyone know the value of a stolen card?
You can see very clearly that I also thought this was an automated issue, but turned out not to be.
It feels like there should just be a better process. Shut down payments to protect yourselves sure, but spare a real life person to email the customer and give them a chance to explain or at least understand why.
I cannot thank Hacker News enough.
Running a business all these years has been hard and full of ups and downs. I do not recommend it for the faint-hearted. Until this morning, I had almost given up hope that our business was dead.
Thanks for bringing us back from the dead HN.
Lots of companies monitor HN for negative posts and respond to them but few do it as well as Stripe.
While some companies just put out the OPs fire, Stripe seems to do better.
I have a rare trust that they’re genuine and will actually follow through with improvements to prevent the same issue from happening to others.
So payment using their privacy card would look a little like this.
Merchant --> Privacy Card --> Users Real Card --> Users Bank
Where the step between Privacy Card and Real Card doesn't involve a checkout process and transaction authorisation. In bank speak they're just presenting transactions to the user's bank, without first getting a transaction authorisation.
These details are important because presented transactions can't be stopped (that's what authorisation is for), they immediately move money from the user's bank to the merchant, regardless of available funds or user consent, they can only be reversed via chargeback. These types of payments are called unauthorised payments, and due to the inability of the bank to prevent them, you're never really meant to use them, and the receiving bank has very strong rights during the chargeback process.
As a payments processor on the other side of the card network you don't want to be dealing with unauthorised payments. They're trivial to dispute, you're almost certainly breaking the card network's rules, and when they go wrong (which they 100% will), they're extremely expensive and time consuming to deal with.
Additionally in the EU, the introduction of Strong Customer Authentication basically makes these types of transaction completely illegal, and as a customer if such a transaction happened on your account you would have a right to full refund in the event of dispute, and your bank would be forced to provide it even if you had published your full card details online. Your bank would of course then go after the merchant via the card network, and then payment processors like Stripe get caught in the middle, and potentially find themselves liable for money they can no longer reclaim from the merchant, because they've already paid out the money and the dispute only happened 3 or 4 months later.
It was absolutely scary the amounts of fraud I dealt with running a dropshipping shop a decade ago.
Every bad fraud order that I dropshipped ate the entire profits from a dozen legit orders, and card fraud was attempted on approximately 25% of orders we received.
After a few years I shut the site down as it was just barely making a profit as the fraud costs escalated and I felt I was wasting my time screening every order with my own (imperfect) hand-rolled fuzzy logic fraud detection algorithms and manual investigation of every single order.
I false-rejected a lot of legit customers in the final year, vowing to stamp out the scammers I drove some customers away... it's hard to be perfect when card fraud is easy to achieve.
Actually what the final straw was for me, that made me delete the server, was not the regular identity fraud stolen-card scumbags, but the pathological liars who you could validate as 100% legitimate, but after they received and signed for the goods, would call their bank and lodge a chargeback to get a full refund, because the banks ALWAYS take the customer's side and ALWAYS charged me an extra $35 penalty for every dispute I lost (which was every single one, despite sending pages of strong proof showing the customer was a baldfaced lying thief)
> it looks like JustUseApp was collecting money for the virtual cards by pushing through unauthorised payments to the users original card.
> Additionally in the EU, the introduction of Strong Customer Authentication basically makes these types of transaction completely illegal
Was this the case?
You used to offer live chat which is no longer the case, correct? I understand that Stripe has exploded as a business but with all the money being invested in Stripe, I would seriously recommend getting live chat back so at least we know we have someone out there looking for us. Perhaps offer this to customers who are doing a min. MRR (could be controversial).
The attraction behind Stripe is the ease of API but at some point, that will become unimportant if support is not good when we are talking about dollars. Just my 2 cents as an overall Happy Stripe customer for almost 7 years.
EDIT: Never mind. I was wrong.
EDIT: I see that while I was typing you replied to a sibling comment. So we should contact you directly? Can I ask why this slipped through further review, it seems like a bug like this shouldn't require contacting a founder directly by email to resolve.
How can you tell? It seems, naively as an outsider, like the problem is precisely that you can't tell if they should have been rejected, in which case you can't tell how often it happens?
> Our credit card comes with a U.S. billing address, so you can unlock features restricted to the U.S or Western markets especially if you don't live there.
Allowing customers to easily "spoof" their billing address could be very problematic for me as a merchant. There are countries that I don't want to serve customers in, and in some cases am even prevented (by law or agreement) from serving customers in.
With regard to the last part of your comment — absolutely. This is a final recourse when the system breaks, not a part of the system that we hope you ever have to use.
My guess is that Stripe would work with them to tweak their product so it can work without exposing Stripe to all this risk. Might result in something clunkier and harder to use, but at least it'll still work.
Maybe it really was a strange and unusual set of circumstances that made this occur, so hopefully it's rare that someone would need to escalate to you directly. Thanks for being responsive to questions and making your contact details available. That's a lot better than some companies do.
PS: since I have you here, completely off topic, I met you once in Dublin long ago and you got me interested in Lisp. Thanks for that :)
Using one of these one-time-use cards won't get you out of the debt itself, and these sorts of gyms will happily wreck your credit by sending it to collections.
Making the front-page is often random luck I think, which is also why I personally always upvote such submissions when I find the person making it is a solopreneur/small company - as this may be their last and final resort to get things sorted.
https://tinyletter.com/blauvelt/letters/looking-forward-afte...
More important than that is to provide a way for people to get this resolved without having to make the front page of HN.
I know there are other uses as well, but could definitely see this service being a magnet for users who intend to defraud the actual services where these cards are being used.
"what these corporations are doing is literally destroying the basis for a developed economy.... [They] have all collectively routed around the rule of law which is necessary for sustained economic growth over time.
In countries with strong rule of law:
1. Property rights over land, equipment, and personal items are clear and protected by law.
2. Contracts between people, businesses, and the government are effectively enforced by the legal system.
3. Political accountability is high and corruption is low.
4. Business regulations are clear and enforced in a transparent manner.
In such environments people make long-term investments and build large organizations. In contrast, if the property rights and contracts are not enforced and the business regulations are not clear, most of the economy consists of small family owned firms with little modern equipment. A high-tech, prosperous economy would not develop.
Effectively, there are no contracts anymore in the digital economy. There is no predictability anymore. There is no accountability. There is no responsibility. There are no requirements for performance anymore. In sum, the US digital economy is rapidly becoming the equivalent of a third-world economy, complete with crony capitalism and digital robber barons."
I also remember something about bulk sales.
If you never intend to capitalize on the gains other than an attack vector it would minimize the risk.
So eliminating someone’s business is 2% revenue * 25$ usd optimally.
Surely we can build a better service to get these costs down.
Such a service could be offered by the legacy payment providers.
I have used such services in the past, but still feel the field is ripe for disruption.
While I'm sure these places have it in their terms, just making someone sign a contract to agree to it doesn't make it not-unethical or not worth criticising. It just makes it "not illegal in some jurisdictions"
But we also get some of the back story from Stripe about why their systems are designed this way. What challenges they face that made these engineering choices make sense.
I’m sorry that this happened to the OP. But at least this channel of communication exists. And I think we can all benefit from it.
[0] https://techcrunch.com/2021/01/10/stripe-reportedly-joins-th...
[1] https://reclaimthenet.org/laura-loomer-gets-banned-from-paym...
Regarding Stripe's support: I emailed last night to confirm how to delete a user's card when it's represented as PaymentMethod, and in reply I received a link[0] to the cards/delete API documentation (which, in case you're not as steeped in PaymentMethod's as I am, won't work because the two objects are fundamentally different).
Given this rather lacklustre handling & having also been on the receiving end of someone trying to fraud the company I'm working for, I highly doubt someone who is asking for reconsideration after receiving a fraud ban would actually receive an escalation via the front-line agents manning support@stripe.com, and if they could, the actual legitimate bans that Stripe no doubt needs to put in place would simply abuse that channel and waste everyone's time.
I appreciate it's a really challenging balance of trying to provide an escalation/appeals process that won't be abused itself, and by comparison Stripe's approach of direct-founder-contact seems easier than Apple, as if your developer account application is rejected[1] you have absolutely zero recourse apart from going H.A.M. on Hacker News & hoping the community helps you out, whereas in this case there is a magic button that starts an invisible and unaccountable appeals process, that ultimately resulted in another rejection.
The only "solution" (if any) I can see to counter the negative experience (& associated PR) would be involvement in the appeals process, where you are allowed to effectively "state your case" via video call or submission of evidence, but this draws a thorny parallel to the judicial system, and I doubt Legal would sign off on such a process.
This is a problem that impacts basically any kind of appeals process, and Stripe's not alone in suffering from it, but that perspective doesn't help the dozens of founders that don't have the connections to sort these issues out in private, and are burning the attention span of Hacker News in the process of unblocking their businesses. Front-line support also isn't the answer, unless specific processes can be put in place to handle rejection escalations and get them into the eyes of the right people.
---
[0] https://stripe.com/docs/api/cards/delete
[1] Long story short: to use Apple's Mobile Device Management APIs, you need an Enterprise developer account, which thanks to The Verge & gambling apps skirting the App Store, isn't possible unless you went to Stanford with a future Apple PM. Admittedly, the chances of an Apple executive personally addressing this if I were to email is statistically quite low compared to emailing you.
If someone from Apple is reading this & would like to pre-empt the classic "Apple screwed me" Hacker News post, do feel free to email me on luke@ghostworks.io and I'll happily brief you on The Great Saga of Enrollment 4HZY7VX69S.
I'm a businessman trying to hide my wealth, I get one of these cards and top it up with 100k from my Cayman Islands bank account, and use it for all my daily spending. That's a very common method of tax evasion.
Stripe could now be on the hook for facilitating this, which means they need to trust justuseapp to do proper KYC that complies with global anti money laundering policies, etc. That is a HUGE task, and if they get it wrong, the consequences are serious. So, when Stripe says they're worried; they're right to be.
The intended use of this company's service might be altruistic, but it's really easily abused for nefarious purposes.
I have been "approved" multiple times, but the Issuing-related features never get turned on. Every time I complain, there's another review cycle. The most kafkaesque experience I have had with a business.
Not sure what case you refer to, but in our case someone was able to place multiple clearly (in my own hindsight) fraudulent orders on our WooCommerce store. And it wasn't Stripe who lost on these chargebacks - it was us. The only way for Stripe to lose money in such a scenario is if the seller (us) were an active part of the fraudulent transaction. I.e. work together with someone placing fraudulent orders and immediately funnel money away and throw away the Stripe account. That is clearly not an option for an established business...
And no, it wasn't a niche attracting fraudsters - we sell pyrography tools, not electronics or some other similarly attractive products for fraudsters.
Never build your whole business on using either or you are just a daily dice throw from being turned off.
The difference between you and TrueBill or Ramp is they have legal teams and founders/backers that have inside access and special approvals that ordinary start ups do not. Certain start ups get special treatment by the banks and payment processors because of behind the scenes actions you cannot take.
Banks and payment processors currently have the power to decide which companies can exist and which cannot. Sometimes for perceived moral or risk reasons and sometimes for random reasons. We really could use some sort of uniform legal appeals process rather than the standard of going to social media to beg for reinstatement.
What's the right solution? It's case by case, down to a mixture of morality and expertise to decide.
Seems these tech algorithms often generate a lot of false-positives wrongfully, or that's what's posted online afterwards. It'd be interesting to dig into the numbers for various platforms, see if they're falsely negative for spam accounts and bad actors. We wouldn't hear posts on HN about spam bots that cut into FB's bottom line, would we?
Cash transactions above a specific dollar value literally generate reports to the government for investigation.
So, I think, yes, cash transactions tend to generate suspicion among anti-money laundering efforts.
> Stripe can easily lose very large amounts of money on individual accounts
How so? Is that because Stripe settles the payment on their end (they pay the merchant) before the payment to Stripe is settled?
Can crypto solve this?
Interestingly, because you can get these debit cards and IBANs with the subscription, Bunq is often used by money mules and the like, giving Bunq a bad name in the process. Wouldn't surprise me if something similar happened here, even if just as a preventive measure.
I do think it's strange Justuseapp.com allows people to get a virtual debit card with an address in USA, even when they're not in USA (their customer). Either way, if you're using this ("financial VPN based in USA") to steer away from US government you're doing it wrong. A proper use case would be to avoid PII getting leaked on all kinds of online services.
You can also pull API keys from most apps and get them banned from advertising networks.
You can hire people to review bomb.
Hire people to make fake news about a competitor go viral.
Someone willing to do illegal things can always hire other people to do illegal things for them "anonymously"
I suspect fraudsters are able to wait out this period without detection so they can cash out. If this is the case, then even time locking smart contracts won't help, as the fraudsters just wait out the time period. At that point Stripe would have even less recourse to recover money, as retroactive transfers are not possible at that point.
I could see services such as their debit card offering being abusable too.
They also likely have to worry about things such as predatory recurring payments as those will result in chargebacks which could ultimately fall on Stripe to foot.
It will take you years to move $100k at $60 per day.
Seems like a valid reason to ban someone from a platform. Reading further, Stripe was being used to collect money to make hundreds of frivolous lawsuits. (Legal definition thereof)
> 1: The latest payment platform to refuse to accept payments made to Loomer is Stripe.
Looks like Stripe is far from the first company to do this. Reading between the lines, this person is specifically trying to get banned to prove a point. At some point, their history of doing so becomes the reason for kicking them off, rather than their political views.
If nothing changes, people will move away from Stripe on to something else. I'd say stuff like this is exactly how a business that wants to stay alive needs to react to swiftly and figure out the root cause for.
The communication from the founder or representative needs to reflect the commitment to change and show the plan they intend to execute. The GP didn't do so well on the second point (vague plan, at best).
If we see stuff like this still happening in 3-6 months, I think it's time to bring out the pitchforks.
It runs the risk of turning 'support' in to a profit center, I support.
Give these guys a break - they are trying to onboard customers as fast as possible to reduce the headache involved. The only way to do it is automation. There will always be cases where things go wrong.
For example, sending money via a banking wire. If the bank goes down, you can't send a second wire through another bank without loss because the first wire is not retractable.
Last time I contacted Stripe I was given a round circle between departments, the department responsible denying the issue and/or sending me to an unrelated department (who had a good agent but, as expected, admitted she couldn’t fix the issue even though she recognised its existence). In the end it turned out to be a bug in Billing that was eventually fixed (per the dev IRC) but support denied there was any bug and kept giving bot-like responses. It was ridiculous. Stripe should probably improve its support, but even if it doesn’t it’ll probably do just fine.
Big tech and developed ‘startups’ are famous for bad support. Consider Coinbase, which barely responds, PayPal, which is useless, or Google/FB, which don’t even provide a contact option except in limited cases (eg GSuite for Business issues).
Microsoft (used to?) offer this for developer support and I remember using it maybe 15 years ago where it was a couple of hundred bucks to open a ticket but you got quick access to a real expert and good escalation.
If the issue turned out to be their problem the ticket was refunded.
For something business critical like this it is a way of signaling to the company that there is clearly something wrong with the automated process: a real scammer won't pony up hundreds of $ to get a review they would fail.
.... If you weren't disabled by an automated system, and "customer support" (probably another level of shitty ML) continues to double down.
I concur with mikepechadotcom that this is simply a one-off damage control via "Social Media Escalation".
There's also the question/option of considering reputation, which also brings up scary thoughts about China's moves in that area. If you're complaining and are a well known highly voted participant on HN, YouTuber with thousands of subscribers, etc the risk that you as a public-ish figure are trying to scam is lower.
It seems to me that if a company provides such an important service to other companies (i.e. functioning as that company's direct revenue source - payments), then if somewhere it is determined that Stripe no longer intends to provide that service, someone at Stripe should be reaching out proactively, via a telephone or other method, to the leadership at the customer and explaining to them in detail why the decision was made to terminate the relationship and what recourse they have.
I shudder to think of the impact that an algorithm-based decision like that would have on my business in this scenario. It would be an absolute disaster, and could have far reaching implications for the viability of someone's business.
Every single decision where Stripe is terminating a relationship should have a clear path to a human being for resolution, and should be reviewed by a human before the decision is even made. Like, set up a conference call with leadership and work through the issue. Most fraudsters wouldn't go through that process anyway, and it provides a proactive approach to working with customers who obviously would be in a complete disaster recovery scenario if this occurred so it would be all hands on deck on the customer's side. Nothing is worse than having all hands on deck to address a critical issue and feeling helpless because the other side of the equation is an auto-responder email box.
No business should be writing blog posts for help on something like this.
Do, or do not. There is no "try."
I'm not hopeful for any change in these sort of review processes without any legislation changes, but it would be a truly tragic state of affairs if it were to escalate that far.
I had almost exactly the same issue as OP but with Braintree. The support was equally as useless. Stripe isn’t unique here, most tech companies just don’t know how to build good support.
Fixed it by using Fastspring. It is a fully integrated solution, with a slightly higher fee, but saves you a lot of dev hours. Their support is amazing.
Edit: it might sound clunky, but asking for wire transfers costs almost 0 dev hours, but can still be used to prove your potential clients would really pay.
Hire people to manually review final appeals, maybe you've gone too far and are not hiring to keep up with user growth.
Realistically, we need automation to handle most cases. But that means false positives. And there needs to be a better channel than HN or being famous on Twitter to get issues resolved.
If a Stripe user appeals unsuccessfully through your official channels and then gives up, do you consider that "resolved"?
It seems like you exhaust those unfortunate users who were banned due to Stripe's errors and then call it a success because they've stopped complaining. Or does your definition of "resolved" account for that?
https://news.ycombinator.com/item?id=26320429 https://news.ycombinator.com/item?id=21306225
In both cases Edwin has helped me a lot to recover my access.
But it's a heart-sinking moment and a few anxious days, because without Stripe I don't really know what options I had out there. PayPal is probably what I will do next in those cases.
PS: if you're here Edwin, thanks so much for helping me solve those issues in the past. I was finally able to bootstrap my SaaS and be profitable with it.
Thanks a lot for what you did Edwin.
Vinh.
I would like to know where and why Stripe's customer support failed in this case. Or even if it failed at all. Those are the only relevant details.
It's immaterial to the discussion whether any other web forum was used as an alternative to Stripe's customer support. I'm sure HN didn't sign up to be any company's customer support channel, or if it's reasonable to get it involved in this ordeal.
If I have a problem with Stripe, I want my business to be dealt with Stripe directly, and in the process not get a web forum involved. I would hate to be in a position where escalating an issue so that it becomes a PR issue as well is seen as the first step in a problem-solving workflow.
Maintaining the magic abuse detector requires secrecy around the heuristics, which means not always giving the clearest error codes/any error codes to the user re: what's wrong with their account/transaction.
This might be the craziest thing I've ever seen in a support email.
I can already tell you what happened, Edwin. From your CEO himself:
> We actually have an ongoing project to reduce the occurrence of these mistaken rejections by 90% by the end of this year. I think we’ll succeed at it. (They’re already down 50% since earlier this year.)
Your staff are duking your metrics because you don't understand Goodhart's Law.
All of the big tech companies think they can use machine learning and algorithms to do everything and they have an "acceptable" rate of failure as a target.
The main problem with that is that even if the failure rate is .01%, the failure is typically catastrophic for that .01%. When the error is going to ruin someone's life, is there really an "acceptable" rate of failure?
A secondary problem is that machine learning and algorithms are going to have a tough time accounting for virality. I.e., if I have a small product that goes viral, as a percentage change, my error/fraud/dispute rates are going to jump drastically. So at the exact moment where reliable, scalable payment processing is the most important in my life, the automated systems are going to have the highest risk of banning me and automatically denying my appeal.
The fact that 24-48 hours is considered an acceptable timeframe for an appeal is worthy of its own paragraph. That's unacceptably slow if they're locking the account and doing irreparable harm to your business. That wouldn't be tolerated in a market with proper competition and my instinct is to ask for regulation that would involve a 3rd party in dispute resolution for a payment processor that's terminating a relationship in a non-amicable manner.
At least give me some options that can make things suck less. I'd prepay $500 (non-refundable) without even thinking about it to be guaranteed a phone call prior to account termination. I'd let them hold back a percentage of revenue up to an absolute value so it can be held as a (refundable) bond to protect against fraud. I'd let them hold back a higher percentage if their automated systems detect an increased chance of fraud / issues.
I think stuff like this is a stunning failure and I can't understand how tech entrepreneurs (of all people) can't understand why it's unacceptable. The dream for most of us is literally to build something that has overnight, viral success and makes us rich, but we've got companies like Stripe using ML algorithms that'll auto-ban you as soon as you deviate from the norm. How is that reasonable?
The absolute worst case scenario for a Stripe customer should be for the customer to opt to have all payments withheld (by Stripe) and to undergo some kind of dispute resolution or problem solving. Would you rather wake up to a banned account or an email saying they're holding your money until you call them? I know PayPal gets a lot of flak for the latter, but maybe it's not that bad compared to the alternative. The problem with PayPal AFAIK is they hold the money for a long time no matter what.
I get so frustrated when I see PR / damage control and the solution they're providing is "we're going to improve the algorithms." You can't. By the time those systems fail you need one-on-one human support where both sides can adapt, compromise, negotiate, etc. in real-time.
YOU NEED PEOPLE, NOT MACHINES!
Looking for drop shipping on Google leads me to pages e.g. by Shopify or Square explaining it's a model to run retail where the store doesn't hold stock or fulfill but instead has a distributor / manufacturer fulfill the transaction, shipping directly from them to the customer.
Absolutely!
Mistakes are ok, it'll always happen. Great to try to minimize them, but there will always be mistakes.
The real key is how they are handled and how easy it is to get a real responsive human on the line who is empowered to fix it ASAP.
As I understand it: When A pays B with Bitcoin via the Lightning Network, B can almost instantly be sure that they have the money. There is no way for A or an intermediary to take it back.
There is a (very) large number of people who do this, especially in Canada, because US credit cards offer vastly better rewards even after taking foreign transaction fees into consideration.
Then put a flag on that account. Repetitive issues will make it clear what's happening.
Fraudster also doesn't have the same needs as most customers, they don't need to keep the same account... at best the same account will barely give them more credibility, but that would no longer be true if a flag has been raised previously.
There's plenty of ways to verify identities, use that when a flag has been raised previously. Again, something that sure a fraudster can do but lower odds than an actual customer.
As for having two integrations, what's your opportunity cost? You'll want a backup integration, but imo that's in the same category as having a backup cloud to run on in case AWS goes down. Which, you do, but the time spent working on that is time spent not working on the product.
if (transactionInvalid > 5) {
    if (accountPossiblyFraudulent) {
        sendAccountCancellationEmail(accountid)
        stripeBackEnd.closeUserAccount()
    }
}
It's disgraceful that there aren't multiple layers of careful analysis and INCLUDING personal reachout before canceling an account. Big companies like Stripe need to be reined in with legislation because they wield the power to destroy businesses and they do it without care.
Where is Stripe's ombudsman - a customer advocate - an independent person with CEO level power within Stripe whose primary duty is to customers and is a channel of last resort when your normal support channels have failed? Why don't you have this?
How can you allow Hacker News to be the channel of last resort?
You're running a financial services company and doing it as though it's unimportant to cancel someone's ability to invoice.
The lack of protection for your customers is why companies like Stripe need much tougher regulation.
In fact, you as the co-founder of Stripe should NOT be answering here on Hacker News. You should make it a point to NOT personally resolve such issues because if you have to, then you are acknowledging serious failure in your company's systems and serious letdown of your customers. In fact you should be appalled that Stripe so fails its customers that they must go to social media to solve valid problems. You should simply be able to rely on some lower level person in Stripe finding this and posting a short message saying "please contact our ombudsman", and being assured that your ombudsman will give it due and fair consideration.
So surely this is not the only time Stripe has mistakenly cancelled an account - but this is the one case where the person whose account was cancelled was able to get their issue on the front page of Hacker News. Therefore it can be said that many people have their accounts mistakenly cancelled by Stripe and have no recourse - again where is your ombudsman?
This is serious systemic failure of Stripe. And the worst thing is it is not just Stripe - this is what people have now come to expect from giant companies that are a critical part of business - such as Apple's app store - people now expect that the company might one day send a random email saying, in effect that your business is over. You can't or won't fix it, so the law should.
Stripe founder need to hear this: "sorry" ain't enough.
I think the idea of minimizing harm is a really good one.
I've never done any machine learning type stuff, but, based on my limited understanding, I think there are probably a few issues at play that make things difficult.
I think the feedback loop for an algorithm is likely important. If you're training an algorithm to match fingerprints, you have a few things that work in your favor. First, matching is easier with fewer samples, so you can train the model incrementally with larger and larger data sets. Second, the process of identifying false positives is easy, relatively definitive, and isn't influenced by external factors. If the ML algorithm only has X% confidence you send it to a human who assesses the match and tells the algorithm the answer so it can "learn" for the next situation that's similar.
Contrast that with something like payment processing. First, you need to scale with demand and it's not easy to incrementally train the algorithm. Second, false positives don't have a tight feedback loop. A false positive negatively affects a customer and every case is different. You need to rely on external, subjective data that isn't definitive enough to be useful to an algorithm (IMO).
I think matching fingerprints is a good analogy to illustrate some of the problems, especially when you hear things along the lines of "looked too similar to fraudulent activity." With fingerprints, you could give 10 to an amateur and they could probably match them accurately. Scale that up to 10,000 and you have so many that look similar, but not identical and you need a professional to do the matching.
I think ML is similar. It's better on a small scale than it is on a large scale and just doesn't scale up as well as the sales pitch says (unless it's assessing problems with definitive solutions). The issue here is that tech companies are treating ML like it scales in a linear fashion. Just throw more compute at it and 10x the scale, right? Wrong (IMO).
There was another comment here that said something along the lines of getting to 98% accuracy and deciding not to serve the other 2%. I think that's what's happening everywhere, but rather than explicitly telling customers they're not welcome, companies are simply letting their ML algorithms run to find the equilibrium where they can manage the "not positive" rate.
And that goes back to your idea of minimizing harm. They don't want to. They don't care if they promise you service even though you're borderline in terms of triggering false positives. You're part of the data set for their machine learning algorithm and that means you're viewed as acceptable collateral damage. They'll ruin your life to train their ML algorithm(s).
I'm in Australia and our 4 banks are way too powerful, and some of the world's most profitable on a percentage basis, with nearly the highest paid executives globally.
In the decade since I deleted that site in despair, there have been several royal commissions / public inquiries into the shockingly unfair and outright illegal actions all the 4 banks systematically entrenched, including forging customer signatures, ripping off customers at every opportunity, including siphoning customers' money when the bank knew they had died, facilitating money laundering of cash earned from drugs on vast scales, influencing our captured politicians to roll back recently-legislated consumer protection laws the previous govt enacted, to absolve them from any culpability whatsoever by writing larger "liar loans" they knew people would struggle to live with, and which are still going strong (approx 1 in 3 recently admitting to this in a follow-up survey).
The AUD$35 per chargeback was an easy profit centre for them a decade ago, and no way would they ever take my side when it was free money for them.
I had a USD bank with them for the ecommerce dropship account. Our average order was around USD$51 with a little over 10% gross profit.
I was the only one losing out. The bank, my dropship supplier, and the card fraudsters all got paid and received their goods.
And identity is a VERY complex area, and nothing like as simple as "plenty of ways to verify identities". Particularly noting that fraud is often carried out by leveraging many partial opportunities: I use the (false/stolen) identity from over there to carry out of the fraud over here.
1. The sheer volume of fraud attempts. Economics often dictate that it needs to be cheap and fast to reject a fraud attempt.
2. Information leakage. It's normal to see people complain that '<insert service of choice> banned them and refused to say why'. There's a very good reason for that: They're trying to slow the rate at which fraudsters learn to exploit them. So they deliberately don't detail exactly what the issue was. Yes, it's super frustrating if you get innocently caught up in it, but it's not arbitrary.
TL;DR: Like everything else in life, there are real and genuine trade-offs here.
You cannot use a PO box as your residential address when you apply for a credit card. Assuming you have an SSN or ITIN, if you use a private mailbox as your residential address on a credit card application in the US, your mileage will vary. Some financial institutions maintain databases of private mailbox addresses and flag these if you use them but no matter what, falsely representing that you reside in the US on a credit card application by using a private mailbox with a US address will always put you at risk of an account closure.
Many issuers will allow you to set a mailing address that's different from your residential address. This can typically include a PO address. That's not the same thing as lying about your country of residence.
More generally, the big problem is that most internet companies are trying to achieve growth and user numbers which aren’t incompatible with having humans moderate everything. For example, everyone likes to hate on social media companies doing a terrible job moderating. But the reality is that you cannot hire enough humans to manually moderate billions of things daily. So algorithms are a necessity, unless we are willing to part with platforms which cater to extremely large audiences.
As long as you get your foot in the door and pay the bills on time, your credit history only grows -- and it is extremely unusual for accounts in good standing to be closed. In theory they can close your account at any time, yes. In practice, this rarely happens, because it's common for people to move around the world these days and it doesn't make sense to close someone's account for that.
To get access to the half decent rewards credit cards in the US will at a minimum require you to have an ITIN. To obtain an ITIN, you need to submit an application to the IRS and provide a bunch of documentation related to your identity and foreign status. This documentation needs to be original or certified. If you don't use your ITIN at least once to file a tax return in 3 years, it will expire.
If you jump through the hoops to get an ITIN, as I mentioned, financial institutions usually have a database of private mailbox addresses. Technically these are called CMRAs - commercial mail receiving agencies. If you use a CMRA address when applying for a credit card, there's a good chance it will be detected. So you're going to need a friend or family member in the US to let you use their address. Also, if you apply with a foreign IP address, this too will likely be detected. Use of a VPN can trigger extra scrutiny.
The American credit cards that offer attractive rewards have the highest requirements in terms of credit score. If you have no credit history, you will not be approved for these. The average non-resident foreign national isn't spending enough every year on their credit cards to gain any meaningful benefit from a crappy American rewards credit card, or to spend years building up a credit history to get a better card.
As for people moving around the world, it's eminently easier for American citizens to keep their credit cards and get new ones when they become expats, especially if they don't change their addresses or set up alternative US addresses (with friends or family) before they move abroad.
Has Stripe considered having a link on the main page for questions about a charge? If I could have typed in charge details and gotten direct confirmation that the merchant account was closed for fraud (I bet it was) and that I could ask online for my money back, it would have saved me a phone call, saved Stripe a chargeback, and earned a bit of goodwill.
One day I'll overengineer something to solve this, but for the meantime it's "ssh statichost -- sudo kill -s HUP 947" every so often. Thanks for reminding me, much appreciated!
wrote back to the support asking to reconsider, really hoping for a quick answer!
The reporting you are referring to only relates to bank transactions. In the US, when a business deposits their cash receipts, the bank generates a report. There is no obligation on the business (e.g. a car dealership that sells a car for $100k in cash has no incremental reporting burden).
More importantly - because x can be used in the commission of y crime, but the vast majority of the use of x is in perfectly normal/legal use, one should not cast suspicion on the use of x or reverse the burden of proof for using x.
Wait what?
Here's my comment:
> Fraudster also doesn't have the same needs as most customers, they don't need to keep the same account...
How do I assume the fraudster wants the account? I'm arguing the reverse, that they don't want it, thus give more credibility over anyone doing effort to get his account back. I don't understand that part, feel free to clarify it.
> And identity is a VERY complex area, and nothing like as simple as "plenty of ways to verify identities".
I was arguing that opening up customer service for these instances won't be a huge risk if you keep a flag on the account as the fraudster doesn't need the account long term (as you seem to agree).
Doing other verification is to reduce that risk further, risk that I already consider minimal. No one said that it would be 100% effective, nothing is perfect, sure some will be able to bypass, but as I said, they don't need to.
> Particularly noting that fraud is often carried out by leveraging many partial opportunities: I use the (false/stolen) identity from over there to carry out of the fraud over here.
Yup, thus why getting more proof of the user identity will allow to confirm he is actually who he is claiming to be. Here in Canada we can do that at Canada Post office. It's not something Stripe asks for, thus if someone with a flagged account asks to get it back, doing a local verification will most probably be harder for him.
You make this sound way more complicated than it actually is to get an ITIN. There are very few hoops to jump through. Having an account with a US-based stock broker is usually sufficient, there are even companies that will handle the entire application for you for a fee.
> financial institutions usually have a database of private mailbox addresses. Technically these are called CMRAs
They get this list from the USPS, and anyone can use the USPS website to see if an address is on the CMRA list or not.
> The American credit cards that offer attractive rewards have the highest requirements in terms of credit score. If you have no credit history, you will not be approved for these.
Like I said above, once you get your foot in the door (if you have zero history, there are companies that will give you secured cards, against a deposit, that help you build history), your credit history only grows. You don't need "years" of credit history to get a good rewards card, it's pretty much two years.
> The average non-resident foreign national isn't spending enough every year on their credit cards to gain any meaningful benefit from a crappy American rewards credit card, or to spend years building up a credit history to get a better card.
The average non-resident foreign national probably buys more stuff online delivered from the US than you think. Two years of spending roughly $800/month on average would do it (this is not as much as it seems, because it includes all international travel spend -- and Canadians who are getting US cards are in the demographic that visits the US frequently).