693 points hienyimba | 21 comments
1. edwinwee ◴[] No.28523676[source]
Edwin from Stripe here. (OP, I've just sent you an email and we can talk more over there—I'm terribly sorry for the trouble.) I can't get into too many specifics about an individual business publicly, but unauthorized charges have high potential to be disputed in the near future—and while Stripe itself doesn't have a dispute threshold, the card networks require businesses to keep disputes low.

Although that email in the post was admittedly a template, a human did review the transaction activity and actively sent the email. We're digging more into exactly what happened here to prevent the confusion from happening again. Over the past few weeks, we've been overhauling how we work with businesses in situations like these and are rolling out some meaningful improvements soon.

replies(5): >>28523708 #>>28523811 #>>28523985 #>>28528152 #>>28528827 #
2. ddtaylor ◴[] No.28523708[source]
So, if I want to disrupt a competitor, all I have to do is hire a bunch of darknet identity thieves and you'll shut down their merchant account?
replies(4): >>28523802 #>>28523989 #>>28527061 #>>28527154 #
3. gilrain ◴[] No.28523802[source]
Yes, if you’re willing to break the law and risk the consequences, you can get up to all sorts of stuff. Same as anything?

Like, “So, if I want to disrupt a competitor, all I have to do is hire thugs to smash all their stuff?”

Yeah, that’d do it. Good luck.

replies(3): >>28523918 #>>28523936 #>>28524053 #
4. unixhero ◴[] No.28523811[source]
Edwin, thanks for reaching out to a community post like this. Plus points to you guys.
replies(1): >>28524058 #
5. qaq ◴[] No.28523918{3}[source]
Risk is a relative thing; the activity has to cross a threshold for the appropriate gov entity to investigate, and since they are swamped, that threshold keeps going up.
6. MichaelApproved ◴[] No.28523936{3}[source]
I think the point is that this attack vector can be pretty anonymous and absolutely deadly to the target company.

This attack is also not protected by insurance, like someone setting fire to your office would be.

It’s fair to explore just how vulnerable a company can be to this type of attack from a malicious competitor.

replies(1): >>28525929 #
7. jeroenhd ◴[] No.28523985[source]
I understand that you probably don't have the power to directly change anything about this, but what does it even mean when a company says they're "improving how they work with businesses in situations like these".

Every time some big tech company makes promises like these, nothing really ends up changing. The emails always remain vague templates without details from a seemingly anonymous source. Companies end up changing the wording of their email templates, but that's about the only noticeable difference.

I have no doubt that a real human verified the problem and decided to send the email, but I've never seen any big company that swore their dedication to better communication actually change their policies to not make these emails look so... auto-generated. When you're ending a business relationship, even for good reason, you shouldn't come off as a robot.

Such comments on public websites always feel like damage control to me. I'm not claiming your comment is part of some specific damage control operation or anything, but I do wonder if adding that line does much for the credibility of the rest of the post. In my opinion, it adds a layer of corporate pixie dust on top of the rest of your words.

That being said, responding in public, especially in a place like HN, is a pretty brave thing to do, especially with all the other negative threads from others here, so I definitely appreciate the effort you put into this!

replies(2): >>28524179 #>>28524252 #
8. MichaelApproved ◴[] No.28523989[source]
Great point. This does seem like an important vulnerability.

I think one method of protection would be using Stripe's Radar service to screen transactions for malicious patterns.

While it probably won’t catch all fraudulent charges, it’ll catch a bunch. You can use that increase in rejected transactions as a canary to take a closer look at the other transactions coming through.

Does anyone else have ideas on how you can protect yourself from this kind of attack?

Edit: thinking about this more, it would be a pretty expensive attack to attempt. Stolen credit cards aren't cheap, like email addresses are. You'd need a lot of them to attempt the attack and you likely wouldn't succeed.

I think you'd need 1% of the target merchant's transactions to be chargebacks in order to get them kicked off. I'd assume at least 50% of your attempts would get caught before the chargeback even happens, so you'd need at least 2% of their transactions.

Seems like you'd need a large number of cards. Anyone know the value of a stolen card?

replies(1): >>28524956 #
9. ViViDboarder ◴[] No.28524053{3}[source]
You’d need to come close to 1% in total charges. That’s roughly what Visa and MasterCard set as limits. This would work with anyone who accepts credit cards, not just Stripe customers.
replies(1): >>28524499 #
10. MichaelApproved ◴[] No.28524058[source]
Agreed and more.

Lots of companies monitor HN for negative posts and respond to them but few do it as well as Stripe.

While some companies just put out the OPs fire, Stripe seems to do better.

I have a rare trust that they’re genuine and will actually follow through with improvements to prevent the same issue from happening to others.

11. edwinwee ◴[] No.28524179[source]
As somebody who helped write that email a while ago, I actually agree with you. We think the improvements we're working on will be pretty tangible—as pc mentioned above, we're not just rewriting the emails, but are working on a project to reduce these types of rejections entirely.
replies(1): >>28524569 #
12. avianlyric ◴[] No.28524252[source]
Based on my guess of what's happened (informed by working on card dispute systems), it sounds like JustUseApp have been exploiting a little loophole in how card transactions work, which creates quite a bit of liability for Stripe if they're pushing through a significant amount of transactions.

My guess is that Stripe would work with them to tweak their product so it can work without exposing Stripe to all this risk. Might result in something clunkier and harder to use, but at least it'll still work.

13. ddtaylor ◴[] No.28524499{4}[source]
Assuming they're a competitor, 1% seems like a small tax to pay to gain the entire market share.
replies(1): >>28525312 #
14. benatkin ◴[] No.28524569{3}[source]
In this case, would that mean justuseapp's account being shut down earlier in the process? Neither your reply nor pc's seem to indicate (to me, at least) that justuseapp is likely to be reinstated and kept as a customer for a long time.
15. BikiniPrince ◴[] No.28524956{3}[source]
Actually they are relatively cheap to purchase. It's been a while since I saw numbers, but googling around, it seems like 25-50.

I also remember something about bulk sales.

If you never intend to capitalize on the gains other than as an attack vector, it would minimize the risk.

So eliminating someone's business is 2% revenue * $25 USD optimally.

Surely we can build a better service to get these costs down.

16. notahacker ◴[] No.28525312{5}[source]
You probably don't gain the entire market share even if the attack succeeds in leaving them permanently without a payment gateway, except in situations where the answer to "who is attacking us?" is fairly obvious...
17. BoorishBears ◴[] No.28525929{4}[source]
It's a weak point.

You can also pull API keys from most apps and get them banned from advertising networks.

You can hire people to review bomb.

Hire people to make fake news about a competitor go viral.

Someone willing to do illegal things can always hire other people to do illegal things for them "anonymously".

18. burnte ◴[] No.28527061[source]
Actually, yes. That will absolutely hurt them.
19. e9 ◴[] No.28527154[source]
I actually heard of a person who did something along these lines to the competition and Stripe shut the competitor down.
20. kureikain ◴[] No.28528152[source]
I just want to echo here that Edwin was super helpful in the past. He proactively reached out and got the problem fixed on my first post, and the second time I reached out to him, again he was super helpful in helping me resolve it and regain access to Stripe.

Thanks a lot for what you did, Edwin.

Vinh.

21. mdoms ◴[] No.28528827[source]
> a human did review the transaction activity and actively sent the email. We're digging more into exactly what happened here

I can already tell you what happened, Edwin. From your CEO himself:

> We actually have an ongoing project to reduce the occurrence of these mistaken rejections by 90% by the end of this year. I think we’ll succeed at it. (They’re already down 50% since earlier this year.)

Your staff are juking your metrics because you don't understand Goodhart's Law.