693 points hienyimba | 12 comments
    edwinwee No.28523676
    Edwin from Stripe here. (OP, I've just sent you an email and we can talk more over there—I'm terribly sorry for the trouble.) I can't get into too many specifics about an individual business publicly, but unauthorized charges have high potential to be disputed in the near future—and while Stripe itself doesn't have a dispute threshold, the card networks require businesses to keep disputes low.

    Although that email in the post was admittedly a template, a human did review the transaction activity and actively sent the email. We're digging more into exactly what happened here to prevent the confusion from happening again. Over the past few weeks, we've been overhauling how we work with businesses in situations like these and are rolling out some meaningful improvements soon.

    replies(5): >>28523708 #>>28523811 #>>28523985 #>>28528152 #>>28528827 #
    1. ddtaylor No.28523708
    So, if I want to disrupt a competitor, all I have to do is hire a bunch of darknet identity thieves and you'll shut down their merchant account?
    replies(4): >>28523802 #>>28523989 #>>28527061 #>>28527154 #
    2. gilrain No.28523802
    Yes, if you’re willing to break the law and risk the consequences, you can get up to all sorts of stuff. Same as anything?

    Like, “So, if I want to disrupt a competitor, all I have to do is hire thugs to smash all their stuff?”

    Yeah, that’d do it. Good luck.

    replies(3): >>28523918 #>>28523936 #>>28524053 #
    3. qaq No.28523918
    Risk is a relative thing: the activity has to cross a threshold for the appropriate gov entity to investigate, and since they are swamped, that threshold keeps going up.
    4. MichaelApproved No.28523936
    I think the point is that this attack vector can be pretty anonymous and absolutely deadly to the target company.

    This attack is also not protected by insurance, like someone setting fire to your office would be.

    It’s fair to explore just how vulnerable a company can be to this type of attack from a malicious competitor.

    replies(1): >>28525929 #
    5. MichaelApproved No.28523989
    Great point. This does seem like an important vulnerability.

    I think one method of protection would be using Stripe's Radar service to screen transactions for malicious patterns.

    While it probably won’t catch all fraudulent charges, it’ll catch a bunch. You can use that increase in rejected transactions as a canary to take a closer look at the other transactions coming through.

    Does anyone else have ideas on how you can protect yourself from this kind of attack?

    Edit: thinking about this more, it would be a pretty expensive attack to attempt. Stolen credit cards aren't cheap, like email addresses are. You'd need a lot of them to attempt the attack and you likely wouldn't succeed.

    I think you'd need 1% of the target merchant's transactions to be chargebacks in order to get them kicked off. I'd assume at least 50% of your attempts would get caught before the chargeback even happens, so you'd need at least 2% of their transactions.

    Seems like you'd need a large number of cards. Anyone know the value of a stolen card?

    replies(1): >>28524956 #
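As an added example (not code from the thread, from Stripe, or from Radar itself), a small monitor in the spirit of the canary idea in the post above: it tracks the trailing chargeback ratio against the roughly 1% network limit the thread mentions and flags a spike in screen-rejected charges as a cue to review recently approved ones. The 30-day window, the alert at half the limit and the 3x baseline multiplier are assumed policy values, and the transaction ledger is constructed sample data.

```python
from dataclasses import dataclass

NETWORK_DISPUTE_LIMIT = 0.01   # ~1% chargeback ratio the thread cites as the card-network limit
ALERT_FRACTION = 0.5           # assumption: alert at half the limit, before the network acts
DAY = 24 * 3600

@dataclass
class Txn:
    ts: int           # epoch seconds
    outcome: str      # "ok", "blocked" (rejected by fraud screening) or "disputed" (chargeback)

def window_ratios(txns, now, window_s=30 * DAY):
    """Share of disputed and screen-blocked transactions in the trailing window."""
    recent = [t for t in txns if 0 <= now - t.ts <= window_s]
    n = len(recent)
    if n == 0:
        return {"total": 0, "dispute_ratio": 0.0, "block_ratio": 0.0}
    disputed = sum(t.outcome == "disputed" for t in recent)
    blocked = sum(t.outcome == "blocked" for t in recent)
    return {"total": n, "dispute_ratio": disputed / n, "block_ratio": blocked / n}

def assess(txns, now, baseline_block_ratio, canary_multiplier=3.0):
    """Return alert strings: one if disputes approach the limit, one if blocks spike (the canary)."""
    r = window_ratios(txns, now)
    alerts = []
    if r["dispute_ratio"] >= NETWORK_DISPUTE_LIMIT * ALERT_FRACTION:
        alerts.append(f"dispute ratio {r['dispute_ratio']:.2%} of {r['total']} txns is within "
                      f"{ALERT_FRACTION:.0%} of the {NETWORK_DISPUTE_LIMIT:.0%} network limit")
    if baseline_block_ratio > 0 and r["block_ratio"] >= canary_multiplier * baseline_block_ratio:
        alerts.append(f"canary: blocked ratio {r['block_ratio']:.2%} is >= {canary_multiplier}x "
                      f"baseline {baseline_block_ratio:.2%}; review recently approved charges")
    return alerts

def constructed_sample(n_ok, n_blocked, n_disputed, now):
    """Constructed ledger spread over the last 20 days (sample data, not real charges)."""
    outcomes = ["ok"] * n_ok + ["blocked"] * n_blocked + ["disputed"] * n_disputed
    return [Txn(ts=now - (i % 20) * DAY, outcome=o) for i, o in enumerate(outcomes)]

if __name__ == "__main__":
    NOW = 1_700_000_000
    quiet = constructed_sample(399, 1, 0, NOW)      # normal month: 0.25% blocked, no disputes
    attacked = constructed_sample(393, 4, 3, NOW)   # stolen-card burst: blocks jump, disputes appear
    print(assess(quiet, NOW, baseline_block_ratio=0.0025))      # []
    print(assess(attacked, NOW, baseline_block_ratio=0.0025))   # two alerts
```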
    6. ViViDboarder No.28524053
    You’d need to come close to 1% in total charges. That’s roughly what Visa and MasterCard set as limits. This would work with anyone who accepts credit cards, not just Stripe customers.
    replies(1): >>28524499 #
    7. ddtaylor No.28524499
    Assuming they're a competitor, 1% seems like a small tax to pay to gain the entire market share.
    replies(1): >>28525312 #
    8. BikiniPrince No.28524956
    Actually they are relatively cheap to purchase. It’s been a while since I saw numbers, but googling around seems like 25-50.

    I also remember something about bulk sales.

    If you never intend to capitalize on the gains other than as an attack vector, it would minimize the risk.

    So eliminating someone’s business is 2% revenue * $25 USD optimally.

    Surely we can build a better service to get these costs down.

    9. notahacker No.28525312
    You probably don't gain the entire market share even if the attack succeeds in leaving them permanently without a payment gateway, except in situations where the answer to "who is attacking us?" is fairly obvious...
    10. BoorishBears No.28525929
    It's a weak point.

    You can also pull API keys from most apps and get them banned from advertising networks.

    You can hire people to review bomb.

    Hire people to make fake news about a competitor go viral.

    Someone willing to do illegal things can always hire other people to do illegal things for them "anonymously".

    11. burnte No.28527061
    Actually, yes. That will absolutely hurt them.
    12. e9 No.28527154
    I actually heard of a person who did something along these lines to the competition and Stripe shut the competitor down.