693 points hienyimba | 2 comments
edwinwee ◴[] No.28523676[source]
Edwin from Stripe here. (OP, I've just sent you an email and we can talk more over there—I'm terribly sorry for the trouble.) I can't get into too many specifics about an individual business publicly, but unauthorized charges have high potential to be disputed in the near future—and while Stripe itself doesn't have a dispute threshold, the card networks require businesses to keep disputes low.

Although that email in the post was admittedly a template, a human did review the transaction activity and actively sent the email. We're digging more into exactly what happened here to prevent the confusion from happening again. Over the past few weeks, we've been overhauling how we work with businesses in situations like these and are rolling out some meaningful improvements soon.

ddtaylor ◴[] No.28523708[source]
So, if I want to disrupt a competitor all I have to do is hire a bunch of darknet identity thieves and you'll shut down their merchant account?
1. MichaelApproved ◴[] No.28523989[source]
Great point. This does seem like an important vulnerability.

I think one method of protection would be using Stripe's Radar service to screen transactions for malicious patterns.

While it probably won’t catch all fraudulent charges, it’ll catch a bunch. You can use that increase in rejected transactions as a canary to take a closer look at the other transactions coming through.

Does anyone else have ideas on how you can protect yourself from this kind of attack?

Edit: thinking about this more, it would be a pretty expensive attack to attempt. Stolen credit cards aren't cheap, like email addresses are. You'd need a lot of them to attempt the attack and you likely wouldn't succeed.

I think you'd need 1% of the target merchant's transactions to be chargebacks in order to get them kicked off. I'd assume at least 50% of your attempts would get caught before the chargeback even happens, so you'd need at least 2% of their transactions.

Seems like you'd need a large number of cards. Anyone know the value of a stolen card?

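The canary idea in MichaelApproved's comment above, sketched as an added example (not from the thread and not Stripe's code): flag days whose screening-blocked rate jumps well above the recent normal rate, and track the dispute ratio alongside it. The record layout, function names and thresholds are hypothetical, the data is constructed, and no Stripe or Radar API is used.

```python
from statistics import mean

# Constructed sample data: (day, total_charges, blocked_by_screening, disputes_filed).
DAILY = [
    ("d01", 400, 4, 1), ("d02", 420, 5, 0), ("d03", 390, 3, 1),
    ("d04", 410, 4, 0), ("d05", 405, 5, 1), ("d06", 415, 4, 0),
    ("d07", 400, 4, 1), ("d08", 430, 26, 1), ("d09", 445, 40, 3),
    ("d10", 450, 38, 6),
]

# Assumption: the 1% figure is the commenter's guess, not a confirmed network rule.
DISPUTE_LIMIT = 0.01


def blocked_rate_alerts(days, window=7, factor=3.0, min_blocked=10):
    """Return the days whose blocked rate exceeds factor x the recent normal rate."""
    clean_rates, alerts = [], []
    for day, total, blocked, _ in days:
        rate = blocked / total if total else 0.0
        # No baseline until `window` normal days have been seen.
        baseline = mean(clean_rates[-window:]) if len(clean_rates) >= window else None
        # min_blocked keeps low-volume noise from firing the canary.
        if baseline is not None and blocked >= min_blocked and rate > factor * baseline:
            alerts.append(day)  # flagged days stay out of the baseline
        else:
            clean_rates.append(rate)
    return alerts


def dispute_ratio(days):
    """Disputes filed divided by charges over the whole period."""
    charges = sum(total for _, total, _, _ in days)
    return sum(d for _, _, _, d in days) / charges if charges else 0.0


if __name__ == "__main__":
    print("canary days:", blocked_rate_alerts(DAILY))
    print(f"dispute ratio: {dispute_ratio(DAILY):.4f} (limit {DISPUTE_LIMIT})")
```

In the sample the canary fires on d08 while the dispute ratio is still well under the assumed limit, which is the window for a closer look that the comment describes.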
2. BikiniPrince ◴[] No.28524956[source]
Actually they are relatively cheap to purchase. It’s been a while since I saw numbers, but googling around seems like 25-50.

I also remember something about bulk sales.

If you never intend to capitalize on the gains other than an attack vector it would minimize the risk.

So eliminating someone’s business is 2% revenue * $25 USD optimally.

Surely we can build a better service to get these costs down.