83 points
33 comments

saviorgloves
My Stripe account suffered a card test, Stripe asked me to provide KYB materials including inventory documents and company documents, shipping information, but the account was still closed and Stripe is about to make a mandatory refund of all funds in the account (including the actual purchase price of the product). I am seeking help, but Stripe support just tells me it is not working. This could be a vulnerability of Stripe, if your competitor uses Stripe and you want to destroy the competitor's payment system, just test the stolen credit card like crazy and obviously your competitor's Stripe account will be closed.

ThrustVectoring
This sounds like a significant business dispute covered by specific contracts and regulations. You should get a lawyer. If you do not have a lawyer and have a board of directors, funders, or the like, this is a good resource to use to get a lawyer.

Anyone advising specific actions to take in this thread that aren't "get a lawyer, preferably an expert in this field, and follow their advice" is doing you a disservice. This is almost certainly something you can't DIY. If the monetary amounts are too small to be worth a lawyer, you have very limited options.

Get. A. Lawyer.

yawnxyz
What’s the best way to get a lawyer in this field, in this situation? I’m guessing “Google it” would lead to bad ones and scammers?
ThrustVectoring
Referrals from business associates, angel investors, etc. There's a decent amount of various bits and bobs of domain knowledge that comes along with funding, and referring you to a lawyer is one of them. Past that, any good lawyer working outside their specialty will often know and be able to refer you to someone who can work inside the specialty you need.
inkeddeveloper
Contact your local bar association.
neodypsis
Good advice.
nikolay
One of the nonprofits I helped suffered something similar. Tens of $10 charges, most of which were disputed, refunded, and charged a chargeback fee pretty much erased all funds raised within the month. I trusted Stripe more, but now I believe they are no different than Authorize.net, maybe even a bit worse. Anybody can go on any website using Stripe and test a credit card. A chargeback has a different meaning and that's why it's penalized and I believe Stripe are abusing the system and wrongly charging merchants a chargeback fee. In our case, we're using the most popular WordPress donation plugin - it's not like we've coded this ourselves or that our system was breached - somebody just went to a donation form and tested stolen credit cards with $10 - that's all! And we have to pay $15 for each of those attempts, which Stripe didn't stop! How is this exactly our fault?!
xyzzy_plugh
A card test wouldn't trigger your account getting closed. It would trigger someone possibly looking at your account, however.

I'm guessing you're breaking a rule and their banking partner is unhappy with whatever business you're in. If that's the case, then Stripe's hands are tied and your fate is sealed.

> but the account was still closed and Stripe is about to make a mandatory refund of all funds in the account (including the actual purchase price of the product).

I'm no expert but this sounds like a claw back, or some liability shit. A good reason to not keep money in your receiving account. How big are your transactions? Refunding everything going back how long?

You've painted only a small part of the picture. Without more, I'm not convinced this is good faith. I've seen too many shady businesses pull the same tactics.

edwinwee
I work at Stripe. Could you email me at edwin@stripe.com and we can look into what went wrong here? (If a fraudster hits your account with card testing, we'd refund just the fraudulent test payments and your account status wouldn't be affected.) Additionally, do you have rate limiting or CAPTCHA in place? Either of those would mitigate further card testing. https://stripe.com/docs/disputes/prevention/card-testing
wahnfrieden
IME many forget or neglect or don't know to implement captcha or rate limiting on checkout. It's rarely spec'd and meets resistance with product/sales/exec teams as unspec'd scope and undesirable conversion friction.
zztop44
Or use popular Wordpress plugins that don’t have captchas or rate limiting
offsky
What is the best way to implement rate limiting if our site allows payment without a login? By IP?
You should add basic rate limiting to your app. We had a similar issue with Stripe and making sure that different card numbers could not be quickly used one after the other by the same account fixed the problem.
prirun
Seems like this should be the default setup on Stripe's end.
PenguinCoder
Did you do this on your app itself or is there a way to have stripe do it for you?
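
An added example (not code from the thread or from Stripe) of the app-side check discussed in the comments above: for guest checkout it keys on an IP bucket plus a session id, and caps how many different cards and how many declines one client can produce in a time window. The names, thresholds and the `card_fp` value (assumed to be a stable per-card identifier such as a card fingerprint returned by the payment processor) are assumptions.

```python
import ipaddress
import time
from collections import deque

def ip_key(addr):
    """Bucket IPv4 per address and IPv6 per /64, since one host can rotate within a /64."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(ip)

class CardVelocityLimiter:
    """Sliding-window cap on distinct cards and declines per client key (IP bucket, session, account)."""

    def __init__(self, window_s=600, max_cards=3, max_declines=5, clock=time.monotonic):
        self.window_s, self.max_cards, self.max_declines = window_s, max_cards, max_declines
        self.clock = clock
        self._events = {}  # key -> deque of (timestamp, card_fp, declined)

    def _recent(self, key):
        q = self._events.get(key)
        if q is None:
            return ()
        cutoff = self.clock() - self.window_s
        while q and q[0][0] <= cutoff:
            q.popleft()
        if not q:
            del self._events[key]  # drop idle keys so memory stays bounded
        return q

    def allow(self, keys, card_fp):
        """Check before the charge is sent to the processor; every key must pass."""
        for key in keys:
            events = self._recent(key)
            cards = {fp for _, fp, _ in events}
            declines = sum(1 for _, _, declined in events if declined)
            if declines >= self.max_declines:
                return False
            # Retrying a card already seen is normal; a new card beyond the cap is not.
            if card_fp not in cards and len(cards) >= self.max_cards:
                return False
        return True

    def record(self, keys, card_fp, declined):
        """Call after the processor responds, so declines count against the client."""
        now = self.clock()
        for key in keys:
            self._recent(key)
            self._events.setdefault(key, deque()).append((now, card_fp, declined))
```

Call `allow([ip_key(remote_addr), session_id], card_fp)` before creating the charge and `record(...)` after the result; a blocked client can be shown a CAPTCHA instead of a hard failure to limit friction for real customers.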
shrubble
Stripe is very likely regulated by the money transmission board of whichever state your business is in.

Usually but not always it is a division underneath the Department of State; for instance in Colorado I think it is this group: https://banking.colorado.gov/industry/money-transmitters .

If you don't feel that Stripe is treating you fairly, you should get the relevant agency involved...

(EDIT to add: yes, you should get a lawyer involved also...)

mastazi
You are assuming OP is in the US, but they didn't say where they are located.
mark242
Stripe.js should include an invisible captcha by default. You effectively need to have that built into any payment form you create; someone must pass the captcha before generating a Stripe token. That's the only way to slow down a card-testing scheme.
It effectively does, and collects telemetry. There's also Stripe Radar, however when I was working in fraud for a large e-commerce company we found Stripe Radar to be a very poor product in stopping fraudulent transactions.

There are many competitors in this field and the companies that do this for a living operate a much better service than Stripe. Some of them will even fully refund false negatives if they are later disputed.

I was involved in cutting Stripe Radar and moving to one of their competitors.

Unfortunately, as a small business, you are a target for "carders" and other criminal figures.

cavisne
Years ago when I ordered from a site they had a system where they would charge you slightly less than the price on the order, but you had to quickly verify the last 2 digits. I.e. a $100 item and they would charge you 99.97, and auto cancel the order if you can't provide the actual cost (from your internet banking). Since credit card charges appear instantly this was pretty simple.

I'm surprised I've never seen such a system since, it seems very effective against stolen cards.

kelnos
I'm not surprised; a system like that increases friction and would turn some non-zero customers away.
miki123211
My bank doesn't (easily) let me see the transaction amount in the original currency. It always shows the amount after conversion, I'm not even sure if there's a way to see what the original amount actually was.
jbverschoor
They do this to authenticate payment methods in for example PayPal
Wish I had advice for you. At this point we need a "Stripe support" tab on HN.
KingOfCoders
When I was working at a large company, they moved all money out from Paypal every night without exception.

I'm not sure why anyone would keep money in Paypal or Stripe.

throw_me_5555
Just a reminder that there were people banned by PayPal for doing just that. Or in PP words: keeping too low balance relative to revenue. Still beats having a few weeks of revenue (instead of single day) locked for 180 days for arbitrary reason
im3w1l
We don't know that is the actual ban reason. Could just be something they made up when they were gonna ban them for something else and were disappointed there was no money to steal.
tptacek
What do you sell?
DarthNebo
Hope this gets resolved, I learnt from Pierre of ScrapingBee to rate limit billing APIs as well (realistically).
It would be nice to know if a few transactions can hurt an account or if it only happens with large, quick volume. OP, do you know at which rate the cards were tested on your platform?
akaxaka
You should switch to Adyen, they have protections against this.
slivanes
They are pretty restrictive on who they take on. i.e. > 5000 transactions per month.
KingOfCoders
There are two models:

1.) Those without checks who take everyone but later will easily ban/block accounts.

2.) And those who are more restrictive to take on customers but will work with you instead of blocking your account.

Everyone needs to choose their preferred payment provider, you usually can't have both.

jaykoronivo
thanks for the info
