
I have a perspective from the other end of this, as a seller. Been using Stripe for 5 years selling digital content with a low, $5 average bill. A year ago the site was likely noticed by hackers who started punching in dozens of stolen credit cards. I kept refunding manually at first, but then I activated Stripe Radar. It made absolutely zero difference out of the box. "Is it the 100th charge coming from the same IP in Ukraine with a Canadian VISA? No problem, charge approved, here's your success webhook." "Same fake TLD for the email address, for customer number 2235? Nothing suspicious here, charge approved."

What helped fight this was to create a rule in Radar to reject all cards without 3D Secure capability, but it cut off a sizable chunk of legit revenue.



This is the big problem with Stripe's positioning in the payments food chain ladder.

Block every single fraudulent or suspicious transaction, and you're leaving obscene amounts of money on the table.

The amount of credit card fraud that goes unclaimed or is eaten by liability shift is huge, so if Stripe makes a product like Radar ACTUALLY WORK, they would be missing out big time.

I am confident Stripe Radar's shortcomings are deliberate and not simple bugs or design problems.

It appears they have no incentive for the product to be 100% effective and that would explain why Stripe Radar is billed per screened transaction, regardless of outcome.

We benchmark Stripe Radar against other pure-play fraud fingerprinting solutions, and the difference is abysmal. The fact that Stripe claims to have seen 80% of any card before it gets to your store makes this fact even worse.

So, like parent says, you are going to see radar scores of 90 and 95 for certain charges (clearly fraudulent carding attempts), followed by scores of 15 or 20 for the same card, IP, fingerprint with absolutely no warning.

I've grown tired of escalating this to Support. They just give me the ML model answer. Basically: "It's a black box!"

You can definitely add a rule to start blocking charges from X places, or with Y velocity, or always enforce 3DS, but then you're taking the model into your own hands, and that has some important consequences.

Your acceptance rate goes down. You're heavily interfering with the model and relying (and trusting) it less, and you realise you really don't need Radar to do that for you.

If you're serious about fraud, you must use a pure-play solution that is 100% aligned with your interests.

From what we've seen with Stripe Radar in the past, that doesn't seem to be the case.

I'm a big fan of Stripe in many ways, but I really have a love/hate relationship with this side of their business...


Agreed - I remember working on something that only serviced Australian customers and charged in Australian dollars, but Stripe didn't do much when there was a massive influx of overseas cards charging in US dollars.

Stripe Radar costing money is a bit annoying too - my solution was to block non-Australian cards - but the only way to do that is with Radar, which costs money. Radar doesn't let you whitelist currencies either.


Is there no way to get Stripe to automatically refund all chargebacks/disputes? What if you're only getting a 5% fraud rate for something cheap and you want to just eat the loss and not have to manually deal with disputes? Or if you're selling something like a premium online account, you can just disable the user's account automatically if they dispute the charge.
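The automatic handling asked about here (act on a dispute without a human in the loop) is normally done from Stripe's `charge.dispute.created` webhook. As an added example, not code from this thread or from Stripe, the block below verifies the `Stripe-Signature` header (HMAC-SHA256 over `<timestamp>.<raw body>`, constant-time compare, replay tolerance window) and then disables the account behind the disputed charge. The endpoint secret, the charge-to-user mapping, the event payload and the `sample_delivery` helper that signs it are all constructed for the example; on a real deployment Stripe produces the header and the body must be passed through unmodified.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

ENDPOINT_SECRET = "whsec_constructed_example_secret"   # placeholder, not a real key
# Constructed mapping from charge id to the account that made the purchase;
# a real system would look this up in its orders table.
CHARGE_TO_USER = {"ch_constructed_001": "user_42"}
ACCOUNT_STATUS = {"user_42": "active"}


def stripe_signature_header(payload: bytes, secret: str, ts: int) -> str:
    """Build a header in Stripe's 't=<ts>,v1=<hex>' shape. Used here only to
    construct test input; on real deliveries Stripe generates this header."""
    signed = f"{ts}.".encode() + payload
    mac = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_stripe_signature(payload: bytes, header: str, secret: str,
                            tolerance_s: int = 300,
                            now: Optional[float] = None) -> bool:
    """Verify Stripe-Signature: HMAC-SHA256 over '<ts>.<raw body>', compared in
    constant time, with the timestamp required to be within tolerance_s of now
    so a captured delivery cannot be replayed later."""
    try:
        items = [kv.split("=", 1) for kv in header.split(",")]
        ts = int(next(v for k, v in items if k == "t"))
        candidates = [v for k, v in items if k == "v1"]   # may carry several v1
    except (ValueError, StopIteration):
        return False
    if not candidates:
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > tolerance_s:
        return False
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + payload,
                        hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, c) for c in candidates)


def handle_event(event: dict) -> str:
    """Policy from the thread: a dispute disables the account behind the charge
    and the merchant eats the loss instead of fighting it."""
    if event.get("type") != "charge.dispute.created":
        return "ignored:" + str(event.get("type"))
    dispute = event["data"]["object"]
    user = CHARGE_TO_USER.get(dispute.get("charge"))
    if user is None:
        return "unmatched:" + str(dispute.get("charge"))
    ACCOUNT_STATUS[user] = "disabled"
    return "disabled:" + user


def process_webhook(payload: bytes, header: str, secret: str = ENDPOINT_SECRET,
                    now: Optional[float] = None) -> str:
    """Entry point a web framework would call with the raw body and header.
    Signature verification happens before the body is parsed at all."""
    if not verify_stripe_signature(payload, header, secret, now=now):
        return "rejected:bad-signature"
    return handle_event(json.loads(payload))


def sample_delivery(ts: int = 1_700_000_000):
    """Constructed dispute event and its signature, shaped like Stripe's."""
    event = {
        "id": "evt_constructed_001",
        "type": "charge.dispute.created",
        "data": {"object": {"object": "dispute", "id": "dp_constructed_001",
                            "charge": "ch_constructed_001", "amount": 500,
                            "reason": "fraudulent"}},
    }
    payload = json.dumps(event).encode()
    return payload, stripe_signature_header(payload, ENDPOINT_SECRET, ts)


if __name__ == "__main__":
    body, sig = sample_delivery()
    print(process_webhook(body, sig, now=1_700_000_000 + 60))
```

The order matters: verify the raw bytes first, parse JSON second, act third. A handler that parses before verifying lets anyone who finds the endpoint URL post a fabricated dispute and lock out a paying customer.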


5% is huge. Like, ban your business from taking credit cards huge.


So you're saying all I need to do to knock a business offline is spam it with enough fraudulent CC numbers?


Yes you might be able to do that, at the risk of some personal liability because this is illegal. It’s also grossly unethical.

If your fraud has a large enough monetary value, large enough scale, or you work with another person on it, you can get hit with a serious felony charge and end up in prison for a few years. Disclaimer: I am not a lawyer or expert on credit card fraud.


I think people don't realize how much of the economy relies on agreements to not be a piece of shit.

Sort of like the highway system relies on an agreement not to play bumper-cars. There's nothing actually stopping anyone.


> There's nothing actually stopping anyone.

Self-preservation.


Yup, that's an attack that exists and is used regularly. It's not trivial to pull off, but is easy/accessible enough that competitors will sometimes do this to each other's web shops (I've heard of two cases of this just in the last 3 years and that's in a city of only 300k people).


This is exactly the big issue no one is talking about. We are putting more and more pseudo security in customer protection but as a seller I am always in constant danger.

A chargeback with stripe costs like $15 for the seller. Even if the charge was only $1.5. Imagine the monetary problems you could create and the seller has no other way than to pay and hope to not get banned.


We're actually working to provide this functionality as a service but it's currently stealth so I can't get into much more detail.


Yep. Anything greater than 1% leads to trouble such as huge fees or being kicked off a card network.


I have seen a business run with this dealing with mobile phones targeted by organised fraudsters. Moving "too fast" to notice and whoops profit is £0.2m not £3m.


> What if you're only getting a 5% fraud rate for something cheap

Something cheap turns into a $15 dispute fee.


Disputes automatically refund the amount disputed plus the fee. The onus is on the merchant to fight the dispute and claw the money back.

(Disclaimer: I used to work at Stripe on the dispute resolution team. I no longer work at Stripe.)


This is another case of the old assumption that businesses have more resources than their customers. It's something everyone in the financial/banking sector seems to assume and it drives me crazy. I run a nonprofit with less than 5000€ income yearly and a handful of volunteers. We have less time and money than one average person who wants to buy something from us or donate. If we got hit by a chargeback storm, we'd go bankrupt in a week.


The same thing happened to me. My solution was to block an IP address from making a purchase after N failed card attempts. It worked well enough to get me back off of the radar of those scammers.
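The check described here (block an IP after N failed card attempts) is a sliding-window velocity rule, and the thread's opening post describes the second signal worth counting: one IP cycling through many distinct cards even when the charges succeed. The block below is an added example, not the commenter's code and not anything Stripe ships; it runs the rule over constructed attempt records (timestamp, IP, card fingerprint, outcome) and reports the first moment each IP trips a threshold. Thresholds, window size and the sample data are all assumptions.

```python
from collections import defaultdict, deque


class CardTestingDetector:
    """Sliding-window velocity check keyed on client IP.

    Two independent triggers: too many declines in the window (the classic
    'N failed attempts' rule) and too many distinct cards in the window,
    which catches a tester whose stolen cards are mostly still valid.
    """

    def __init__(self, max_failures=5, max_distinct_cards=8, window_s=600):
        self.max_failures = max_failures
        self.max_distinct_cards = max_distinct_cards
        self.window_s = window_s
        self._events = defaultdict(deque)   # ip -> deque of (ts, card_fp, ok)
        self.blocked = {}                   # ip -> reason it was blocked

    def observe(self, ts, ip, card_fp, succeeded):
        """Record one attempt and return a block reason, or None to allow it."""
        if ip in self.blocked:
            return self.blocked[ip]
        q = self._events[ip]
        q.append((ts, card_fp, succeeded))
        while q and ts - q[0][0] > self.window_s:   # drop events outside window
            q.popleft()
        failures = sum(1 for _, _, ok in q if not ok)
        distinct = len({fp for _, fp, _ in q})
        if failures >= self.max_failures:
            self.blocked[ip] = f"{failures} declines in {self.window_s}s"
        elif distinct >= self.max_distinct_cards:
            self.blocked[ip] = f"{distinct} distinct cards in {self.window_s}s"
        return self.blocked.get(ip)

    def is_blocked(self, ip):
        return ip in self.blocked


# Constructed attempts: (seconds, client IP, card fingerprint, charge succeeded).
# The fingerprint stands in for whatever token the processor exposes; the PAN
# itself never reaches this code.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.5", "fp_legit_a", False),   # real customer, mistyped CVC
    (30, "203.0.113.5", "fp_legit_a", True),   # retried the same card, fine
] + [
    # one IP trying 12 different cards five seconds apart; every third one works
    (100 + 5 * i, "198.51.100.7", f"fp_stolen_{i:02d}", i % 3 == 0)
    for i in range(12)
]


def run(attempts, **thresholds):
    """Feed attempts through a detector; return it plus {ip: (ts, reason)} for
    the first attempt at which each IP was blocked."""
    det = CardTestingDetector(**thresholds)
    first_block = {}
    for ts, ip, fp, ok in attempts:
        reason = det.observe(ts, ip, fp, ok)
        if reason and ip not in first_block:
            first_block[ip] = (ts, reason)
    return det, first_block


if __name__ == "__main__":
    det, first = run(SAMPLE_ATTEMPTS)
    for ip, (ts, reason) in first.items():
        print(f"t={ts}s block {ip}: {reason}")
```

With the defaults the testing IP is stopped on its eighth card, after five declines, while the customer who retried once is untouched; shrinking the window to ten seconds lets the same stream through, which is the trade-off the thread keeps circling: tighter rules catch more testers and more legitimate retries.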


What do the scammers get out of buying your stuff with a stolen credit card? You get the funds, but what do they get?


It's called card running. You get a trove of credit cards, so you use them to buy tiny things that the card holders hopefully won't notice. Now you've sorted the list into valid and invalid cards, and can resell the valid list for a lot more money to a scammer who will use it for large scale fraud.


For example, they now know that the CC number they purchased in bulk is authentic.


Just to explain, people selling stolen cards have a reputation that makes them money. If they have a reputation for selling cards that have already been burned, they can’t sell each card for as much. But, if they have a good way to test their cards, they can get a reputation for only selling cards that still work. This lets them sell each card for multiples of what a fraudster with a bad reputation can charge.


I have no idea why it works this way these days, online fraud should have been solved a long long time ago with technology. The banks/mastercard/visa have the ability to mandate much better security mechanisms (3D Secure etc., 2FA, generating some secure token for any large purchases etc.) so why aren't these compulsory?


The first bank to only authorize purchases with 3DSecure lowers the fraud rate a lot, but people with multiple cards will mostly choose to use other cards, because it's less friction.

Anyway, the merchant eats fraud for card not present transactions. So why would the bank choose to reduce its payment volume in order to reduce fraud it doesn't even have to pay for?

If the merchant says 3D Secure only, it reduces fraud, but also reduces payment volume, because most customers will choose to use a merchant with less friction, especially if their issuing bank doesn't do 3D Secure, or it's broken when they go to purchase.

Reducing fraud is good for merchants, but the drop in sales may not be worth it. There's a lot of other things merchants can do to reduce fraud that aren't likely to cut into sales as much.


Having worked on the banking side, I’d say it’s because bankers hate technology. You’d be amazed at what some people will do to avoid it. I had one guy retire in 2005. When a new account manager took over his clients, we learned he’d been telling all of them the bank didn’t have email. Just because he didn’t want to adopt it.


This is similar to all the 'empty' spam calls people get. They are just probing for validity, so they can use or sell it later.


And as these additional security settings get more normal it gets harder and sometimes even impossible to pay for your services when you are not in your home country.

What's a payment method actually worth where you have so little control if the payment succeeds?



