Who uses Stripe for payments? Beware, they seem to not validate cards.

drmike · Oct 28, 2013

Who around here is using Stripe (stripe.com) for card transactions?

Beware, while Stripe claims PCI-compliance and to be all secure, they fail to even do basic live authentication on accounts presented.

I would say no way, not true had I not seen 4+ examples of this utter failure this morning.

The examples are all involving stolen and previously known and reported to be stolen major credit/debit cards. We confirmed this by actually reaching account holders.

Stripe rubber stamped the transactions as valid and fine to deliver services to. Only the good eyes of one company owner caught the oddness after a flurry of orders in same geographic area (state) and with similar account abnormalities (all CAPS use on same fields).

If you are using Stripe, it is time to audit your transactions.

Original thread with more details --> http://vpsboard.com/topic/2396-whmcs-exploit-involving-stripe-payments/

WebSearchingPro · Oct 28, 2013

The bad thing is if stripe gets a chargeback there is a $15.00 fee, which essentially wouldnt have happened if they could verify stolen cards...

rds100 · Oct 28, 2013

I wonder, how could transactions go through with known stolen cards? Don't the banks block / cancel these cards if it's known they are stolen?

WebSearchingPro · Oct 28, 2013

rds100 said:
I wonder, how could transactions go through with known stolen cards? Don't the banks block / cancel these cards if it's known they are stolen?

My guess is they pre-process the transaction, then they find out later its a bad card and charge a fee to the seller.

Patrick · Oct 28, 2013

They do an authorisation for a small amount like £0.1 or whatever to verify CVV/AVS then if it passes it charges the actual amount.

shovenose · Oct 28, 2013

We use them and never have had any problems or disputes/chargebacks.

KS_Phillip · Oct 28, 2013

shovenose said:
We use them and never have had any problems or disputes/chargebacks.

We've only had a single chargeback, which we contested (and won). No other issues thus far with stripe

concerto49 · Oct 28, 2013

We have Stripe but haven't started using it. Was just going to.

drmike · Oct 28, 2013

I am utterly dumbfounded how the transactions were authorized by STRIPE.

I made recommendation to push on Stripe about these and get an answer. Since Stripe has no phone and sticks you to e-ticketing hell who knows when/if a response will be coming.

Stripe had better come clean on this and why they rubberstamped fraud transactions. Hitting seller with fees? That happens Stripe is going to get smashed. Almost certain they are violating multiple regulations based on this... Ho hum...

Damian · Oct 28, 2013

I was trusting that Stripe were authenticating/validating transactions, until this happened:

Since the best response that they could give me that their system allowed the same person to use four different cards in eight minutes was "sorry!" and still charge me a fee, I now look at Stripe transaction records every day.

SkylarM · Oct 28, 2013

I had a similar issue as Damian. They basically claim no responsibility for fraud checks, even though they run their own. The fee sucks, paypal doesn't charge a fee unless you fight a CC dispute and lose. Stripe just tosses on a hefty fine just because they can and say "You should have better fraud protection methods!" when the stuff they run isn't totally great either. We go through all orders more closely as a result.

drmike · Oct 28, 2013

^--- that's scary Damian. Thanks!

More evidence to support auditing Stripe payments and holding accounts for manual approval when Stripe is payment method.

DomainBop · Oct 28, 2013

INIZ said:
They do an authorisation for a small amount like £0.1 or whatever to verify CVV/AVS then if it passes it charges the actual amount.

The small amount was $1.62 when I paid an invoice last week with Stripe (temporary authorization, disappeared the next day)

Damian said:
Since the best response that they could give me that their system allowed the same person to use four different cards in eight minutes

Most merchant accounts (at least the better ones) offer rate limiting fraud filters that allow the merchant to limit the number of transactions that can be submitted per IP per hour (something like AuthorizeNet's IP velocity filter: http://www.authorize.net/support/CNP/helpfiles/Tools/Fraud_Detection_Suite/Transaction_Filters/Transaction_IP_Velocity_Filter.htm )?

XFS_Duke · Oct 28, 2013

I used Stripe for about 2 months. Had 3 chargebacks and I disputed them. I won them, but for some reason they still keep trying to take the money BACK out of my account... What they keep saying is that "we have money waiting for you but we don't have a valid bank account." I told them, yea, that is because you keep trying to take the money OUT of my account instead of putting it back in... So far, I was only out of a little money, but I have since moved to Authorize.Net... Much better, slightly higher fee's but oh well.

notFound · Oct 29, 2013

Honestly, I've never actually looked at my Stripe log since the first live transaction. I did notice that the verification didn't matter as in the name was different etc., good thing I only allow select clients to use it otherwise it'd be a disaster.

drmike · Oct 29, 2013

So, this morning was talking to a seasoned provider about this issue.

*FOR THE RECORD* historically I've only dealt with real merchant accounts I've negotiated with large banks and require proper credit worthiness and are regulated fairly heavily.

Take on the Stripe situation seems to be much like all other payment gateways --- PURE SHIT.

They aren't validating the accounts per se.

Transaction goes through the modulo 10 checksum, then pre-auth transaction against the account. They use the pre-auth to levy a charge against the account to prove the account is valid. Pre-auth later is removed/reversed and actual charge is pushed through.

That sounds great, but the breakdown is in instance yesterday accounts were stolen and long ago flagged (i.e. yesterday wasn't first day of fraud against these account).

Belief is the account issuers allowed the transactions. That part makes little to no sense.

It was said that other payment gateways would likely have handled these transactions the same way.

Problem here is this isn't complex fraud. It's very simple. Same thing could happen with ever credit account ever stolen and in mass.

Now the approach should be to let one of these accounts through and see what they use the service for and monitor the activity entirely. Bound to be the DDoS folks and/or spam operators.

LorenKelley · Oct 29, 2013

I work for Braintree Payments (full-disclosure) and we hear stories like this quite a bit. While Stripe and Braintree both have an instant signup process and ease of integration this is where the similarities end. We have fraud tools designed specifically for this issue. The two types of fraud we see most often are stolen cards being used to make purchases and fraudsters using multiple stolen cards to determine if they are valid. We've partnered with Kount to protect our merchants from fraud. Kount draws on over 200 data points and cross references the card's activity across thousands of merchants to determine if the transaction is valid. Couple our gateway and braintree.js with Kount and you have a robust fraud solution.

In the event you do have issues we offer white glove support by phone or email. We have a team dedicated to chargebacks. They will work with a merchant directly to try and win disputes and prevent them in the future. Possibly the best part is that all of this is covered under our standard pricing.

drmike · Oct 29, 2013

@LorenKelley, welcome to the site and glad to have you on board.

There are lots of merchants here and the entire card gateway concept and protections is mostly absent to them.

I'd like to chat with you / help define some information for the providers for anti-fraud and alternative payment processors. I'll PM you here.

How does Braintree compete cost with say Stripe, PayPal and others? Might you folks have a pre-built competitive matrix?

XFS_Duke · Oct 29, 2013

We use Authorize.Net now through TransFirst. Just got it setup, ran tests and everything seemed to work fine. Activated it a couple of days ago. I wouldn't really recommend Stripe for anyone.. I mean, yea it is low cost, but you get what you pay for..

LorenKelley · Oct 29, 2013

@drmike,

Braintree's standard pricing is the same as our competitors at 2.9% and $.30 a transaction. However, we wouldn't be working with companies like Uber, Livingsocial, or Airbnb if we were charging those rates. We offer discounts based on volume, but they are custom pricing schedules per each merchant's specific needs.

Cost is really important, but keeping your customers data safe and keeping the money you make is paramount. You can find cheaper processing, but are they giving you the tools to generate more profit and keep your company and customers safe?

Who uses Stripe for payments? Beware, they seem to not validate cards.

100% Tier-1 Gogent

VPS Peddler

New Member

VPS Peddler

INIZ.COM

New Member

New Member

New Member

100% Tier-1 Gogent

New Member

Well-Known Member

100% Tier-1 Gogent

Dormant VPSB Pathogen

XFuse Solutions, LLC

Don't take me seriously!

100% Tier-1 Gogent

New Member

100% Tier-1 Gogent

XFuse Solutions, LLC

New Member