Who uses Stripe for payments? Beware, they seem to not validate cards.

Discussion in 'Hosting Talk & Reviews' started by drmike, Oct 28, 2013.

  1. drmike

    drmike 100% Tier-1 Gogent

    8,573
    2,717
    May 13, 2013
    Who around here is using Stripe (stripe.com) for card transactions?

    Beware, while Stripe claims PCI-compliance and to be all secure, they fail to even do basic live authentication on accounts presented.

    I would say no way, not true had I not seen 4+ examples of this utter failure this morning.

    The examples are all involving stolen and previously known and reported to be stolen major credit/debit cards.  We confirmed this by actually reaching account holders.

    Stripe rubber stamped the transactions as valid and fine to deliver services to.  Only the good eyes of one company owner caught the oddness after a flurry of orders in same geographic area (state) and with similar account abnormalities (all CAPS use on same fields).

    If you are using Stripe, it is time to audit your transactions.

    Original thread with more details --> http://vpsboard.com/topic/2396-whmcs-exploit-involving-stripe-payments/
     
  2. WebSearchingPro

    WebSearchingPro VPS Peddler Verified Provider

    493
    143
    May 15, 2013
    The bad thing is if Stripe gets a chargeback there is a $15.00 fee, which essentially wouldn't have happened if they could verify stolen cards...
     
  3. rds100

    rds100 New Member Verified Provider

    733
    300
    May 18, 2013
    I wonder, how could transactions go through with known stolen cards? Don't the banks block / cancel these cards if it's known they are stolen?
     
  4. WebSearchingPro

    WebSearchingPro VPS Peddler Verified Provider

    My guess is they pre-process the transaction, then they find out later it's a bad card and charge a fee to the seller.
     
  5. Patrick

    Patrick INIZ.COM Verified Provider

    263
    85
    May 16, 2013
    They do an authorisation for a small amount like £0.1 or whatever to verify CVV/AVS then if it passes it charges the actual amount. 
     
  6. shovenose

    shovenose New Member Verified Provider

    819
    101
    May 13, 2013
    We use them and never have had any problems or disputes/chargebacks.
     
    River likes this.
  7. KS_Phillip

    KS_Phillip New Member Verified Provider

    122
    39
    May 16, 2013
    We've only had a single chargeback, which we contested (and won).  No other issues thus far with Stripe.
     
  8. concerto49

    concerto49 New Member Verified Provider

    960
    200
    May 5, 2013
    We have Stripe but haven't started using it. Was just going to.
     
  9. drmike

    drmike 100% Tier-1 Gogent

    I am utterly dumbfounded how the transactions were authorized by STRIPE.

    I made recommendation to push on Stripe about these and get an answer.   Since Stripe has no phone and sticks you to e-ticketing hell who knows when/if a response will be coming.

    Stripe had better come clean on this and why they rubberstamped fraud transactions.   Hitting seller with fees?   That happens Stripe is going to get smashed.   Almost certain they are violating multiple regulations based on this... Ho hum...
     
  10. Damian

    Damian New Member Verified Provider

    368
    199
    May 17, 2013
    Was trusting that Stripe were authenticating/validating transactions, until this happened:

    [IMG]

    Since the best response that they could give me that their system allowed the same person to use four different cards in eight minutes was "sorry!" and still charge me a fee, I now look at Stripe transaction records every day.
     
    drmike likes this.
  11. SkylarM

    SkylarM Well-Known Member Verified Provider

    975
    419
    May 15, 2013
    I had a similar issue as Damian. They basically claim no responsibility for fraud checks, even though they run their own. The fee sucks, PayPal doesn't charge a fee unless you fight a CC dispute and lose. Stripe just tosses on a hefty fine just because they can and say "You should have better fraud protection methods!" when the stuff they run isn't totally great either. We go through all orders more closely as a result.
     
  12. drmike

    drmike 100% Tier-1 Gogent

    ^--- that's scary Damian.  Thanks!

    More evidence to support auditing Stripe payments and holding accounts for manual approval when Stripe is payment method.
     
  13. DomainBop

    DomainBop Dormant VPSB Pathogen

    2,260
    2,190
    Oct 11, 2013
    The small amount was $1.62 when I paid an invoice last week with Stripe (temporary authorization, disappeared the next day)

    Most merchant accounts (at least the better ones) offer rate limiting fraud filters that allow the merchant to limit the number of transactions that can be submitted per IP per hour  (something like AuthorizeNet's IP velocity filter: http://www.authorize.net/support/CNP/helpfiles/Tools/Fraud_Detection_Suite/Transaction_Filters/Transaction_IP_Velocity_Filter.htm )?
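
A per-IP velocity filter of the kind mentioned above, extended to also key on customer e-mail so it catches one person cycling several cards. This is an added example, not part of any post in this thread and not Stripe's or Authorize.Net's code; the field names, the 60-minute window and the two-card threshold are assumptions, and the sample orders are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)   # assumed review window
MAX_CARDS = 2                    # assumed: distinct cards allowed per key per window

def velocity_flags(orders, window=WINDOW, max_cards=MAX_CARDS):
    """Return [(order_id, [reasons])] for orders to hold for manual review.

    An order is held when the same source IP or the same customer e-mail
    has presented more than `max_cards` distinct card fingerprints inside
    the sliding window ending at that order. Retries of one card do not count.
    """
    recent = defaultdict(deque)          # (kind, value) -> deque of (time, card)
    held = []
    for o in sorted(orders, key=lambda o: o["ts"]):
        reasons = []
        for kind in ("ip", "email"):
            q = recent[(kind, o[kind].lower())]
            q.append((o["ts"], o["card_fp"]))
            while q and o["ts"] - q[0][0] > window:
                q.popleft()              # drop attempts older than the window
            if len({card for _, card in q}) > max_cards:
                reasons.append(kind)
        if reasons:
            held.append((o["id"], reasons))
    return held

def at(hhmm):
    """Timestamp helper for the constructed sample data."""
    return datetime.strptime("2013-10-28 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample orders (documentation IP ranges, made-up fingerprints).
SAMPLE = [
    {"id": 1, "ts": at("09:00"), "ip": "203.0.113.7", "email": "a@example.com", "card_fp": "fp_A"},
    {"id": 2, "ts": at("09:02"), "ip": "203.0.113.7", "email": "a@example.com", "card_fp": "fp_B"},
    {"id": 3, "ts": at("09:05"), "ip": "203.0.113.7", "email": "b@example.com", "card_fp": "fp_C"},
    {"id": 4, "ts": at("09:08"), "ip": "198.51.100.4", "email": "A@example.com", "card_fp": "fp_D"},
    {"id": 5, "ts": at("09:30"), "ip": "192.0.2.10", "email": "c@example.com", "card_fp": "fp_E"},
    {"id": 6, "ts": at("11:00"), "ip": "203.0.113.7", "email": "d@example.com", "card_fp": "fp_F"},
]

if __name__ == "__main__":
    for order_id, reasons in velocity_flags(SAMPLE):
        print(f"hold order {order_id}: too many cards per {', '.join(reasons)}")
```

Held orders would go to the manual-approval queue rather than being auto-provisioned; the card fingerprint stands in for whatever stable per-card token the gateway returns, so no card numbers need to be stored.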
     
  14. XFS_Duke

    XFS_Duke XFuse Solutions, LLC Verified Provider

    389
    149
    Jun 7, 2013
    I used Stripe for about 2 months. Had 3 chargebacks and I disputed them. I won them, but for some reason they still keep trying to take the money BACK out of my account... What they keep saying is that "we have money waiting for you but we don't have a valid bank account." I told them, yea, that is because you keep trying to take the money OUT of my account instead of putting it back in... So far, I was only out of a little money, but I have since moved to Authorize.Net... Much better, slightly higher fees but oh well.
     
    drmike likes this.
  15. notFound

    notFound Don't take me seriously! Verified Provider

    329
    88
    Apr 11, 2013
    Honestly, I've never actually looked at my Stripe log since the first live transaction. I did notice that the verification didn't matter as in the name was different etc., good thing I only allow select clients to use it otherwise it'd be a disaster.
     
  16. drmike

    drmike 100% Tier-1 Gogent

    So, this morning was talking to a seasoned provider about this issue.

    *FOR THE RECORD* historically I've only dealt with real merchant accounts I've negotiated with large banks and require proper credit worthiness and are regulated fairly heavily.

    Take on the Stripe situation seems to be much like all other payment gateways --- PURE SHIT.

    They aren't validating the accounts per se.


    Transaction goes through the modulo 10 checksum,  then pre-auth transaction against the account.   They use the pre-auth to levy a charge against the account to prove the account is valid.  Pre-auth later is removed/reversed and actual charge is pushed through.

    That sounds great, but the breakdown is in instance yesterday accounts were stolen and long ago flagged (i.e. yesterday wasn't first day of fraud against these account).

    Belief is the account issuers allowed the transactions.  That part makes little to no sense.

    It was said that other payment gateways would likely have handled these transactions the same way.

    Problem here is this isn't complex fraud.  It's very simple.   Same thing could happen with every credit account ever stolen and in mass.

    Now the approach should be to let one of these accounts through and see what they use the service for and monitor the activity entirely.  Bound to be the DDoS folks and/or spam operators.
     
  17. LorenKelley

    LorenKelley New Member

    2
    3
    Oct 29, 2013
    I work for Braintree Payments (full-disclosure) and we hear stories like this quite a bit. While Stripe and Braintree both have an instant signup process and ease of integration this is where the similarities end. We have fraud tools designed specifically for this issue. The two types of fraud we see most often are stolen cards being used to make purchases and fraudsters using multiple stolen cards to determine if they are valid. We've partnered with Kount to protect our merchants from fraud. Kount draws on over 200 data points and cross references the card's activity across thousands of merchants to determine if the transaction is valid. Couple our gateway and braintree.js with Kount and you have a robust fraud solution. 

    In the event you do have issues we offer white glove support by phone or email. We have a team dedicated to chargebacks. They will work with a merchant directly to try and win disputes and prevent them in the future. Possibly the best part is that all of this is covered under our standard pricing.
     
    MannDude, drmike and tchen like this.
  18. drmike

    drmike 100% Tier-1 Gogent

    @LorenKelley,   welcome to the site and glad to have you on board.

    There are lots of merchants here and the entire card gateway concept and protections is mostly absent to them.

    I'd like to chat with you / help define some information for the providers for anti-fraud and alternative payment processors.  I'll PM you here.

    How does Braintree compete cost with say Stripe, PayPal and others?  Might you folks have a pre-built competitive matrix?
     
  19. XFS_Duke

    XFS_Duke XFuse Solutions, LLC Verified Provider

    We use Authorize.Net now through TransFirst. Just got it set up, ran tests and everything seemed to work fine. Activated it a couple of days ago. I wouldn't really recommend Stripe for anyone.. I mean, yea it is low cost, but you get what you pay for..
     
    drmike likes this.
  20. LorenKelley

    LorenKelley New Member

    @drmike,

    Braintree's standard pricing is the same as our competitors at 2.9% and $.30 a transaction. However, we wouldn't be working with companies like Uber, LivingSocial, or Airbnb if we were charging those rates. We offer discounts based on volume, but they are custom pricing schedules per each merchant's specific needs.

    Cost is really important, but keeping your customers' data safe and keeping the money you make is paramount. You can find cheaper processing, but are they giving you the tools to generate more profit and keep your company and customers safe?