from Hacker News

The underground world of credit card network exploitation

by pimpl on 8/2/23, 3:05 PM with 268 comments

  • by appplication on 8/2/23, 3:42 PM

    What was most surprising about this is not the fact that there is a group of people exploiting Stripe’s payments, but that the author had ChatGPT write a script to automatically handle payments processing, specifically for chargebacks. And based on the context in the article, the author sounds like they lacked the technical skill to write or validate these scripts themselves.

    This author is jumping out of the frying pan and into the fire. ChatGPT is cool and all, but the fact that they’re trusting it to write critical code for handling their customers money speaks volumes. They’re incredulous at how they feel Stripe violated their trust in it to manage fraud, but then go ahead and blindly place it in another technology they don’t understand. The problem isn’t Stripe (though, yes, they should fix this), it’s the fact that they are just giving away trust and hoping for the best.

  • by paxys on 8/2/23, 3:41 PM

    If you are a foreign company accepting payments from the USA, you should simply expect this as a cost of doing business.

    Credit card fraud here is socialized. The end consumer is never liable, and so we don't bother with chip and pin, 2FA, 3D secure or whatever else. If we notice a suspicious transaction we simply tap a button in the bank's app and the charge is reversed in minutes.

    Banks and payments processors are themselves incentivized to push through transactions as quickly and easily as possible so people spend more (yay consumerism!), and like the author said you mostly don't even need to input the right expiry date, billing address or zip code.

    The drawback of course is that all of the liability is pushed on to the business, and so they have to raise prices for everyone to make up for it.

  • by chasebank on 8/2/23, 3:32 PM

    Re: Chargeback fees - Visa acquired a company called Verifi a few years back. Their new products are Rapid Dispute Resolution (RDR) and Order Insight. RDR effectively lets you automatically refund a transaction before it gets turned into a chargeback and Visa charges a $4 fee (Assuming your MCC code is not high risk). Order insight lets you provide certain data about a questioned charge immediately and if the customer has had 3 previous charges with you, a chargeback CANNOT be issued.

    It was a really easy decision for our business based on win rate, avg order size and chargeback fees. Plus now we don't have to constantly worry about Visa's or the merchant bank's 1% chargeback rule. This only applies to Visa charges but it represented about 50% of our total volume.

    One last note - Visa is basically taking away a massive revenue source for the processors. If your processor is TSYS, they are trying to charge a RDR fee of $10.

  • by nerdawson on 8/2/23, 3:55 PM

    Why does the US seem so far behind when it comes to banking?

    - Chip and PIN has been in the UK since 2004 and mandatory since 2006. It wasn't until a decade later that the US caught up.

    - Faster Payments allow for instant bank transfers (usually) between any bank account for free. Receiving transfers from clients in US (even with a US Wise bank account) was always a nightmare.

    - Since the EU introduced Strong Customer Authentication, most new payments have to be authorised in your mobile banking app or by some other means of 2FA.

    - Even before SCA, you'd have to get the Postcode (often digits that mattered) and CVV correct at the very least.

    These measures seem like a way of banks shifting the responsibility for fraud onto the customer. In either case though, it's the customer who loses out. In a culture that accepts widespread card fraud, costs increase to offset it.

  • by thedangler on 8/2/23, 3:31 PM

    I worked at a company who's server was hacked and they stole the API keys and did carding on it from the server. Paypal tried to tell us we owned them $100,000.00 in fees. We were only running $4500.00 payments at most 5 times a day for course registrations. The hacker ran auths on random CC number for $1 every second.

    We didn't have to pay the fees for carding but they don't care.

    They do not care because they make money off fraud.

    We had settings stating we only have orders between $2500 and $6000. But they do not check auths lol

    Crazy.

    This was back around 2010 and stripe was not available in Canada at the time.

  • by mrguyorama on 8/2/23, 6:15 PM

    Stripe is god awful at fraud prevention and it's intentional. They are explicitly outsourcing the cost of risk management to their clients. It's obscene. I work in the credit card fraud prevention field, and I'm not even that good at my job, but our team of like 3.5 people easily built and maintained a system that prevents this exact kind of carding attack.

    The primary way for a business to prevent carding attacks is to just be slightly more annoying to attack than the next guy. As far as I can tell, Stripe is happy to be the easiest large network to attack because they outsource the pain and cost of any attack to you, their users. They could easily, and for very little cost, prevent this from hurting you.

    Stripe is choosing to let you suffer to save a few bucks.

  • by edwinwee on 8/2/23, 6:50 PM

    (Edwin from Stripe here.) Worth noting this is copypasta from an older post from a month ago (https://piotrmierzejewski.com/p/card-networks-exploitation). We've fixed most of these issues since then. This type of card testing has dwindled—Radar should now be catching these types of attacks.

    On the chargeback point—we hate chargebacks too and we want to limit them as much as possible (we're actually working on a few things over here that we think will help with this). The banks levy chargeback fees (in varying amounts) and an average of them show in the form of a $20 fee—it's not a Stripe-specific fee and we don't profit from chargebacks.

    We've just finished company planning for the rest of the year and reducing this type of fraud is a top priority. So if you think you're seeing something similar, please email me at edwin@stripe.com.

  • by pard68 on 8/2/23, 6:29 PM

    Worked as the catch-all systems/CI/infrastructure/software engineer for an ecommerce company last year. This sort of stuff was so common. I'd spend at least one day a week trying to determine the newest pattern and prevent it. They were using our system to validate credit cards.

    Eventually I stopped more or less all attacks on our cart/checkout. But the requests were still coming. Eventually while trolling logs for an unrelated PHP problem one of the software engineers mentioned there was a huge amount of traffic hitting our page to save a payment for later. The platform would issue a $1.00 charge to verify that the CC was real and they'd moved to using that to "churn" cards.

    These CC thieves are very resourceful.

  • by bze12 on 8/2/23, 4:44 PM

    Some advice I got a while ago about detecting fraud through stripe is you should probably train your own fraud detection model if you’re serious about limiting it and have enough volume. Even something like a simple logistic classifier would work. Stripe radar isn’t tuned to the specifics of your business, and there are other signals you can account for (like which products they’re buying, how long it takes them to buy after opening your site, etc). Custom Radar rules work to an extent.

    I get that a lot of indie businesses probably don’t have the resources/want to do this, so there are solutions you can buy, but they’re expensive and mostly targeted at high volume merchants anyway. Maybe stripe launches a fine-tunable radar product someday?

  • by xyst on 8/2/23, 5:22 PM

    Yet another reason why the credit card industry needs to go. Security protocols non-existent or haven't been upgraded since the turn of the 21st century. The amount of middleman abuses is innumerable as well. The costs of dealing with these nuisances is passed on to the merchant (via higher transaction fees, charge back fees, ...), and inevitably passed on to the consumer.

    Let's not forget that the CC industry encourages the worst spending habits for consumers thus perpetuating the never ending cycle of slaves to debt.

  • by nickdothutton on 8/2/23, 3:53 PM

    I’ve always found it incredible that US banks often require only the card number to perform a transaction. All those “card generators” I used to see uploaded to BBS in the late 80s and early 90s make sense.

  • by thierryzoller on 8/2/23, 3:58 PM

    What strikes me is the comment on 3DS challenges that passed. By law in Europe, once 3DS challenge is completed the Bank owns the risk and cost of the chargeback NOT the Online Shop. Can someone tell me how this is implemented in common processors ? Any experience?

  • by Faaak on 8/2/23, 3:25 PM

    Isn't this solved with 3-D Secure ? Many websites (at least in the EU) implement it and if mandatory, it's impossible to buy something without 2FA (either by SMS, phone app, ...)

  • by zitterbewegung on 8/2/23, 4:11 PM

    Candyjapan has a good write up on mitigating this https://www.candyjapan.com/behind-the-scenes/how-i-got-credi...

  • by myself248 on 8/2/23, 3:26 PM

    Why does the US still accept hand-typed cards?

    My friend had a USB smartcard reader in like 2001. He'd dip his AmEx to perform a transaction on his PC. It's twenty years later and the industry still hasn't caught up?

    What's different about Europe that they seem to have figured this out decades ago?

  • by tamimio on 8/2/23, 5:35 PM

    Credit cards payments are exactly just like SMS 2FA, both are insecure by design and served the purpose before the internet, trying to shove old tech into new one and expecting it to work well is just naive. Instead of spending time and resources by big corporations to create such “web environment integrity”, how about creating a better more secure, fraudulent proof system instead?

  • by mndgs on 8/2/23, 7:12 PM

    The contents of the article do not match with the title. Article is how they experienced and fought chargebacks. Simple, nothing spectacular.

    Stop whining, have the US adopt PSD2 (SCA in particular) and your problems will go (most of them)..

  • by Ubergeek99 on 8/3/23, 3:50 AM

    Cloudflare has tools to prevent too many form submits. You can specify which page, how many submits and so on.

    I found out about this when I had a problem of somebody running a script of trying different credit cards over a two hour window.

    My payment processor told me I should prevent these types of things. So I investigated and never had this problem anymore.

    Cloudflare is amazing at preventing all kinds of attacks. I love Cloudflare.

  • by jon_adler on 8/2/23, 8:10 PM

    I imagine that the fraud rate in Europe is lower since the introduction of PSD2. This legislation required a combination of 2-factor authentication (3DS2) and transaction analysis to achieve low overall fraud rates.

  • by Scoundreller on 8/2/23, 6:48 PM

    > We learnt that 15% of the successful fraudulent charges resulted in chargebacks.

    I Hope the other 85% are just recent transactions that haven’t been scrutinized yet.

    Or did the fraudsters target a bank with high net worth clients that don’t scrutinize smaller billings???

    I can see a lot of people not really scrutinizing a random Spotify transaction or something. Especially vendors that let you store multiple cards and then you don’t always keep it straight which transaction went to which card anyway.

  • by cryptoegorophy on 8/2/23, 11:55 PM

    Pro tip. Get ekata. All of this could’ve been avoided. Another pro tip - get 3dsecure to work all the time. If not - ekata that transaction.

  • by codedokode on 8/2/23, 6:11 PM

    It is ridiculous that you can simply enter somebody's card number and buy something without confirming a purchase via SMS code.

  • by freed0mdox on 8/2/23, 3:43 PM

    Usually these transactions are automated with the checkers. Some are as simple as a PHP script replaying a request, some are more sophisticated that use residential proxies, some are parts of huge enterprises like try2check. If you have a list of IPs, you can scan them for 80/443 open and sometimes catch simple checkers in action.

  • by Sxubas on 8/3/23, 4:47 AM

    I worked at a credit card network company some years ago and thought the article mentioned an exploit on the actual network.

    It is instead a showcase on how mediocre issuers can be when authorizing transactions, and how non-sensical the system has become that the merchant ends up paying the price for chargebacks.

  • by 90K_MRR_Hacker on 8/2/23, 6:20 PM

    I've been using a platform called Chargeblast.io and it's been doing wonders; literally saved my business from closing down. I haven't found another platform like it - best price, best value

  • by bigbacaloa on 8/2/23, 7:31 PM

    As an end user of banks in both the US and EU, the banks in the US seem way, way behind technically and in terms of online usability. Both less secure and more cumbersome to use.

  • by alberth on 8/2/23, 10:05 PM

    Off topic: Why don’t more non-European merchants use 3DS?

    Entirely classes of liability and fraud is shifted to the issuer and no longer on the merchant.

  • by cryptoegorophy on 8/3/23, 12:10 AM

    Also this is one the reasons why i absolutely love PayPal. It gets a lot of hate but i never lose any chargebacks.

  • by kareemc on 8/2/23, 4:09 PM

    In my experience, Stripe used to be a lot better at catching this stuff - but I've noticed it's seem to have been getting worse and worse.

    Has Stripe Radar improvements slowed down or have fraudsters gotten better?