Hacker News new | ask | show | jobs
by weird-eye-issue 1110 days ago
Will your customers need to give you the full list of the refunded transactions? Since you couldn't detect them in the first place I don't imagine the fees will be automatically refunded?

Also, after posting this thread I just had to refund two more payments from an Indian IP address using a Singapore card with a billing address in the USA with a ZERO risk score. How does that make any sense? There is no CVC check listed and the zip check is "Unavailable"

I simply don't understand some of these scores

How could there not be a minimum risk score in a situation like this where none of the countries even match up...
4 comments
rameerez 1110 days ago
I'm the OP of the Twitter thread – I've had the exact same experience: unrealistically low risk scores for most fraudulent transactions. There were plenty of red flags for each of them (400+ cards and 40+ names under one single IP, most payments got already flagged for credit card testing fraud early on before succeeding after many tries...) Even dumb heuristics would have blocked 90% of the fraudulent payments. I appreciate Stripe is fixing this quickly after making it public and refunding fees, but something is definitely wrong with their risk calculation algorithm.
link
ripberge 1110 days ago
I have experienced the same. An absolutely ludicrous set of suspicious data points like that and Stripe scores it a zero or near zero. We process hundreds of millions of dollars in transactions. Have gotten zero help from Stripe on this scoring.
link
dulse 1110 days ago
We're going to automatically refund the transactions and fees, but also support any write-ins if you feel we missed any. (We have some ways to identify the transactions after they happen).

I agree with you, it's very counter-intuitive why these transactions are getting through Radar. We're iterating on some fixes right now that should stop this going forward by addressing this type of attack.

link
SheinhardtWigCo 1110 days ago
One way I can imagine this happening: if the carder is able to steal the cardholder's tracking cookie or other credential that Stripe trusts due to a previous legitimate transaction, and this causes Radar to disregard signals that would normally lead to a high risk score. (Just a hypothesis, I have no inside info.)
link
weird-eye-issue 1110 days ago
With the way they cycle through cards in the same checkout session I 100% don't think this is happening, but if it is then I wouldn't even blame Stripe at that point lol
link