Indeed. The problem may even be worse with other systems.
There are other trivial ways to prevent unsophisticated card testing. For example, I have a card tester who visits my checkout page every day via a direct link (he must have bookmarked it). Little does he know, the real checkout page is now located at a different URL. So I just reject every transaction at that page.
(Edwin from Stripe here.) I think we _may_ have chatted? (Hard to tell with tempaccount name.) Could you email me at edwin@stripe.com and link to this thread?
> (Edwin from Stripe here.) I think we _may_ have chatted? (Hard to tell with tempaccount name.) Could you email me at edwin@stripe.com and link to this thread?
I am so tired of hearing this. Even worse, you just openly admitted that Stripe has extremely broken processes: "I think we _may_ have chatted?"
Why did that go dark? Did it go dark? Did OP go dark? We'll never know. We just know that Edwin is here for tech support: it's an HN meme. We don't have many of those here.
I'm genuinely disappointed that unless someone complains on [searches Google for your email] channels, they get burned. There are tons of those small companies, entrepreneurs, and others who are getting hosed. I understand there's no incentive to fix those processes. I couldn't wake up every day and admit to myself that there are certain classes of customers who, despite having equal issues, get preferential treatment because they're loud. This is on the front page right now: https://news.ycombinator.com/item?id=36788274
But as an empath it hurts me.
As someone who has transacted hundreds of millions through Stripe, I'm just floored. It was relatively nuanced before — the support — but this admission just shocks me.
"May have" because OP's HN name is "tempaccount3333", and I did ask them to email me once before, but I don't see anything—so I need them to reach out so I can identify their account and see what's going on.
There's no identifying info here (name or business) and we don't see any emails referencing this thread.
Because here it’s public and they want to save face. When it’s private they dgaf because it doesn’t affect other potential or current clients who might be swayed away from them.
BIN attacks and card attacks plague many different payment providers, first-hand experience. I'm not aware of much that can be done about this at the payment provider, they also suffer.
Saying they suffer is a bit much. At best they get to collect their fee if there never ends up being a chargeback. If there is a chargeback they don't have to pay the chargeback fee. Sounds like it is an overall win for them to let these slide through.
Nope, they get a lot of crap from customers and reputation damage. It's a p0 incident in places where I worked (not Stripe, but I can't imagine why they alone would be glad to repel customers for a couple bucks), and everyone absolutely hates it.