Hacker News
by pc 931 days ago
There's a lot of online fraud. We invest a ton in Radar, our payment surfaces, etc., to keep this as invisible as possible to businesses. (We don't always succeed, of course. But, despite the growing sophistication of the fraudsters themselves, we do generally get better every year.)
4 comments

If you enter the wrong CVC or ZIP and it is declined, does that increment your blocked fraud counter?
No. It used to, but they turned it off in Dec 2021; the notice in my dashboard says it improved sales revenue by 0.5% but only added fraud risk by 0.0004%.
The intuition here is that the rules that block when CVC/ZIP doesn’t match necessarily happen after the bank already decided the transaction was okay, because that’s when Stripe learns whether CVC/ZIP match what the bank had on file.

So if you block on a mismatch, you’re throwing away an approved charge every single time since the bank already decided that other signals say the transaction is okay. The bank can block it themselves if they think it’s suspicious (which from my understanding wouldn’t increment this metric).

That's a good question.

I once had my payment flagged as fraudulent because the card owner was not the same as the shop account owner.

My bank decided it was a good idea to block my card without telling me anything. I realized a couple of days after when I couldn't pay for my groceries.

Out of curiosity, do you share the suspected fraud with law enforcement? At that amount there are probably too many to chase down so I’d think this is just an unprosecuted crime?
Generally the bank will file a Suspicious Activity Report (SAR) with FinCEN for egregious cases. I don’t think intermediaries like Stripe have any direct responsibility in this respect but I could be wrong. The volumes are huge and few SARs actually are investigated or prosecuted.
SARs are for, like, attempted funding of terrorists. Fraudy cc attempts don't scratch the surface.
Um, no. Banks file a lot of those. If it’s me using my dad's credit card number then sure, not a SAR. But most of that activity is systematic: either backed by organized crime or a semi-professional fraudster. Those most definitely would get a SAR.
> If it’s me using my dad's credit card number then sure, not a SAR.

I was imagining that end of the spectrum, but you're right, when it escalates to organized mafia gang criminal organizations there would be SARs.

Sorry, that was probably an overly snarky response on my part. Stripe's product is actually aimed at merchants so two steps removed anyway.
Can you estimate what proportion of fraud is automated/bot/scripted versus manual human interaction? Do you rely much on botnet detection or IP reputation?
There's a lot of fraud. Period.

I assumed Stripe founders had offline business experience before Stripe :) Online maybe increases it a little more and makes it more risky to the business because of "card not present". But hardly new to online.

There's also a lot of false positives if you verify too much on data brokers, as you just mentioned you do, instead of talking to the issuing institution on fears of chargeback and rate hikes.