appplication · 3 years ago
What was most surprising about this is not the fact that there is a group of people exploiting Stripe’s payments, but that the author had ChatGPT write a script to automatically handle payments processing, specifically for chargebacks. And based on the context in the article, the author sounds like they lacked the technical skill to write or validate these scripts themselves.

This author is jumping out of the frying pan and into the fire. ChatGPT is cool and all, but the fact that they’re trusting it to write critical code for handling their customers money speaks volumes. They’re incredulous at how they feel Stripe violated their trust in it to manage fraud, but then go ahead and blindly place it in another technology they don’t understand. The problem isn’t Stripe (though, yes, they should fix this), it’s the fact that they are just giving away trust and hoping for the best.

flutas · 3 years ago
> the author had ChatGPT write a script to automatically handle payments processing, specifically for chargebacks

Feels like a mischaracterization tbh.

He had it make a script to go through and accept the chargebacks for these accounts, not handle payment processing or do anything to the chargebacks other than click "accept" essentially.

> And based on the context in the article, the author sounds like they lacked the technical skill to write or validate these scripts themselves.

I also don't really get where you're getting that from.

The author even said

> I reviewed all of the scripts carefully, and also never shared any customer data, IDs, or API keys. I think I saved at least a couple hours compared to hand-rolling these tools manually!

appplication · 3 years ago
ChatGPT is not capable of writing production quality code. Many (most) companies have internal policies against deploying any code written by an LLM. The point isn’t to slow devs down, but to mitigate risk. This is especially important in the customer/payments stack. This is not the right place to “save a couple hours”. Maybe if this was for some one-off offline analysis, sure.

The fact that it works is insufficient proof that it was the right thing to do. Building a habit of relying on LLM generated code is an inherently risky practice, and ChatGPT will literally warn you against trusting its outputs. Sure, it lets you growth hack your way through short term problems, but in the long term I’m not convinced this is responsible decision making at the current levels of LLM technology.

Or maybe I’m just a Luddite, stuck in my old ways.

TechBro8615 · 3 years ago
This guy is operating a profitable business, creating value for customers, shipping features, and openly publishing details and learnings about the threats he mitigated. He used ChatGPT to generate scripts to help him throughout this process. I don't know if he's non-technical or if he just wanted to save some time, but frankly he should be commended for his hustle and get-shit-done attitude. These scripts were not determining life or death, or even making business critical decisions - they were filtering bulk data and making his life easier by producing results that are easily manually checkable, but save tons of time either coding the scripts or hiring a programmer to write them.

To me it reads like a great example of where ChatGPT is most useful: as a force multiplier for time-constrained entrepreneurs who have a specific goal and need specialized knowledge for short periods of time (e.g. to write a script). It's now basically free and instant to produce what would previously require a multi-week process of sourcing, hiring and communicating with contractors to write a script that leads to the same end result.

The kneejerk reaction to call this "surprising" or irresponsible, while understandable, gives major "get off my lawn" energy. This is the future and as coders we should support the increased self-sufficiency of non-technical people. If you want to adapt to the change then maybe think about how to improve the process for entrepreneurs of asking ChatGPT to write a script.

pimpl · 3 years ago
Article author here. I carefully reviewed and tested the ChatGPT scripts before executing them. It helped me save a lot of time manually writing these scripts!

I wouldn't say I lack technical expertise in this area, I'm just trying to use my time as efficiently as possible.

BaseballPhysics · 3 years ago
Genuinely curious: How much time would you say you saved prompting for and then carefully reviewing and testing those scripts for bugs, versus writing them yourself?

And for context what's the average line count we're talking about here? Tens of lines? Hundreds?

appplication · 3 years ago
Glad to see you active here in the comments. Apologies if my comment comes off harshly, my intent is not to tear you down. I think there is a lot of gray space when it comes to using LLMs for generating code. Your usage here is certainly interesting, and I appreciate the additional context and discussion you’ve been providing.
hn_throwaway_99 · 3 years ago
I don't know why I see this type of invalid speculation so often. The author already responded that they reviewed the script and didn't post any sensitive data, so won't add more to that.

I'd just state that tons of us use ChatGPT effectively and never blindly trust the outputs - for me ChatGPT is a starting point, not the final product. We're not all so daft as that lawyer who cut and pasted hallucinated case references into a legal brief without verifying them first.

pimpl · 3 years ago
100% agreed, this is how I always treat it and working on the problem from the article was not an exception from this rule. I share minimum input, and never trust the output blindly.

It gets 50-60% of work done, and a really good basis for me to work on it. Especially when working with one-off, end-to-end relatively short scripts.

itscodingtime · 3 years ago
I find it odd Chatgpt was mentioned at all. It was almost like an advertisement.

I have read posts linked here similar to this one, but I can’t recall another instance in which the author abruptly said they relied on stackoverflow to code something unless the content was a meta commentary on coding and debugging itself.

TechBro8615 · 3 years ago
I can empathize with the author. The first time you write some code collaboratively with GPT and it actually works, you feel a burning need to shout about it. Because it's one of those moments where something "clicks" and you suddenly feel like you've discovered fire. Once you figure out how to work with them, it makes you excited for the future and you can clearly see where LLMs will fit permanently into your toolbelt. They're far from perfect now, and sometimes the time savings is a wash - you get instant specialized expertise that can produce code like a senior engineer, but you need to goad and coax it like it's a high maintenance intern. But the thinking power expended is still somehow lower - it's a new way of working with technology and deferring some of the grueling parts to the machine. This becomes especially obvious when the code requirements depend on an esoteric API or conventions that you'd normally need to spend time researching and manually enumerating.
pimpl · 3 years ago
Author here. My intention was to show that you can use it to help you get going quickly for very practical, one-off, and self-contained use cases. As I mentioned in other comments already, I did not trust it blindly and did not share any sensitive data with it. Definitely not an ad!
wpietri · 3 years ago
I'm a huge LLM skeptic, but I'd disagree with you here.

I think using ChatGPT to write long-lived code for a serious application is a bad idea. But I think it's fine for somebody knowledgeable to use it for throwaway and first-draft stuff in areas that aren't their daily work.

Here's the author in question: [edit: wrong Piotr Mierzejewski in tech, see below]

He looks perfectly competent to me to evaluate the effects of some one-shot scripting code, so I think "giving away trust and hoping for the best" is a wild exaggeration of what actually went on.

pimpl · 3 years ago
Appreciate the comment! Just a quick note that this is my LI profile: https://www.linkedin.com/in/pmierzejewski/
systems_glitch · 3 years ago
Same initial reaction when I read that part :/ Let's see what the next level of voodoo programming looks like...
headsupftw · 3 years ago
What are you even talking about? Read the blog post one more time, please.
chankstein38 · 3 years ago
They really wanted us to know they used ChatGPT too. It felt unnecessary how often they mentioned "I got ChatGPT to write a script that did this" like.. ok?
kykeonaut · 3 years ago
> I created a restricted key in Stripe with lowest possible permissions, and prompted ChatGPT to create a script to accept the chargebacks.

From my understanding, it also seems that the author submitted a Stripe API key alongside the prompt to create the scripts. This is pretty much a big security no no regardless of the permissions of the key.

pimpl · 3 years ago
Author here. GPT only got minimal context it needed to run the prompt. No customer data, no IDs, definitely no API keys were passed as a prompt.
paxys · 3 years ago
If you are a foreign company accepting payments from the USA, you should simply expect this as a cost of doing business.

Credit card fraud here is socialized. The end consumer is never liable, and so we don't bother with chip and pin, 2FA, 3D secure or whatever else. If we notice a suspicious transaction we simply tap a button in the bank's app and the charge is reversed in minutes.

Banks and payments processors are themselves incentivized to push through transactions as quickly and easily as possible so people spend more (yay consumerism!), and like the author said you mostly don't even need to input the right expiry date, billing address or zip code.

The drawback of course is that all of the liability is pushed on to the business, and so they have to raise prices for everyone to make up for it.

delusional · 3 years ago
Your causality chain doesn't track for me. Here in Denmark we have the same consumer protections, the ability to do chargebacks and the (government funded) guarantee that the consumer does not lose any money if their bank account is drained. Yet we still have very strong protections at the time of purchase with mandatory chip-and-pin as well as 3D secure (which replaced Verified by Visa).

I don't really think there's a rational reason for why you don't have better card security in the US. You just seemingly don't want it.

tobi1449 · 3 years ago
My guess is the difference lies in the fact that the EU limits credit card fees to something around 0.5%. That means the CC companies can't offload the financial burden of this onto the vendors (and they in turn onto their customers), which leads to them having an actual incentive to improve security.
vsl · 3 years ago
Did you ever try a chargeback? With EU banks, it’s a bureaucratic process in my experience, filling forms, dealing with humans, waiting for merchant response, proving contact with them etc. US banks seem to operate on a magic word “chargeback”: you utter it, the charge is reversed, done.
joenot443 · 3 years ago
As is often the case, the answer to the European asked question of "Why don't you just _____" is not "We seemingly don't want it", it's "America has a population 66 times that of Denmark."

Systematic change is slow and difficult. FedNow (secure, instant payments directly between accounts) was released 12 days ago, after nearly a decade in preparation.

Pretending that Americans just "don't want" more secure payments is just ignorant, in my opinion, and really screams that the author should spend more time with folks of other cultures.

trompetenaccoun · 3 years ago
And that is in addition to the outrageous fees CC companies charge merchants. In the US it's typically around 2% of the transaction! The EU caps it at 0.3% maximum, which still seems like a lot when you consider how much money they move. That's another cost that gets socialized and passed on to the consumer of course, even shoppers who pay cash have to pay for this through higher prices.

People should know btw that with 3D secure the card owner can be held liable for fraudulent charges, because some banks have that in their terms for 3D secure. With phone 2FA all that needs to happen is you have your phone and wallet stolen. I've seen cases in the news where people lost thousands.

toomuchtodo · 3 years ago
> With phone 2FA all that needs to happen is you have your phone and wallet stolen.

Are device passcode and app biometrics insufficient security measures in the event of device theft?

treadmill · 3 years ago
Wild idea: What if secure digital payment was a public service.
carlosjobim · 3 years ago
> The EU caps it at 0.3% maximum

That's completely untrue. Most European businesses pay much more than that.

xyst · 3 years ago
Americans (yes both Canadians and people from the states) are shielded from the chaos that happens to process a single transaction. They only see the paltry rewards in the form of 1-2 (maybe 5) cents per dollar charged, which is translated into "points" (1 cent == 100 points is what I have seen with some "premium" cards) and makes it seem worthwhile.

What they don't see is: the 3-5% or more markup of goods across the board (doesn't matter if you pay cash or card, especially for big box stores), the number of charge backs and the costs of dealing with it, fraudulent charges, poor security (places still accept mag stripe in the states), innumerable middlemen to process transactions (bank fees, issuing card fees, network fees, premium card fees, ...)

It's fucking chaos. I hate it.

With FedNow, I am hoping that will change. Eliminate all of these middlemen that are siphoning funds from people across the board. Eliminate the parasites. Eliminate the waste.

delfinom · 3 years ago
Hah, I found the focus on American banks funny because the one telegram photo said to use the address of Paris France.

Let me tell you, two different organizations I am part of, and have run in the last 2 years, both got hit by automated credit card checking bots using French banks and a lot of those cards succeeded.

(Of course there's a whole story about how both these orgs have resisted my previous warnings about hardening the payment sites...one of them even was still using Magento 1)

Anecdotal but meh, the real problem is credit cards are just as much as kludged relics as ACH that nobody wants to really fix meaningfully

topato · 3 years ago
Was it at least one of the hardened forks of Magento 1?!
skybrian · 3 years ago
I expect it’s path-dependent legacy practices more than anything else. Credit cards were invented in the US, so the tech is old and upgrades take a long time.

For manual payments, UPI in India sounds pretty great. Apparently the customer approves each payment on their phone before it goes through?

kiratp · 3 years ago
UPI is a terrible thing.

0) makes every transaction a trivial SQL query away for the government.

1) everything needs an SMS code. Just as we are trying to get everyone off SMS 2FA

2) doesn’t work for non-Indian numbers or roaming devices

3) can’t get an Indian SIM without proof of address etc. No burners in India

4) regulation expressly forbids device-local biometrics. This is why there is no Apple Pay in India.

5) Biometrics must be stored with the government. “Unique Identification Authority (UIDAI)” - https://studentbriefs.law.gwu.edu/ilpb/2022/03/22/regulating...

notyourwork · 3 years ago
I'm not sure how much extra I pay but the hassle free peace of mind I have seems worth it.
vladms · 3 years ago
"Hassle free peace of mind" meaning you do not need to remember a 4 digit code (or clicking "yes" in a phone app), while you need to check your credit card transaction list regularly to reject fraudulent transactions?

I find the effort of remembering the 4 digit code/having the phone much smaller than the alternative ...

fsociety · 3 years ago
The last link the in the chain of payment processors pay for it.
chasebank · 3 years ago
Re: Chargeback fees - Visa acquired a company called Verifi a few years back. Their new products are Rapid Dispute Resolution (RDR) and Order Insight. RDR effectively lets you automatically refund a transaction before it gets turned into a chargeback and Visa charges a $4 fee (Assuming your MCC code is not high risk). Order insight lets you provide certain data about a questioned charge immediately and if the customer has had 3 previous charges with you, a chargeback CANNOT be issued.

It was a really easy decision for our business based on win rate, avg order size and chargeback fees. Plus now we don't have to constantly worry about Visa's or the merchant bank's 1% chargeback rule. This only applies to Visa charges but it represented about 50% of our total volume.

One last note - Visa is basically taking away a massive revenue source for the processors. If your processor is TSYS, they are trying to charge a RDR fee of $10.

pimpl · 3 years ago
Article author here. Really valuable stuff, thanks for sharing!

Do you handle this for Mastercard in any way? I've heard of Ethoca (they are really good at SEO), it seems quite similar to Verifi.

chasebank · 3 years ago
Ya, for Mastercard we use their Ethoca network. They are much more expensive, like $25 per resolved charge but now our chargeback rate is near 0% for Visa / MC and get incredible rates on the front end from such clean processing. Plus we never have to worry about chargebacks threatening our merchant account again.
nerdawson · 3 years ago
Why does the US seem so far behind when it comes to banking?

- Chip and PIN has been in the UK since 2004 and mandatory since 2006. It wasn't until a decade later that the US caught up.

- Faster Payments allow for instant bank transfers (usually) between any bank account for free. Receiving transfers from clients in US (even with a US Wise bank account) was always a nightmare.

- Since the EU introduced Strong Customer Authentication, most new payments have to be authorised in your mobile banking app or by some other means of 2FA.

- Even before SCA, you'd have to get the Postcode (often digits that mattered) and CVV correct at the very least.

These measures seem like a way of banks shifting the responsibility for fraud onto the customer. In either case though, it's the customer who loses out. In a culture that accepts widespread card fraud, costs increase to offset it.

ActivePattern · 3 years ago
As a Canadian, it does feel like stepping out of a time machine when you pay at restaurants in the USA. Instead of using a terminal at the table to pay yourself, you need to give the server your card and wait for them to manually process it somewhere. Maybe things have progressed in recent years. But we haven't done it that way in Canada since the early 2000's.
danudey · 3 years ago
I was visiting Seattle (from Vancouver) a few years ago, and they didn't want me to use my chip card as a chip card because if they did then I couldn't tip. What the heck is that all about?

Also, we're still hearing stories about merchants in the US starting to accept Apple Pay, whereas it worked fine in almost every retailer in Canada the day it was available - even though it wasn't available in Canada for a long time, American visitors (or Canadians with American credit cards) could use Apple Pay on launch day at any retailer that supported tap-to-pay, which was easily most of them.

pests · 3 years ago
I've started to see more and more servers using a mobile POS with built in credit reader and receipt printer. They hand it to you for tip and signature and you don't have to hand your card to anyone.
wpietri · 3 years ago
Things have definitely changed here recently. At least in San Francisco, at-table terminals are now the norm in sit-down restaurants. Staff generally use the same device for order-taking and payment.
np- · 3 years ago
> In a culture that accepts widespread card fraud, costs increase to offset it.

Maybe, maybe not, but this is a very simplistic way of looking at it. If credit card fraud is responsible for X% of total charges, they can spend effort to deal with it, OR they can simply not deal with it and keep the transactions going while eating the cost; they may be able to serve Y% more customers where Y > X and thus end up with more profit in the long run.

This works for a lot of businesses in America because the sheer scale is massive (take McDonalds for example, they would probably be better off processing their lunch rush quickly due to the margins they are making rather than take even 1 second to verify there is no fraud). This may not work in Europe, but IMO you're missing an entire dimension when analyzing the true costs.

If the fraud/benefit scale ever tipped away from favoring the companies, I think we would see all these major fraud prevention mechanisms kick in almost immediately in the US.

lxgr · 3 years ago
> serve Y% more customers where Y > X and thus end up with more profit in the long run.

That’s the micro/local view, and any rational company in the US will do something close to that. There is no local incentive to set the “fraud/friction” to anything other than their competitors.

On the macro level though, if the dial is moved for everyone (i.e. by regulation; the card schemes have tried to make this happen via incentives in the form of the liability shift, but it still wasn’t enough), there’s a chance for increased total efficiency.

The cool thing is that Europe is running this experiment currently – let’s see how it goes.

nerdawson · 3 years ago
I recognise that for the likes of McDonalds, the friction probably isn’t a benefit.

With that said, I can’t remember the last time I saw a POS terminal that wasn’t contactless.

More often than not I’ll go out with nothing more than my phone knowing that regardless of where I end up, I’ll be able to pay.

Features like SCA protect consumers and businesses alike.

BaseballPhysics · 3 years ago
A massively diverse and deregulated banking sector.

The US has literally thousands of small regional banks across 50 fairly independent states.

Rolling out major new technologies in that environment is far far harder.

cubefox · 3 years ago
The number of banks in the US seems perfectly normal. Germany has ~1500 for 80 million inhabitants, the US has ~4800 for 300 million.
creeble · 3 years ago
None of these comments seem relevant to TFA, which is specifically about card-not-present fraud.

Chip and PIN doesn't work for internet payment.

Bank transfers don't work well internationally.

It is trivial to turn on AVS (address verification) and CVV, but it can result in more declined-yet-legitimate transactions. Sometimes that outweighs the fraud risk that these catch.

The responsibility for fraud is pushed to the merchant, not the customer. Yes, customers pay higher prices because merchant fraud gets passed on eventually, but only in the sense that all fraud costs get passed on to consumers eventually.

rtpg · 3 years ago
I mean the "real thing" is 3D Secure, which isn't exactly 2FA and card issuer dependent, but makes things a hell of a lot more of a PITA to execute for fraudsters.
pas · 3 years ago
Lack of initial (mobile app push notification based) verification for saving the card data is the issue, no?
mistrial9 · 3 years ago
> US seem so far behind when it comes to banking

"ahead" and "behind" halt thinking, and turn the entire topic into some kind of number-line position. It is not. This is complex and actors on both sides of the Atlantic are playing in bad faith to exploit changes. Second you ignore the roles involved. Mid-20s person with steady job is a smaller and smaller part of the system-in-fact, for many reasons. Some people say that working 20-somethings are abused and disenfranchised, including in the EU and elsewhere.

tlogan · 3 years ago
In my view, the U.S. is leading the way in this area.

Europe seems to be shifting the burden of fraud prevention onto customers with methods like SMS notifications and pins. In contrast, in the U.S., banks and businesses are primarily responsible for dealing with fraud.

Dma54rhs · 3 years ago
It's not leading the way technically but for the end consumer it might be better. If I get charged unfairly my bank will tell me to go to the police. Americans can easily just refuse it.
dahwolf · 3 years ago
I'm sorry but using strong authentication to make my payment is not a burden, it's a bloody feature.

Here's how much of a "burden" that is: you hold your ATM card next to the terminal. Done. Paid. Every once in a while (based on a configurable max per week) it will prompt for a PIN. Which you enter in 5 secs. That would be 1 in 10 payments.

Online payment: scan payment QR with phone, which takes me to my banking app. Authentication is FaceID, TouchID or PIN. Then you click "Yes". Done.

Both methods are highly secure, require no or minimal input and are extremely fast.

nerdawson · 3 years ago
The EU have effectively implemented 2FA for credit card payments online.

I pointed out a handful of ways the US are lagging far behind in banking.

How can they possibly be leading the way?

They’re stuck with a horribly outdated system that harms small businesses and exposes users to significantly higher levels of fraud.

It’s bizarre that so many people accept credit card fraud as just the way things are.

i_am_jl · 3 years ago
On the other hand, the EU caps credit card fees at 0.5% by law while in the US merchants will pay 3 times that at a minimum.

I suspect that in the US CC processors are incentivized to increase their processing fees to cover the cost of fraud instead of building features to prevent it because they can and it's easier than building features. Businesses are incentivized to increase prices to cover the cost of fraud (and CC processing costs) since processors offer such poor tooling to prevent it.

In the US the burden of fraud prevention is squarely on the honest consumer's wallet.

daveoc64 · 3 years ago
It's more the case that US Consumers are indirectly funding crime by banks turning a blind eye to fraud.
mndgs · 3 years ago
Oh, please. You're grossly misinformed. If anything, US is lagging lightyears behind Europe in terms of fighting fraud and fighting card schemes, which are stripping everyone equally in US, banks and customers alike.

PSD2 directive introduced a lot of novelties, which no one at the time had (and very few do, not even US). For instance, specific to this situation - remote payments above 30 eur must be SCA (strong customer authentication, similar to 2FA, but more elaborate) verified (small value exception from PSD2 RTS). Also, banks must have both real time and post-time transaction monitoring in place, i.e. they must have systems to detect and prevent such fraudulent attempts. There are literally tens if not hundreds of fraud fighting measures in PSD2, which all banks (both acquirer and issuer) must comply with. I could go on and on (not the place and format).

Frankly, it's utterly unbelievable that this kind of thing could happen without anyone (either acquirer or issuer) intervening. Not what could (should) happen here in Europe.

mnw21cam · 3 years ago
Chip and PIN isn't mandatory in the UK - it's just the default. My debit card is not Chip and PIN, because I asked the bank very nicely.

The problem isn't the Chip and PIN itself, although it has been implemented less securely than it could be. The problem, as you point out, is that the liability for fraud has been shifted in law to the card holder, and that is what I objected to. See https://www.chipandspin.co.uk/ for more.

0xbadcafebee · 3 years ago
> These measures seem like a way of banks shifting the responsibility for fraud onto the customer.

Onto the vendor, not the customer. The customer can chargeback anything instantly, and the vendor is on the hook for the fraud.

It's intentional, so the banks and payment processors can make more profits. By making it easier for customers to chargeback, they incentivize customers to buy more stuff, by getting the customer to feel more comfortable charging everywhere. Charging more stuff makes payment processors more money.

fnordpiglet · 3 years ago
A lot of it has to do with legacy POS support and a strong disinclination on the merchants part to upgrade. Terminals are costly and configuration non trivial. Plus a strong “if it ain’t broke don’t fix it” culture and resistance to any change. Add to it a relatively weak consumer protection regulatory regime and you’ve got the US.

I would say it’s not worse than most of the world though. Much of the world is rampant with fraud borne entirely by the consumer. For instance QR based bank transfers are popular in much of the world outside the western developed world. Fraud is insanely rampant but the ease and utility vs cash makes it acceptable. Transactions costs are near or actually zero and there’s no POS infrastructure. But people meticulously check their transactions because theft is so rampant. The banks and governments seem unconcerned though.

As such I put the US somewhere in the midpoint globally for this space. There are some smaller economies with strong regulatory regimes that do better for sure. There are many more that do much worse. Obviously the goal is the better not the worse, but I think it’s cherry picking to lump the US into being the worst.

DarkGauss · 3 years ago
We still do not use chip-and-pin on credit cards in the US. We use chip-and-signature for most credit cards. I'm not saying there aren't credit cards with chip-and-PIN, there are some.

We do use chip-and-PIN on most debit cards, but even that can be bypassed on 99% of terminals to fall back to chip-and-signature.

ggregoire · 3 years ago
What's super interesting to me, a lot of countries that you would expect to be behind the US on that topic actually have state-of-the-art banking techs. Even the EU is behind some of the stuff I've seen in LATAM.
mndgs · 3 years ago
Please, name an example. Particularly, EU being behind LATAM. As an expert, I'm honestly interested.
arjvik · 3 years ago
We have 3D Secure, but it's almost never implemented on sites!
_puk · 3 years ago
Define "We".

With a UK card pretty much any transaction I do online requires me to Auth it in app.

I even found I had to do it recently for things like car hire, and those websites are generally just wrappers around local company searches (though higher sums overall).

thedangler · 3 years ago
I worked at a company whose server was hacked and they stole the API keys and did carding on it from the server. Paypal tried to tell us we owed them $100,000.00 in fees. We were only running $4500.00 payments at most 5 times a day for course registrations. The hacker ran auths on random CC numbers for $1 every second.

We didn't have to pay the fees for carding but they don't care.

They do not care because they make money off fraud.

We had settings stating we only have orders between $2500 and $6000. But they do not check auths lol

Crazy.

This was back around 2010 and stripe was not available in Canada at the time.

mrguyorama · 3 years ago
Stripe is god awful at fraud prevention and it's intentional. They are explicitly outsourcing the cost of risk management to their clients. It's obscene. I work in the credit card fraud prevention field, and I'm not even that good at my job, but our team of like 3.5 people easily built and maintained a system that prevents this exact kind of carding attack.

The primary way for a business to prevent carding attacks is to just be slightly more annoying to attack than the next guy. As far as I can tell, Stripe is happy to be the easiest large network to attack because they outsource the pain and cost of any attack to you, their users. They could easily, and for very little cost, prevent this from hurting you.

Stripe is choosing to let you suffer to save a few bucks.

KRAKRISMOTT · 3 years ago
They want to nickel and dime you and make you pay for Radar. It's the exact same strategy with Stripe Taxes and their terrible currency conversions. Provide no service up front and eventually you realize your stripe transaction hits a two-digit percentage of your overall price.
johnsimer · 3 years ago
What do you recommend as an alternative to stripe?


edwinwee · 3 years ago
(Edwin from Stripe here.) Worth noting this is copypasta from an older post from a month ago (https://piotrmierzejewski.com/p/card-networks-exploitation). We've fixed most of these issues since then. This type of card testing has dwindled—Radar should now be catching these types of attacks.

On the chargeback point—we hate chargebacks too and we want to limit them as much as possible (we're actually working on a few things over here that we think will help with this). The banks levy chargeback fees (in varying amounts) and an average of them show in the form of a $20 fee—it's not a Stripe-specific fee and we don't profit from chargebacks.

We've just finished company planning for the rest of the year and reducing this type of fraud is a top priority. So if you think you're seeing something similar, please email me at edwin@stripe.com.

chinathrow · 3 years ago
> Radar should now be catching these types of attacks.

No, your base offering should catch these.

Sincerely, a customer of yours.

edwinwee · 3 years ago
Radar is included for free in the base offering.
pard68 · 3 years ago
Worked as the catch-all systems/CI/infrastructure/software engineer for an ecommerce company last year. This sort of stuff was so common. I'd spend at least one day a week trying to determine the newest pattern and prevent it. They were using our system to validate credit cards.

Eventually I stopped more or less all attacks on our cart/checkout. But the requests were still coming. Eventually while trolling logs for an unrelated PHP problem one of the software engineers mentioned there was a huge amount of traffic hitting our page to save a payment for later. The platform would issue a $1.00 charge to verify that the CC was real and they'd moved to using that to "churn" cards.

These CC thieves are very resourceful.
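The two merchant-side signals this thread describes, the burst of $1.00 verification authorisations against many different cards that pard68 saw, and authorisations whose amounts fall outside the order range a merchant declared, as in thedangler's PayPal story, can both be caught in the merchant's own logs before the processor's tooling gets involved. The Python below is an added example, not code from the article, from Stripe, or from any poster in the thread; the event format, field names, thresholds, IP addresses and card fingerprints are all constructed for the illustration.

```python
"""Card-testing detector over constructed authorisation events.

Added example (not from the thread or any poster). Two checks:
  1. a velocity / distinct-card / decline-ratio check per client source,
     the shape of a card-testing burst;
  2. an amount-range check, flagging authorisations outside the order
     range the merchant knows it actually sells in.
Field names, thresholds and all sample values are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events (not real traffic). Each row is:
# (ISO timestamp, client IP, hashed card fingerprint, amount in cents, issuer outcome).
# 198.51.100.20 places three ordinary orders; 203.0.113.7 fires twelve
# $1.00 authorisations against twelve distinct cards inside one minute.
SAMPLE_LOG: List[Tuple[str, str, str, int, str]] = [
    ("2023-07-20T10:00:00", "198.51.100.20", "fp_a1", 3500, "approved"),
    ("2023-07-20T10:04:10", "198.51.100.20", "fp_a2", 4200, "approved"),
    ("2023-07-20T10:09:45", "198.51.100.20", "fp_a3", 2999, "declined"),
] + [
    (f"2023-07-20T10:02:{i * 5:02d}", "203.0.113.7", f"fp_t{i:02d}", 100,
     "approved" if i % 4 == 0 else "declined")
    for i in range(12)
]

# Assumed merchant order range: this shop only sells items between $25 and $60.
ORDER_MIN_CENTS = 2500
ORDER_MAX_CENTS = 6000


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str           # client IP or account id the request came from
    card_fp: str       # hashed card fingerprint, never the PAN itself
    amount_cents: int
    outcome: str       # "approved" or "declined"


def load_events(rows) -> List[AuthEvent]:
    """Turn the raw tuples into typed events with parsed timestamps."""
    return [AuthEvent(datetime.fromisoformat(ts), src, fp, amt, out)
            for ts, src, fp, amt, out in rows]


def out_of_range_auths(events: List[AuthEvent], min_cents: int, max_cents: int) -> List[AuthEvent]:
    """Authorisations whose amount no legitimate order at this merchant could produce."""
    return [e for e in events if not (min_cents <= e.amount_cents <= max_cents)]


def detect_card_testing(events: List[AuthEvent],
                        window: timedelta = timedelta(minutes=5),
                        min_attempts: int = 10,
                        min_distinct_cards: int = 8,
                        max_approval_ratio: float = 0.5) -> Dict[str, dict]:
    """Flag sources that run many distinct cards with a high decline rate in a short window.

    A sliding window per source walks the events in time order; the first window
    that meets all three thresholds flags the source and records its statistics.
    """
    by_src: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    flagged: Dict[str, dict] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1                      # drop events older than the window
            burst = evs[start:end + 1]
            if len(burst) < min_attempts:
                continue
            cards = {e.card_fp for e in burst}
            approved = sum(e.outcome == "approved" for e in burst)
            ratio = approved / len(burst)
            if len(cards) >= min_distinct_cards and ratio <= max_approval_ratio:
                flagged[src] = {"attempts": len(burst),
                                "distinct_cards": len(cards),
                                "approval_ratio": round(ratio, 2)}
                break
    return flagged


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("card-testing sources:", detect_card_testing(evs))
    print("out-of-range auths:",
          [(e.src, e.amount_cents) for e in out_of_range_auths(evs, ORDER_MIN_CENTS, ORDER_MAX_CENTS)])
```

The two checks are deliberately independent: the range check alone would also fire on a single mistyped price, and the velocity check alone would also fire on a busy legitimate kiosk with a high decline rate, so a source hitting both is the one to rate-limit or block at the checkout layer rather than at the processor. Using a hashed card fingerprint rather than the card number keeps the detector itself out of PCI scope.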