This author is jumping out of the frying pan and into the fire. ChatGPT is cool and all, but the fact that they’re trusting it to write critical code for handling their customers’ money speaks volumes. They’re incredulous at how they feel Stripe violated their trust in it to manage fraud, but then go ahead and blindly place it in another technology they don’t understand. The problem isn’t Stripe (though, yes, they should fix this), it’s the fact that they are just giving away trust and hoping for the best.
Feels like a mischaracterization tbh.
He had it make a script to go through and accept the chargebacks for these accounts, not handle payment processing or do anything to the chargebacks other than click "accept" essentially.
> And based on the context in the article, the author sounds like they lacked the technical skill to write or validate these scripts themselves.
I also don't really get where you're getting that from.
The author even said
> I reviewed all of the scripts carefully, and also never shared any customer data, IDs, or API keys. I think I saved at least a couple hours compared to hand-rolling these tools manually!
The fact that it works is insufficient proof that it was the right thing to do. Building a habit of relying on LLM generated code is an inherently risky practice, and ChatGPT will literally warn you against trusting its outputs. Sure, it lets you growth hack your way through short term problems, but in the long term I’m not convinced this is responsible decision making at the current levels of LLM technology.
Or maybe I’m just a Luddite, stuck in my old ways.
To me it reads like a great example of where ChatGPT is most useful: as a force multiplier for time-constrained entrepreneurs who have a specific goal and need specialized knowledge for short periods of time (e.g. to write a script). It's now basically free and instant to produce what would previously require a multi-week process of sourcing, hiring and communicating with contractors to write a script that leads to the same end result.
The kneejerk reaction to call this "surprising" or irresponsible, while understandable, gives major "get off my lawn" energy. This is the future and as coders we should support the increased self-sufficiency of non-technical people. If you want to adapt to the change then maybe think about how to improve the process for entrepreneurs of asking ChatGPT to write a script.
I wouldn't say I lack technical expertise in this area, I'm just trying to use my time as efficiently as possible.
And for context what's the average line count we're talking about here? Tens of lines? Hundreds?
I'd just state that tons of us use ChatGPT effectively and never blindly trust the outputs - for me ChatGPT is a starting point, not the final product. We're not all so daft as that lawyer who cut and pasted hallucinated case references into a legal brief without verifying them first.
It gets 50-60% of work done, and is a really good basis for me to work on. Especially when working with one-off, end-to-end relatively short scripts.
I have read posts linked here similar to this one, but I can’t recall another instance in which the author abruptly said they relied on stackoverflow to code something unless the content was a meta commentary on coding and debugging itself.
I think using ChatGPT to write long-lived code for a serious application is a bad idea. But I think it's fine for somebody knowledgeable to use it for throwaway and first-draft stuff in areas that aren't their daily work.
Here's the author in question: [edit: wrong Piotr Mierzejewski in tech, see below]
He looks perfectly competent to me to evaluate the effects of some one-shot scripting code, so I think "giving away trust and hoping for the best" is a wild exaggeration of what actually went on.
From my understanding, it also seems that the author submitted a Stripe API key alongside the prompt to create the scripts. This is pretty much a big security no no regardless of the permissions of the key.
Credit card fraud here is socialized. The end consumer is never liable, and so we don't bother with chip and pin, 2FA, 3D secure or whatever else. If we notice a suspicious transaction we simply tap a button in the bank's app and the charge is reversed in minutes.
Banks and payments processors are themselves incentivized to push through transactions as quickly and easily as possible so people spend more (yay consumerism!), and like the author said you mostly don't even need to input the right expiry date, billing address or zip code.
The drawback of course is that all of the liability is pushed on to the business, and so they have to raise prices for everyone to make up for it.
I don't really think there's a rational reason for why you don't have better card security in the US. You just seemingly don't want it.
Systematic change is slow and difficult. FedNow (secure, instant payments directly between accounts) was released 12 days ago, after nearly a decade in preparation.
Pretending that Americans just "don't want" more secure payments is just ignorant, in my opinion, and really screams that the author should spend more time with folks of other cultures.
People should know btw that with 3D secure the card owner can be held liable for fraudulent charges, because some banks have that in their terms for 3D secure. With phone 2FA all that needs to happen is you have your phone and wallet stolen. I've seen cases in the news where people lost thousands.
Are device passcode and app biometrics insufficient security measures in the event of device theft?
That's completely untrue. Most European businesses pay much more than that.
What they don't see is: the 3-5% or more markup of goods across the board (doesn't matter if you pay cash or card, especially for big box stores), the number of charge backs and the costs of dealing with it, fraudulent charges, poor security (places still accept mag stripe in the states), innumerable middlemen to process transactions (bank fees, issuing card fees, network fees, premium card fees, ...)
It's fucking chaos. I hate it.
With FedNow, I am hoping that will change. Eliminate all of these middlemen that are siphoning funds from people across the board. Eliminate the parasites. Eliminate the waste.
Let me tell you, on two different organizations I am part of, I have run in the last 2 years, both got hit by automated credit card checking bots using French banks and a lot of those cards succeeded.
(Of course there's a whole story about how both these orgs have resisted my previous warnings about hardening the payment sites...one of them even was still using Magento 1)
Anecdotal but meh, the real problem is credit cards are just as much kludged relics as ACH that nobody wants to really fix meaningfully
For manual payments, UPI in India sounds pretty great. Apparently the customer approves each payment on their phone before it goes through?
0) makes every transaction a trivial SQL query away for the government.
1) everything needs an SMS code. Just as we are trying to get everyone off SMS 2FA
2) doesn’t work for non-Indian numbers or roaming devices
3) can’t get an Indian SIM without proof of address etc. No burners in India
4) regulation expressly forbids device-local biometrics. This is why there is no Apple Pay in India.
5) Biometrics must be stored with the government. “Unique Identification Authority (UIDAI)” - https://studentbriefs.law.gwu.edu/ilpb/2022/03/22/regulating...
I find the effort of remembering the 4 digit code/having the phone much smaller than the alternative ...
It was a really easy decision for our business based on win rate, avg order size and chargeback fees. Plus now we don't have to constantly worry about Visa's or the merchant bank's 1% chargeback rule. This only applies to Visa charges but it represented about 50% of our total volume.
One last note - Visa is basically taking away a massive revenue source for the processors. If your processor is TSYS, they are trying to charge an RDR fee of $10.
Do you handle this for Mastercard in any way? I've heard of Ethoca (they are really good at SEO), it seems quite similar to Verifi.
- Chip and PIN has been in the UK since 2004 and mandatory since 2006. It wasn't until a decade later that the US caught up.
- Faster Payments allow for instant bank transfers (usually) between any bank account for free. Receiving transfers from clients in US (even with a US Wise bank account) was always a nightmare.
- Since the EU introduced Strong Customer Authentication, most new payments have to be authorised in your mobile banking app or by some other means of 2FA.
- Even before SCA, you'd have to get the Postcode (often digits that mattered) and CVV correct at the very least.
These measures seem like a way of banks shifting the responsibility for fraud onto the customer. In either case though, it's the customer who loses out. In a culture that accepts widespread card fraud, costs increase to offset it.
Also, we're still hearing stories about merchants in the US starting to accept Apple Pay, whereas it worked fine in almost every retailer in Canada the day it was available - even though it wasn't available in Canada for a long time, American visitors (or Canadians with American credit cards) could use Apple Pay on launch day at any retailer that supported tap-to-pay, which was easily most of them.
Maybe, maybe not, but this is a very simplistic way of looking at it. If credit card fraud is responsible for X% of total charges, they can spend effort to deal with it, OR they can simply not deal with it and keep the transactions going while eating the cost; they may be able to serve Y% more customers where Y > X and thus end up with more profit in the long run.
This works for a lot of businesses in America because the sheer scale is massive (take McDonalds for example, they would probably be better off processing their lunch rush quickly due to the margins they are making rather than take even 1 second to verify there is no fraud). This may not work in Europe, but IMO you're missing an entire dimension when analyzing the true costs.
If the fraud/benefit scale ever tipped away from favoring the companies, I think we would see all these major fraud prevention mechanisms kick in almost immediately in the US.
That’s the micro/local view, and any rational company in the US will do something close to that. There is no local incentive to set the “fraud/friction” to anything other than their competitors.
On the macro level though, if the dial is moved for everyone (i.e. by regulation; the card schemes have tried to make this happen via incentives in the form of the liability shift, but it still wasn’t enough), there’s a chance for increased total efficiency.
The cool thing is that Europe is running this experiment currently – let’s see how it goes.
With that said, I can’t remember the last time I saw a POS terminal that wasn’t contactless.
More often than not I’ll go out with nothing more than my phone knowing that regardless of where I end up, I’ll be able to pay.
Features like SCA protect consumers and businesses alike.
The US has literally thousands of small regional banks across 50 fairly independent states.
Rolling out major new technologies in that environment is far far harder.
Chip and PIN doesn't work for internet payment.
Bank transfers don't work well internationally.
It is trivial to turn on AVS (address verification) and CVV, but it can result in more declined-yet-legitimate transactions. Sometimes that outweighs the fraud risk that these catch.
The responsibility for fraud is pushed to the merchant, not the customer. Yes, customers pay higher prices because merchant fraud gets passed on eventually, but only in the sense that all fraud costs get passed on to consumers eventually.
"ahead" and "behind" halt thinking, and turn the entire topic into some kind of number-line position. It is not. This is complex and actors on both sides of the Atlantic are playing in bad faith to exploit changes. Second you ignore the roles involved. Mid-20s person with steady job is a smaller and smaller part of the system-in-fact, for many reasons. Some people say that working 20-somethings are abused and disenfranchised, including in the EU and elsewhere.
Europe seems to be shifting the burden of fraud prevention onto customers with methods like SMS notifications and pins. In contrast, in the U.S., banks and businesses are primarily responsible for dealing with fraud.
Here's how much of a "burden" that is: you hold your ATM card next to the terminal. Done. Paid. Every once in a while (based on a configurable max per week) it will prompt for a PIN. Which you enter in 5 secs. That would be 1 in 10 payments.
Online payment: scan payment QR with phone, which takes me to my banking app. Authentication is FaceID, TouchID or PIN. Then you click "Yes". Done.
Both methods are highly secure, require no or minimal input and are extremely fast.
I pointed out a handful of ways the US are lagging far behind in banking.
How can they possibly be leading the way?
They’re stuck with a horribly outdated system that harms small businesses and exposes users to significantly higher levels of fraud.
It’s bizarre that so many people accept credit card fraud as just the way things are.
I suspect that in the US CC processors are incentivized to increase their processing fees to cover the cost of fraud instead of building features to prevent it because they can and it's easier than building features. Businesses are incentivized to increase prices to cover the cost of fraud (and CC processing costs) since processors offer such poor tooling to prevent it.
In the US the burden of fraud prevention is squarely on the honest consumer's wallet.
PSD2 directive introduced a lot of novelties, which no one at the time had (and very few do, not even US). For instance, specific to this situation - remote payments above 30 eur must be SCA (strong customer authentication, similar to 2FA, but more elaborate) verified (small value exception from PSD2 RTS). Also, banks must have both real time and post-time transaction monitoring in place, i.e. they must have systems to detect and prevent such fraudulent attempts. There are literally tens if not hundreds of fraud fighting measures in PSD2, which all banks (both acquirer and issuer) must comply with. I could go on and on (not the place and format).
Frankly, it's utterly unbelievable that this kind of thing could happen without anyone (either acquirer or issuer) intervening. Not what could (should) happen here in Europe.
The problem isn't the Chip and PIN itself, although it has been implemented less securely than it could be. The problem, as you point out, is that the liability for fraud has been shifted in law to the card holder, and that is what I objected to. See https://www.chipandspin.co.uk/ for more.
Onto the vendor, not the customer. The customer can chargeback anything instantly, and the vendor is on the hook for the fraud.
It's intentional, so the banks and payment processors can make more profits. By making it easier for customers to chargeback, they incentivize customers to buy more stuff, by getting the customer to feel more comfortable charging everywhere. Charging more stuff makes payment processors more money.
I would say it’s not worse than most of the world though. Much of the world is rampant with fraud borne entirely by the consumer. For instance QR based bank transfers are popular in much of the world outside the western developed world. Fraud is insanely rampant but the ease and utility vs cash makes it acceptable. Transactions costs are near or actually zero and there’s no POS infrastructure. But people meticulously check their transactions because theft is so rampant. The banks and governments seem unconcerned though.
As such I put the US somewhere in the midpoint globally for this space. There are some smaller economies with strong regulatory regimes that do better for sure. There are many more that do much worse. Obviously the goal is the better not the worse, but I think it’s cherry picking to lump the US into being the worst.
We do use chip-and-PIN on most debit cards, but even that can be bypassed on 99% of terminals to fall back to chip-and-signature.
With a UK card pretty much any transaction I do online requires me to Auth it in app.
I even found I had to do it recently for things like car hire, and those websites are generally just wrappers around local company searches (though higher sums overall).
We didn't have to pay the fees for carding but they don't care.
They do not care because they make money off fraud.
We had settings stating we only have orders between $2500 and $6000. But they do not check auths lol
Crazy.
This was back around 2010 and stripe was not available in Canada at the time.
The primary way for a business to prevent carding attacks is to just be slightly more annoying to attack than the next guy. As far as I can tell, Stripe is happy to be the easiest large network to attack because they outsource the pain and cost of any attack to you, their users. They could easily, and for very little cost, prevent this from hurting you.
Stripe is choosing to let you suffer to save a few bucks.
On the chargeback point—we hate chargebacks too and we want to limit them as much as possible (we're actually working on a few things over here that we think will help with this). The banks levy chargeback fees (in varying amounts) and an average of them show in the form of a $20 fee—it's not a Stripe-specific fee and we don't profit from chargebacks.
We've just finished company planning for the rest of the year and reducing this type of fraud is a top priority. So if you think you're seeing something similar, please email me at edwin@stripe.com.
No, your base offering should catch these.
Sincerely, a customer of yours.
Eventually I stopped more or less all attacks on our cart/checkout. But the requests were still coming. Eventually while trolling logs for an unrelated PHP problem one of the software engineers mentioned there was a huge amount of traffic hitting our page to save a payment for later. The platform would issue a $1.00 charge to verify that the CC was real and they'd moved to using that to "churn" cards.
These CC thieves are very resourceful.
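An added example, not from the thread or from any commenter: a small Python detector for the burst pattern described above (many distinct cards pushed through a "save card for later" endpoint within minutes), run over constructed log lines. The log format, IPs, card fingerprints and outcome names are assumptions; it also tallies CVC/AVS check failures in the same window.

```python
"""Flag card-testing bursts: too many distinct card fingerprints from one
source IP inside a sliding time window. Added example with constructed data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format): timestamp, source IP,
# card fingerprint, outcome. IPs and fingerprints are made up.
SAMPLE_LOG = """\
2023-08-01T10:00:01Z 203.0.113.7 fp_a1 approved
2023-08-01T10:00:03Z 203.0.113.7 fp_b2 cvc_fail
2023-08-01T10:00:04Z 203.0.113.7 fp_c3 declined
2023-08-01T10:00:06Z 203.0.113.7 fp_d4 cvc_fail
2023-08-01T10:00:07Z 203.0.113.7 fp_e5 approved
2023-08-01T10:00:09Z 203.0.113.7 fp_f6 declined
2023-08-01T10:05:00Z 198.51.100.2 fp_z9 approved
2023-08-01T11:30:00Z 198.51.100.2 fp_z9 approved
"""

WINDOW = timedelta(minutes=5)
MAX_DISTINCT_CARDS = 3  # more distinct cards than this per IP in WINDOW is suspicious
FAIL_OUTCOMES = {"declined", "cvc_fail", "avs_fail"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, fingerprint, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, fp, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, fp, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_card_testing(events, window=WINDOW, max_cards=MAX_DISTINCT_CARDS):
    """Return {ip: (peak_distinct_cards, peak_failed_checks)} for every IP that
    exceeds max_cards distinct fingerprints within any window of length `window`."""
    recent = defaultdict(deque)  # ip -> deque of (ts, fp, outcome) still inside window
    flagged = {}
    for ts, ip, fp, outcome in events:
        q = recent[ip]
        q.append((ts, fp, outcome))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        cards = {e[1] for e in q}
        if len(cards) > max_cards:
            failures = sum(1 for e in q if e[2] in FAIL_OUTCOMES)
            prev = flagged.get(ip, (0, 0))
            flagged[ip] = (max(prev[0], len(cards)), max(prev[1], failures))
    return flagged


if __name__ == "__main__":
    for ip, (cards, fails) in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {cards} distinct cards, {fails} failed checks within {WINDOW}")
```

The legitimate customer at 198.51.100.2 reuses one card and is never flagged; a real deployment would feed the flagged IPs into rate limiting or a step-up check rather than just printing them.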
I get that a lot of indie businesses probably don’t have the resources/want to do this, so there are solutions you can buy, but they’re expensive and mostly targeted at high volume merchants anyway. Maybe stripe launches a fine-tunable radar product someday?
Let's not forget that the CC industry encourages the worst spending habits for consumers thus perpetuating the never ending cycle of slaves to debt.
But for the other info, they could be carding for prepaid cards which have no name, address, or ZIP code to verify against?
The solution indeed is to write manual rules to trigger 3D secure.
Banks don't choose to accept incorrect name, invalid CVC, invalid exp date or wrong billing address. It's up to the user (in this case him) to enable CVC Check and AVS in his payment processor to fail payments that don't pass this check. It's also up to him/Stripe to implement 3D secure and trigger it.
https://stripe.com/docs/disputes/prevention/verification#cvc...
It’s kinda funny, but the only time Chase and Amex credit cards asked me for 2FA (I didn’t even know they had 2FA) was when I used them to purchase some things on an Indian website through a local payment provider (Razorpay).
Don't expect speed or creativity in the US banking sector.
My friend had a USB smartcard reader in like 2001. He'd dip his AmEx to perform a transaction on his PC. It's twenty years later and the industry still hasn't caught up?
What's different about Europe that they seem to have figured this out decades ago?
In contrast, in many places in Europe the user is responsible for unauthorized charges. Regular people care a great deal about not being wrongfully charged as that is almost always proportionally worse, so they demand robust end-user protection so they will not be wrongfully charged.
This is kind of a case of, “everybody would drive safer if instead of an airbag you had a bunch of knives that shoot out and kill you if you get in a crash”.
[1] https://www.law.cornell.edu/wex/fair_credit_billing_act_(fcb...
See EMV fraud liability shift.
https://www.mastercard.us/content/dam/mccom/en-us/documents/...
Which EU countries? Bank card readers are super common in .nl (ING for sure) and .be (just about every single bank there) for example.
Nowadays banks often allow you to use either that or, say, an app on your phone or a dedicated physical token. For example you can confirm transactions you make on your computer by unlocking an app and confirming with your fingerprint from your smartphone. But that's semi-recent. Before that kind of 2FA became a thing, it was all done with card readers.
Some countries still live in the past like, I shit you not, Societe Generale in France still has a "2FA" where it shows digits randomly on the screen and you have to click your PIN (some people still have an account like that): that is however quite pathetic and not the norm.
If I want to buy anything online using any one of my credit cards, I must put it in a physical reader and reply correctly to a challenge/response.
These readers are different from the electronic ID card readers, which are also used in many EU countries (for example to file my taxes online).
Our governments actually care about monopolies and security. The PSD2 directive was an utter pain to deal with, but at least it stopped a lot of common scams and thefts in its tracks, and it forced banks and other payment actors to open up their system.
Indeed. More specifically SCA (Strong Customer Authentication) which is required by PSD2. VISA says the "SYH" (Something You Have) is either "a mobile phone, a card reader or other device evidenced by a one-time passcode".
Note however that I cannot log in nowadays to any of my banks in the EU without having a big banner saying something like (paraphrasing): "WARNING: scammers are trying to steal your funds. Neither the bank nor the police nor anyone else shall ask you your PIN or to confirm anything on your card reader."
Basically: life is harder for scammers so they try to trick (mostly old) people into validating transactions over the phone.
It might've been possible someone had something like that in the good ol' '00s with ActiveX, but that must've been surely an exception (and a security nightmare).
The device reads your card, asks for the pin and then spits out a 2FA code to enter on the website or app. The old ones only did this code thing (usually with SMS as a backup way to get the code, but most banks have moved away from sms now). Some more advanced ones have a digital signing capability by taking a photo from a QR-like code on the computer screen and then displaying the signing code for you to enter.
These advanced ones are a bit out of use now that everyone uses the mobile app, except for business accounts and larger amounts like my bank's 50k limit on mobile app confirmation. But I don't regularly transfer more than 50k in one transaction anyway.
Edit: Here is a picture of one that we use with a large Dutch bank for our business account with the QR-code reading thing: https://4.bp.blogspot.com/-6c1NGHew1P8/VBqvTeqDQdI/AAAAAAAAf...
Some banks may have used this for 3D Secure during online card payments as well, but I've never encountered one. Validation for that in my case evolved from setting a password on my account, which they'd ask for some characters from, to tokens sent via SMS to my registered phone number, to a push notification from my bank followed by FaceID to authorise payment.
In person Chip & PIN, and more recently contactless, is ubiquitous. Magstripe payments are so rare I have to explicitly enable them in my bank's app for the card, and it'll turn itself off again 7 days later. I never encountered chip & signature until going to the US, where everyone in the group I was with looked at it like some sort of joke (and indeed it is, because there's no signature recorded against my card for validation).
And there are two things that are not to be confused: electronic ID card readers (used for stuff like VAT tax filings, income tax filings, etc.) and debit/credit card readers (which may or may not be connected to the PC) used as 2FA (with a challenge/response). The ones that aren't connected to the PC generate a number which you then enter to confirm your login/order.
Many banks in the EU enforce at least one type of 2FA. The shittiest, most pathetic ones, still do it by SMS (but it's still 2FA and still better than nothing). Others use a card reader (in which you literally plug your bank card, which signs orders / challenge/response style and never leaks the card's secret). Others give a physical RSA-like token with codes changing every x seconds. Others allow the use of an app on a smartphone to confirm transactions.
When I log in to at least one of my banks I've got a list asking me which type of 2FA I'll use to log in and confirm payments. Card readers (two different types) are on the list.
I use that to log in, confirm wire transfer and buy stocks too.
That logic doesn't quite translate internally, so it's important to maintain the perception that the banking system is all that stands between the little people and a hungry mob of scammers. If the scam problem were demonstrably easy to solve at the POS, it would be harder to justify the merchant fees and other bank-related overreach.
Everyone would need to mandate the security feature while having a short term incentive not to.
"Hedgemony" is a war game focused on connecting policy and strategy. https://www.usmcu.edu/Outreach/Marine-Corps-University-Press...
Stop whining, have the US adopt PSD2 (SCA in particular) and your problems will go (most of them).
I found out about this when I had a problem of somebody running a script of trying different credit cards over a two hour window.
My payment processor told me I should prevent these types of things. So I investigated and never had this problem anymore.
Cloudflare is amazing at preventing all kinds of attacks. I love Cloudflare.
I hope the other 85% are just recent transactions that haven’t been scrutinized yet.
Or did the fraudsters target a bank with high net worth clients that don’t scrutinize smaller billings???
I can see a lot of people not really scrutinizing a random Spotify transaction or something. Especially vendors that let you store multiple cards and then you don’t always keep it straight which transaction went to which card anyway.
It is instead a showcase on how mediocre issuers can be when authorizing transactions, and how non-sensical the system has become that the merchant ends up paying the price for chargebacks.
Entire classes of liability and fraud are shifted to the issuer and no longer on the merchant.
Has Stripe Radar improvements slowed down or have fraudsters gotten better?