
Show HN: UPUP Simple Credit Card Verification to Reduce Fraud - cglace
https://www.upupapp.io
======
cglace
At Fetch[0] we built UpUP as an internal tool to help us authenticate high-
risk transactions. As we scaled we started experiencing a high volume of fraud
from multiple vectors: meth rings, carders, identity thieves, etc. We started
to manually verify multiple forms of identification to approve an order. This
led to quite a bit of customer friction and put a large burden on our customer
service team.

We developed UpUp as a payment verification tool to quickly let customers
demonstrate ownership of a payment method and get their transactions approved.
In the 4 months we've been using UpUp, we've had a 100% success rate in
legitimate customers verifying their accounts and completing purchases. We've
also been able to approve more transactions, as we no longer have to wait for
customers to provide multiple documents before approving their transactions.

We're launching UpUp as its own stand-alone tool for helping any business
verify transactions and combat fraud. We're launching with a Stripe
integration today, making it seamless for any Stripe user to add UpUp's fraud
verification service.

[0] [https://www.fetchtruck.com](https://www.fetchtruck.com)

~~~
emmelaich
One of your verification methods is to record a small random charge.

Note that this is also done by 'carders' and so it can trigger the bank's own
fraud detection.

I've had this happen to me; a legitimate entity in the USA checked my card
with a small fee (with my agreement) and my card was cancelled. Took me a week
to get it back.

~~~
Alupis
That most likely had to do with your purchase history pattern. Good banks will
notice abnormal patterns and freeze your card/account until you approve the
charges. Overseas charges are a pretty large red flag, particularly if you
simultaneously have charges in your home area. It also depends how the card
was run by this company for this second verification... Virtual Terminal vs. a
normal checkout flow can sometimes be treated as a "Card Not Present" charge,
which can appear more risky to your bank/card company.

Not foolproof, but is a help. Also... another reason to use a credit card for
all online purchases... it's not your money, and almost always will be
refunded in full if disputed (at least in the US). Bank cards/debit cards are
your money, and you might have a fight on your hands with your bank if it's a
large enough charge.

------
Keverw
Very neat, reminds me of how like PayPal makes 2 small deposits to verify your
bank account. Only downside I'd think to this is fees for the site owner (but
might offset chargebacks if their site had a bunch in the past so maybe worth
it) and then secondly not everyone uses online banking...

Like I know someone who's a family member who still does online shopping like
on Amazon but still gets their credit card and bank statements mailed to them
- unless you can maybe check your card balance and recent transactions by
phone... They say they don't trust online banking, yet it's literally probably
the same database and servers other than a flag in the database like
"hasOnlineAccess" with a username/password combo stored... Probably more at
risk of getting their info stolen by installing crap on their own computer
than the bank itself being hacked though.

~~~
Adams472
Thanks for the feedback and story!

Our recommendation is that most businesses should be prepared to offer a few
options for payment or identity verification. In your case, your family member
may have been better suited doing something like a driver's license
verification or a knowledge-based identification.

~~~
Keverw
You're welcome. I've been toying around with doing a virtual world, but still far
away from doing the economy related stuff. One of my concerns is some teenager
might steal their parents' credit card and rack up charges, maybe multiple
ones. And from my understanding chargebacks are about 30 bucks each. Then I
think offering game tokens or gift cards, criminals buy a bunch of gift cards
to resell with stolen cards. Then worried about trolls, I was thinking of the
idea of charging people to sign up but some friends thought that'd hinder
growth... Tricky stuff to think about, but can't monetize it yet without the
other stuff working yet anyways. Even heard of criminals using charities
donation forms to try and verify cards too, pretty shameful since in a way
they are stealing from the children or people with cancer the charity is
trying to help out since other funds would have to help cover the chargebacks.

------
coderintherye
As a business owner dealing with credit card fraud, yes this is a real problem
that the processors currently don't solve and existing solutions are hit or
miss.

That said, I don't see you addressing the key issue, what is the drop-off rate
of _legitimate_ purchasers from having to jump through this hoop to get
verified? If it negatively affects conversion rate too strongly then the loss
outweighs the benefit. It may make more sense in high-value transactions such
as with Fetch than in general ecommerce?

~~~
nottorp
Not that it's interesting for Americans, but I have stopped buying anything
handled by Digital River because of their great fraud detection. As in, the
card that is good enough for Amazon, Apple, Blizzard etc is not good enough
for them.

Careful that you don't end up in the same bucket.

~~~
ganoushoreilly
> Show HN: UPUP Simple Credit Card Verification to Reduce Fraud

Not to mention their horrible management of physical goods as well. A lot of
vendors like HTC have had serious issues with product sales, returns etc.

If it's Digital River, I look for alternatives or don't buy. Glad to see I'm
not alone.

------
joshmn
Someone who has been in this field for far too long here:

I like the initiative and I think this is a step for deterring credit card
fraud. However, if someone wants your product bad enough, it's trivial — at an
incremental cost — to buy a credit card with login.

Yes, while these issuers have security to prevent logging in/logging in from
an unknown device/ip/user agent/hwid, we can all attest that for every secured
account, there are plenty that aren't. Even with alerts, OTP, device
recognition and notifications, that doesn't deter someone from going to a
shop, searching by BIN, by brand, by zip, by email, by password, etc. to
narrow down what they want to buy.

If you're the only provider with XyzGood, and someone wants XyzGood bad
enough, this won't stop them.

~~~
cglace
We see UpUp as a piece of our overall fraud strategy. We lend $35,000 vehicles
to renters without meeting them in person. Often we are up against very
determined bad actors. What we have found is that if you make a fraudster's job
a little bit harder they will move on to the easier target.

~~~
splonk
The saying we had when I worked on this was that we weren't trying to stop
fraud, we were just trying to be a slightly harder target than eBay.

------
zikani_03
This looks interesting! While I may not be in the target market it somehow
validates something I've been mulling over.

Where I come from we have mobile money solutions but they aren't yet
integrated to allow you to pay for something online. It's a different problem
but the shared element of manual verification for payments has encouraged me
it's something worth looking into much more seriously now.

All the best and thanks for the 'motivation'.

~~~
Adams472
Hey! Thanks for the comment and support. Glad to provide any motivation.
Building is part of the fun :-) Best of luck with your project, and reach out
if we can be of any help.

~~~
WrtCdEvrydy
Okay, I'm sold, where's the API page and how do I get started with the docs?

~~~
Adams472
We're working on the API, but decided to launch before it was ready for public
consumption. Would be great to learn about your use case and give you access.
Could you reach out to contact @ upupapp.io?

------
ripberge
Seems like a lot of friction introduced into the purchase process, and $1 is
extremely expensive. Stripe's chargeback protection is likely to be
significantly cheaper for many transactions and they are guaranteeing no
chargebacks!
[https://stripe.com/radar/chargeback-protection](https://stripe.com/radar/chargeback-protection)

~~~
Adams472
Thanks for sharing your thoughts. Chargeback protection is nice in that you
can somewhat set it and forget it. But, there are a few drawbacks including
having a tax on every purchase. (0.4% - 1.0% of gross revenue adds up!)
Chargeback protection also acts as insurance, and the insurance issuer can
decline to offer chargeback protection for suspicious transactions, which
leaves you on the hook for the risk with that transaction if you accept it.

Where UpUp slots in is for those transactions in the gray zone. Declining a
customer's purchase "because our payment processor said you are risky" isn't
the best look.

Also, in many cases, such as rental, the value of the transaction is much
smaller than the amount of the risk from the transaction.

Hope that helps provide some context on the different use cases as we see
them.

------
exabrial
The fact that this is even necessary shows how broken MasterCard and Visa are.
Why not sign the transaction with a public key?

~~~
elchin
It would be hard to provide a seamless UX for it, so it would reduce
purchases.

------
mchusma
Cool tool!

A couple of questions:

- can you set this to automatically trigger for high risk transactions?
- how do you flag the user as "ok" for charges in stripe?
- do you need to disclose random charges to the customer?
- are these actual charges that are refunded or just authorizations?

~~~
cglace
_can you set this to automatically trigger for high risk transactions? -how do
you flag the user as "ok" for charges in stripe? -do you need to disclose
random charges to the customer?_

Triggering a verification automatically based on a stripe radar score is
definitely on the roadmap. Right now we do not add any metadata to the stripe
customer record but that is a great idea!

 _Are these actual charges that are refunded or just authorizations?_

These are just authorizations that will be released as soon as the
verification fails, expires, or succeeds.

~~~
mchusma
Thanks!

------
Osiris
I use MaxMind to get back a risk score and use that to determine the
possibility of fraud. It's been extremely effective, very cheap, and
completely transparent to users (unless they trigger a high risk score). How
does this service compete with that?

~~~
Adams472
I don't believe we necessarily compete with MaxMind. MaxMind helps determine
transactions that may be fraudulent. I've used the product in the past and
found it helpful. Sift is another good option.

UpUp provides you with a method to provide your customers that lets them prove
they are not fraudulent. In turn, this lets you feel correct about denying a
transaction or sleep better at night when you have approved a transaction that
is questionable.

------
burgalon
Why is this needed if you implement SCA 3D secure?

~~~
jaywalk
It's not, and SCA 3D Secure is a better solution.

~~~
kennydude
Especially when the card providers move the risk, and therefore part of the
cost of the transaction onto the bank. It's up to the bank to make 3D Secure,
secure by authenticating the user in its own way.

