
Steal a Credit Card, Buy a Hoverboard - firloop
http://www.buzzfeed.com/josephbernstein/steal-a-credit-card-buy-a-hoverboard#.ruY1nQlznv
======
MarkCole
_" According to internal Stripe documents obtained by BuzzFeed News, online
hoverboard purchases are plagued by fraud."_

 _" Documents show that as of Dec. 7, Soulja Boy’s Stripe account held a
balance of $-174,440.08. Between June 30, 2015, and Dec. 7, according to the
same documents, more than 75% of all orders associated with that account were
disputed after the fact."_

I find the fact that someone at Stripe is leaking financial
documents/information of customers (presumably for some sort of personal gain)
to be HIGHLY disturbing. Maybe it's time they reviewed who has access to what
sensitive information there.

------
rwmurrayVT
Stripe has been known to be incredibly vulnerable to online fraud. They
provide effectively 0 fraud prevention for their users. Any merchant using
Stripe is just a sitting duck for an extreme spike in fraudulent purchases.
Even as recently as 2 weeks ago lists of Stripe-based merchants float around.

Even worse, any bimbo with a SSN and bank account in the USA can sign up. If
you've got someone's SSN and address you can open a Stripe and bank account in
their name. Run up the Stripe balance with stolen cards and then disappear.
Stripe holds initial payments for 7 days and a rolling 2-day period. Clearly
from this article most people don't charge back for a long time, well over 7
days.

Stripe has a fraud problem. They've been denying it and IMO have failed to
bring in fraud prevention experts. They should partner with MaxMind and create
a single, easy to implement product.

------
matt4077
I wonder how the vendor can be described as "unreputable". It seems like the
vendor has the least possibilities of all those involved (banks, cc companies,
stripe) to spot fraud.

The credit card companies also reap all the benefits of making it easy to use
their cards (no pin, no 2FA) but apparently pass the losses from that policy
on to the vendors.

~~~
pcr0
Exactly what I was thinking. The whole point of using something like Stripe is
to hide complexity, why should users have to roll their own fraud prevention?

------
binarnosp
Shouldn't Stripe be responsible for checking frauds and detecting them? Or
shouldn't the credit card company deny the transaction for stolen cards? A low
percentage of fraud is admissible, but the level mentioned in the article
raises a few red flags.

------
shiftpgdn
I find it funny that an SV darling like Stripe offers its customers no anti-
fraud measures like companies like Authorize.net do.

~~~
andyfleming
It's interesting that Stripe customers knowingly, or most likely unknowingly,
have overlooked anti-fraud measures and taken on additional liability in
exchange for a good user interface and easy setup.

~~~
jthnme
True - and once you are a merchant eager to sell and make a living, you really
don't pay attention or maybe don't realize that money charged and received is
not yours yet to keep. One thing that all users should do is enable CVC check.
Believe me it is better to deal with some user complaints and manual
processing then refunding fraudulent payments and screwing with your cash
flow.

------
needusername
There is of course a "solution": 3DS. But it's so horrible that American card
companies (VISA and MasterCard) only force it on the rest of the world, not on
the US of A.

~~~
matt4077
It actually works ok for me. I get an sms within 5 seconds and type in the
code, done. Not sure if it could lead to problems in more complicated
scenarios, i. e. when I'm not using a desktop computer in my home country.

~~~
needusername
Sending an SMS for every online authorization does not required 3DS.

~~~
Sujan
But it's another solution that works, isn't it?

~~~
needusername
If you're cool as a user / ch with 3DS then it's an OK solution.

------
sschueller
This is ridiculous, it is the responsibility of Merchant and card companies to
provide some sort of guarantee that the cards used are valid.

Why do we even accept credit cards if they aren't better than someone saying I
promise to pay you when I get your product.

------
jrjarrett
So what's the connection between hover boards and fraud, I wonder? Why not
something else?

~~~
MarkCole
Perhaps due to them being trendy? You use your stolen credit card to buy high
value items with a resale value. Resell the item to someone else, and you have
turned those numbers on a screen into cold hard cash.

------
celticninja
How can they have this level of fraud with a physical product that has to be
shipped somewhere?

~~~
URSpider94
They mention that in at least one case, most of the fraudulent purchases came
from a single IP. Whomever it is has arranged a place to drop-ship the boards
that will be untraceable. Perhaps they use addresses of unoccupied homes, then
just pick up the packages from the doorstep. I know in the past, criminals
have used fraudulent accounts at local mailbox rental stores, which they rent
for a month and then dump.

Point is, there are plenty of ways to launder shipments, if you are doing it
with a plan and at scale.

~~~
celticninja
I get that, but multiple orders to the same address from the same IP should
surely be raising some flags somewhere.

