
A user is trying to steal from us and I don't mind - plusbryan
http://plusbryan.com/a-user-is-stealing-from-us-right-now-and-i-dont-mind
======
mooism2
If HN incorrectly hellbans someone... they piss someone off.

If a retailer incorrectly hellbans a customer, that is, they tell the customer
that their card will be charged, and that the goods they ordered will arrive
in the post, but without the intention of doing either of those things, owing
to a genuine mistaken belief that the customer is engaging in credit card
fraud, but lying nonetheless... are they leaving themselves open to legal
action from the customer? From regulators? I'd expect the bad PR alone to be a
worse hit for a retailer than a bulletin board.

~~~
kordless
Can you outline the law a company or individual would be breaking if you
pretended to sell something to someone and didn't charge them for it without
giving a solid reason?

Given you didn't save their credit card, issue a receipt stating payment was
received in cash, or accused them of a crime what exactly is the crime being
committed here?

Perhaps more hoax than fraud?

~~~
mooism2
IANAL but breach of contract. You have made an offer through your website, the
customer has accepted that order through your website, at which point by
default a contract exists between you. You can wiggle round it a bit with your
T+Cs, but if you are giving them every impression that a contract exists which
you can fulfil then they are allowed to rely on a contract existing. If you've
made no attempt to charge their card, that's your fault, not something you can
blame on the customer.

If there were too many false positives I would also expect to attract
attention from Trading Standards --- false advertising? --- and they might be
satisfied that you're making honest mistakes, or they might insist that you
overhaul your fraud detection procedures or your customer communications, but
either way they will suck up some of your time.

(This is from a UK perspective.)

------
nitrogen
Though it may be effective, from a moral standpoint I find hellbanning to be
as evil as the name would imply. To a lot of people, finding out that you've
been ostracized _and nobody told you_ would be extremely psychologically
damaging. This applies more to discussion forums, of course, than online
purchases.

~~~
consz
Yeah, I had an account hellbanned here for over a year before someone finally
told me. There's no way to find if someone replies to you on this forum so I
rarely went back and checked if anyone replied to me, but it still bothered me
that the admins would find it acceptable to let someone waste their time over
an entire year without telling them their account is useless. Not to mention
the additional 10-15 seconds of latency opening every page on the forum.

~~~
justincormack
Find out if people replied to you at
<https://news.ycombinator.com/threads?id=consz>

~~~
johnreese
HN randomly takes about 10 seconds to load for me though I've never made an
account here. In case my IP was slowbanned, can someone reply to this comment?

~~~
nitrogen
Sometimes HN is just slow. Last I heard, it's running in a custom server in a
custom Lisp language on a single core of one server.

------
GhotiFish
So I moused over this weird little black dot. It changed shape with the words
"Don't move" next to it.

1 second later it seems I'd given this blog the equivalent of a thumbs up.

wtf? Dear plusbryan. -one kudo. THEN -another kudo for having a stupid system.
In fact, -two.

~~~
NoodleIncident
Same here.

I hover over links to see where they go, comics to see their title text, and
vote-buttons to see where they're from. That shouldn't and does not indicate
my approval of this article, and I can't reverse it.

~~~
plusbryan
That's a good point - I'll mention this to dcurtis, who runs svbtle. Certainly
don't want to sucker anyone into liking something they in fact do not!

~~~
fhars
It is deliberate on his part <http://dcurt.is/unkudo>

~~~
nivla
Interesting, I wonder how many of those 6342+ kudos were as a result of people
testing what he was talking about.

> meaningless number

To nitpick, if it was really meaningless, it shouldn't be part of the page,
at least not under the title "kudos" or under the disguise of endorsements by X
people. Well so it carries as much meaning as a Facebook like button.

Regardless, I would care more for the content of a page than the brand or
endorsements it received.

~~~
rhizome
Exactly. "A meaningless number, prominently displayed."

His joke's on us.

------
huhtenberg
> _A user is trying to steal from us and I don't mind_

Of course, you mind. You hellban them for crissake.

Catchy title though :)

------
huhtenberg
There's a cleaner variation of this.

Once you see a user go through 3 cards, each failing the authorization, _fail_
all subsequent purchase attempts without passing them to the bank. If you feel
like tar-pitting the guy, show "timed out" errors and tell to contact the
support or ask to try again with another card. Legit customers _will_ contact
the support and the frauds will continue supplying you with stolen credit card
#s, which you, of course, will diligently log for the future reference.

~~~
jtheory
This would trap me almost every time I try to buy tickets from RyanAir.

I don't know what's up with their CC processing, but it has never worked for
me on the first try/first card.

~~~
lostlogin
Slightly off topic, but this keeps bugging me. How many cards do you have? Is
it my circle and I, a New Zealand thing, or something else, but everyone I
know has one card, 2 maximum. I once stumbled across someone with about 30
(when he brought them into an MRI scan room, despite having been warned a few
times and me having taken them off him, but he'd have had none after doing
that), but that's the only person I've knowingly met with more than 2. I should
note that everyone here has a direct debit card too - EFTPOS.

~~~
jtheory
Currently I have several cards due to having a life that's very
internationally split, between the US/France/UK mostly, with bank accounts in
each, plus (in the US at least) separated accounts for business/personal.

I have 3 US credit cards as well, one business and two personal -- the second
is just a backup for if the first fails (and when I'm traveling, they fail
frequently). It doesn't cost anything to have a new card (if you don't carry a
balance), so it's useful to have a backup.

30 cards sounds like someone with a serious debt problem. Separate
credit/debit cards are a really useful distinction -- in particular, I can
maintain much higher security for my debit cards (and not use them online); a
credit card purchase can be disputed without the money already being _gone
from your account_. But they're certainly dangerous (given how people tend to
rationalize spending money they don't have...), and _carrying a balance_ on a
credit card almost certainly means you're doing something wrong.

They make it really easy to live beyond your means; I got burned by that a
couple of years out of college, clawed my way back out of debt over a few
years (fortunately with reliable income and low expenses!) and haven't made
the same mistake again.

------
kcbanner
I'm wondering if there is anything legally wrong with falsely saying that a
certain transaction went through when it actually didn't.

~~~
ishansharma
But would a thief sue them for this? Would be fun to see someone sue them for
not disclosing declining payment from a stolen credit card!

~~~
untothebreach
Probably not, but as mooism2 mentions, what happens when it's a legitimate
customer who gets wrongly banned?

~~~
ishansharma
That will be a little bit of inconvenience for them. But since they don't get
shipment or get charged, they will most probably contact customer care and get
themselves unblocked.

If they are not charged and then system tells that order is sent, that is not
much harm. I know, not the best condition for a customer but acceptable to
stop cc fraud!

------
4lun
It's an interesting idea, but what if it's an error on your part and not the
user?

There's no real channel for reverting the hellban once issued since you've
pretty much permanently assumed the user is malicious and can't be trusted.

A few cases I could think:

- User loses card and cancels it, but finds it again and uses it without
realising.

- A single piece of information the user has provided is wrong, but the user
repeatedly resubmits without realising. Eventually you hellban them, but
they're actually a legitimate customer who made a mistake, but now you can
never have them as a customer and might be feeding false positives to them and
ignoring their calls for support after they fail to receive the product.

In the end, it doesn't seem like you're saving yourself (you mention Walmart
as the one that usually suffers) and from my point of view you're shooting
yourselves in the foot, as you could accidentally hellban a legitimate
customer which could result in a bad reputation.

~~~
manojlds
> and nothing stops a promising career in white collar crime in its tracks
> quite like a decline in the Walmart checkout aisle with $5000 of merchandise
> in the cart.

It is not Walmart that suffers, but the thief trying to use a stolen /
fraudulent card _at_ Walmart that suffers.

OP mentions it is an automatic _and_ manual process of hellbanning. I am sure
they will have the corner cases covered.

~~~
plusbryan
That's correct - I'd suggest flagging for immediate attention based on
activity bounds beyond the norm (3 declines from different cards for instance)
and then hellbanning if appropriate. Obviously we'd never want a situation
where a real user ended up hellbanned, so the final decision is left up to a
human.

~~~
4lun
Ok that seems more realistic, the actual process is key, I assumed it would be
automated with no human intervention.

------
loopdoend
The naysayers have probably never dealt with real, persistent credit card
fraud. I have. I think this is a beautiful idea that will do a lot of good for
us.

I run a B2B SaaS company that attracts its fair share of fraud. If we simply
string these bad actors along instead of banning them outright I think we
would see a decrease in fraud attempts.

Of course this would only be a manual thing. The vast majority of our
customers come from sales channels and not through the web or search
referrals. This will work great for us as we already have a manual account
approval process. Instead of banning them, we'll hellban them.

------
carbocation
So you extend the offer. The user accepts the offer. The user believes they
have shown consideration by paying for the item, and they expect you to
fulfill the agreement that they believe has been created. Your messaging may
even support this.

If you have anything less than 100% specificity with your fraud detection
algorithm, don't you risk running into trouble because of violation of a
contract (or something similar, IANAL)?

~~~
columbo
Only if they actually charge to the credit card.

If you never process the card and simply give them their 'digital content' or
(in this case) mail a card to an address then you aren't violating anything.
It'd be the equivalent of making a magnetic card reader out of cardboard and
pretending to swipe it before handing someone a cup of lemonade.

Even if you never mail the card I don't see where you would have anything
legally binding as you never processed the card in the first place. (IAANAL)

For one system I worked on we did this for legitimate purposes. It's a long
story but it was around devices people would walk up to and use their card to
buy stuff... if the machine was unable to process we would simply give them
their stuff. The internet connection was crap and it failed about 20% of the
transactions and we ---really--- did not want this thing to come back with an
error 20% of the time, so it was just better to give them away for free.
Eventually we fixed the internet issue but kept the code in there just in the
off chance it happened again.

------
joedev
How do you know when a user is using stolen credit cards?

~~~
leeoniya
I'm assuming a couple chargebacks would need to get the ball rolling.

~~~
PeterisP
You never wait for the chargebacks. If you get chargebacks, they cost you a
lot.

You try to detect/block immediately - if a thief wants to check 10 cards in 5
minutes, you want to block him in the middle of it. And you immediately
revert/cancel any transactions that succeeded so that you don't get
chargebacks.
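
The velocity check that plusbryan and PeterisP describe in this thread (several declines from different cards in a short span, flagged so that a human makes the final call), sketched as an added example that is not code from the article or from any commenter. The thresholds, account names, card strings and the HMAC fingerprinting of card numbers are assumptions of this example.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Assumed thresholds, echoing the figures commenters mention in the thread.
MAX_DECLINED_CARDS = 3       # distinct declined cards before human review
WINDOW_SECONDS = 5 * 60      # sliding window per account
FINGERPRINT_KEY = b"constructed-demo-key"  # placeholder; load from a secret store

def card_fingerprint(pan: str) -> str:
    """Keyed hash, so the review queue never holds raw card numbers."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]

class DeclineVelocityMonitor:
    def __init__(self):
        self.declines = defaultdict(deque)  # account -> (timestamp, fingerprint)
        self.review_queue = []              # accounts awaiting a human decision

    def record(self, account: str, ts: float, pan: str, approved: bool) -> bool:
        """Record one authorization result; True if the account is newly flagged."""
        if approved:
            return False
        events = self.declines[account]
        events.append((ts, card_fingerprint(pan)))
        while ts - events[0][0] > WINDOW_SECONDS:  # expire old declines
            events.popleft()
        distinct_cards = {fp for _, fp in events}
        if len(distinct_cards) >= MAX_DECLINED_CARDS and account not in self.review_queue:
            self.review_queue.append(account)  # flag only; a human decides the ban
            return True
        return False

# Constructed sample events: (account, seconds, card string, approved)
SAMPLE_EVENTS = [
    ("acct-typo", 0, "TESTCARD-A", False),     # one card retried: a typo, not cycling
    ("acct-typo", 30, "TESTCARD-A", False),
    ("acct-typo", 60, "TESTCARD-A", False),
    ("acct-cycler", 0, "TESTCARD-B", False),   # three different cards in two minutes
    ("acct-cycler", 60, "TESTCARD-C", False),
    ("acct-cycler", 120, "TESTCARD-D", False),
    ("acct-slow", 0, "TESTCARD-E", False),     # three cards, but hours apart
    ("acct-slow", 4000, "TESTCARD-F", False),
    ("acct-slow", 8000, "TESTCARD-G", False),
]

def run_sample() -> list:
    monitor = DeclineVelocityMonitor()
    for account, ts, pan, approved in SAMPLE_EVENTS:
        monitor.record(account, ts, pan, approved)
    return monitor.review_queue
```

Counting distinct card fingerprints rather than raw declines keeps the customer who mistypes one card three times out of the review queue, which is the false-positive case several commenters raise.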

------
VoltageSpike
Devious. Underhanded. Evil.

I like it!

Upside is that it slows down the thief. Downside is that it will cause
legitimate users to rain hellish social comments down on your head.

------
nraynaud
You're really forbidden to do any false positive with that, or you are good
for a PR nightmare. Moreover applying some kind of sanction without any of the
traditional justice procedural safeguards makes me slightly uneasy.

------
ferentchak
Fun times. Do you track the cards that a specific individual uses? That way if
you feel like turning that information over to the Lone Ranger they will have
a method of tying all those incidents together.

------
kirillzubovsky
I love the sporting aspect of this trick. Well done!

------
phil
Totally unrelated: does anybody want a gift box? I've got several thousand.

