
Radar – A new set of integrated tools to help prevent fraud - sinak
https://stripe.com/radar?
======
compumike
Just checked our Stripe dashboard and it looks like this has quietly been
doing good work for us for many months now blocking suspicious charges. It
took me a few clicks to find
[https://dashboard.stripe.com/search/rules?rule_token=block_i...](https://dashboard.stripe.com/search/rules?rule_token=block_if_high_risk)
and after going through a few of them, the per-charge risk factor descriptions
are really helpful too. The high-risk reasons are messages like: "This card
has been used from an unusually large number of IP addresses across the Stripe
network over the last 24 hours." and "This email has been linked to an
unusually large number of cards across the Stripe network over the last hour."

Thanks to Stripe for making it not-a-black-box! I hope others who build
machine learning systems also find a way to make its decisions understandable
by humans (when possible).
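The two risk reasons quoted above are sliding-window velocity checks: count distinct IPs per card over 24 hours and distinct cards per email over one hour, and flag when a threshold is exceeded. The following is an added illustration, not Stripe's code; the thresholds, the field names and the sample events are constructed assumptions. It keys on a card fingerprint rather than a card number, which is how a merchant-side check should work.

```python
"""Sliding-window velocity checks modelled on the two risk reasons quoted above.
Added example; thresholds, field names and sample events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds: more distinct values than this inside the window raises a flag.
MAX_IPS_PER_CARD_24H = 5
MAX_CARDS_PER_EMAIL_1H = 3


class VelocityMonitor:
    """Tracks per-card and per-email activity in sliding time windows.
    Events must be fed in chronological order. 'card' is a fingerprint/hash,
    never the PAN itself."""

    def __init__(self, ip_limit=MAX_IPS_PER_CARD_24H, card_limit=MAX_CARDS_PER_EMAIL_1H):
        self.ip_limit = ip_limit
        self.card_limit = card_limit
        self.card_ips = defaultdict(deque)     # card -> deque of (ts, ip)
        self.email_cards = defaultdict(deque)  # email -> deque of (ts, card)

    @staticmethod
    def _evict(window, now, max_age):
        # Drop the oldest entries once they have aged out of the window.
        while window and now - window[0][0] > max_age:
            window.popleft()

    def check(self, ts, card, email, ip):
        """Record one charge attempt and return the velocity reasons it triggers."""
        reasons = []
        w = self.card_ips[card]
        w.append((ts, ip))
        self._evict(w, ts, timedelta(hours=24))
        if len({addr for _, addr in w}) > self.ip_limit:
            reasons.append("card_many_ips_24h")
        w = self.email_cards[email]
        w.append((ts, card))
        self._evict(w, ts, timedelta(hours=1))
        if len({c for _, c in w}) > self.card_limit:
            reasons.append("email_many_cards_1h")
        return reasons


# Constructed sample: (charge_id, timestamp, card_fingerprint, email, ip)
SAMPLE_EVENTS = [
    ("ch_1", "2016-10-18T09:00:00", "card_A", "a@example.com", "10.0.0.1"),
    ("ch_2", "2016-10-18T09:05:00", "card_A", "a@example.com", "10.0.0.1"),  # repeat IP, no new signal
    ("ch_3", "2016-10-18T10:00:00", "card_A", "a@example.com", "10.0.0.2"),
    ("ch_4", "2016-10-18T11:00:00", "card_A", "a@example.com", "10.0.0.3"),
    ("ch_5", "2016-10-18T12:00:00", "card_A", "a@example.com", "10.0.0.4"),
    ("ch_6", "2016-10-18T13:00:00", "card_A", "a@example.com", "10.0.0.5"),  # 5th distinct IP: at the limit
    ("ch_7", "2016-10-18T14:00:00", "card_A", "a@example.com", "10.0.0.6"),  # 6th distinct IP: flagged
    ("ch_8", "2016-10-18T15:00:00", "card_B", "b@example.com", "10.0.1.1"),
    ("ch_9", "2016-10-18T15:10:00", "card_C", "b@example.com", "10.0.1.1"),
    ("ch_10", "2016-10-18T15:20:00", "card_D", "b@example.com", "10.0.1.1"),
    ("ch_11", "2016-10-18T15:30:00", "card_E", "b@example.com", "10.0.1.1"),  # 4th card in 1h: flagged
    ("ch_12", "2016-10-18T17:00:00", "card_F", "b@example.com", "10.0.1.1"),  # earlier cards aged out
]


def run_sample(events=SAMPLE_EVENTS):
    """Replay the constructed events; map each charge id to its triggered reasons."""
    mon = VelocityMonitor()
    out = {}
    for cid, ts, card, email, ip in events:
        out[cid] = mon.check(datetime.fromisoformat(ts), card, email, ip)
    return out


if __name__ == "__main__":
    for cid, reasons in run_sample().items():
        print(cid, reasons or "ok")
```

The deques keep only the window's worth of history per key, so memory stays bounded by traffic volume, and the same structure extends to other velocity keys (IP to cards, device to emails) without changing the eviction logic.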

~~~
arcticfox
Usually fraud systems are black boxes to prevent abuse, not because they can't
be human readable.

I agree however that to my eye it does usually seem excessively black-box, as
it's not like most fraudsters are idiots; they already know what tools are
arrayed against them.

~~~
rwmurrayVT
Prime example is MaxMind's minFraud. How long do you think it took for someone
to pay $500 and test their card details + billing information + shipping
information + socks5/RDP before submitting payment on a MaxMind "protected"
webstore?

MaxMind isn't a black box either. You can pay 0.03 USD to get the full
breakdown of scores on an inquiry. You can register and get an ID number to
token your fraudulent VM/RDP with the card before submitting a real payment.
That partially helps defeat their device tracking [1].

[https://www.maxmind.com/en/minfraud-device-tracking](https://www.maxmind.com/en/minfraud-device-tracking)

~~~
_pmf_
> You can register and get an ID number to token your fraudulent VM/RDP with
> the card before submitting a real payment.

That leaves a trail.

~~~
rwmurrayVT
Purchasing minFraud or creating device ID numbers? If you're on a RDP or VM
who cares? The trail will lead back to nowhere.

You want to create a history, a trail, so to speak, with browser/device, IP,
and card usage. MaxMind's device ID tracking is similar to what Radar is
offering. You've used your card before on a MaxMind protected website with
device ID creating LSOs. Now they have you fingerprinted and they can tell if
you suddenly start making purchases from an unusual PC/IP. It helps you as a
legitimate cardholder at the expense of your privacy.

Stripe uses IESnare when you sign up to determine if you have any sketchy
internet history or are a previously banned user. It's a similar strategy,
pose as a legitimate user for a week by browsing the internet normally and
search for payment processors to "compare" online. Then sign up after you've
created history on the device and IP.

------
bflesch
I like the rotating 3D model in the landing page very much. Are they using
some sort of pre-baked library which lets you create such a visualization
with 30 lines of JavaScript, or is it 100% custom? Maybe someone can point me
to a good resource for such elegant WebGL renderings.

~~~
edwinwee
Glad you like it! We used Three.js
([https://threejs.org](https://threejs.org)) to handle rendering the
icosahedron itself. Three.js actually includes an icosahedron as one of its
built-in primitives, however we also wanted to add some subtle details to the
model such as rounded edges. So, we created a rounded version in Cinema 4D,
and then rendered both that model as well as an invisible copy of the object
using the Three.js primitive. The primitive gives us easy access to things
like the vertex coordinates, that are then used to position the labels, which
are plain DIVs and not rendered with WebGL.

~~~
markdog12
Great work, result is awesome. Love how it pops in and fits with the page
background nicely. I find your web pages and documentation to be pretty much
the nicest on the internet.

------
rwmurrayVT
I think the "golden age" of online fraud is coming to an end quickly. I've
posted quite heavily on Stripe and fraud threads on HN previously if you want
to read my comment history.

This is a big step for Stripe. I've often asked why they didn't have an
integration with MaxMind or SiftScience already set up. They've been building
their own behind-the-scenes the entire time! This feature is fantastic if you
are a merchant and want to avoid fraud.

To me, the more interesting side of online credit card fraud is the
merchant/payment processor side. Stripe has a cult-like following in the fraud
world because it's known as the the easiest target. They make it so easy to
sign up and process transactions compared to other services like
Authorize.net/Braintree/etc. They've shed this label recently, in part because
the biggest forum thread discussing it was closed. The other reason was
because it became so much more difficult. With this release, I think it's
simply because they could identify accounts with high numbers of suspected
fraudulent transactions. All the fraudsters were used to just signing up,
running charges on their webstore with socks5, and waiting 2 days for bank
transfers. Now Stripe can identify those transactions well in advance and
assign each account a risk score. Previously, Stripe had to identify the
account risk by sales volume, chargebacks, bank account provider, sign up IP,
and everyone's favourite privacy invader IESnare.

Fraudsters have one last shining hope against Stripe. Passing their card data
to Stripe via API, instead of Stripe.JS/Checkout. Radar only works with
Stripe.JS/Checkout. Setting up your own web server to pass card information
prevents them from ever seeing any IP address except the web server. All you
have to do to get them to be okay with this is to turn over a PCI self-compliance
form. Rumour on the internet has it that there's a pre-built web application
specifically for charging Stripe accounts via API.

I'm still looking for a job in fraud prevention, friends at Stripe :D

~~~
undefined0
Using Spreedy to act as a 'white' proxy to their API would make it an even
harder job for Stripe to detect the fraudsters. What would be your solution to
the problem?

~~~
rwmurrayVT
It seems Spreedy is the solution I'm talking about. I can't say with absolute
certainty. Their website says it uses api.stripe.com, which is great.
Basically, any code that passes directly to Stripe's API instead of to
Stripe.JS/Checkout.

If you strip away the "buyer's" IP then a lot of their ability to detect
fraudulent transactions goes away. They still have account based limits and
other methods, but my personal opinion is the anecdotal increase in difficulty
of creating fraudulent Stripe accounts is due to Radar based detection.

------
joe-stanton
This looks good, and is sorely needed.

It seems one of Stripe's biggest risks is the impending PSD2/XS2A changes
within the EU/UK. This means banks/merchants/retailers will ditch traditional
card networks (and their fees) to instruct P2P payments directly. This
probably opens up a host of very effective anti-fraud measures too (eg. 2FA
with mobile devices).

I wonder how Stripe will react to this major change in the market?

For example: [https://developer.americanexpress.com/products/accept-amex](https://developer.americanexpress.com/products/accept-amex)

~~~
thesimon
> I wonder how Stripe will react to this major change in the market?

Probably not, as they are quite US-focused and 3D-Secure is still in closed
beta. Probably better margins in the US.

------
Cyph0n
This is why Stripe is my favorite startup out of the so-called unicorns. They
are really good at finding ways to make more money, while at the same time
improving customer experience.

------
robotnoises
Stripe consistently produces some of the best-looking web design out there.

~~~
jbpetersen
Agreed, their design gets high marks on executing current trends well, having
a distinct brand, and being functional to interact with. And that's on top of
serious talent and execution on the tech and business angles as well.

I can't wait to see how they expand as a company going forward and would
absolutely love to work with them if I wasn't preoccupied with more personal
pursuits.

------
aantix
It's a bit unclear to me; these rules appear to be automated but then they
show a rule builder interface?

How would I ever know if the rule I've built is too constraining, or too loose
in accepting payments?

Payment is not exactly an area of my business that I want to do a lot of trial
and error..

~~~
tarstarr
(I work at Stripe) Stripe's already actioning charges based on the feedback
from the machine learning models. We hope that they'll take care of most fraud
for you.

If you do want to write custom rules on top of what the models are doing,
we've actually built in a testing interface to the rule creation process. When
you test a rule, we'll actually simulate what the rule _would have done_ had
it been active for the past 6 months. Using that information, you'd be able to
tell the # of legitimate, fraudulent, or already blocked payments that would
have matched the rule & make a decision on what's best for your business.

That said, we're looking to make our opinion on a given rule more clear (rules
are still in beta) and would love more feedback on how we can make this
better. Feel free to drop me a line (tara@stripe.com) if you have feedback!
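What the rule-testing interface described above amounts to is a backtest: evaluate the candidate rule against the last six months of charges, whose outcomes are known after the fact, and count how many legitimate, fraudulent and already-blocked payments it would have matched. The following is an added sketch of that loop, not Stripe's implementation; the field names, the candidate rule, the six-month window and the history are constructed assumptions.

```python
"""Backtest a custom rule against historical charges with known outcomes.
Added example; field names, rule, window and history are constructed."""
from collections import Counter
from datetime import date, timedelta

# Constructed history. 'outcome' is what we know after the fact:
#   legitimate - settled and never disputed
#   fraudulent - later disputed as fraud
#   blocked    - already blocked by the default model when it was attempted
# Amounts are in cents.
HISTORY = [
    {"id": "ch_1", "created": date(2016, 6, 1),  "amount": 1200,  "card_country": "US", "ip_country": "US", "outcome": "legitimate"},
    {"id": "ch_2", "created": date(2016, 7, 10), "amount": 80000, "card_country": "US", "ip_country": "NG", "outcome": "fraudulent"},
    {"id": "ch_3", "created": date(2016, 8, 15), "amount": 60000, "card_country": "GB", "ip_country": "GB", "outcome": "legitimate"},
    {"id": "ch_4", "created": date(2016, 8, 20), "amount": 75000, "card_country": "US", "ip_country": "RU", "outcome": "blocked"},
    {"id": "ch_5", "created": date(2016, 9, 2),  "amount": 90000, "card_country": "DE", "ip_country": "FR", "outcome": "legitimate"},
    {"id": "ch_6", "created": date(2016, 9, 30), "amount": 55000, "card_country": "US", "ip_country": "VN", "outcome": "fraudulent"},
    {"id": "ch_7", "created": date(2015, 12, 1), "amount": 70000, "card_country": "US", "ip_country": "BR", "outcome": "fraudulent"},
    {"id": "ch_8", "created": date(2016, 10, 1), "amount": 3000,  "card_country": "US", "ip_country": "CA", "outcome": "legitimate"},
]


def block_large_cross_border(charge):
    """Candidate rule: block charges of $500+ whose IP country differs from the card's."""
    return charge["amount"] >= 50000 and charge["ip_country"] != charge["card_country"]


def backtest(rule, history, today, days=182):
    """Count, by known outcome, the charges inside the look-back window the rule matches,
    and total the legitimate revenue it would have turned away."""
    cutoff = today - timedelta(days=days)
    counts = Counter({"legitimate": 0, "fraudulent": 0, "blocked": 0})
    lost_cents = 0
    for c in history:
        if c["created"] < cutoff or not rule(c):
            continue
        counts[c["outcome"]] += 1
        if c["outcome"] == "legitimate":
            lost_cents += c["amount"]
    return {"matched": dict(counts), "legitimate_revenue_lost_cents": lost_cents}


def summarize(result):
    """Decision aid: of the charges the rule would newly block (not already blocked),
    what share were actually fraud?"""
    m = result["matched"]
    newly = m["legitimate"] + m["fraudulent"]
    precision = m["fraudulent"] / newly if newly else None
    return {"new_blocks": newly, "precision": precision, "redundant_blocks": m["blocked"]}


if __name__ == "__main__":
    r = backtest(block_large_cross_border, HISTORY, today=date(2016, 10, 18))  # constructed 'today'
    print(r)
    print(summarize(r))
```

The "already blocked" bucket matters: a rule that only re-blocks what the model already stops adds no protection, while the legitimate bucket is the direct revenue cost of tightening. That is the trade-off the person asking the question above wanted to see before turning a rule on.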

~~~
sandGorgon
Hmm... did you build a backtester that runs every time you test a rule?

~~~
cjbprime
Isn't that exactly what the comment says?

------
Liron
> On its own, a bimodal distribution does not tell you that a model is good.
> (A vacuous model that randomly assigns probabilities of just 0.0 and 1.0
> would also have a bimodal score distribution.) However, in the presence of
> evidence that transactions with a low score are not fraudulent and
> transactions with a high score are fraudulent, an increasingly bimodal
> distribution is a sign of improved efficacy for a model.

To do this more precisely, a scoring rule
([https://wiki.lesswrong.com/wiki/Scoring_rule](https://wiki.lesswrong.com/wiki/Scoring_rule))
gives a system credit for both (1) making accurate predictions and (2) being
confident at the right times.
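One concrete proper scoring rule is the Brier score, the mean squared difference between the predicted fraud probability and the 0/1 outcome. The block below is an added illustration of the point made above, not from the thread or from Stripe: it scores a vacuous model that emits random 0.0/1.0 verdicts (perfectly bimodal), a model that only outputs the base rate (not bimodal at all) and a calibrated model, over constructed labels, to show that bimodality alone earns no credit.

```python
"""Brier score as a proper scoring rule: rewards accuracy and calibrated confidence.
Added example; labels and model outputs are constructed."""


def brier_score(probs, labels):
    """Mean squared difference between predicted fraud probability and the 0/1
    outcome. Lower is better; 0 is perfect."""
    if not probs or len(probs) != len(labels):
        raise ValueError("need equally long, non-empty sequences")
    return sum((p - y) ** 2 for p, y in zip(probs, labels)) / len(probs)


def bimodal_share(probs, low=0.15, high=0.85):
    """Crude bimodality measure: fraction of scores sitting near 0 or near 1."""
    return sum(1 for p in probs if p < low or p > high) / len(probs)


# Constructed: 2 of 10 charges (positions 0 and 4) turned out to be fraud.
LABELS = [1, 0, 0, 0, 1, 0, 0, 0, 0, 0]

MODELS = {
    # Random 0/1 verdicts that ignore the charge: fully bimodal, half wrong.
    "vacuous_bimodal": [1.0, 0.0, 1.0, 1.0, 0.0, 0.0, 1.0, 0.0, 1.0, 0.0],
    # Always predicts the 20% base rate: no discrimination, but honest about it.
    "base_rate_only": [0.2] * 10,
    # High on the fraud, low on the rest, with one hedged fraud case.
    "calibrated": [0.9, 0.05, 0.1, 0.05, 0.8, 0.05, 0.1, 0.05, 0.05, 0.1],
}


def compare_models(models=MODELS, labels=LABELS):
    """Score each model; returns {name: {"brier": ..., "bimodal_share": ...}}."""
    return {
        name: {"brier": brier_score(p, labels), "bimodal_share": bimodal_share(p)}
        for name, p in models.items()
    }


if __name__ == "__main__":
    for name, m in compare_models().items():
        print(f"{name:16s} brier={m['brier']:.4f} bimodal_share={m['bimodal_share']:.2f}")
```

The vacuous model is the most bimodal and scores worst (0.5, twice as bad as a coin flip reported honestly as 0.5 would), the base-rate model scores 0.16 with no bimodality, and the calibrated model scores 0.00925 while being nearly as bimodal as the vacuous one. Bimodality is only evidence of skill once the score is checked against outcomes, which is exactly the caveat quoted above.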

------
eps
Is there support for whitelisting transactions?

E.g. if we are executing a charge for a known-good customer, but using
a completely new card - we'd like to suppress all automated fraud checks and,
ideally, indicate to the client's bank that this is a legit charge.

~~~
patio11
Yes.

We try to be smart about things. For example, if you use Subscriptions, we
assume that subsequent charges of a happily paying customer are also very
likely to be good and so we do not block them.

Most users won't need to tweak the default behavior, but it is flexible in
both directions. You can use the same rule builder interface to whitelist a
transaction vis-a-vis Stripe, using boolean logic on a variety of things
Stripe knows about the charge. Whether this will work for what you want to do
depends a bit on the specifics of it -- we'd be happy to advise.

A subtlety: Due to the way credit card payments work, customers' banks already
assume that every business running a charge is representing to them "It is our
good faith belief that this payment is legitimate" and so they don't expose a
way to say "No, really, we're EXTRA SPECIAL sure about this one. Please give
us their money." If they come to the conclusion that a payment is likely to
not be authorized, they will take action to protect their customer.

(Disclaimer: I work at Stripe.)

------
hisyam
The webpage automatically loads a 206MB video
[http://imgur.com/a/Xyie6](http://imgur.com/a/Xyie6)

That's insane.

~~~
badmon
Mind sharing what chrome extension you're using ?

~~~
hisyam
Download Shuttle

------
maratc
Most merchants don't want a rule engine, or rules. Most merchants want either
a declined transaction (possibly with explanation -- possibly), or an accepted
one with a guarantee against chargebacks.

If Stripe is sure that their models work, they should offload the chargebacks
from the merchants.

A friend of mine worked for a startup that did exactly that. They were sold to
an online payments behemoth in about 2009.

~~~
louischatriot
> Most merchants want either a declined transaction (possibly with
> explanation -- possibly), or an accepted one with a guarantee against
> chargebacks.

Well in fact there is an issue of misaligned incentives here. Your chargeback
insurance has a strong incentive not to receive any chargeback (of course), so
they will be overly cautious and decline a lot of valid charges. Stripe on the
other hand has perfectly aligned incentives with the merchant, as they don't
make money on a blocked transaction.

(disclaimer: I work at Stripe)

~~~
maratc
This does not contradict what I said. Declines should be free. Accepts should
be guaranteed (but not free). Stripe currently offers free declines, but not
guaranteed accepts.

------
dorianm
The video (from Teespring) is 206M, which easily explains why it's so slow to load.

(Congrats, we were using a separate fraud detection company that was quite
intrusive and this seems much better)

------
brightball
I love having this built in, but if you're NOT using Stripe and you want
similar protections I'd strongly urge you to check out MaxMind's minFraud.

[https://www.maxmind.com/en/minfraud-services](https://www.maxmind.com/en/minfraud-services)

------
Silhouette
This looks very promising. Stripe seems to have sometimes let surprising
payments through up to now, even with all the card details security checks
they provided activated, and they've never supported 3-D Secure. They've also
suffered from surprisingly high rates of unexpected declined charges in our
experience. Hopefully if they're now rolling out more comprehensive fraud
protection, that will go some way to addressing all of those concerns, so best
of luck to them with this new development.

Edit: It appears there's a small per-transaction charge for their enterprise
customers on custom plans but it's now included for free with the standard
pricing. Can anyone confirm this?

~~~
morgante
> they've never supported 3-D Secure

That's a feature. It's a horrible system which I wish nobody ever used. I've
literally never been able to successfully complete a transaction.

~~~
fomojola
I've experienced 3D secure and verified by visa effectively insulating a
merchant from chargeback risk (I'm talking 99% success rates winning
chargebacks). You're right, it is incredibly user-hostile and truly painful to
integrate (as compared to Stripe) but if you're in a business that sees a lot
of people trying to rip you off it works wonders.

~~~
wmf
It works wonders in eliminating chargebacks by also eliminating legitimate
customers?

~~~
detaro
Fewer customers but a lot less fraud could very well be the more profitable
and safe option.

~~~
morgante
Perhaps, but it's important to actually run that calculation. After all,
shutting down web payments entirely would totally eliminate fraud—but also
cripple your business in the process.

Personally, I will never use a 3D Secure system these days. If you require it,
I'll simply skip purchasing.

------
patmcguire
I work at a company with a fairly large number of transactions and we don't
really have a problem with fraud. I don't know anyone else who's really
battled it either. Is it much more prevalent for certain industries and
products?

~~~
tyingq
The most common scenario where we experience credit card fraud is high value
items ($500+) and a freight forwarder.

The scammer orders the item, using the billing address of the legitimate owner
of the card, but a shipping address that corresponds with a freight forwarding
operation. These places offer a US address, but forward the shipments on to
various places, including South America, islands in the Caribbean, etc.

Typically, the legit card owner notices the transaction way after it's
shipped, and files a chargeback. As with all "card not present" transactions,
the shop owner then foots the bill, including a chargeback fee.

It took about 3 times getting burned before we took the time to put some
countermeasures in place. The most helpful were geo-ip location for the
purchase itself, and a "flag this for review" filter for anything going to the
Miami area and/or anything with a longish suite number, keywords (freight,
global), etc.

Edit: Worth noting that most credit card fraud solutions I've seen don't have
a way to take the shipping address (as opposed to billing address) as part of
the data to check. For the type of fraud noted above, it's vital. Geo-ip
doesn't work well when the buyer is using a US proxy, or US based accomplice.
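The countermeasures described above (geo-IP against the purchase, and a "flag for review" filter on the shipping address for the Miami area, long suite numbers and forwarder keywords) are simple enough to express as a review-triage function, which also makes the edit's point: the shipping address has to be part of the input. The block below is an added illustration, not the commenter's own code; the keyword list, the ZIP prefixes used to approximate "Miami area", the suite-length cutoff and the sample orders are constructed assumptions.

```python
"""Shipping-address review flags for high-value card-not-present orders.
Added example; signals, thresholds and sample orders are constructed."""
import re

# Assumed signals. Forwarders often appear as businesses with words like these
# in the recipient or address; ZIP3 prefixes 330-332 approximate the Miami area;
# long suite tokens frequently encode a forwarder's per-customer mailbox id.
FORWARDER_KEYWORDS = ("freight", "global", "forwarding", "logistics")
MIAMI_ZIP3 = ("330", "331", "332")
SUITE_RE = re.compile(r"(?:\b(?:suite|ste|unit)\b\.?|#)\s*([A-Za-z0-9-]+)", re.I)
LONG_SUITE = 5
HIGH_VALUE_CENTS = 50000  # the $500+ band the comment above describes


def review_reasons(order):
    """Return the review flags raised by one order (constructed dict layout)."""
    ship = order["shipping"]
    text = " ".join([ship.get("name", ""), ship.get("line1", ""), ship.get("line2", "")]).lower()
    reasons = []
    if ship["postal_code"][:3] in MIAMI_ZIP3:
        reasons.append("ship_to_miami_area")
    m = SUITE_RE.search(text)
    if m and len(m.group(1)) >= LONG_SUITE:
        reasons.append("long_suite_number")
    if any(k in text for k in FORWARDER_KEYWORDS):
        reasons.append("forwarder_keyword")
    if order["ip_country"] != order["billing_country"]:
        reasons.append("geoip_mismatch")
    if ship["postal_code"] != order["billing_postal_code"]:
        reasons.append("ship_bill_mismatch")
    return reasons


def should_review(order):
    """Hold for manual review only when the order is high value and a flag fired."""
    return order["amount"] >= HIGH_VALUE_CENTS and bool(review_reasons(order))


# Constructed sample orders; amounts in cents.
ORDERS = [
    {"id": "or_1", "amount": 65000, "ip_country": "US", "billing_country": "US", "billing_postal_code": "98101",
     "shipping": {"name": "Jane Doe", "line1": "500 Pine St", "line2": "Apt 4", "postal_code": "98101"}},
    {"id": "or_2", "amount": 89900, "ip_country": "US", "billing_country": "US", "billing_postal_code": "10001",
     "shipping": {"name": "Global Parcel Depot", "line1": "7800 NW 25th St", "line2": "Suite 1A-4872", "postal_code": "33122"}},
    {"id": "or_3", "amount": 60000, "ip_country": "BR", "billing_country": "US", "billing_postal_code": "78701",
     "shipping": {"name": "John Roe", "line1": "10 Main St", "line2": "", "postal_code": "78701"}},
    {"id": "or_4", "amount": 2500, "ip_country": "US", "billing_country": "US", "billing_postal_code": "10001",
     "shipping": {"name": "Acme Freight Services", "line1": "1 Port Rd", "line2": "", "postal_code": "07302"}},
]


def triage(orders=ORDERS):
    """Map order id -> (hold for review?, reasons)."""
    return {o["id"]: (should_review(o), review_reasons(o)) for o in orders}


if __name__ == "__main__":
    for oid, (hold, reasons) in triage().items():
        print(oid, "REVIEW" if hold else "pass", reasons)
```

Note that or_2 is the pattern from the comment: billing ZIP of the real cardholder, shipping to a forwarder-style address in the 331xx area with a long suite token, and a US IP so geo-IP alone says nothing. or_4 shows why the amount gate exists: a low-value order to a forwarder is flagged but not held.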

~~~
X-Cubed
I understand your concerns as seller, but as a buyer located outside the US,
blacklisting freight forwarders is really annoying, as it blocks access to
legitimate buyers as well.

The government-owned postal service in New Zealand, NZPost, runs a service
known as YouShop
[https://www.nzpost.co.nz/tools/youshop](https://www.nzpost.co.nz/tools/youshop)
specifically to allow Kiwis to get access to products that are either only
sold overseas, or would cost ridiculous amounts of money to ship via those
sellers. They operate by providing a personal address in the US, the EU, or
China, backed by third-party freight forwarders.

~~~
tyingq
Unfortunately, the fraud rate is just too high for us to do otherwise.

Additionally, it creates issues even with legitimate customers. If the product
arrives with shipping damage, there's no way to know if it was caused by our
shipper, or the freight forwarder. The customer, though, is quite sure it's
our issue to resolve...

------
mgkimsal
Doesn't seem to be a way to use this _without_ using stripe. Would be handier
to send them info, have them give a pass/fail or score, and return that info.
And charge for the service, vs having to migrate to them.

Thanks to uladzislau - wasn't aware of SiftScience - will have to check them
out...

~~~
rhizome
MaxMind is another popular one.

~~~
mgkimsal
Thanks... I knew of MaxMind, but only the geo stuff.

------
rtcoms
I hope stripe open source some of their UI related stuff.

------
uladzislau
What is the advantage of this vs SiftScience or other tools?

~~~
ihsw
The data is from Stripe's handling of 100,000+ businesses' transactions,
probably a better dataset than SiftScience.

That's a big _probably_.

~~~
falafel_muncher
Doubtful that Stripe has 100,000+ business customers. Kount is another good
one, that's what Braintree uses apparently.

~~~
tristanho
From the page linked:

"We pinpoint fraud by building behavioral signals from across 100,000+ global
companies."

Apparently they do ;)

~~~
jusben1369
Couldn't that refer to buyers of their customers vs the actual customer count?

------
_RPM
Stripe is really the next Google with their innovative technology. They really
are solving hard Computer Science problems.

------
jamies888888
Cool feature. Stripe are pretty awesome at creating marketing pages for these
things too. Although it's a shame they messed up the green HTTPS padlock on
that page by serving mixed content. (The Teespring video on AWS S3 simply
needs the protocol changing from http to https to rectify this.)

------
ctdean
Pretty neat. Anyone know how this compares to the WePay offering?

------
FabioFleitas
Always gotta hand it to Stripe to build a killer looking landing page

~~~
zitterbewegung
On mobile I had to scroll up to scroll down when that object in the middle
intercepted my touch events.

~~~
bowmessage
Oh god! The horror!

------
joshmn
Yeah, I still wouldn't trust it.

Nothing beats manual verification. People aren't sharing credit card numbers
on public forums and mashing them against Stripe. People are paying for fulls,
and grabbing a socks5 that's piped within a few miles of the address of the
cardholder.

Never trust your processor to protect you against your (potential) customers.
Stripe has very little incentive to do so. They'd rather you pay that fat $15
fee when you get hit with a chargeback. They really would.

I'm coming out with a book about Stripe (and a few other processors) and
fraud. Trust me it will be good, and this is already a part of it.

Sincerely,

Someone who was once your enemy

PS: my favorite part of this? Telling the carder how to defeat their algos:

* "This card has been used from an unusually large number of IP addresses across the Stripe network over the last 24 hours."

* "This email has been linked to an unusually large number of cards across the Stripe network over the last hour."

Thanks for not saying the card was declined. If you wouldn't mind, please hold
while I switch socks and make a new email.

Sorry if this is crass, but whoever decided on telling the end-user why a card
was declined... complete fucking idiot and should never work in fraud
protection or payment processing again.

~~~
rwmurrayVT
If it isn't my personal favorite HN'er.

