Hacker News
A user is trying to steal from us and I don't mind (plusbryan.com)
131 points by plusbryan on Feb 23, 2013 | 91 comments

If HN incorrectly hellbans someone... they piss someone off.

If a retailer incorrectly hellbans a customer, that is, they tell the customer that their card will be charged, and that the goods they ordered will arrive in the post, but without the intention of doing either of those things, owing to a genuine mistaken belief that the customer is engaging in credit card fraud, but lying nonetheless... are they leaving themselves open to legal action from the customer? From regulators? I'd expect the bad PR alone to be a worse hit for a retailer than a bulletin board.

Absolutely spot on. Hellbanning a real user would probably be worse than not catching fraud in the first place, so must be avoided with utmost care.

- Hellbans are made via operator decision

- Hellbans are reversible and all customer support channels still work for a hellbanned user

This is my takeaway as well.

Also, why not just return "all charges as invalid" if the user has been Hellbanned?

What use is there to continue the charade, by in effect, providing false-positives to someone that will then go and act on that information and commit larger fraud? (by charging larger amounts with the stolen card).

I understand the sentiment -- just a little fuzzy on the execution IMO.

>commit larger fraud

If you are careful only give them FALSE positives (for good cards, decline), then when they ATTEMPT to commit larger fraud with the bad card they will be stopped.

This was my worry.

I've had experiences on a few sites (notably, RyanAir always seems to have problems) where I may try 3-4 cards, sometimes multiple times, before the transaction goes through.

Note that I have a few US credit cards, plus bank accounts in several countries & currencies... they're all in my name, but I wouldn't be amazed if I triggered some company's automated fraud triggers simply because of that.

If they hellbanned my purchases, I'd be seriously pissed... though I totally understand the OP's reasons.

I think as long as this has human review I'm in favor -- but if not, that's risking being seriously cruel to a legit user who simply has a non-normal interaction for unpredictable reasons.

I would be concerned about this as well; they'd better be damn confident that the people they hellban are actually scammers.

We're talking about micro-transactions - less than five dollars. If failing to charge for and ship small items at very small prices were legally actionable or subject to regulation, I imagine a whole slew of companies would be out of business.

And - if we were talking about $500 speaker sets or something, we would be talking about bad PR. But if a false positive fails to receive a $2 item, well, I imagine that would have to be a lot of false positives to lead to a net effect of bad PR.

Can you outline the law a company or individual would be breaking if you pretended to sell something to someone and didn't charge them for it without giving a solid reason?

Given you didn't save their credit card, issue a receipt stating payment was received in cash, or accuse them of a crime what exactly is the crime being committed here?

Perhaps more hoax than fraud?

IANAL but breach of contract. You have made an offer through your website, the customer has accepted that order through your website, at which point by default a contract exists between you. You can wiggle round it a bit with your T+Cs, but if you are giving them every impression that a contract exists which you can fulfil then they are allowed to rely on a contract existing. If you've made no attempt to charge their card, that's your fault, not something you can blame on the customer.

If there were too many false positives I would also expect to attract attention from Trading Standards --- false advertising? --- and they might be satisfied that you're making honest mistakes, or they might insist that you overhaul your fraud detection procedures or your customer communications, but either way they will suck up some of your time.

(This is from a UK perspective.)

> Can you outline the law a company or individual would be breaking if you pretended to sell something to someone and didn't charge them for it without giving a solid reason?

Probably section 17200 and 17500 of the California code. If you create the impression that a transaction has taken place, without actually performing one, that is fraud.

I disagree, if I order something from a site and it says it'll ship and I don't get it, I would probably call, which would probably get everything fixed.

Since my card would never have been charged I don't think there's any fraud or legal actions that could occur.

Though it may be effective, from a moral standpoint I find hellbanning to be as evil as the name would imply. To a lot of people, finding out that you've been ostracized and nobody told you would be extremely psychologically damaging. This applies more to discussion forums, of course, than online purchases.

Yeah, I had an account hellbanned here for over a year before someone finally told me. There's no way to find if someone replies to you on this forum so I rarely went back and checked if anyone replied to me, but it still bothered me that the admins would find it acceptable to let someone waste their time over an entire year without telling them their account is useless. Not to mention the additional 10-15 seconds of latency opening every page on the forum.

I use http://hnnotify.com/ to get the replies to my comments. It's pretty useful.

Find out if people replied to you at https://news.ycombinator.com/threads?id=consz

HN randomly takes about 10 seconds to load for me though I've never made an account here. In case my IP was slowbanned, can someone reply to this comment?

Sometimes HN is just slow. Last I heard, it's running in a custom server in a custom Lisp language on a single core of one server.

You're perfectly visible.

That's roughly what my experience with reddit was like. All of my posts sat on 1 point, all of my threads would get downvoted to zero and disappear.

HN uses hellbanning? Neat.

You can actually toggle the visibility of posts from hellbanned users. Under your account settings, turn on 'showdead'.

I leave it turned on, because while hellbanned users don't often contribute a lot, many of their posts are still interesting.

For example, take losethos, who is afflicted with schizophrenia and writes his own operating systems so he can make music with God. (You'll have to turn on showdead to see his comments): http://news.ycombinator.com/threads?id=losethos

For what it's worth, I believe losethos is now posting as SparrowOS, and that account is also dead. It's a tragic case, really, because LoseThos/SparrowOS is a fascinating piece of software, but its author is definitely on the fringes on non-software matters.


He changed nicks, still hellbanned:


I hope you don't find someone who has schizophrenia and hellbanned funny. Because that would be pathetic, and you would be heartless.

I no doubt misinterpreted your comment.

Not at all - I'm very sorry I gave that impression!

Rather, I find it to be an interesting window into the mind of a highly intelligent programmer afflicted with a tragic mental disorder. I enjoy reading his comments because I feel it allows me to understand, if only in a tiny way, what he's going through (although maybe this is simply hubris on my part).

If it's for a legitimate reason (credit card fraud, trolling), then why not? They more than deserve it.

Maybe there's some "compassion" bit that's stuck on in my brain, but I still feel sorry for trolls when they get hellbanned. Aside from that, a decent number of [dead] comments I see are not worth being [dead]. I used to make a point of trying to let the owner of the account know that either they made a stupid comment in the past and they should ask about getting let back in, or someone accidentally pulled the hellban trigger on their account, but it was happening often enough (and I have no connection with YC so there's no direct incentive) that I got tired of it.

How does shadowbanning even work on HN? Do you still get random increments to karma on different comments?

If not, I find it hard to believe that after long enough a period of time of noticing absolutely no activity on your posts, people won't catch on.

Also, yeah if someone is a troll I feel like it's 100% fair game to troll them back. And this is the best counter-troll of them all. I had exactly the opposite reaction of yours when I found out about the shadowban - finally! Some way for us to fight back and give them a taste of their own medicine. Assholes that they are.

There are only two problems with this - one, when people are shadowbanned wrongly/arbitrarily with no right to a fair and speedy trial in a court of their peers, and two, hypocritically I have a tendency to troll sometimes and this may or may not suck >_>

I don't even know how trolling is defined here; and without a clear definition that is actually used when hellbanning, I call BS on that. Trolling doesn't mean whatever you consider bad for whatever arbitrary reason; if it means that it means nothing, and is just an excuse and circular reasoning (ultimately defining trolls as those who got banned for whatever reason).

I can only speak for myself, but I got slowbanned for just being argumentative several times, and the fact that I got NO signal other than "somebody didn't like something in the hundreds of posts you wrote" means I can't really get invested in HN further than the comment I am reading or writing at any given moment. There is zero rhyme or reason and no class to such a process, and for all I know I just get punished for pointing out a truth someone likes to delude themselves about; so I can't even regret anything without knowing what the supposed error was. I just argue less because at the end of the day, what do I care if someone is wrong, and why spend, say, moral outrage or humour on a site that doesn't get or appreciate it, instead of letting it build up and blogging about it? That way everybody is happy :P

That said, for something like credit card fraud it actually seems smart, just like it might be for cheaters in games, or wherever you have an actual clear definition of "crime". This is not the case here, and it shows sometimes.

karma on hn is kind of odd, though; people simply don't seem to interact with the upvote button much. i wondered at one point if i had triggered some sort of ban because i had several submissions in a row sitting at 1 point, but then i got a comment upvote so i figured not. there simply isn't enough of a feedback loop for you to know for sure.

Timing is important as well. If you comment early on an article that gets lots of upvotes later on, you're more likely to get upvotes for your comments. As for submissions, it takes a lot of both luck and timing to get enough people to vote them up for them to reach the front page.

Yeah I agree with that but you pretty much ignored the question. A bad comment isn't the same as being a troll account, and you didn't mention anything about fraudsters.

Also most [dead] comments I see aren't from hellbanning.

I feel bad for trolls and even worse for people who made one remark that pissed off the wrong person and are a completely productive and well meaning poster (I regularly see this type on HN and notify them whenever possible) - but I have absolutely no sympathy for spammers and credit card fraudsters who get hellbanned. It's perfect for them.

I wasn't particularly damaged when I got hellbanned here. I was more curious than upset, and it was fun to see the different way the system behaved when it was 'pretending.'

Generally astute people notice when, if they are talking to someone, and that someone is answering in monosyllables and not paying attention that the conversation is unwelcome. It often isn't all conversations, sometimes it's just this conversation. People are busy, people are distracted.

I am often surprised when hell banned people say really outrageous things, and nobody responds, how do they rationalize that? Do they consider it incomprehension? Silent agreement?

At first I thought the same thing as you. However, for instances such as this where the service is especially appealing to criminals I think this solution is reasonable.

Finding effective ways of detecting someone who deserves a hellbanning vs a college campus which has all users behind NAT who will all be upset when the cards they ordered don't arrive as expected (let's assume users don't check their statements daily so won't notice a lack of charge) is a difficult task. It's quite the tightrope you end up having to walk.

extremely psychologically damaging to thieves? I'd vote for it any day!

It's comforting to want retribution, like a cozy blanket of anger, but (and I reserve the right to change my mind on this at some point in the future) I'd much rather try to find ways of pushing the right buttons to get thieves to become positive contributors to society.

That said, I'm in no way suggesting that payment services need to take up this responsibility at the expense of protecting legitimate users.

The only way to do that is to take away the carrot. They know perfectly well what they are risking and what they gain from it. Take away the gain and suddenly crime is much less attractive.

Very few "normal" human beings are highly rational and empathetic; it stands to reason that thieves, trolls, and fraudsters are no different, thus it's not safe to assume that they know everything they're risking or all of the consequences.

If we were talking about something other than credit card fraud I might agree with you but the whole reason why they try to buy something online first is to test it. If they realize that they can't test stolen cards anymore I doubt they will just wing it and hope to god that the card is good in the checkout lane.

Hellbans are reserved for the worst of the worst. Trolls and malcontents that a simple ban would serve as an encouragement not a discouragement.

That's true in theory. In practice, that's not what happens.

That's a question of poor moderation and admin control instead of a problem with the concept in itself I think.

If it were in physical conversation if someone consistently "spammed" a conversation, by say saying something out loud and obnoxious to get attention, I would ask them to be quiet or leave. If they became persistent the only last resort option I would find would be to ignore them altogether. It might feel morally wrong to simply ignore and pretend another person doesn't exist, but it might be the only thing that does the trick, it might cause them to rethink their words and actions.

That being said I feel like this is the way it should be handled online, something like hellbanning being the last option. Unfortunately the difference between real conversation and online is that online a person can simply reenter a board with a completely different name or "face," it could be literally impossible to tell whether a new board spammer is a first-time offender or someone who's been peacefully told to quit in the past. I'm not sure that off-line morals and psychology applies here in the same way.

I've seen more than one case in which someone found out they were accidentally banned months earlier, and took it very personally. I can empathize.

The other important function of hellbanning, and why I'm considering using it, is that by obscuring the moment you decided to execute the ban, you make it more difficult to reverse engineer what the criteria were. That makes it harder for an attacker to make progress in circumventing your protection.

It makes it harder to learn, and improve your behaviour. Just what we want in a community?

So I moused over this weird little black dot. It changed shape with the words "Don't move" next to it.

1 second later it seems I'd given this blog the equivalent of a thumbs up.

wtf? Dear plusbryan. -one kudo. THEN -another kudo for having a stupid system. In fact, -two.

Same here.

I hover over links to see where they go, comics to see their title text, and vote-buttons to see where they're from. That shouldn't and does not indicate my approval of this article, and I can't reverse it.

That's a good point - I'll mention this to dcurtis, who runs svbtle. Certainly don't want to sucker anyone into liking something they in fact do not!

It is deliberate on his part http://dcurt.is/unkudo

Interesting, I wonder how many of those 6342+ kudos were as a result of people testing what he was talking about.

> meaningless number

To nitpick, if it was really meaningless, it shouldn't be part of the page, at least not under the title "kudos" or under the disguise of endorsements by X people. Well so it carries as much meaning as a Facebook like button.

Regardless, I would care more for the content of a page than the brand or endorsements it received.

Exactly. "A meaningless number, prominently displayed."

His joke's on us.

So he knows it's meaningless, why is it even there?

Consider the possibility that he's lying when he says it's meaningless.

You can reverse it by doing it again or clicking or something. Still a bad UI and one I can't verify on my iPhone.

I remember reversing it once upon a time, but am not able to replicate it now.

this is part of the popular svbtle blog network theme and the obtvse theme copied from it. You'll see this theme used on at least 1/3 of the blogs posted on here, I've always been against the whole "mouseover-as-action" thing too.

Just wanna point out, Obtvse did not copy the "kudos" thing, precisely because its author had the same complaint.


There's also a new branch that looks very different: http://natewienert.com/

You might be thinking of WP-Svbtle which is closer to an exact copy.

Apologies for making an off-topic "correction" like this, but Nate Wienert seems like a nice guy so I hate to see his project unfairly accused.

my mistake, I didn't follow the events particularly closely; thanks for the correction.

Er...It's how Svbtle works...It's not OP's fault.

The author chose to be on Svbtle, yes?


My mistake then

Dear Svbtle. -one kudo in general. THEN -another kudo for having a stupid system. In fact, -two.

> A user is trying to steal from us and I don't mind

Of course, you mind. You hellban them for crissake.

Catchy title though :)

There's a cleaner variation of this.

Once you see a user go through 3 cards, each failing the authorization, fail all subsequent purchase attempts without passing them to the bank. If you feel like tar-pitting the guy, show "timed out" errors and tell them to contact support or ask them to try again with another card. Legit customers will contact support and the frauds will continue supplying you with stolen credit card #s, which you, of course, will diligently log for future reference.

This would trap me almost every time I try to buy tickets from RyanAir.

I don't know what's up with their CC processing, but it has never worked for me on the first try/first card.

Slightly off topic, but this keeps bugging me. How many cards do you have? Is it my circle and I, a New Zealand thing, or something else, but everyone I know has one card, 2 maximum. I once stumbled across someone with about 30 (when he brought them into an MRI scan room, despite having been warned a few times and me having taken them off him, but he'd have had none after doing that), but that's the only person I've knowingly met with more than 2. I should note that everyone here has a direct debit card too - EFTPOS.

Currently I have several cards due to having a life that's very internationally split, between the US/France/UK mostly, with bank accounts in each, plus (in the US at least) separated accounts for business/personal.

I have 3 US credit cards as well, one business and two personal -- the second is just a backup for if the first fails (and when I'm traveling, they fail frequently). It doesn't cost anything to have a new card (if you don't carry a balance), so it's useful to have a backup.

30 cards sounds like someone with a serious debt problem. Separate credit/debit cards are a really useful distinction -- in particular, I can maintain much higher security for my debit cards (and not use them online); a credit card purchase can be disputed without the money already being gone from your account. But they're certainly dangerous (given how people tend to rationalize spending money they don't have...), and carrying a balance on a credit card almost certainly means you're doing something wrong.

They make it really easy to live beyond your means; I got burned by that a couple of years out of college, clawed my way back out of debt over a few years (fortunately with reliable income and low expenses!) and haven't made the same mistake again.

I'm wondering if there is anything legally wrong with falsely saying that a certain transaction went through when it actually didn't.

If you issued a tax receipt, there very well might be.

But would a thief sue them for this? Would be fun to see someone sue them for not disclosing declining payment from a stolen credit card!

Probably not, but as mooism2 mentions, what happens when it's a legitimate customer who gets wrongly banned?

That will be a little bit of inconvenience for them. But since they don't get shipment or get charged, they will most probably contact customer care and get themselves unblocked.

If they are not charged and then the system tells them that the order is sent, that is not much harm. I know, not the best condition for a customer but acceptable to stop cc fraud!

you could say that the transaction went through but don't send an actual order confirmation by email to fraudsters. As far as I know carders will quickly try out a bunch of credit cards to see whether the charges went through but they won't stick around and wait for a confirmation email if the checkout screen says that the card has been successfully charged.

It's an interesting idea, but what if it's an error on your part and not the user?

There's no real channel for reverting the hellban once issued since you've pretty much permanently assumed the user is malicious and can't be trusted.

A few cases I could think of:

- User loses card and cancels it, but finds it again and uses it without realising.

- A single piece of information the user has provided is wrong, but the user repeatedly resubmits without realising. Eventually you hellban them, but they're actually a legitimate customer who made a mistake, but now you can never have them as a customer and might be feeding false positives to them and ignoring their calls for support after they fail to receive the product.

In the end, it doesn't seem like you're saving yourself (you mention Walmart as the one that usually suffers) and from my point of view you're shooting yourselves in the foot, as you could accidentally hellban a legitimate customer which could result in a bad reputation.

> and nothing stops a promising career in white collar crime in its tracks quite like a decline in the Walmart checkout aisle with $5000 of merchandise in the cart.

It is not Walmart that suffers, but the thief trying to use a stolen / fraudulent card at Walmart that suffers.

OP mentions it is an automatic and manual process of hellbanning. I am sure they will have the corner cases covered.

That's correct - I'd suggest flagging for immediate attention based on activity bounds beyond the norm (3 declines from different cards for instance) and then hellbanning if appropriate. Obviously we'd never want a situation where a real user ended up hellbanned, so the final decision is left up to a human.

Ok that seems more realistic, the actual process is key, I assumed it would be automated with no human intervention.

The naysayers have probably never dealt with real, persistent credit card fraud. I have. I think this is a beautiful idea that will do a lot of good for us.

I run a B2B SaaS company that attracts its fair share of fraud. If we simply string these bad actors along instead of banning them outright I think we would see a decrease in fraud attempts.

Of course this would only be a manual thing. The vast majority of our customers come from sales channels and not through the web or search referrals. This will work great for us as we already have a manual account approval process. Instead of banning them, we'll hellban them.

So you extend the offer. The user accepts the offer. The user believes they have shown consideration by paying for the item, and they expect you to fulfill the agreement that they believe has been created. Your messaging may even support this.

If you have anything less than 100% specificity with your fraud detection algorithm, don't you risk running into trouble because of violation of a contract (or something similar, IANAL)?

Only if they actually charge to the credit card.

If you never process the card and simply give them their 'digital content' or (in this case) mail a card to an address then you aren't violating anything. It'd be the equivalent of making a magnetic card reader out of cardboard and pretending to swipe it before handing someone a cup of lemonade.

Even if you never mail the card I don't see where you would have anything legally binding as you never processed the card in the first place. (IAANAL)

For one system I worked on we did this for legitimate purposes. It's a long story but it was around devices people would walk up to and use their card to buy stuff... if the machine was unable to process we would simply give them their stuff. The internet connection was crap and it failed about 20% of the transactions and we ---really--- did not want this thing to come back with an error 20% of the time, so it was just better to give them away for free. Eventually we fixed the internet issue but kept the code in there just in the off chance it happened again.

How do you know when a user is using stolen credit cards?

A thief running a scam like this will try 5-10 cards before moving on. Your average customer only owns 2-3 cards. We usually flag a user when they get 3 declines from 3 different cards - and if it looks suspicious enough at that point, we hellban them.

i'm assuming a couple chargebacks would need to get the ball rolling.

You never wait for the chargebacks. If you get chargebacks, they cost you a lot.

You try to detect/block immediately - if a thief wants to check 10 cards in 5 minutes, you want to block him in the middle of it. And you immediately revert/cancel any transactions that succeeded so that you don't get chargebacks.
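Added example, not part of the thread and not any commenter's code: a sketch of the rule described in the comments above, where declines from 3 different cards put an account in front of a human reviewer instead of triggering an automatic ban. The 5-minute window, the HMAC card fingerprint, the sample events and all names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac

# Assumptions (not from the thread): a 5-minute sliding window and a
# per-deployment secret used to fingerprint card numbers.
WINDOW = timedelta(minutes=5)
DISTINCT_DECLINED_CARDS = 3            # threshold quoted in the thread
FINGERPRINT_KEY = b"constructed-demo-key"


def card_fingerprint(pan: str) -> str:
    """Keyed hash so the rule can count distinct cards without storing PANs."""
    digest = hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    account: str
    card: str        # fingerprint, never the raw number
    approved: bool


class DeclineVelocityRule:
    """Queues an account for operator review; it never bans on its own."""

    def __init__(self, window=WINDOW, threshold=DISTINCT_DECLINED_CARDS):
        self.window = window
        self.threshold = threshold
        self._declines = defaultdict(deque)   # account -> (when, card) pairs
        self._queued = set()
        self.review_queue = []                # items awaiting a human decision

    def observe(self, ev: AuthEvent) -> bool:
        """Return True if this event pushed the account into the review queue."""
        if ev.approved:
            return False
        recent = self._declines[ev.account]
        recent.append((ev.when, ev.card))
        # Drop declines that have aged out of the sliding window.
        while recent and ev.when - recent[0][0] > self.window:
            recent.popleft()
        distinct = {card for _, card in recent}
        if len(distinct) >= self.threshold and ev.account not in self._queued:
            self._queued.add(ev.account)
            self.review_queue.append({
                "account": ev.account,
                "flagged_at": ev.when,
                "distinct_declined_cards": len(distinct),
            })
            return True
        return False


def run_sample():
    """Replay constructed events and return the accounts queued for review."""
    t0 = datetime(2013, 2, 23, 12, 0, 0)
    fp = card_fingerprint
    sec = lambda n: t0 + timedelta(seconds=n)
    # Constructed sample events (made-up card numbers, not real data).
    events = [
        AuthEvent(sec(0), "a1", fp("4000000000000001"), False),
        AuthEvent(sec(20), "a2", fp("4000000000000010"), False),
        AuthEvent(sec(40), "a1", fp("4000000000000002"), False),
        AuthEvent(sec(50), "a2", fp("4000000000000010"), False),  # same card retried
        AuthEvent(sec(70), "a2", fp("4000000000000010"), False),
        AuthEvent(sec(90), "a1", fp("4000000000000003"), False),  # third distinct card
        AuthEvent(sec(95), "a3", fp("4000000000000020"), False),
        AuthEvent(t0 + timedelta(hours=2), "a3", fp("4000000000000021"), False),
        AuthEvent(t0 + timedelta(hours=5), "a3", fp("4000000000000022"), False),
    ]
    rule = DeclineVelocityRule()
    for ev in events:
        rule.observe(ev)
    return [item["account"] for item in rule.review_queue]


if __name__ == "__main__":
    print(run_sample())
```

Account a2 retries one card three times and a3 spreads three cards over hours, so neither is queued; a customer who tries three cards in one sitting would be, and the rule leaves that case to the reviewer.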

It's actually usually way too late by the time the chargeback rolls in. Proper villains will have moved on.

Devious. Underhanded. Evil.

I like it!

Upside is that it slows down the thief. Downside is that it will cause legitimate users to rain hellish social comments down on your head.

You're really forbidden to do any false positive with that, or you are good for a PR nightmare. Moreover applying some kind of sanction without any of the traditional justice procedural safeguards makes me slightly uneasy.

Fun times. Do you track the cards that a specific individual uses? That way if you feel like turning that information over to the Lone Ranger they will have a method of tying all those incidents together.

I love the sporting aspect of this trick. Well done!

Totally unrelated: does anybody want a gift box? I've got several thousand.
