As I note frequently, I have a small pile of thank you letters as a result of the negotiation piece. Very few are written by people with an outsized public profile.
How many people do you think would hit that bar in the industry? Hundreds? I have hundreds of letters with numbers attached to them to say nothing of how many people simply negotiate, get the comp bump, and do not feel the need to email me about it.
Thanks for the reply. I don't know what to say... I'm not going to argue with your thank you letters, I'm sure your advice has helped many people! Somehow this became one of my most highly upvoted comments ever on HN, so my view of it seems to also be striking home for a lot of us.
I'm not trying to say all that matters is an outsized profile. I agree that if you have that rare intersection of: 1. acing the interview, 2. a strong background with well-known companies, and 3. (critically) are job-hunting during a hiring bull market, to the point where the company cannot pick and choose, and they feel they must hire you, then sure, negotiation will bear some fruit. OR, if you managed to get multiple offers. I think a lot of us have never seen either of those situations.
(I worked at a different processing company, which I am not speaking for.)
We're struggling to find the motive or intended outcome by the attacker(s).
The highest likelihood for me is that they're doing card/credential testing. They have either stolen or purchased a large number of stolen credentials. Those credentials are worth more individually if they are known to function. They can use any business on the Internet which sells anything and would tell someone "Sorry, can't sell you that because I couldn't charge your account/card/etc. Do you have another one?" to quickly winnow their set of credentials into a pile of ones which haven't been canceled yet and another pile. Another variation of this attack is their list is "literally just enumerate all the cards possible in a range and try to sift down to the cards that actually exist."
After sifting through to find the more valuable cards, they sell this on to another attacker at a higher price than the mixed-working-and-not-working cards, or they pass it to their colleague who will attempt to hit the cards/creds for actual money.
Digital items are useful because people selling them have high margins and have lower defenses against fraud as a result. Cheap things, especially cheap things where they can pick their price, are useful because it is less likely to trigger the attention of the card holder or their bank. (This is one reason charities get abused very frequently, because they will often happily accept a $1 or lower donation, even one which is worth less than their lowest possible payment processing cost.) The bad guys don't want to be noticed because the real theft is in the future, by them or (more likely) by someone they sell this newly-more-valuable card information onto.
This hit the company I used to run back in the day, also on Paypal, and was quite frustrating. I solved it by adding a few heuristics to catch them and giving a user matching those heuristics the product for free, with the usual message they got in case of a successful sale. This quickly spoils your website for the purpose they're trying to use it for, and the professional engineering team employed to abuse you experiences thirty seconds of confusion and regret before moving to the next site on their list. Back in the day, the bad guys were extremely bad at causing their browser instance to even try to look like a normal user in terms of e.g. pattern of data access prior to attempting to buy a thing.
Hope some of that is useful. Best of luck and skill. You can eventually pierce through to Paypal's attention here and they may have options available contingent on you being under card/credential testing attack, or they might not. I was not successful in doing so back in the day prior to solving the problem for myself.
Would also recommend building monitoring so you know this is happening in the future before the disputes roll in. Note that those disputes might be from them or from the legitimate users depending on exactly what credentials they have stolen, and in the case they are from legitimate users, you may not have caught all of the fraudulent charges yet. (Mentioning because you said "all of the charges" were disputed.) If I were you I'd try to cast a wider net and pre-emptively refund or review things in the wider net, both because the right thing to do and also because you may be able to head off more disputes later as e.g. people get their monthly statements.
We had the same issue (people testing stolen credit card numbers) on Stripe that was close to getting us shut off for a certain credit card company. We implemented a captcha and a tool to validate email addresses (emaillistverify) and it solved the problem.
We had the same issue because Marketing was using a stupid landing page SaaS tool to generate sales, it was connected directly to Stripe and we didn't have any control over it. We discovered the problem through Intercom, which notified us about a high volume of bounced emails (automatically sent after purchase). It was clear what was going on after discovering the same pattern.
To fix it, I had to proxy that unreliable SaaS software to implement CAPTCHAs and stronger bot detection. It was essentially a MITM-style proxy but for protection. It was fun to implement.
TIL about emaillistverify. Their website always talks about "bulk email checking", but I assume they also support "live checks" through an API?
I assume you prevent users from signing up if the check fails?
Top nav of their site has an "API" link which goes to a page that says "ELV’s API keeps your email list clean. Notify website user about an invalid email address when they are filling out a form."
I tried it out. Yes they do support a live check, but it seems... inadequate?
The first Google search result for "disposable email address" yields https://temp-mail.org, and an email address created with that service is not recognized as disposable.
I've run into this problem before and there are ways to stop it. Sure, your email blocklists work to an extent, assuming they're up to the minute accurate (which they're not).
I’d look into fingerprinting (https://github.com/fingerprintjs/fingerprintjs), block by ASN if it makes sense for your business (does OVH really need access to my SaaS?), use an active disposable email checker and possibly flag risky orders for manual payment capture if at all possible.
Thanks! I actually just ran into another problem with ELV, a request to their "single email verification" API timed out repeatedly. So not a good experience so far, will probably not keep using it.
When we were having our stolen card testing it was from people using made up gmail handles and ELV handled those easily. I guess it views temp-mail emails (and probably others) as real, which is unfortunate.
This is a very sad incident of carding attempts. You can sign up for the FraudLabs Pro service, and they have a velocity check to prevent carding if it is from similar browsers, IPs or email addresses.
This is correct. We have seen this over the years in our ecommerce business. I suggest using threat levels: you are under attack, so the threat level increases until they go away. When the threat level is high, you require an exact match AVS. You might have more aggressive filtering at the IP level; real users generally won't be on datacenter IPs. Pay attention to the ASN; sometimes you'll get an attack from a network that legit customers never use, so you can just block the whole network. Keep an eye on your logs, you'll notice patterns. The attack is likely coming from a single entity; if you make it difficult to abuse your service, then they will move on.
Agreed. This is a situation where you need a dedicated security team to classify and mitigate this kind of attack while making sure the mitigations don't add too much friction to your real customers. It's not easy. It's also not really on your payment processor to be the first line of defense for this kind of fraud.
You'll need to find some way to fingerprint to classify users into risk buckets and then treat them differently based on the bucket: blackhole, high friction verification, and likely safe are three reasonable buckets.
Cloudflare has tools that can help identify bots, much of this can be offloaded onto them.
Can confirm doing charity collection that we often encountered this. Credit card processor said there was nothing we could do about the more sophisticated attacks that used a wide range of IPs. We basically stopped them by freezing everything if there was an unexpected traffic spike. Not perfect, but it worked and they stopped trying us.
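One way to turn the ideas in this subthread (per-IP/ASN/email velocity of declines, exact-match AVS at high threat, flagging datacenter ASNs, freezing checkout on an unexpected traffic spike) into detection logic that runs over checkout logs. This is an added example, not any commenter's code; the log format, thresholds, ASN numbers and addresses are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real traffic): timestamp ip asn email amount result
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 AS64500 b1@example.net 1.00 declined
2024-03-01T10:00:03Z 203.0.113.7 AS64500 b2@example.net 1.00 declined
2024-03-01T10:00:05Z 203.0.113.7 AS64500 b3@example.net 1.00 approved
2024-03-01T10:00:06Z 203.0.113.7 AS64500 b4@example.net 1.00 declined
2024-03-01T10:00:09Z 203.0.113.7 AS64500 b5@example.net 1.00 declined
2024-03-01T10:02:00Z 198.51.100.9 AS64501 alice@example.org 49.00 approved
2024-03-01T10:30:00Z 203.0.113.7 AS64500 b6@example.net 1.00 declined
"""

WINDOW = timedelta(minutes=10)
ELEVATED_AT, HIGH_AT = 2, 4  # assumed velocity scores that raise the level
SPIKE_AT = 5                 # assumed attempts per window that freeze checkout
HOSTING_ASNS = {"AS64500"}   # constructed stand-in for a datacenter network
# Controls applied per level; "exact_avs" is the exact-match AVS requirement.
CONTROLS = {"normal": (), "elevated": ("captcha",), "freeze": ("reject",),
            "high": ("captcha", "exact_avs", "manual_capture")}


def parse_line(line):
    ts, ip, asn, email, amount, result = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "ip": ip,
            "asn": asn, "email": email, "amount": float(amount),
            "declined": result == "declined"}


class ThreatTracker:
    """Sliding-window counters keyed by IP, ASN, email and the whole site."""
    def __init__(self, window=WINDOW):
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps still in window

    def _count(self, key, now):
        q = self.events[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def assess(self, ev):
        now = ev["ts"]
        keys = [("ip", ev["ip"]), ("asn", ev["asn"]), ("email", ev["email"])]
        score = max(self._count(k, now) for k in keys)
        score += 1 if ev["asn"] in HOSTING_ASNS else 0  # datacenter origin
        if self._count(("site",), now) >= SPIKE_AT:
            level = "freeze"  # unexpected traffic spike: stop everything
        elif score >= HIGH_AT:
            level = "high"
        elif score >= ELEVATED_AT:
            level = "elevated"
        else:
            level = "normal"
        # Record after deciding: declines feed the per-key velocity counters,
        # every attempt feeds the site-wide spike counter.
        self.events[("site",)].append(now)
        if ev["declined"]:
            for k in keys:
                self.events[k].append(now)
        return level, CONTROLS[level]


def run(log_text=SAMPLE_LOG):
    tracker = ThreatTracker()
    return [tracker.assess(parse_line(l))[0]
            for l in log_text.splitlines() if l.strip()]
```

Note that the site-wide freeze also catches the legitimate purchase at 10:02, which is the "not perfect" trade-off the comment above describes; the per-key velocity levels are what let the real customer through once the burst has aged out of the window.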
She does not misrepresent her wealth in her article. At no point does she claim to be scraping by.
A direct quote:
> Initially, I was afraid that I wouldn’t be able to afford my taxes this year, but then my accountant told me I could write off losses due to theft. So from a financial standpoint, I’ll survive, as long as I don’t have another emergency — a real one — anytime soon.
I quote several more bits from the piece verbatim.
And how is that a misrepresentation? How people feel about their own financial situations and risk exposure is very famously and firmly in the realm of "that's just your opinion". There's no clear or correct interpretation of what "from a financial standpoint, I'll survive, as long as I don't have another emergency" means, unless you know her personally and know what she considers to be an "emergency".
A much better signal is that when she reflects on how the stolen $50k could have been used, she imagines: "I could have paid for over a year’s worth of child care up front. I could have put it toward the master’s degree I’ve always wanted. I could have housed multiple families for months." Sure, just because she didn't say "I could have paid off my mortgage/student/car loans" doesn't mean she doesn't have those. But it's a far stretch to assert that her written viewpoint sounds like a typical middle-class/upper-middle-class American, never mind definitively excludes her from being rich (or at least belonging to one of the hundreds of thousands of millionaire households in New York).
I seem to have set you off somehow, and I do not understand precisely how, but I feel this is important: I did not publicly accuse the writer of anything. (I did heavily imply publicly that I thought that the publication had no real fact checking; when they told me otherwise, after I requested a statement, I swiftly corrected that publicly.)
I had some doubts that the story, as presented, was true. I did what I hear journalists do, and went out and reported the story. Some people apparently believe this was an aggressive action, and some people believe that the original story was strictly true, and I can understand either of those beliefs separately but holding both at the same time seems tricky.
I did not believe that New York Magazine was complicit. I harbored the suspicion that they might be incompetent. This suspicion was exacerbated by unambiguous evidence of them being incompetent, in failing to detect that a 17-year-old claiming to have made $72 million trading stocks, and then doubling down on that story because their fact-checker had passed it.
You have made, in this thread, several claims that I am wildly miscalibrated with respect to banking procedure. I do not believe I am. For example, I seem to be able to make confident predictions like "Oh, if the teller window is on the second floor, that narrows the selection of bank branches sufficiently to be probably uniquely identifying given any other piece of information" and be proven retrospectively right on those predictions.
If you would like to take issue with my other claims about banking procedure, pick the one that looks fishiest to you, and then propose odds.
> I did not publicly accuse the writer of anything
C'mon, what scenario do you have in mind where New York magazine "materially disavows the article" [0] but the writer, Cowles, is not guilty of fabulism (presenting a creative writing exercise as non-fiction would count as that level of deception)?
> You have made, in this thread, several claims that I am wildly miscalibrated with respect to banking procedure.
I am very confident that you know far more about banking policy and conventions than I do. So when you assert that the facts of NYMag do not seem reconcilable with the reality of American banking, I'm happy to take your word for it. Now that you've essentially retracted that doubt, a doubt so strong that you were willing to spend thousands of dollars to investigate it over a year, I'm very confused about your priors. Was Cowles being richer than you had thought possible your only flawed assumption? Like if she had only written "btw I'm from a rich family and I live in an owner-occupied home in Brooklyn", that alone would have been enough to resolve the many issues you raise about the unlikeliness of a $50k cash withdrawal? What's the threshold of wealth at which that $50k transfer is given cursory approval? Is the $50k easy because she's a one-percenter? Would it be easy if she is/were merely in the top 5% or 10% of household wealth?
One of my main frustrations about your writeup is that it sets up these questions and then fails to answer them, as if the fact of Cowles' unspecified wealth is alone the self-evident answer? Speaking as a layperson, I assume that being a 30-something living in New York who had $80,000 in savings and checking alone -- which she explicitly states in her article -- would be enough to qualify for a no-hold-up same day $50k withdrawal from a New York bank. Is that not the case?
> I had some doubts that the story, as presented, was true. I did what I hear journalists do, and went out and reported the story
And genuine kudos to you, the world would be a better place if "trust, but verify" were our default modes of operation. I guess what bugs me is that your article opens with a detailed examination of how NYMag fumbled that 2014 profile of a teenage millionaire, but you end your own investigation after being apparently satisfied with a fact-check that seems almost as facile as the one purportedly done for their retracted 2014 profile.
Presume a universe in which Cowles did indeed publish a fabrication; it would require an extreme motivation for her to risk torching her career, and in such a highly public and scrutinized fashion. Such a motivated person could easily put in the work to make sure that the bank they allude to vaguely fits the description they choose to publish (tbh, we should ask ourselves why an ostensible fabricator would even choose to publish that "upstairs" detail, when they can easily formulate a description that vaguely applies to a dozen New York banks?). The fact that it's in a police report is, as you say, not a big deal given the light consequences of a false police report (and not a big deal, especially compared to the consequences of career suicide).
> This would be a very different piece if that police report, or any other documentation at a trusted institution, named e.g. 266 Broadway instead.
Why exactly would it be different? What if she had named 266 Broadway to the police, and omitted literally just a single word from her published article ("upstairs"); how would that change the thrust of your dogged investigation, which seems so premised on your knowledge and assumptions of the banking system? So many words and so much effort (again, kudos to putting in the infuriating work needed to get the NYPD to respond) are devoted to this one detail that one can't help but think it was a significant factor in quelling your doubt. Ironically, it reminds me of the strategy that Cowles' alleged scammers used: provide her with seemingly hard-to-know real world information (her SSN, her physical address, that her "2-year-old son was playing in [her] living room") to lull her into believing something much more significant (that the scammer is a CIA agent about to arrest her husband).
You aren't scamming us of course (hey it's not your fault for us choosing to read your article). But asserting that this second-story bank detail is worth attention, implying that a fabulising Cowles wouldn't have put that much thought into her lie, feels like a disservice to the rigorous investigation that your article promises. And without an equally significant number of words dedicated to how you may or may not have had miscalibrated assumptions wrt banking procedure, this is why your article feels incredibly frustrating.
> Speaking as a layperson, I assume that being a 30-something living in New York who had $80,000 in savings and checking alone -- which she explicitly states in her article -- would be enough to qualify for a no-hold-up same day $50k withdrawal from a New York bank. Is that not the case?
I'm no banking expert, but I'm pretty sure no-hold same day withdrawals of that size need much more than that. I wouldn't be surprised if her family has contracted with Bank of America for private banking and family office services, which is usually economical around the $10M assets under management mark (wikipedia says 50M[1] but I've seen lower numbers cited in FatFIRE). In which case the savings and checking figure is essentially nominal, as the wealth is there, but tied up for estate planning (read: tax minimization) purposes; if someone needs money, family offices can set up credit lines. I imagine in that scenario they're basically paying themselves interest.
In any case I doubt any bank is willing to publicly state what the thresholds are in a way anyone could cite, for fear of scammers using that info against them or their clients.
That's one of the things I thought Patrick's article would shed more specific light on, e.g. is it necessary to be in that kind of rarefied group (e.g. someone rich enough to have special services with the bank)? Or is being rich enough to own a $3M+ home enough?
The reason why I think the threshold may be much lower than what Patrick insinuates it to be, is because similar big cash scams have been reported by people seemingly much poorer than the NYMag columnist:
> What happened next is tragic for Colleen as she went to her bank. “I told him how much I had in there and he told me to withdraw everything but the $700. I told the lady I need to withdraw $19,000. I said I needed it cash.” Colleen said.
$19,000 is of course less than $50k, but it's still well above the $10k anti-laundering reporting threshold, and it involves a victim in Knoxville for whom that $19k represented her "life savings", yet it seems the bank didn't stop her from a same-day total withdrawal.
(Note: this Knoxville incident happened in Dec. 2024, so it's of course possible the victim is perpetrating a copycat fabrication after reading the NYMag article.)
Well, the phrase "I now doubt that account less" didn't evoke "this article outlines the non-refutation of a null hypothesis" for me when I initially read it.
After reading the article, sure, I can see that that's what was implied, but I can only say that it wasn't clear enough for me. I still enjoyed it for what it is, but I think I could have enjoyed it more if primed differently.
Tiny correction: in 2010, I invented a thing parallel to something many well-educated Americans of my acquaintance believe with respect to the centrality of their experience, for the Falsehoods essay.
In 2012, a clerk actually asked my wife and me, when we got married, whether it wouldn't make more sense for me to change my name. Then he wouldn't have to spell Patrick McKenzie on the wedding paperwork, and, approximate quote, "I already have to get one name change form out for her so filling out a second one is no trouble at all."
This is occurring against a backdrop of e.g. hearings of the U.S. Senate Banking Committee. I regret to inform you that the broader issue is of great interest outside our circles.
One of the three witnesses the Senate Banking Committee chose to call requested, the following day, a retraction from me… for reasons.
I certainly did not see this ever happening when I started selling bingo cards on the Internet, but here we are.
Appreciate the note. The production configuration still thinks it is in Tokyo, and I did all my reviews on a laptop that knows it is in Chicago. Will fix.