Ugh, apologies. Something very clearly went wrong here and we’re already investigating.
Zooming out, a few broader comments:
* Unlike most services, Stripe can easily lose very large amounts of money on individual accounts, and thousands of people try to do so every day. We are de facto running a big bug bounty/incentive program for evading our fraudulent user detection systems.
* Errors like these happen, which we hate, and we take every single false rejection that we discover seriously, knowing that there’s another founder at the other end of the line. We try to make it easy to get in touch with the humans at Stripe, me included, to maximize the number that we discover and the speed with which we get to remedy them.
* When these mistaken rejections happen, it’s usually because the business (inadvertently) clusters strongly with behavior that fraudulent users tend to engage in. Seeking to cloak spending and using virtual cards to mask activity is a common fraudulent pattern. Of course, there are very legitimate reasons to want to do this too (as this case demonstrates).
* We actually have an ongoing project to reduce the occurrence of these mistaken rejections by 90% by the end of this year. I think we’ll succeed at it. (They’re already down 50% since earlier this year.)
> We actually have an ongoing project to reduce the occurrence of these mistaken rejections by 90% by the end of this year. I think we’ll succeed at it. (They’re already down 50% since earlier this year.)
More important than that is provide a way for people to get this revolved without having to make the front page of HN.
One particularly frustrating aspect of fraud prevention is that fraudsters are better than the rest of us at getting human support staff to do what they want. They have way more practice, and they learn techniques that work from other fraudsters.
Stop relying on HN/Twitter as coalmine canaries and hire human fucking support.
This trope is ground into the mud by now.
You don't get to outsource customer support, or better- nix it entirely and then act all shocked shit like this happens.
'Oh no I have no idea how this happened, even though this was the exact plan when we went to email-only suppprt'
If the entire road you have paved is one big crack in the ground, it's less like customers falling through the cracks and more like a city being swallowed up in an earthquake.
It should be made law if you are a payimg customer companies should have to offer customer support that the customer can actually understand.
Doordash and UberEATS are two of the worst companies in the US, and yet even they have (garbage, to be sure) customer service.
You guys cut all corners in the name of the Holy Profit. So why the hell should we cut you slack when you fall in the pit you dug.
Aww how cute you downvote me immediately with not a word of rebuttal.
I'm sure because there is literally no excuse for this bullshit behavior. Im fine eating fake points to call you out on it.
I'll say the same thing about fraudsters I tell clients about hackers, ransomware gangs, etc. What they do is their jobs and some of them are quite good at those jobs. Don't think of them as the stereotype angry teen that might have come to mind 30 years ago - these days it's more likely that they look just like your IT department working from home - or like technical employees in a Russian government office in Moscow.
> One particularly frustrating aspect of fraud prevention is that fraudsters are better than the rest of us at getting human support staff to do what they want. They have way more practice, and they learn techniques that work from other fraudsters.
Then put a flag on that account. Repetitive issues will make it clear what's happening.
Fraudster also doesn't have the same needs as most customers, they don't need to keep the same account... at best the same account will barely give them more credibility, but that would no longer be true if a flag has been raised previously.
There's plenty of ways to verify identities, use that when a flag has been raised previously. Again, something that sure a fraudster can do but lower odds than an actual customers.
It's never that simple. You're implicitly assuming that a fraudster wants the account long term, which is rarely true.
And identity is a VERY complex area, and nothing like as simple as "plenty of ways to verify identities". Particularly noting that fraud is often carried out by leveraging many partial opportunities: I use the (false/stolen) identity from over there to carry out of the fraud over here.
I know it’s not an ideal support mechanism, but I think this is one of the services HN provides to the community (informally). It can provide backdoor/informal channels through engineers and founders to some rather large companies. Especially when other avenues fail. But for the community, in this case, not only Stripe gets to learn about the issue, but we can all take something from this about automated systems and needs for manual overrides/reviews. This type of “case-study” can help many other companies avoid similar problems.
But we also get some of the back story from Stripe about why their systems are designed this way. What challenges they face that made these engineering choices make sense.
I’m sorry that this happened to the OP. But at least this channel of communication exists. And I think we can all benefit from it.
It only exists as long as the post gains enough attention to get to the front page. Which doesn't happen for every post - not even most posts - which makes it an exceptionally poor avenue of support.
> I know it’s not an ideal support mechanism, but I think this is one of the services HN provides to the community (informally).
I would like to know where and why Stripe's customer support failed in this case. Or even if it failed at all. Those are the only relevant details.
It's immaterial to the discussion whether any other web forum was used as an alternative to Stripe's customer support. I'm sure HN didn't signed up to be any company's customer support channel, or if it's reasonable to get it involved in this ordeal.
If I have a problem with Stripe, I want my business to be dealt with Stripe directly, and in the process not get a web forum involved. I would hate to be in a position where escalating an issue so that it becomes a PR issue as well is seen as the first step in a problem-solving workflow.
Maintaining the magic abuse detector requires secrecy around the heuristics, which means not always giving the clearest error codes/any error codes to the user re: what's wrong with their account/transaction.
Only a few HN posts can make it to the front page. Only if you are lucky then you will be able to raise your voice through here. So I assume there would be many users out there affected like this and their issues were never resolved.
We actually have an ongoing project to reduce the occurrence of these mistaken rejections by 90% by the end of this year. I think we’ll succeed at it. (They’re already down 50% since earlier this year.)
It seems to me that if a company provides such an important service to other companies (i.e. functioning as that company's direct revenue source - payments), then if somewhere it is determined that Stripe no longer intends to provide that service, someone at Stripe should be reaching out proactively, via a telephone or other method, to the leadership at the customer and explaining to them in detail why the decision was made to terminate the relationship and what recourse they have.
I shudder to think of the impact something that an algorithm based decision like would have on my business in this scenario. I would be an absolute disaster, and could have far reaching implications for the viability of someone's business.
Every single decision where Stripe is terminating a relationship should have a clear path to a human being for resolution, and should be reviewed by a human before the decision is even made. Like, setup a conference call with leadership and work through the issue. Most fraudsters wouldn't go through that process anyway, and it provides a proactive approach to working with customers who obviously would be in a complete disaster recovery scenario if this occurred so it would be all hands on deck on the customers side. Nothing is worse than having all hands on deck to address a critical issue and feeling helpless because the other side of the equation is an auto-responder email box.
No business should be writing blog posts for help on something like this.
This should be at the top of the comments IMO. I'm honestly stunned by this blog post because I always assumed a relationship with a payment processor like Stripe was akin to a banking relationship where you'd have an account manager that would reach out to you to resolve problems. If the banks can do it, why can't Stripe? Is it simply a difference in regulation and what they can get away with legally?
All of the big tech companies think they can use machine learning and algorithms to do everything and they have an "acceptable" rate of failure as a target.
The main problem with that is that even if the failure rate is .01%, the failure is typically catastrophic for that .01%. When the error is going to ruin someone's life, is there really an "acceptable" rate of failure?
A secondary problem is that machine learning and algorithms are going to have a tough time accounting for virility. IE: If I have a small product that goes viral, as a percentage change, my error/fraud/dispute rates are going to jump drastically. So at the exact moment where reliable, scalable payment processing is the most important in my life, the automated systems are going to have the highest risk of banning me and automatically denying my appeal.
The fact that 24-48 hours is considered an acceptable timeframe for an appeal is worthy of it's own paragraph. That's unacceptably slow if they're locking the account and doing irreparable harm to your business. That wouldn't be tolerated in a market with proper competition and my instinct is to ask for regulation that would involve a 3rd party in dispute resolution for a payment processor that's terminating a relationship in a non-amicable manner.
At least give me some options that can make things suck less. I'd prepay $500 (non-refundable) without even thinking about it to be guaranteed a phone call prior to account termination. I'd let them hold back a percentage of revenue up to an absolute value so it can be held as a (refundable) bond to protect against fraud. I'd let them hold back a higher percentage if their automated systems detect an increased chance of fraud / issues.
I think stuff like this is a stunning failure and I can't understand how tech entrepreneurs (of all people) can't understand why it's unacceptable. The dream for most of us is literally to build something that has overnight, viral success and makes us rich, but we've got companies like Stripe using ML algorithms that'll auto-ban you as soon as you deviate from the norm. How is that reasonable?
The absolute worst case scenario for a Stripe customer should be for the customer to opt to have all payments withheld (by Stripe) and to undergo some kind of dispute resolution or problem solving. Would you rather wake up to a banned account or an email saying they're holding your money until you call them? I know PayPal gets a lot of flack for the latter, but maybe it's not that bad compared to the alternative. The problem with PayPal AFAIK is they hold the money for a long time no matter what.
I get so frustrated when I see PR / damage control and the solution they're providing is "we're going to improve the algorithms." You can't. By the time those systems fail you need one-on-one human support where both sides can adapt, compromise, negotiate, etc. in real-time.
This is a fair critique. In cases like Stripe, I’m sure there are viable ways to have humans involved.
More generally, the big problem is that most internet companies are trying to achieve growth and user numbers which aren’t incompatible with having humans moderate everything. For example, everyone likes to hate on social media companies doing a terrible job moderating. But the reality is that you cannot hire enough humans to manually moderate billions of things daily. So algorithms are a necessity, unless we are willing to part with platforms which cater to extremely large audiences.
Just came to say that the "billions of things daily" is a red herring. The companies are simply too big to handle moderation even with an algo+human solution. So maybe any network should have only millions of things, or thousands.
1. The sheer volume of fraud attempts. Economics often dictate that it needs to be cheap and fast to reject a fraud attempt.
2. Information leakage. It's normal to see people complain that '<insert service of choice> banned them and refused to say way'. There's a very good reason for that: They're trying to slow the rate at which fraudsters learn to exploit them. So they deliberately don't detail exactly what the issue was. Yes, it's super frustrating if you get innocently caught up it, but it's not arbitrary.
TL;DR: Like everything else in life, there are real and genuine trade-offs here.
Since most of us are mere humans don't have the ability to get your attention by a viral post, how should someone get in touch to get this reviewed and rectified if they find themselves in such a position? I mean, OP's post shows that Stripe still decided to close the account even after "further review", so simply contacting support doesn't seem to be enough.
EDIT: I see that while I was typing you replied to a sibling comment. So we should contact you directly? Can I ask why this slipped through further review, it seems like a bug like this shouldn't require contacting a founder directly by email to resolve.
You don’t have to contact me in particular — you can get in touch with anyone at Stripe. (Or even DM Stripe on Twitter.)
With regard to the last part of your comment — absolutely. This is a final recourse when the system breaks, not a part of the system that we hope you ever have to use.
I suppose a related question then is if your review team is applying stricter rules than you are. Surely, in this particular instance, the review team should have been able to see that its a bug in the same way you are. I guess I'm confused by why contacting a founder helps here, are you overriding some checks somehow? Is that safe to do? If not, why did the review team not spot it?
Maybe it really was a strange and unusual set of circumstances that made this occur, so hopefully its rare that someone would need to escalate to you directly. Thanks for being responsive to questions and making your contact details available. That's a lot better than some companies do.
PS: since I have you here, completely off topic, I met you once in Dublin long ago and you got me interested in Lisp. Thanks for that :)
So, contrary to your email to your customer directly stating that this has been completely and fully and finally reviewed, there's this secret way you won't tell anyone (except your friends here on HN)? Yeah, this is working great.
I don't doubt that from your perspective as the founder of Stripe, that's the workflow you'd like to have for when things "go wrong", but from the perspective of someone currently interacting with Stripe support, I strongly doubt that simply raising a support ticket or reaching out on Twitter would result in any meaningful movement on a rejection like this.
Regarding Stripe's support: I emailed last night to confirm how to delete a user's card when it's represented as PaymentMethod, and in reply I received a link[0] to the cards/delete API documentation (which, in case you're not as steeped in PaymentMethod's as I am, won't work because the two objects are fundamentally different).
Given this rather lacklustre handling & having also been on the receiving end of someone trying to fraud the company I'm working for, I highly doubt someone who is asking for reconsideration after receiving a fraud ban would actually receive an escalation via the front-line agents manning support@stripe.com, and if they could, the actual legitimate bans that Stripe no doubt needs to put in place would simply abuse that channel and waste everyone's time.
I appreciate it's a really challenging balance of trying to provide an escalation/appeals process that won't be abused itself, and by comparison Stripe's approach of direct-founder-contact seems easier than Apple, as if your developer account application is rejected[1] you have absolutely zero recourse apart from going H.A.M. on Hacker News & hoping the community helps you out, whereas in this case there is a magic button that starts an invisible and unaccountable appeals process, that ultimately resulted in another rejection.
The only "solution" (if any) I can see to counter the negative experience (& associated PR) would be involvement in the appeals process, where you are allowed to effectively "state your case" via video call or submission of evidence, but this draws a thorny parallel to the judicial system, and I doubt Legal would sign off on such a process.
This is a problem that impacts basically any kind of appeals process, and Stripe's not alone in suffering from it, but that perspective doesn't help the dozens of founders that don't have the connections to sort this issues out in private, and are burning the attention span of Hacker News in the process of unblocking their businesses. Front-line support also isn't the answer, unless specific processes can be put in place to handle rejection escalations and get them into the eyes of the right people.
[1] Long story short: to use Apple's Mobile Device Management APIs, you need an Enterprise developer account, which thanks to The Verge & gambling apps skirting the App Store, isn't possible unless you went to Stanford with a future Apple PM. Admittedly, the chances of an Apple executive personally addressing this if I were to email is statistically quite low compared to emailing you.
If someone from Apple is reading this & would like to pre-empt the classic "Apple screwed me" Hacker News post, do feel free to email me on luke@ghostworks.io and I'll happily brief you on The Great Saga of Enrollment 4HZY7VX69S.
The only "solution" (if any) I can see to counter the negative experience (& associated PR) would be involvement in the appeals process, where you are allowed to effectively "state your case" via video call or submission of evidence, but this draws a thorny parallel to the judicial system, and I doubt Legal would sign off on such a process.
There's also the question/option of considering reputation, which also brings up scary thoughts about China's moves in that area. If you're complaining and are a well known highly voted participant on HN, YouTuber with thousands of subscribers, etc the risk that you as a public-ish figure are trying to scam is lower.
Oh absolutely, and that's something I'm taking into heavy consideration as I figure out the next move with Apple: I have next to no social clout or network, so if the loudest move I make in the tech sphere is "Apple screwed me", is that all I want to be known for?
I'm not hopeful for any change in these sort of review processes without any legislation changes, but it would be a truly tragic state of affairs if it were to escalate that far.
Ah! I knew I was forgetting something: much like that dude living in a cave in Lost, I have to SSH into that server and HUP nginx every ~80 days, as the user that does the certificate renewal isn't the same user that runs nginx.
One day I'll overengineer something to solve this, but for the meantime it's "ssh statichost -- sudo kill -s HUP 947" every so often. Thanks for reminding me, much appreciated!
Sorry to say that, but the fact that founders have to post on Hacker News to get necessary support from Stripe in case something like this happens, gives the impression that your reply is just reputation damage control, and nothing will actually change.
I would estimate that roughly 99%–99.9% of cases get resolved without anything on HN. (Per the GP comment, things have already improved 50% since earlier this year and will, I think, improve tenfold by the end of the year.)
If a Strip user appeals unsuccessfully through your official channels and then gives up, do you consider that "resolved"?
It seems like you exhaust those unfortunate users who banned due to Stripe's errors and then call it a success because they've stopped complaining. Or does your definition of "resolved" account for that?
It is just reputation damage control (i.e. this type of mistake will continue to happen - to err is human anyway), but communication is seen pretty favorably and it’s the sensible course of action.
If nothing changes, people will move away from Stripe on to something else. I'd say stuff like this is exactly how a business that wants to stay alive needs to react to swiftly and figure out the root cause for.
The communication from the founder or representative needs to reflect the commitment to change and show the plan they intend to execute. The GP didn't do so well on the second point (vague plan, at best).
If we see stuff like this still happening in 3-6 months, I think it's time to bring out the pitchforks.
Not really. Stripe has a better platform than competitors, and even though its support isn’t a strong point it’s still better than competitors (which admittedly is not a very high bar). It’s probably much better for large businesses who have their own contact/account manager at Stripe etc.
Last time I contacted Stripe I was given a round circle between departments, the department responsible denying the issue and/or sending me to an unrelated department (who had a good agent but, as expected, admitted she couldn’t fix the issue even though she recognised its existence). In the end it turned out to be a bug in Billing that was eventually fixed (per the dev IRC) but support denied there was any bug and kept giving bot-like responses. It was ridiculous. Stripe should probably improve its support, but even if it doesn’t it’ll probably do just fine.
Big tech and developed ‘startups’ are famous for bad support. Consider Coinbase, which barely responds, PayPal, which is useless, or Google/FB, which don’t even provide a contact option except in limited cases (eg GSuite for Business issues).
Right. I meant in terms of its APIs, Stripe’s product is solid. I’m not saying their user service/CS is great, although it’s probably average for the payment processing industry for non-large companies.
I had almost exactly the same issue as OP but with Braintree. The support was equally as useless. Stripe isn’t unique here, most tech companies just don’t know how to build good support.
It feels like there should just be a better process. Shut down payments to protect yourselves sure, but spare a real life person to email the customer and give them a chance to explain or at least understand why.
It seems like companies can't seem to get their act together to offer some kind of rapid escalation/remediation service. Maybe it's time for legislation to force their hand. This could potentially cost a business a ton of money (and affect a non-trivial number of employees) in the process.
Would 'paid' support help? Like pay, say... $150 up front, which is refunded (partial or all) depending on the outcome (error on their end, you get refunded?)
It runs the risk of turning 'support' in to a profit center, I support.
Microsoft (used to?) offer this for developer support and I remember using it maybe 15 years ago where it was a couple of hundred bucks to open a ticket but you got quick access to a real expert and good escalation.
If the issue turned out to be their problem the ticket was refunded.
For something business critical like this it is a way of signaling to the company that there is clearly somethin wrong with the automated process: a real scammer won't pony up hundreds of $ to get a review they would fail.
Exactly re: who won't pay. If I'm losing hundreds or thousands, I'll pay $150 just to get a real person's attention - most scammers won't. And yeah, it was MS I was initially thinking of, but haven't been in that world for a long time, so no idea if it's still an option.
What's your recommended way to get in touch with humans? Previously we had a manufacturing business + online store rejected because we mentioned that some of our customers may eventually be drop-shippers (i.e. an online store cannot prevent people from buying on behalf of other people) and there seemed to be no recourse other than "start a different business."
My email address is public (patrick@stripe.com). Lots of other people at Stripe also have public email addresses. (Just to be super clear, it’s a bug that you’d have to do this, and I’m sorry about the trouble! But when mistakes happen we do want to have a way to know so that we can fix things.)
What do you mean by drop-shippers and what do they do that's risky/bad?
Looking for drop shipping on Google leads me to pages e.g. by Shopify or Square explaining it's a model to run retail where the store doesn't hold stock or fulfill but instead has a distributor / manufacturer fullfil the transaction, shipping directly from them to the customer.
Some companies don't want to do business with drop shippers, maybe because they will often be unable to fulfill orders or because customers will often be upset that their order took a few weeks to arrive. As a manufacturer, we anticipated that some people would resell our products on their own storefronts.
if (transactionInvalid > 5) {
if (accountPossiblyFraudulent) {
sendAccountCancellationEmail(accountid))
stripeBackEnd.closeUserAccount()
}
}
It's disgraceful that there isn't multiple layers of careful analysis and INCLUDING personal reachout before canceling an account.
Big companies like Stripe need to be reigned in with legislation because they wield the power to destroy businesses and they do it without care.
Where is Stripes ombudsman - a customer advocate - an independent person with CEO level power within Stripe who's primary duty is to customers and is a channel of last resort when your normal support channels have failed? Why don't you have this?
How can you allow Hacker News to be the channel of last resort?
You're running a financial services company and doing it as though it's unimportant to cancel someones ability to invoice.
The lack of protection for your customers is why companies like Stripe need much tougher regulation.
In fact, you as the co-founder of Stripe should NOT be answering here on Hacker News. You should make it a point to NOT personally resolve such issues because if you have to, then you are acknowledging serious failure in your companies systems and serious letdown of your customers. In fact you should be appalled that Stripe so fails it's customers that they must go to social media to solve valid problems. You should simply be able to rely on some lower level person in Stripe finding this and posting a short message saying "please contact our ombudsman", and being assured that your ombudsman will give it due and fair consideration.
So surely this is not the only time Stripe has mistakenly cancelled an account - but this is the one case where the person who's account was cancelled was able to get their issue on the front page of Hacker News. Therefore is can be said that many people have their accounts mistakenly cancelled by Stripe and have no recourse - again where is your ombudsman?
This is serious systemic failure of Stripe. And the worst thing is it is not just Stripe - this is what people have now come to expect from giant companies that are a critical part of business - such as Apple's app store - people now expect that the company might one day send a random email saying, in effect that your business is over. You can't or won't fix it, so the law should.
Stripe founder need to hear this: "sorry" ain't enough.
> We actually have an ongoing project to reduce the occurrence of these mistaken rejections by 90% by the end of this year. I think we’ll succeed at it. (They’re already down 50% since earlier this year.)
How can you tell? It seems, naively as an outsider, like the problem is precisely that you can't tell if they should have been rejected, in which case you can't tell how often it happens?
Yeah, good question. First, we aren’t trying to calculate the absolute rate, just relative changes. (The absolute rate would be nice to know but it’s not needed to know whether we’re getting better or worse.) Methodologically, we sample/scrutinize rejections manually and also look at the occurrence of discovered false rejections. But you’re right that there could be some dark matter that we never become aware of.
Well it looks like the Brains Trust inside Stripe has found a way to duke your OKRs, because this guy's appeal was denied and he was cut off anyway. No wonder your "incorrectly identified as fraud" metric is trending down if your staff are simply doubling down on incorrect accusations instead of copping them. Sounds like Goodhart's Law in action - do you happen to tie bonuses to OKRs?
> Stripe can easily lose very large amounts of money on individual accounts, and thousands of people try to do so every day.
Not sure what case you refer to, but in our case someone was able to place multiple clearly (in my own hindsight) fraudulent orders on our woocommerce store. And it wasn't Stripe who lost on these chargebacks - it was us. The only way for Stripe to lose money in such scenario if seller (us) would be an active part of the fraudulent transaction. I.e. work together with someone placing fraudulent orders and immediately funnel money away and throw away stripe account. That is clearly not an option for an established business...
And no, it wasn't a niche attracting fraudsters - we sell pyrography tools, not electronics or some other similarly attractive products for fraudsters.
You figured out a way to do it (and people will set up businesses solely to do this) without having to think too hard. The creative things fraudsters will do is pretty wild. The time horizons they'll work on is also surprising - sometimes they move fast, sometimes they are quite patient and pose as an established business. And... sometimes they start out legit and then go to fraud when their business starts failing.
Give these guys a break - they are trying to onboard customers as fast as possible to reduce the headache involved. The only way to do it is automation. There will always be cases where things go wrong.
And sometimes the scammers will buy legit, aged accounts, or take them over, so just because an account has been in good standing for years, with what looks like real human interactions with support, isn't enough of a signal to know that a scam isn't taking place from that account.
Stripe’s customer support is absolutely horrible and ineffective, in my opinion. I have multiple firsthand data points, including three ongoing issues.
I've just forwarded you multiple threads now where at least 5 agents (each) have passed the buck, resolved the ticket without actually reaching a resolution, closed it, or just gone silent.
I don’t understand the stripe hate in the replies. In the past when I worked with stripe on a mobile project they were always quick to reply, and I felt like they did a good job of helping us through difficult problems (at the time a new platform) that is rare from a customer support perspective.
"We try to make it easy to get in touch with the humans at Stripe"
You used to offer live chat which is no longer the case, correct ? I understand that stripe has exploded as a business but with all the money being invested in Stripe, I would seriously recommend getting live chat back so at least we know we have someone out there looking for us. Perhaps offer this to customers who are diong a min. MRR (could be controversial).
The attraction behind Stripe is the ease of API but at some point, that will become unimportant if support is not good when we are talking about dollars. Just my 2 cents as an overall Happy Stripe customer for almost 7 years.
Seems like we got rolled into the same wave, just received the same email about our account. we have not had a single dispute, so clearly just an automated decision.
wrote back to the support asking to reconsider, really hoping for a quick answer!
Reading this, it seems like part of the problem was the false message. If there aren't any unauthorized charges, the system shouldn't be sending people rejections falsely claiming that there are. Mistaken rejections are unavoidable, but they can still accurately describe the reason for the rejection.
Every time. Every fucking time. And what if this post hadn't blown up on HN? This guy would just be screwed? If I want to use Stripe should my risk matrix include "fingers crossed HN picks up my story if I get shafted"?
I don't think crypto would solve this particular issue. Stripe needs the ability to back out of moving money, so there's several settlement periods for different parts of the transaction and ways to appeal transfers retroactively.
I suspect fraudster's are able to wait out this period without detection so they can cash out. If this is the case, then even time locking smart contracts won't help, as the fraudsters just wait out the time period. At that point Stripe would have even less recourse to recover money, as retroactive transfers are not possible at that point.
I could see services such as their debit card offering being abusable too.
They also likely have to worry about things such as predatory recurring payments as those will result in chargebacks which could ultimately fall on Stripe to foot.
As I understand it: When A pays B with Bitcoin via the Lightning Network, B can almost instantly be sure that they have the money. There is no way for A or an intermediary to take it back.
Edwin from Stripe here. (OP, I've just sent you an email and we can talk more over there—I'm terribly sorry for the trouble.) I can't get into too many specifics about an individual business publicly, but unauthorized charges have high potential to be disputed in the near future—and while Stripe itself doesn't have a dispute threshold, the card networks require businesses to keep disputes low.
Although that email in the post was admittedly a template, a human did review the transaction activity and actively sent the email. We're digging more into exactly what happened here to prevent the confusion from happening again. Over the past few weeks, we've been overhauling how we work with businesses in situations like these and are rolling out some meaningful improvements soon.
I understand that you probably don't have the power to directly change anything about this, but what does it even mean when a company says they're "improving how they work with businesses in situations like these".
Every time some big tech company makes promises like these, nothing really ends up changing. The emails always remain vague templates without details from a seemingly anonymous source. Companies end up changing the wording of their email templates, but that's about the only noticeable difference.
I have no doubt that a real human verified the problem and decided to send the email, but I've never seen any big company that swore their dedication to better communication actually change their policies to not make these emails look so... auto-generated. When you're ending a business relationship, even for good reason, you shouldn't come off as a robot.
Such comments on public websites always feel like damage control to me. I'm not claiming your comment is part of some specific damage control operation or anything, but I do wonder if adding that line does much for the credibility of the rest of the post. In my opinion, it adds a layer of corporate pixie dust on top of the rest of your words.
That being said, responding in public, especially in a place like HN, is a pretty brave thing to do, especially with all the other negative threads from others here, so I definitely appreciate the effort you put into this!
As somebody who helped write that email a while ago, I actually agree with you. We think the improvements we're working on will be pretty tangible—as pc mentioned above, we're not just rewriting the emails, but are working on a project to reduce these types of rejections entirely.
In this case, would that mean justuseapp's account being shut down earlier in the process? Neither your reply nor pc's seem to indicate (to me, at least) that justuseapp is likely to be reinstated and kept as a customer for a long time.
Based on my guess of what's happened (informed by working on card dispute systems), is sounds like JustUseApp have been exploiting a little loop hole in how card transaction work, which creates quite a bit of liability for Stripe if they're pushing through a significant amount of transactions.
My guess is that Stripe would work with them to tweak their product so it can work without expose Stripe to all this risk. Might result in something clunkier and harder to use, but at least it'll still work.
Great point. This does seem like an important vulnerability.
I think one method of protection would be using Stripes Radar service to screen transactions for malicious patterns.
While it probably won’t catch all fraudulent charges, it’ll catch a bunch. You can use that increase in rejected transactions as a canary to take a closer look at the other transactions coming through.
Does anyone else have ideas on how you can protect yourself from this kind of attack?
Edit: thinking about this more, it would be a pretty expensive attack to attempt. Stolen credit cards aren't cheap, like email addresses are. You'd need a lot of them to attempt the attack and you likely wouldn't succeed.
I think you'd need 1% of the target merchant's transactions to be chargebacks in order to get them kicked off. I'd assume at least 50% of your attempts would get caught before the chargeback even happens, so you'd need at least 2% of their transactions.
Seems like you'd need a large number of cards. Anyone know the value of a stolen card?
You’d need to come close to 1% in total charges. That’s roughly what Visa and MasterCard set as limits. This would work with anyone who accepts credit cards, not just Stripe customers.
You probably don't gain the entire market share even if the attack succeeds in leaving them permanently without a payment gateway, except in situations where the answer to "who is attacking us?" is fairly obvious...
Risk is relative thing the activity has to cross threshold for the appropriate gov entity to investigate and since they are swamped that threshold keeps going up.
I just want to echo here that Edwin is superhelpful in the past. He proactively reach out and get the problem fix on my first post, and on the second time I reached out to him and again, he's superhelpful to help me resolve and regain access to Stripe.
> a human did review the transaction activity and actively sent the email. We're digging more into exactly what happened here
I can already tell you what happened, Edwin. From your CEO himself:
> We actually have an ongoing project to reduce the occurrence of these mistaken rejections by 90% by the end of this year. I think we’ll succeed at it. (They’re already down 50% since earlier this year.)
Your staff are duking your metrics because you don't understand Goodhart's Law.
I went through the same thing.
Some ML algorithm at Stripe randomly classified my business (bog standard WooCommerce/WordPress e-Commerce store selling a single product in low volumes) as a risk and I found that the process for escalating it was Kafkaesque and slow.
Switched to Pin Payments[1] shortly after that experience and have never looked back. Of course, we live in the 2021 century and algorithms will flag issues automatically (I ported my phone number and changed my bank account on the same day, which was fun!), but they've always made sure to contact me and resolve the issue within minutes instead of cutting access. The few times I've contacted them, a competent person has both understood the issue and responded to it appropriately and promptly.
This product was leaning heavily on Stripe’s issuing API, so I don’t think pin payments is a viable alternative. I’m actually not sure if anybody else is a viable alternative. Is there another service that offers card issuing as an API?
Offtopic but I'm amazed you can legally hand out free (virtual) credit cards like these without anything close to a banking license.
The sales pitch, to pay for services anonymously, would make it trivial to use this service for money laundering. I hope the website is lying about how private those transactions really are.
I'm also a little sketched out by the fact the business resides in Wyoming while the person writing the blog says that Stripe wasn't available "in my country". The company has two directors, both of which are a vague "Cloud Peak Law" company which owns a bunch of unrelated LLCs, but no reference to any foreign owners. That's not very confidence inspiring either, in my opinion. I can find a similarly named company from Nigeria but there's no clear connection between the two.
Edit: the company's Cloud Peak Law P.C. "director" is a service used by a Wyoming company set up specifically to allow anonymous registration of a business, set up there specifically because anonymous businesses are allowed by the state. I wouldn't be surprised if one of this law company's other clients used their anonymous-business-as-a-service for something sketchy, causing Stripe to go up the chain and mark the entire Cloud Peak Law "person" as unreliable and disputed. After all, going by the public record, the company is actually run by this law company, not the person writing this blog post. That may be why Stripe is able to claim a dispute that doesn't exist in their own management system. I don't know if that's the reason, of course, because there's little transparency from other side here.
I don't think Stripe should be lying about the nonexistent disputes, but if I were to design a money laundering detection algorithm, this kind of stuff is exactly what I would watch out for. I'm guessing Stripe's machine learning triggered on this company and that they just picked a random TOS bullet point to end the contract by knowing that you won't be able to sue them for it anyway.
Hey, the blog post says we incorporated in the U.S from abroad. We did that with FirstBase.io.
Concerning the cards, we do KYC before the cards are issued and we submit same to Stripe. In extreme cases, we ask for users Govt-issued IDs. Our service might be anonymous to the outside facing world but our users are not anonymous to us and Stripe.
Earlier, your website apparently had the statement:
> Our credit card comes with a U.S. billing address, so you can unlock features restricted to the U.S or Western markets especially if you don't live there.
Allowing customers to easily "spoof" their billing address could be very problematic for me as a merchant. There are countries that I don't want to serve customers in, and in some cases am even prevented (by law or agreement) from serving customers in.
This is no different than using any virtual PO Box as a billing address.
There is a (very) large number of people who do this, especially in Canada, because US credit cards offer vastly better rewards even after taking foreign transaction fees into consideration.
Are you talking about American citizens residing in Canada, or Canadian citizens? Issuers are required by law to know certain things about you, which includes where you reside. Some US issuers will allow you to apply with an ITIN instead of a social security number but if you have no credit history in the US, your chances of approval are slim.
You cannot use a PO box as your residential address when you apply for a credit card. Assuming you have an SSN or ITIN, if you use a private mailbox as your residential address on a credit card application in the US, your mileage will vary. Some financial institutions maintain databases of private mailbox addresses and flag these if you use them but no matter what, falsely representing that you reside in the US on a credit card application by using a private mailbox with a US address will always put you at risk of an account closure.
Many issuers will allow you to set a mailing address that's different from your residential address. This can typically include a PO address. That's not the same thing as lying about your country of residence.
I'm referring to people who are not US citizens, living in other countries (Canada is a popular one).
As long as you get your foot in the door and pay the bills on time, your credit history only grows -- and it is extremely unusual for accounts in good standing to be closed. In theory they can close your account at any time, yes. In practice, this rarely happens, because it's common for people to move around the world these days and it doesn't make sense to close someone's account for that.
I've worked in fintech (lending specifically) and your claim that "there is a (very) large number of people who do this" is simply not true.
To get access to the half decent rewards credit cards in the US will at a minimum require you to have an ITIN. To obtain an ITIN, you need to submit an application to the IRS and provide a bunch of documentation related to your identity and foreign status. This documentation needs to be original or certified. If you don't use your ITIN at least once to file a tax return in 3 years, it will expire.
If you jump through the hoops to get an ITIN, as I mentioned, financial institutions usually have a database of private mailbox addresses. Technically these are called CMRAs - commercial mail receiving agencies. If you use a CMRA address when applying for a credit card, there's a good chance it will be detected. So you're going to need a friend or family member in the US to let you use their address. Also, if you apply with a foreign IP address, this too will likely be detected. Use of a VPN can trigger extra scrutiny.
The American credit cards that offer attractive rewards have the highest requirements in terms of credit score. If you have no credit history, you will not be approved for these. The average non-resident foreign national isn't spending enough every year on their credit cards to gain any meaningful benefit from a crappy American rewards credit card, or to spend years building up a credit history to get a better card.
As for people moving around the world, it's imminently easier for American citizens to keep their credit cards and get new ones when they become expats, especially if they don't change their addresses or set up alternative US addresses (with friends or family) before they move abroad.
I'm not entirely sure how you would launder money through this service. From what i can tell no money is actually passed through it. It just generates a temporary credit card which is never billed. It is just used to bypass the "please enter your credit card for this free trial" prompts.
I don't see them claiming they don't keep track of the transactions, so what's the problem? It's just a temporary card so the merchant doesn't know your original one, but in case of problems the intermediary still knows who you are, what your original card is, and who you paid to.
yes, except it is generated and maintained by a faceless, nameless holding company in the US.
I'm a businessman trying to hide my wealth, I get one of these cards and top it up with 100k from my CAyman islands bank account, and use it for all my daily spending. That's a very common method of tax evasion.
Strip could now be on the hook for facilitating this, which means they need to trust justuseapp to do proper KYC that complies with global anti money laundering policies, etc. That is a HUGE task, and if they get it wrong, the consequences are serious. So, when stripe says they're worried; they're right to be.
The intented use of this companies service might be altruistic, but it's really easily absued for nefarious purposes.
This is not possible. You cannot fund your account with more than $30 per day unless you are have the highest verification and right now, the limit at those levels is just $60.
It will take you years to move $100k at $60 per day.
It's entirely possible for an attacker with 100 stolen identities to make 100 $30/day accounts and move $3,000/day. or $6,000/day if they've stolen the person's government ID. It'll take just over 2 weeks to move $100k at that rate.
I guess stripe wasn't kidding when they said they would disrupt online payments.
On a more serious note; How much further is society going to allow this kind of thing? Hiding behind templated e-mails without any explanation. Disrupting people's lives who become collateral damage with no way out.
> The typical duties of an ombudsman are to investigate complaints and attempt to resolve them, usually through recommendations (binding or not) or mediation. Ombudsmen sometimes also aim to identify systemic issues leading to poor service or breaches of people's rights. At the national level, most ombudsmen have a wide mandate to deal with the entire public sector, and sometimes also elements of the private sector (for example, contracted service providers). In some cases, there is a more restricted mandate, for example with particular sectors of society.
I don't want to sound too cynical but I don't know of an ombudsman which has binding authority. Here in the Netherlands all ombudsman I know are non-binding.
I personally know of 2 dealings with an Ombudsman in the Netherlands. One involved me personally and another one of a good friend. In both cases the ombudsman advised in our favor. In both cases the reaction on the advice was: "Thanks for the advice, ombudsman, but we are not going to act on it.".
A non-binding ombudsman is in my experience just a paper tiger to make an organization look good and I have never seen a binding one.
Ive had an experience with an Ombudsman in the UK. I was stuck in a loop with a major broadband provider in the UK who were giving me the run around. I contacted the ombudsman and within 14 days of my first email the company resolved the issue, (after 4 months of back and forth before that). Despite being non binding, the moment they were involved my problem was resolved.
I'm not sure about that. The companies employing these kind of techniques are typically making huge profits. I suspect supply and demand would dictate that a bunch of the cost came out of those
Maybe I wasn't clear. I meant, why have the ML algorithm disable the account automatically if human review happens nearly 100% of the time, rather than simply have ML flag the account for human review, and let them decide whether to disable the account.
How much further is society going to allow this kind of thing?
"what these corporations are doing is literally destroying the basis for a developed economy.... [They] have all collectively routed around the rule of law which is necessary for sustained economic growth over time.
In countries with strong rule of law:
1. Property rights over land, equipment, and personal items are clear and protected by law.
2. Contracts between people, businesses, and the government are effectively enforced by the legal system.
3. Political accountability is high and corruption is low.
4. Business regulations are clear and enforced in a transparent manner.
In such environments people make long-term investments and build large organizations. In contrast, if the property rights and contracts are not enforced and the business regulations are not clear, most of the economy consists of small family owned firms with little modern equipment. A high-tech, prosperous economy would not develop.
Effectively, there are no contracts anymore in the digital economy. There is no predictability anymore. There is no accountability. There is no responsibility. There are no requirements for performance anymore. In sum, the US digital economy is rapidly becoming the equivalent of a third-world economy, complete with crony capitalism and digital robber barons."
It requires a paradigm shift. Automated escrow services could handle almost every dispute where both parties are honest, APIs for validating shipping and handling of goods/egoods could handle another large chunk, and human dispute resolution could handle the remainder.
Such a service could be offered by the legacy payment providers.
I have used such services in the past, but still feel the field is ripe for disruption.
I have considered this too. The issue I have encountered is that the vast majority of potential users/customers do not have and cannot quickly obtain Monero or Bitcoin or whatever.
Most all of them have VISA cards.
Expecting customers to carefully create a wallet, an exchange account (so they can buy the crypto) and considering how difficult that can be (even for technical users) is really unreasonable. When people can use crypto as easily as they can use a credit card, then it would be an alternative.
IMPO, this problem is very similar to the PGP problem. You'll get a lot less email if you only accept PGP encrypted and signed emails. You cannot expect your customers to do that. They won't, but they will send you plaintext emails from their Gmail accounts, just as quickly as they will pay using a VISA card.
Why would "society" care whether company A makes money instead of company B? This kind of thing is only remotely concerning to, like, VCs and tech workers hoping to strike it rich in the startup game.
That's a weird take. Society wants stability. Having large companies companies use a random number generator to determine whether they will arbitrarily blacklist (and thereby try to destroy) smaller companies isn't leading to stability.
Yes, society doesn't break down. Just as it doesn't break down if 1% of people were murdered each year. But society won't accept 1% being murdered. And once it's public enough, they'll also not accept that companies do stuff like that. Case in point: banks are tightly regulated exactly because of that, we need to rely on them to handle money efficiently, so we don't want randomness in their processes. Maybe it's time that Stripe & friends get more regulatory oversight as well, since they don't seem to be capable of managing themselves.
How are we a "high risk" merchant when our business is not different from Truebill.com (subscription tracking) and Ramp Inc (spend management) a company Stripe recently invested in?
The cynical me says there is your answer right there. You are a bit to close to something Stripe invested in, or at least close enough to something they will offer as a service soon.
Or, alternatively, the business (issuing virtual credit cards to consumers, seemingly worldwide) is pretty different from truebill.com (subscription tracking, yes, but doesn't issue cards, AFAICT) or Ramp (issues corporate cards instead of consumer cards, where I would assume there's a bit more due diligence).
> Our credit card comes with a U.S. billing address, so you can unlock features restricted to the U.S or Western markets especially if you don't live there.
Isn't this just straight up fraud?
Admittedly I'm not familiar with any of the services mentioned, so correction is welcome.
>Is everyone learning from the best (cough Amazon)?
You mean learning from the 5th highest market cap company? Isn't that sort of expected? The question you should ask if why the government doesn't step in since companies will do what they can to optimize stock price.
If that actually worked as some people think it does, the corporate income tax rate would be 0%, there would be no labor laws, no OSHA, no EPA, and so on.
If they wanted the biggest part of the cake, the should keep the small businesses next to their own. The know their competitors and, in the case of them failing, they'd still be on the winning side.
As the saying goes, to make money in a gold rush, sell pickaxes.
I really feel for the author. We had once decided to participate in Stripe's Identity Verification beta. After submitting the form to request participation, Stripe's system locked our account pending verification.
We were fortunate in that we had a backup payment gateway integration "just in case", because otherwise we would have been completely unable to accept any payments at all for a full week.
That week was still extremely stressful. They offered no explanation or reason for putting our entire business on hold.
>We were fortunate in that we had a backup payment gateway integration "just in case"
This seems like the key point here. I'm not a software guy or even a payments guy, I'm a network infrastructure engineer.
For anything that we want more than 99% uptime, we put in two of everything, sometimes more. Two separate service providers, ideally coming down different physical paths where practical.
"Treat infrastructure as possible failure points and prepare accordingly" holds just as well for the payment infrastructure. Interesting and fresh perspective, thank you for sharing.
It's not possible to increase availability with redundancy in all cases, because not all financial actions are idempotent.
For example, sending money via a banking wire. If the bank goes down, you can't send a second wire through another bank without loss because the first wire is not retractable.
Great practice, specifically determining how much redundancy you need, and making sure it is available. The theme also goes with your acct name quite nicely!
I have a hunch their main concern is this kind of marketing on your site:
"Access the American market
Our credit card comes with a U.S. billing address, so you can unlock features restricted to the U.S or Western markets especially if you don't live there."
Stripe might not even be allowed to say the reason if they brushed up against anti-money laundering policies. This is probably the exact reason for the ban, and the reason they wouldn't talk to the company about it.
That would be more believable if you didn't specifically call out allowing foreigners to pretend to be from the US to "unlock services": aka - violate the TOS of said service and likely breaking one or more US laws.
Said gym memberships tend to be because you signed an annual contract, with specific requirements to cancel early.
Using one of these one-time-use cards won't get you out of the debt itself, and these sorts of gyms will happily wreck your credit by sending it to collections.
I've heard of some cases where the contract auto-renews and requires an in-person presence during a limited time window to cancel when they're quite busy.
While I'm sure these places have it in their terms, just making someone sign a contract to agree to it doesn't make it not-unethical or not worth criticising. It just makes it "not illegal in some jurisdictions"
So any business that accepts cash generates suspicion? I think not.
The reporting you are referring to only relates to bank transactions. In the US, When a business deposits their cash receipts, the bank generates a report. There is no obligation on the business (e.g.a car dealership that sells a car for $100k in cash has no incremental reporting burden)
More importantly - because x can be used in the commission of y crime, but the vast majority of the use of x is in perfectly normal/legal use, one should not cast suspicion on the use of x or reverse the burden of proof on for using x.
That's an interesting point, because Stripe also doesn't handle cash.
Something can be perfectly fine for people to do, and it can be just as fine for Stripe to not want to handle it. They can choose what types of businesses they want to allow on their network. It potentially creates opportunities for other service providers.
My SaaS business serves corporate law firms and investment banks that invest in large corporate bankruptcies (think Hertz). When I launched, I first applied for a merchant license from Stripe, and was quickly denied by an automated system, citing violation of TOS (no reference to what violation). But given there are a ton of alternatives, I just used Braintree instead and it's been a great experience so far.
It’s disappointing that they didn’t give you a clear explanation, but it seems like the second email is saying their humans looked at your business model, issue US cards to consumers all around the world so they can manage subscription spend - and, implicitly, so they can dispute charges or cut off cards as a way to stop paying a shady subscription service - is high risk and Stripe doesn’t want to do it.
I can understand that point of view. What I don’t understand is why they couldn’t write a clear email explaining their position so you would actually know what’s up.
Funny how this has beeing a tendency last years. Big american corps just banning small users/companies without any reason and not giving them support whatsoever.
As a developer this puts a big dent on Stripe's reliability and I'm not advising it to any client. Ever.
I think big companies tend to do this by accident, more out of incompetence than malice.
Yet this sort of thing just begs for future draconian government interference. Seems to me a smart company would find a way to not invite that unpleasantness on themselves.
> I think big companies tend to do this by accident, more out of incompetence than malice.
They have bots deciding the future of their users. And when the bots make some kind of mistake they don't give support for the costumer or neither check if the user got wrongly banned. It's some kind of sick blind trust they place on automated systems. Nothing wrong against these systems, but they should have a system in place to check wether these made a mistake or not.
Silicon Valley wanting to "disrupt" industries seems to have a bad habit of becoming the thing they tried to disrupt. Guess you can put some money in an iceblock in front of their HQ and see what happens.
Reminds me of when people loved online video like YouTube because of the lack of commercials.
As someone with a pre-launch SaaS who just signed up for Stripe, reading this has me shook up a little bit. I'm Stripe-integrated for payments, and poised to go through Stripe Atlas soon, or at least I was.. Now I have no idea what to do. I know that OP's story isn't spotless, but what if it's my thing that gets in this situation too?
I wish I could say I'm joking but I don't need this right now, I'm ~90 days out from launch, I should be tweaking final touches, not building just-in-case backup integrations with other processors.
Proceed with launch as planned and validate your market first of all.
After you have validation of customer buy-in and market acceptance, when you have time and/or funds to spend on your Stripe-alternative feature sprint, setup and integrate a 2nd payment gateway for redundancy.
(as per the commenter above whose biz was banned from Stripe for 7 days by the imperfect non-recourse ban-bot)
Maybe even choose a different gateway that is more cost effective per transaction for a subset of your global customers, and code your system to route customers payments to the preferentially lower-priced gateway for their country.
Then if one gateway bans you, it's not a showstopper and your business is not severely damaged.
> I have a hunch their main concern is this kind of marketing on your site: „Access the American market Our credit card comes with a U.S. billing address, so you can unlock features restricted to the U.S or Western markets especially if you don't live there."
I saw this, and even though my thing is nowhere near what OP is doing, the amount of what-ifs going through my mind right now is causing undue concern. My SaaS is a podcast host, what if someone I'm hosting says something "wrong" in their show description and Stripe's algo doesn't like it?
Edit: There's a lot on my mind right now, editing to stop for a moment and say thank you, your comment is somewhat reassuring which is what I think your intention was.
Think about it from their point of view. Stripe's algo isn't going to go into your platform and investigate podcast guests political opinions - that's some AGI level-5 self-driving car stuff if their automated flagging system could do that. No, their algo is gonna look at the credit cards your system is sending them, how much and how frequently you're charging them, and how much that looks like you're doing bad things (like stealing money from people). From your very limited description, you're totally in the clear.
We got rejected by braintree, and went on a multiple month long back-and-forth and in the end it got nowhere.
Fixed it by using Fastspring. It is a fully integrated solution, with a slightly higher fee, but saves you a lot of dev hours. Their support is amazing.
Edit: it might sound clunky, but asking for wire transfers costs almost 0 dev hours, but can still used to prove your potential clients would really pay.
Use a middleware like Chargebee. Your subscriptions will be saved and there will be no change in UX when you are forced to change the underlying payment processor. Even before launch (assuming you’re a US business) you can have a backup in form of PayPal Payflow Pro, which integrates fine with chargebee.
Like another commenter said, think about your payment processor like another thing which needs redundancy. Have another one prepared - braintree or whatever.
You're the customer, but you're a business customer, not a consumer customer. B2C vs B2B is different, and the contracts involved are different, and it's different way of thinking. The Internet I have at my house prohibits reselling because I'm buying it as a consumer. If I'm buying a business Comcast account, there's an expectation by Comcast that I'm going to be reselling the Internet access (like if I own a coffee shop or something). Thus, imo it's not common, but it's also not prohibited. (But I am not a lawyer and this is not legal advice.)
As for having two integrations, what's your opportunity cost? You'll want a backup integration, but imo that's in the same category as having a backup cloud to run on in case AWS goes down. Which, you do, but the time spent working on that is time spent not working on the product.
If I understand correctly you use Stripe Issuing to give people cards that they can then spend with in a way that you control? How do people recharge their Justuseapp cards? You charge their real card and credit their virtual ones? And if one of the apps being used makes a unauthorised charge do you then raise a dispute on behalf of the customer?
I'm not trying to apologise for Stripe, I'm trying to see what's special about this financial arrangement. It's obviously not a SaaS nor are you selling anything physical.
"You can then use the virtual credit card to signup for free trials on the web and on apps without worry. We approve only free trials and not actual purchases."
I assume when you sign up to a free trail, they'll charge your card £0.00 to confirm it's a valid card, then when the trail ends and they try to automatically charge you for a full subscription they'll block the transaction.
This is not the intended use for stripe issuing at all, and would lead to stripe handling thousands of disputes from companies trying to charge cards with 0 balance after trials end.
Hiring humans is not as scalable as technology is. You can't just hire 150 more customer support agents _each month_ like you can fire up another Kubernetes cluster. They need training, middle managers, leads, special training, good tooling, office space, adjusted KPI-s, etc.
Ideally, good companies will find a balance with AI and human operators that's also sustainable as a business.
You're saying, however, "We can scale our tech but not our business." If you could scale everything but payroll, that wouldn't make it okay to use an automated payroll system that left some employees unpaid with no recourse. Leaving your customers unjustly banned with no recourse is no more justifiable.
> Ideally, good companies will find a balance with AI and human operators that's also sustainable as a business.
This is the crux of it. What do you define as a balance? In this example, Stripe shouldn’t be using ML to actually ban accounts but instead to flag accounts for manual review.
My company distributes advertisements. We need to watch every ad we ever distribute to ensure both its quality and legality. We have and still are investigating ML to improve this process, but because regulations put the cost on us for false negatives, we would use ML only to identify when it knows an ad fails our checks. It would then pulls it from the QC queue before any tech manually reviews it and emails the client informing it was blocked and why it was blocked and a link to a form where they can request a manual review if they think it was a false positive.
Our contracts allow for a fee to be imposed on the client if they challenge a block which is upheld after manual review.
Doing it this way we reduced our tech workload by removing clearly violating ads from QC queue and we give the client a clear and quick way to challenge the results of the ML.
At least, that is the plan here. It’s still in R&D.
I agree with this sentiment in general, but in this case it sounds like a human at Stripe did review the case, and Stripe still decided not to do business with them.
Hiring more customer service humans is not a guarantee that every customer will get what they want.
Stripe is company that boots people off due to their political positions[0]. I would be very careful while doing business with them. A few bad news reports and you are gone[1].
> 0: Sources told the Journal that the reason for the company’s decision was the violation of company policies against encouraging violence.
Seems like a valid reason to ban someone from a platform. Reading further, Stripe was being used to collect money to make hundreds of frivolous lawsuits. (Legal definition thereof)
> 1: The latest payment platform to refuse to accept payments made to Loomer is Stripe.
Looks like Stripe is far the first company to do this. Reading between the lines, this person is specifically trying to get banned to prove a point. At some point, their history of doing so becomes the reason for kicking them off, rather than their political views.
I can easily see this happen and I'm sure its affecting many others too and you just don't hear about it.
A couple of years ago I was unable to make some online purchases with my debt card.
It was always vendor specific and there didn't seem to be any logic to it. I talked to my bank, and they talked to MasterCard, and I would speak with vendors technical support or billing. Nothing out of the ordinary.
This was happening for over a year and I got by with using a credit card as needed (which I don't like to use in general).
Anyway, the common denominator was all these vendors used Stripe for payments. I email Stripe and eventually someone noted that my card number had been flagged by some algorithm in the past and had been blacklisted. For background, to my current knowledge, I've never had an issue with identity-theft, had others fraudulent charge my account, or done anything out of the ordinary.
That fact that this happens, and you have no notification or no clear recourse is frustrating. To be clear, I do not think this is specific to Stripe - I think all large services are vulnerable to this.
Recently quality of service at Stripe has gone seriously down the drain.
They arbitrarily closed my account a while ago, and after following their draconian re-activation process (somehow my government issued ID is not good enough to identify me, they need to verify the same information and ID in a video call) I think we’re now at 20+ emails and counting.
I just gave up and will go with a different provider or open a new account since it’s easier.
At some point Stripe was the provider that took everyone, but they’ve become allergic to any kind of risk and trust nothing.
My speculative guess is they raised the bar on the low-pass filter by tightening up the algorithm after losing way too much to credit card fraud.
It was absolutely scary the amounts of fraud I dealt with running a dropshipping shop a decade ago.
Every bad fraud order that I dropshipped ate the entire profits from a dozen legit orders, and card fraud was attempted on approximately 25% of orders we received.
After a few years I shut the site down as it was just barely making a profit as the fraud costs escalated and I felt I was wasting my time screening every order with my own (imperfect) hand-rolled fuzzy logic fraud detection algorithms and manual investigation of every single order.
I false-rejected a lot of legit customers in the final year, vowing to stamp out the scammers I drove some customers away... it's hard to be perfect when card fraud is easy to achieve.
Actually what the final straw was for me, that made me delete the server, was not the regular identity fraud stolen-card scumbags, but the pathological liars who you could validate as 100% legitimate, but after they received and signed for the goods, would call their bank and lodge a chargeback to get a full refund, because he banks ALWAYS take the customers side and ALWAYS charged me an extra $35 penalty for every dispute I lost (which was every single one, despite sending pages of strong proof showing the customer was a baldfaced lying thief)
I’m just not sure what to think about practices surrounding these chargebacks any more. When I was working at a company where they were a thing, I don’t think we ever lost one. Does the whole thing just depend on who you are friends with? Or does anyone actually look at the proof you send?
The banks in your country sound much more reasonable and fair.
I'm in Australia and our 4 banks are way too powerful, and some of the worlds most profitable on a percentage basis, with nearly the highest paid executives globally.
In the decade since I deleted that site in despair, there have been several royal commissions /
public inquiries into the shocking unfair and outright illegal actions all the 4 banks systematically entrenched, including forging customer signatures, ripping off customers at every opportunity, including siphoning customers money when the bank knew they had died, facilitating money laundering of cash earned from drugs on vast scales, influencing our captured politicians to roll back recently-legislated consumer protection laws the previous govt enacted, to absolve them from any culpability whatsoever by writing larger "liar loans" they knew people would struggle to live with, and these are which still going strongly (approx 1 in 3 recently admitting to this in a follow-up survey).
The AUD$35 per chargeback was an easy profit centre for them a decade ago, and no way would they ever take my side when it was free money for them.
I had a USD bank with them for the ecommerce dropship account. Our average order was around USD$51 with a little over 10% gross profit.
I was the only one losing out. The bank, my dropship supplier, and the card fraudsters all got paid and received their goods.
I think the OP would make a stronger case if they were more literal: they had exactly 1 dispute according to the evidence provided. In a sense the idea that you could be shut down for one dispute would be even more extraordinary.
well their website banned me from viewing it because I use a VPN, so I can't comment on the justice/injustice of their position. My irony sensor went off though.
Top Free
Best Selling
Streaming Softwares
Tv Softwares
VPN Softwares
IPTV Softwares
Movies Softwares
Job Softwares
Editing Softwares
Crypto Softwares
Kodi Tv Softwares
Video Editors
As categories could trigger some red flags, half of those are extremely risky categories. It's also not really obvious what you offer and some low paid scanner person reviewing your site for information probably had no idea what you do but saw VPN, Crypto, streaming, etc and said no.
My bank (Bunq) also has virtual cards and allows to track subscriptions. Pretty nice to have. It doesn't have an easy option to cancel subscriptions though, but I actually don't need that to be honest. Still, nice niche idea.
Interestingly, because you can get these debit cards and IBANs with the subscription, Bunq is often used by money mules and the like, giving Bunq a bad name in the process. Wouldn't surprise me if something similar happened here, even if just as a preventive measure.
I do think its strange Justuseapp.com allows people to get a virtual debit card with an address in USA, even when they're not in USA (their customer). Either way, if you're using this ("financial VPN based in USA") to steer away from US government you're doing it wrong. A proper use case would be to avoid PII getting leaked on all kind of online services.
In both case Edwin has helped me a lot to recover my access.
But it's a hear sinking moment and a few anxiety days because without Stripe I don't really know what option I had out there. Paypal is probaly what I will do next in those case.
PS: if you're here Edin, thanks so much for helping me solve those issue in the past. I finally be able to bootstrap by SaaS and profitable with it.
Kudos for stepping in. But you should really have a process in place where the CEO does not have to look into it based on the issue being posted on Hacker News.
No, I don't blame you for trying and I'm glad you've got attention, but don't people think it should be possible for all those founders, CEOs and other Stripe luminaries to trawl their own support channels?
Do you have an issue with them reading HackerNews and responding to a relevant post? Its not feasible for the CEO of a huge company to review every support ticket, no
On a related note: Stripe, have you considered tackling the customer side of fraud at all? I recently had an obviously fraudulent Stripe transaction on my credit card statement (questionable storefront that disappeared shortly after I placed my order). My only recourse was to dispute the charge with my bank. The transaction on my statement showed “STRIPE” and not a comprehensible merchant.
Has Stripe considered having a link on the main page for questions about a charge? If I could have typed in charge details and gotten direct confirmation that the merchant account was closed for fraud (I bet it was) and that I could ask online for my money back, it would have saved me a phone call, saved Stripe a chargeback, and earned a bit of goodwill.
2. Stripe did not say "someone asked for a dispute"
3. Stripe banned your app for not being low-risk. And why not? They have the right to decide for themselves
To me, Stripe is showing an outstanding support overall. You can even ping anyone on Twitter or send an email, and they respond.
I really don't understand why so many HN users are so freaked out.
And yeah, it's not a great case of support by Stripe right here. But guess what, thy don't care about you anymore, so they'll dedicate their time to existing/potential clients.
This reminds me of the false-positive vs false-negative dilemma faced in medical testing. Either you optimize for low cost and convenience, or for catching true-positives or true-negatives. For HIV testing for instance, if someone does test HIV-positive falsely, their changed safer behavior in the short-term wouldn't harm anyone, and follow-up tests could catch that they're actually negative. But if we falsely say someone does not have cancer, when they do, it could grow a lot in the short-term before symptoms arise and another test is given. They may also use a lot of unnecessary care trying to diagnose the issue after that false-negative cancer test.
What's the right solution? It's case by case, down to a mixture of morality and expertise to decide.
Seems these tech algorithms often generate a lot of false-positives wrongfully, or that's what's posted online afterwards. It'd be interesting to dig into the numbers for various platforms, see if they're falsely negative for spam accounts and bad actors. We wouldn't hear posts on HN about spam bots that cut into FB's bottom line, would we?
> What's the right solution? It's case by case, down to a mixture of morality and expertise to decide.
I think the idea of minimizing harm is a really good one.
I've never done any machine learning type stuff, but, based on my limited understanding, I think there are probably a few issues at play that make things difficult.
I think the feedback loop for an algorithm is likely important. If you're training an algorithm to match fingerprints, you have a few things that work in your favor. First, matching is easier with fewer samples, so you can train the model incrementally with larger and larger data sets. Second, the process of identifying false positives is easy, relatively definitive, and isn't influenced by external factors. If the ML algorithm only has X% confidence you send it to a human who assesses the match and tells the algorithm the answer so it can "learn" for the next situation that's similar.
Contrast that with something like payment processing. First, you need to scale with demand and it's not easy to incrementally train the algorithm. Second, false positives don't have a tight feedback loop. A false positive negatively affects a customer and every case is different. You need to rely on external, subjective data that isn't definitive enough to be useful to an algorithm (IMO).
I think matching fingerprints is a good analogy to illustrate some of the problems, especially when you hear things along the lines of "looked too similar to fraudulent activity." With fingerprints, you could give 10 to an amateur and they could probably match them accurately. Scale that up to 10,000 and you have so many that look similar, but not identical and you need a professional to do the matching.
I think ML is similar. It's better on a small scale than it is on a large scale and just doesn't scale up as well as the sales pitch says (unless it's assessing problems with definitive solutions). The issue here is that tech companies are treating ML like it scales in a linear fashion. Just throw more compute at it and 10x the scale, right? Wrong (IMO).
There was another comment here that said something along the lines of getting to 98% accuracy and deciding not to serve the other 2%. I think that's what's happening everywhere, but rather than explicitly telling customers they're not welcome, companies are simply letting their ML algorithms run to find the equilibrium where they can manage the "not positive" rate.
And that goes back to your idea of minimizing harm. They don't want to. They don't care if they promise you service even though you're borderline in terms of triggering false positives. You're part of the data set for their machine learning algorithm and that means you're viewed as acceptable collateral damage. They'll ruin your life to train their ML algorithm(s).
What scares me most is what happens when this happens to you and you can't get to the HN front-page? Will you get the same resolution from Stripe/Google/Apple/Aws if it didn't?
Making the front-page is often random luck I think, which is also why I personally always upvote such submissions when I find the person making it is a solopreneur/small company - as this may be their last and final resort to get things sorted.
> What I can tell you, unequivocally, as that these are the End of Days and whatever it is you are here doing it is more consistent with a discriminatory policy of something like the Anti-Christ than anything actually just.
This might be the craziest thing I've ever seen in a support email.
OP, I symphatize with your pain. I've been trying to get approved for Stripe Issuing for 4+ months now.
I have been "approved" multiple times, but the Issuing-related features never get turned on. Every time I complain, there's another review cycle. The most kafkaesque experience I have had with a business.
Sounds exactly like Stripe and PayPal. Arbitrarily turn you off anytime they feel like it for any reason they please.
Never build your whole business on using either or you are just a daily dice throw from being turned off.
The difference between you and TrueBill or Ramp is they have legal teams and founders/backers that have inside access and special approvals that ordinary start ups do not. Certain start ups get special treatment by the banks and payment processors because of behind the scenes actions you cannot take.
Banks and payment processors currently have the power to decide which companies can exist and which cannot. Sometimes for perceived moral or risk reasons and sometimes for random reasons. We really could use some sort of uniform legal appeals process rather than the standard of going to social media to beg for reinstatement.
There's an interesting efficiency/reverse-opportunity-cost issue here.
If you set up your ML so that it works x% of the time, you might very well have a profitable business even if you end up accidentally screwing over a bunch of folks. But no competitor can challenge you in the marketplace because the human cost of answering phones and emails to find that last little bit of efficiency is overwhelmingly disproportionate to any economic value the business would gain.
Many of us like to bang on businesses as being amoral and impersonal, but most are trying to do something people want, only better and more efficiently. ML may be providing an upper limit to efficiency by taking out any opportunity to do some serious analysis. Because in many cases removing that last 1-5% in inefficiency is the bit that leads to a completely new way of working, in many areas we may be boxing ourselves in to a very long-term status quo.
You can build a system that efficiently serves the 98% case of "simple" customers. Then you can ignore the 2% unprofitable/complicated customers, forcing them to go to other vendors.
If you're big enough, you starve your competitors of the low-cost/simple customers. So their cost structure goes way up, which in turn prices the services out of reach of all other customers except the stupidly profitable, which is to say: gambling and porn.
(This has parallels to the USPS v. FedEx/UPS problem in the US, with the exception that the USPS is required to serve all customers, so no one is completely without service)
Reading between the lines here, and based on the reply from Edwin in this thread, it looks like JustUseApp was collecting money for the virtual cards by pushing through unauthorised payments to the users original card.
So payment using their privacy card would look a little like this.
Merchant --> Privacy Card --> Users Real Card --> Users Bank
Where the step between Privacy Card and Real Card doesn't involve a checkout process and transaction authorisation. In bank speak they're just presenting transactions to the users bank, without first getting a transaction authorisation.
These details are important because presented transactions can't be stopped (that's what authorisation is for), they immediately move money from the users bank to the merchant, regardless of available funds or user consent, they can only be reversed via chargeback. These types of payments are called unauthorised payments, and due to the inability of bank to prevent, you're never really meant to use them, and the receiving bank has very strong rights during the chargeback process.
As a payments processor on the other side of the card network you don't want to be dealing with unauthorised payments. They're trivial to dispute, you're almost certainly breaking the card networks rules, and when they go wrong (which they 100% will), they're extremely expensive and time consuming to deal with.
Additionally in the EU, the introduction of Strong Customer Authentication basically makes these types of transaction completely illegal, and as a customer if such a transaction happened on your account you would have a right to full refund in the event of dispute, and your bank would be forced to provide it even if you had published your full card details online. You're bank would of course then go after the merchant via the card network, and then payment processors like Stripe get caught in the middle, and potentially find themselves liable for money they can no longer reclaim from the merchant, because they've already paid out the money and the dispute only happened 3 or 4 months later.
Ugh, apologies. Something very clearly went wrong here and we’re already investigating.
Zooming out, a few broader comments:
* Unlike most services, Stripe can easily lose very large amounts of money on individual accounts, and thousands of people try to do so every day. We are de facto running a big bug bounty/incentive program for evading our fraudulent user detection systems.
* Errors like these happen, which we hate, and we take every single false rejection that we discover seriously, knowing that there’s another founder at the other end of the line. We try to make it easy to get in touch with the humans at Stripe, me included, to maximize the number that we discover and the speed with which we get to remedy them.
* When these mistaken rejections happen, it’s usually because the business (inadvertently) clusters strongly with behavior that fraudulent users tend to engage in. Seeking to cloak spending and using virtual cards to mask activity is a common fraudulent pattern. Of course, there are very legitimate reasons to want to do this too (as this case demonstrates).
* We actually have an ongoing project to reduce the occurrence of these mistaken rejections by 90% by the end of this year. I think we’ll succeed at it. (They’re already down 50% since earlier this year.)
reply