#decline-issue-report
req_vsgprFxfI9RAO2
AFAIK PaymentIntents generated via Checkout don't support manual confirmation. Is that what you're trying to do?
earlier it was a thing though
oh wait
you should see this first
The idea with Stripe Checkout is to provide customers a way to pay for the product using Stripe hosted UI.
If you're using PaymentElement then you can just use the PaymentIntents API, no?
Not sure I follow, what are we looking at?
okay can you have a look at this, watch it fully
Ah you mean checking out with an incomplete card number, no that shouldn't be possible.
Is there a page/link I can use to reproduce this?
Doesn't this look like a "security threat" to Stripe?
you must be knowing few weeks back card cvc was also a critical flow threat which was patched recently
Not exactly security threat but in order to understand what's going on here we'll need to look at how the checkout is behaving for you.
Can you share an example checkout session so I can reproduce?
it works on any checkout
I found that tool on telegram
it bypasses critical checks also (cvc)
you don't seem to understand what I am saying?
these checkouts also show "powered by mohio" instead of stripe
and this video has basically full view what they are doing ( seems fraud )
Gotcha. I've flagged this internally and a colleague is looking into it.
It could be a scammer with Checkout clone trying to scam folks but not sure since we don't have enough info.
@thin dagger yes, please use this thread for follow ups
later will I get any update regarding my report ?
Yes, we will post an update here
is there an email address regarding these reports specifically?
it's related to stolen card testing and fraud payments
rather these terms
“carding”, “account testing”, and “card checking.”
At least acknowledge once
@obsidian fossil
We are currently investigating and I am working with multiple users on discord at the same time. Please be patient.
If you'd like to report this via email/chat then you can reach out to our support team via
https://support.stripe.com/?contact=true
They can help escalate this via proper channel.
I asked a colleague to look into the video, they checked the checkout session in the video and it looks like nothing was bypassed. It is most likely a scam video that uses a dummy checkout clone.
If you're still concerned then please reach out to our support team via the link I shared above. They can help further.

the link provided guys
aren't interested like you. @obsidian fossil
You can ask them to escalate to the right team for reporting issues like this
If you're asking about bug bounty then you'd want to check out this page
https://hackerone.com/stripe?type=team
yeah that should be it
Also this key seems to be live and working
I found someone's live API key
please don't share live secret keys on a public server
I understand that but you still shouldn't share it
Yes it should be kept safe. I understand you want to help by reporting it but there's nothing our team on discord can do to help.
You can report it via support and they can escalate if needed
https://support.stripe.com/?contact=true
But it takes ages for your team to
Like take action
Can't you revoke that key
That's only my request
Not something our team on discord can handle. We work with developers building apps using our APIs/SDKs.
We don't have tools or workflows to revoke keys
But you do have direct contact with the related team
@thin dagger Let's not argue indefinitely. Please work with our support team for help directly, we cannot help here.
Ok I can stop here, not rude about this but you don't want your company to be helped 🙂
Have you seen 2023 radar blocked card testing payments?
They are done via these public secret keys
90% of them
Please work directly with our support team