jslaybaugh - Bad Actor | Stripe Developers | Page 1

vast heart Jan 20, 2022, 6:11 PM

#

Hello! Can you provide a bit more detail? I'm not sure I fully understand the situation. How are you determining the Customer is bad after adding the card to them?

rapid wadi Jan 20, 2022, 6:14 PM

#

So we're getting hundreds of new accounts a day and they're all clearly spam (names like "asdfas asdfasdf", but they're just being used to scam cards and see which are valid. The customer apparently gets created and the source is stored, but then shortly afterwards, when Stripe attempts to do the subscription/invoice etc, the card gets declined because of the fingerprint block we put in place

#

See

Screen_Shot_2022-01-20_at_12.01.15_PM.png

vast heart Jan 20, 2022, 6:14 PM

#

How did the fingerprint block get put in place though?

rapid wadi Jan 20, 2022, 6:15 PM

#

someone on our team put it in place

#

as an attempt to stop this

vast heart Jan 20, 2022, 6:15 PM

#

Between the Customer signing up and the first charge?

rapid wadi Jan 20, 2022, 6:15 PM

#

no, the fingerprint is the same across all these signups

#

because the fingerprint is associated with the person/location/device that is doing this, from what i understand

vast heart Jan 20, 2022, 6:16 PM

#

Oh, I see what you're saying. Yeah, this is expected. Radar rules and blocklists don't apply to attaching cards directly to a Customer. If you were using Setup Intents you could enable Radar for those though.

rapid wadi Jan 20, 2022, 6:17 PM

#

Ok... but you're saying that is by design? Why wouldn't they all use the same validation?

vast heart Jan 20, 2022, 6:19 PM

#

It's just not how the system works. I don't know why it was designed this way. I do know that Radar is focused on prevent fraud for payments, and there's no payment involved when directly attaching card info to a Customer.

#

Radar also supports Setup Intents as option on top of that.

#

The option is in the Dashboard here: https://dashboard.stripe.com/settings/radar

rapid wadi Jan 20, 2022, 6:32 PM

#

Out of curiosity, in addition to things like setup intents and payment intents... are these rules applied when tokenizing a card?

vast heart Jan 20, 2022, 6:34 PM

#

No.

rapid wadi Jan 20, 2022, 6:41 PM

#

Note that Radar, our integrated solution for automatic fraud protection, performs best with integrations that use client-side tokenization.

#

that's from https://stripe.com/docs/api/tokens

Stripe API reference – Tokens – curl

Complete reference documentation for the Stripe API. Includes code snippets and examples for our Python, Java, PHP, Node.js, Go, Ruby, and .NET libraries.

slate rune Jan 20, 2022, 6:55 PM

#

👋 @vast heart had to step out, but i can help

#

give me a minute to catch up

slate rune Jan 20, 2022, 7:20 PM

#

I don't know what specifically those docs were referring to, but for client-side tokenization the only things that are checked are things like cvc and postal code validation - we don't check the additional radar rules at that point in time

rapid wadi Jan 20, 2022, 7:20 PM

#

ok thanks for confirmation!

#jslaybaugh - Bad Actor