In honor of Giving Tuesday, a brief meditation on three topics you probably wouldn't usually connect:

* charitable donations
* the supply chain for credit card fraud
* global financial infrastructure
Credit card fraudsters have an extremely sophisticated, professionalized ecosystem which has dedicated infrastructure, social rituals, and market expectations. There are even quality control departments which compete on responsiveness.
Most stolen cards are sold into this market, rather than being used by the thief/hacker directly; this enables specialization of labor. The market has quality standards, enforced by starred reviews and defined dispute resolution practices, to ensure product quality.
"Quality" meaning "Can the buyer actually extract money from this card?" This is ensured prior to (and post-) sale by so-called card testing.
Since cards' utility declines over time post-theft, as they are canceled or otherwise blocked, thieves run test transactions shortly before sale to demonstrate that their cards should fetch a higher price.
The buyer cares because unsuccessful fraud attempts raise alarms and sometimes cause buyers to burn other scarce, valuable resources that they need to use to turn the card into money in their hands.
Legitimate businesses and charities are often used to do scaled automatic card testing (as many as millions at a time). The fraudster doesn't take anything from them directly; they just observe that the card is good and therefore receive more for it from their market.
Charities bear a hugely disproportionate brunt of this: 11% of all card testing attempts we observe. The incidence across other industries is generally much lower.

(Caption for a chart not reproduced in this unroll: the scale is relative to the incidence faced by charities.)
Why do fraudsters target charities preferentially? One reason is that, aside from extremely large charities with dedicated payments teams, most charities don't think anyone could abuse a charity by giving them money.

E-commerce OTOH invests in anti-fraud because they have to.
In fact, card testing is *really bad* for charities. They of course do not keep the money; it gets reversed after users' complaints to their bank. The charity is penalized by the financial industry for allowing it to happen.
In extreme cases, a business or charity which is unable to stop repeated card testing will lose any ability to process card payments.

That is disastrous, particularly for the smaller charities which often rely on smaller online card-based donations to fund their missions.
(Also, as the CEO of a charity, this is very far from the thing that staff want to be spending their time on. It doesn't advance any charity's mission to try to defend themselves from being collateral damage in the cat-and-mouse game between hackers and the legitimate economy.)
Card testing attacks increased rapidly during the pandemic.

Here in Asia, where I live, we saw a spike 56% above our expectations across the Stripe network.
What can be done about this, and particularly what can be done in the context of smaller charities, which are often resource-constrained?

At Stripe, we're responsible for protecting our users and the financial ecosystem from these sorts of threats. We have done a few things.
We continue to work to identify card testing attacks on "the back end."

Even more powerful interventions are possible on the front end, but many smaller teams don't have the resources to implement them.

The typical charity has no programmers on staff, for example.
So we baked interventions into Stripe Checkout. This raises the cost to attackers of scaled card testing attacks, attempting to break hackers' economic model.

Running a million credit card numbers is easy.

Trying to look like a million plausibly unique people is harder.
For predictable reasons we can't go into the secret sauce, but one benefit of seeing millions of businesses' interactions with typical users, and typical patterns in transaction spikes around e.g. shopping holidays or promotions, is that we can identify fishy behavior at scale.
Do we need to block processing for a charity under card testing attack? No! That harms their mission to no purpose.

Instead, we can heuristically increase friction a tiny bit for transactions only while the attack is ongoing, by requiring a captcha completion, for example.
This is extremely effective. On days where we know retrospectively that a business was under attack, only 1.6% of captchas get successfully completed. The other attempts don't hit the credit card networks, don't defraud anyone, and don't damage the targeted entity.
Because we're good at targeting which users see captchas, very few legitimate users will even see them.

In the case where they do see them, our data suggests that impact is minimal. (Auth rates are not statistically distinguishable even while we're intervening against attacks.)
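To make the shape of "detect the attack, then add friction only while it lasts and only for the traffic that looks like the attack" concrete, here is an added example. It is not Stripe's code and says nothing about how Stripe actually scores traffic; the thresholds, the field names, the five-minute window, the assumed baseline volume and the sample traffic are all constructed for illustration. It keeps a per-merchant sliding window of forwarded authorization attempts and flags an attack when volume is far above baseline, most attempts decline, nearly every attempt is a different card, and the traffic comes from few client fingerprints. While flagged, only attempts fitting that profile are asked for a captcha; a donor on a fresh browser is still processed without friction.

```python
"""Sliding-window card-testing detector with captcha step-up.

Added example for this page; it is not Stripe's code and the thresholds,
field names and sample traffic below are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Attempt:
    ts: float           # seconds
    card_fp: str        # hash of the PAN, never the PAN itself
    client_fp: str      # device/browser fingerprint (or IP as a fallback)
    amount_cents: int
    declined: bool      # network outcome, known only after forwarding


@dataclass
class MerchantWindow:
    window_s: float = 300.0             # 5-minute sliding window (assumed)
    baseline_per_window: float = 5.0    # this merchant's normal volume (assumed)
    attempts: deque = field(default_factory=deque)

    def record(self, a: Attempt) -> None:
        self.attempts.append(a)
        self._evict(a.ts)

    def _evict(self, now: float) -> None:
        while self.attempts and now - self.attempts[0].ts > self.window_s:
            self.attempts.popleft()

    def stats(self, now: float) -> dict:
        self._evict(now)
        n = len(self.attempts)
        if n == 0:
            return {"n": 0, "decline_rate": 0.0, "card_uniqueness": 0.0, "client_spread": 0.0}
        declined = sum(a.declined for a in self.attempts)
        cards = {a.card_fp for a in self.attempts}
        clients = {a.client_fp for a in self.attempts}
        return {"n": n, "decline_rate": declined / n,
                "card_uniqueness": len(cards) / n, "client_spread": len(clients) / n}

    def under_attack(self, now: float) -> bool:
        s = self.stats(now)
        return (s["n"] >= 10 * self.baseline_per_window   # volume far above baseline
                and s["decline_rate"] >= 0.5               # most attempts fail
                and s["card_uniqueness"] >= 0.9            # almost every attempt is a new card
                and s["client_spread"] <= 0.2)             # ...from very few clients

    def require_captcha(self, a: Attempt) -> bool:
        """Decide, before forwarding, whether this attempt must pass a captcha."""
        if not self.under_attack(a.ts):
            return False
        seen_clients = {x.client_fp for x in self.attempts}
        seen_cards = {x.card_fp for x in self.attempts}
        # a fingerprint that already pushed other cards this window is the testing profile
        return a.client_fp in seen_clients and a.card_fp not in seen_cards


def run_scenario(rotate_fingerprints: bool) -> dict:
    """Constructed traffic: 7 donors and a 300-card testing burst from two bots."""
    donors = [Attempt(30.0 * i, f"donor-card-{i}", f"donor-browser-{i}", 2500, False)
              for i in range(6)]
    donors.append(Attempt(200.1, "donor-card-6", "donor-browser-6", 2500, False))
    bots = [Attempt(180.0 + 0.2 * i, f"tested-card-{i}",
                    f"bot-{i}" if rotate_fingerprints else f"bot-{i % 2}",
                    100, i % 5 != 0)   # ~80% of the stolen cards decline (assumed)
            for i in range(300)]
    events = sorted(donors + bots, key=lambda a: a.ts)

    win = MerchantWindow()
    out = {"attacker_forwarded": 0, "attacker_blocked": 0,
           "legit_forwarded": 0, "legit_challenged": 0}
    for a in events:
        is_bot = a.card_fp.startswith("tested-")
        if win.require_captcha(a):
            # assume the bot never solves the captcha and a donor always does
            if is_bot:
                out["attacker_blocked"] += 1
                continue                   # never reaches the card network
            out["legit_challenged"] += 1
        win.record(a)                      # forwarded; outcome is now known
        out["attacker_forwarded" if is_bot else "legit_forwarded"] += 1
    return out


if __name__ == "__main__":
    print(run_scenario(rotate_fingerprints=False))
    print(run_scenario(rotate_fingerprints=True))
```

In the first scenario the window trips once 44 tested cards have been forwarded, and the remaining 256 are stopped at the captcha without touching the network, while all seven donors go through unchallenged. The second scenario is the caveat from the thread: when the attacker rotates a fresh fingerprint per attempt, the client-spread signal vanishes and this naive detector never fires, which is why "looking like a million plausibly unique people" is the hard part and why real systems lean on cross-merchant behavioural signals rather than one merchant's counters.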
Stepping back a bit, this is one of the interesting things about working on infrastructure. Tuning machine learning models isn't for its own sake; it increases the aggregate impact of the users of infrastructure. Charities, businesses, and consumers alike benefit from this work.
For more on card testing, see: stripe.com/docs/card-test…
Thread by Patrick McKenzie (@patio11), unrolled via ThreadReaderApp.