In honor of Giving Tuesday, a brief meditation on three topics you probably wouldn't usually connect:
* charitable donations
* the supply chain for credit card fraud
* global financial infrastructure
* charitable donations
* the supply chain for credit card fraud
* global financial infrastructure
Credit card fraudsters have an extremely sophisticated, professionalized ecosystem which has dedicated infrastructure, social rituals, and market expectations. There are even quality control departments which compete on responsiveness.
Most stolen cards are sold into this market, rather than being used by the thief/hacker directly; this enables specialization of labor. The market has quality standards, enforced by starred reviews and defined dispute resolution practices, to ensure product quality.
"Quality" meaning "Can the buyer actually extract money from this card?" This is ensured prior to (and post-) sale by so-called card testing.
Since cards' utility declines over time post-theft, as they are canceled or otherwise blocked, thieves run test transactions shortly before sale to demonstrate that their cards should fetch a higher price.
The buyer cares because unsuccessful fraud attempts raise alarms and sometimes cause buyers to burn other scarce, valuable resources that they need to use to turn the card into money in their hands.
Legitimate businesses and charities are often used to do scaled automatic card testing (as many as millions at a time). The fraudster doesn't take anything from them directly; they just observe that the card is good and therefore receive more for it from their market.
Charities bear a hugely disproportionate brunt of this; 11% of all card testing attempts we observe. The incidence across other industries is generally much lower.
(The scale here is relative to the incidence faced by charities.)
(The scale here is relative to the incidence faced by charities.)
Why do fraudsters target charities preferentially? One reason is that, aside from extremely large charities with dedicated payments teams, most charities don't think anyone could abuse a charity by giving them money.
E-commerce OTOH invests in anti-fraud because they have to.
E-commerce OTOH invests in anti-fraud because they have to.
In fact, card testing is *really bad* for charities. They of course do not keep the money; it gets reversed after users' complaints to their bank. The charity is penalized by the financial industry for allowing it to happen.
In extreme cases, a business or charity which is unable to stop repeated card testing will lose any ability to process card payments.
That is disastrous, particularly for the smaller charities which often rely on smaller online card-based donations to fund their missions.
That is disastrous, particularly for the smaller charities which often rely on smaller online card-based donations to fund their missions.
(Also, as the CEO of a charity, this is very far from the thing that staff want to be spending their time on. It doesn't advance any charity's mission to try to defend themselves from being collateral damage in the cat-and-mouse game between hackers and the legitimate economy.)
Card testing attacks increased rapidly during the pandemic.
Here in Asia, where I live, we saw a spike 56% above our expectations across the Stripe network.
Here in Asia, where I live, we saw a spike 56% above our expectations across the Stripe network.
What can be done about this, and particularly what can be done in the context of smaller charities, which are often resource-constrained?
At Stripe, we're responsible for protecting our users and the financial ecosystem from these sort of threats. We have done a few things.
At Stripe, we're responsible for protecting our users and the financial ecosystem from these sort of threats. We have done a few things.
We continue to work to identify card testing attacks on "the back end."
Even more powerful interventions are possible on the front end, but many smaller teams don't have the resources to implement them.
The typical charity has no programmers on staff, for example.
Even more powerful interventions are possible on the front end, but many smaller teams don't have the resources to implement them.
The typical charity has no programmers on staff, for example.
So we baked interventions into Stripe Checkout. This raises the cost to attackers of scaled card testing attacks, attempting to break hackers' economic model.
Running a million credit card numbers is easy.
Trying to look like a million plausibly unique people is harder.
Running a million credit card numbers is easy.
Trying to look like a million plausibly unique people is harder.
For predictable reasons we can't go into the secret sauce, but one benefit of seeing millions of businesses' interactions with typical users, and typical patterns in transaction spikes around e.g. shopping holidays or promotions, is that we can identify fishy behavior at scale.
Do we need to block processing for a charity under card testing attack? No! That harms their mission to no purpose.
Instead, we can heuristically increase friction a tiny bit for transactions only while the attack is ongoing; requiring a captcha completion, for example.
Instead, we can heuristically increase friction a tiny bit for transactions only while the attack is ongoing; requiring a captcha completion, for example.
This is extremely effective. On days where we know retrospectively that a business was under attack, only 1.6% of captchas get successfully completed. The other attempts don't hit the credit card networks, don't defraud anyone, and don't damage the targeted entity.
Because we're good at targeting which users see captchas, very few legitimate users will even see them.
In the case where they do see them, our data suggests that impact is minimal. (Auth rates not statistically distinguishable even while we're intervening against attacks.)
In the case where they do see them, our data suggests that impact is minimal. (Auth rates not statistically distinguishable even while we're intervening against attacks.)
Stepping back a bit, this is one of the interesting things about working on infrastructure. Tuning machine learning models isn't for its own sake; it increases the aggregate impact of the users of infrastructure. Charities, businesses, and consumers alike benefit from this work.
For more on card testing, see: stripe.com/docs/card-test…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
