Hi all, this is to let you know that we are making some changes to the Stripe donations on SuttaCentral.
In past months we’ve been subject to increasing amounts of fraudulent attacks. These are thousands of attempts to donate small amounts to SC, from obviously machine-generated accounts. It seems like an odd scam: why are they trying to give us money? It seems the explanation is that these are scammers using stolen credit card details. They try them out with small amounts to see which cards actually process the transaction, then they clean them out.
The bad part is that when a payment is disputed by the bank, we end up having to pay to settle the dispute. We have set up various rules to counter this, which worked for a while, but now we’re being overwhelmed. For the past week or so, we’ve been actually losing money on Stripe: paying more in settlement fees than we get in donations.
Obviously this can’t go on. For now, I have increased the minimum donation to US$10. Sorry to all the small donors out there! This will stop a certain class of attacks, but is by no means a foolproof solution. We will be introducing new security measure in the future, possibly by requiring an extra registration step before donating.
If there’s anyone out there with professional experience in mitigating these attacks, we’d love to hear from you!
Well, that really sucks. Sorry you have to deal with that.
I don’t have any experience with this kind of attack specifically, but I think you’re on the right track: react to whatever the scammers throw at you until they find an easier target elsewhere.
Another thing you might look at is IP Addresses: are all the fraudulent transactions coming from a particular block? Or time: do the fraudulent transactions come in waves? Basically it’s a data science / classification problem: the more variables you have to look at, the smarter you can be.
Best of luck!
Stripe documentation stresses identity verificaiton.
A failed CVC or postal code check can indicate the payment is fraudulent, so review it carefully before fulfilling the order.
Interestingly, the wording of the above implies that identity verification is a shared responsibility between Stripe and its customers. Stripe explains:
If no information is collected, the card issuer can’t perform a verification check. Collect the CVC, postal code, and billing address for every payment to avoid this issue. The results of verification checks help improve the detection of fraudulent activity.
Stripe best practices suggests that SuttaCentral verify donors:
Verify your customer’s identity
For some, verifying the identity of customers can be beneficial. Consider using Stripe Identity to verify a government ID and match with a selfie of the document holder. Alternatively, you can also ask customers to connect their Facebook or LinkedIn accounts as a further proof of identity. Remember that this is an extra step that a fraudster might not take. Of course, some legitimate customers may not want to go through this additional process, and your conversion rate may suffer as a result.
For example, since email is currently required for SC donations, perhaps that email could be verified against SuttaCentral D&D users?
I’ve added a bunch more rules to Stripe. The one you’re most likely to encounter is the requirement for 3DS where supported (rather than where required). This is an additional verification step by banks; it is mandated in some jurisdictions such as Europe, Australia, Brazil, and India; but not, apparently, the US, which is where our fraud attempts are coming from. Now we are it requiring for all supported credit cards.
Please let us know if this or any other changes cause any problems!
By the way, so far we’ve blocked 20,269 fraudulent payment attempts. It’s the wild west out there!
Is there a nice Dhammapada verse you could put on the donations page? Maybe:
Here they’re tormented, hereafter they’re tormented, an evildoer is tormented in both places. They’re tormented thinking of bad things they’ve done; when gone to hell, they’re tormented all the more.
Here they delight, hereafter they delight, one who does good delights in both places. They delight thinking of good things they’ve done; when gone to heaven, they delight all the more.
If those 3DS changes don’t end up working, I’ve read the stripe docs a little, and one doc suggests at some point there was an option to add a captcha to the final payment part on stripe. The official doc says to add a captcha before it gets to Stripe, something like hcaptcha.
Cloudflare also uses hcaptcha, so a cloudflare firewall rule to present a captcha for after /donate-now is submitted might work better. There is likely swathes of people and AIs doing captchas for such people hiring botnets though.
A third option as suggested by Karl is to place the donations page behind a login for this forum which might effect this forum’s security, since there would be some incentive for fake accounts , unsure how likely that is though.
Are there any changes required for regular donations or will they be automatically withdrawn after these changes too?
Also please do add captcha. Do you see any pattern in the fraudulent transactions (same bank or card type, cards issued in certain countries)? Some frauds can only be done on a minority of financial services only (for example fraudsters often use Western Union accounts as it’s easier for them).
I would also advise to introduce another, safer donation platform in paralell and slowly withdraw from stripe if they don’t offer any countermeasures and the attacks continue. They should take some responsibility for these transactions as a financial company. The banks will slowly come up with their own defense mechanisms which will most likely make it easier to file a dispute but that will also take time.
Regular donations will not be affected, unless they fall into the scope of the new rules. After i set a minimum of $10, I noticed that one donor was offering £5 = $9 and that was refused, so I lowered to limit to $8.
We’re definitely looking into it. (I hate captcha tho, it is not good for accessibility.)