
Stripe Risk Evaluation

WebProject Host Rep, Veteran

At last, decent payment evaluation tools for providers, as you will be able to set various rules, like if client IP address does not match card issue country = possible fraud, or 20 times attempts to pay using stolen card can be blocked, as previously Stripe just ignored that.

https://stripe.com/docs/radar/risk-evaluation

What do you think about this option/tool?

Comments

  • jar Patron Provider, Top Host, Veteran

    I think it's quite helpful. It can hit false positives, like anything, but it will learn and get better over time. I've had a lot of fraud through Stripe that I had trouble filtering at the WHMCS level.

    Thanked by 1GCat
  • WebProject said: client IP address does not match card issue country

    This does not mean anything. Many use non-local virtual cards; it does not mean that they are stolen.

  • WebProject Host Rep, Veteran
    edited November 2016

    @jenkki said:

    WebProject said: client IP address does not match card issue country

    This does not mean anything. Many use non-local virtual cards; it does not mean that they are stolen.

    Where is it stated stolen? Can you read the following again:

    WebProject said: possible fraud

    Let's be more logical and clear about it, for example: an Iranian client can't open a USA bank account, exactly the same as an Egyptian client can't have a UK bank account.

    As for the following usage of card:

    WebProject said: 20 times attempts to pay using stolen card

    I call this method masturbation: simply people trying to use a stolen card who don't have the details to pass the validation.

  • jar Patron Provider, Top Host, Veteran
    edited November 2016

    jenkki said: This does not mean anything. Many use non-local virtual cards; it does not mean that they are stolen.

    That's cute in theory and all, and you can always explain it away like that, but those of us dealing with it on a regular basis know very well that IP and billing mismatch increases the risk of fraud significantly. Quarantining such cases for manual review or rejecting them is better for business than allowing them through because "Well one out of a hundred might be legit because someone on some forum said so."

    Everything about risk assessment means potential false positives. It's about identifying variables that carry with them higher percentages of high risk situations. It's not about developing flawless algorithms that capture 100% fraud with 0% failure rate for today and forever. It's a never-ending battle and it changes all the time.

    That single rule alone has saved me over $500 in fraud in the last few months. Upon manual review it was obvious that it was fraud, but that one detail was the only reasonably automated check.

    Thanked by 1AnthonySmith
  • WebProject Host Rep, Veteran
    edited November 2016

    jarland said: Quarantining such cases for manual review or rejecting them is better for business

    The Stripe risk evaluation has such an option, to put such a payment on manual review to avoid the chargebacks.

    I do use a virtual card in my Android Pay app, as the system automatically generates a virtual card for it.

  • @WebProject said:
    I do use a virtual card in my Android Pay app, as the system automatically generates a virtual card for it.

    Too bad they don't allow rooted phones, who doesn't root their Android?

    Thanked by 1WebProject
  • WebProject Host Rep, Veteran

    TheOnlyDK said: Too bad they don't allow rooted phones, who doesn't root their Android?

    Me.

    Thanked by 1TheOnlyDK
  • jarland said: That's cute in theory and all, and you can always explain it away like that, but those of us dealing with it on a regular basis know very well that IP and billing mismatch increases the risk of fraud significantly.

    Are the IPs proxy / VPN IPs? I'm just curious.

  • jar Patron Provider, Top Host, Veteran

    black said: Are the IPs proxy / VPN ips? I'm just curious.

    Sometimes, but I've been seeing a fair number of residential ISPs as well. Probably internet cafes or something like that.

  • OnApp_Terry Member
    edited November 2016

    @jarland said:

    jenkki said: This does not mean anything. Many use non-local virtual cards; it does not mean that they are stolen.

    That's cute in theory and all, and you can always explain it away like that, but those of us dealing with it on a regular basis know very well that IP and billing mismatch increases the risk of fraud significantly. Quarantining such cases for manual review or rejecting them is better for business than allowing them through because "Well one out of a hundred might be legit because someone on some forum said so."

    Completely agree with this - nothing hurts more than getting hit with a huge chargeback, or massive IP cleanup because a spamming fraudster got through.

    We do machine learning with Cloud.net (though through Sift Science, instead of direct with Stripe). Through about 30 'rules' we're able to detect about every case of fraud - in fact we went from averaging about 10 chargebacks per month in April-July, down to zero in September & October.

    Some of the hard rulesets ...

    1.) Single-use email addresses are completely blocked. No way around it. Our system won't even let you create an account with one.

    2.) An identified VPN/Proxy will block any ability to add funds to your account, until verified.

    3.) IP/billing country mismatch requires validation

    4.) Free email + at risk country will trigger validation.

    5.) Multiple accounts on a single IP address triggers validation

    6.) Orders over $100, without validating a phone number, in first 90 days triggers validation.

    Sift Science actually gives us the ability to detect abnormal account behavior. I'm currently working with our UX guys to try and figure out the best way to implement that so we could even detect when an account could be hacked.

    Thanked by 1jar
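
The six hard rules listed in the post above, written out as a small rule evaluator. This is an added example, not code from the thread, Cloud.net, Sift Science or Stripe; the `Signup` fields, the placeholder domain and country lists, the "either country" reading of rule 4 and the precedence block > hold_funds > validate > allow are assumptions.

```python
from dataclasses import dataclass

# Constructed placeholder lists (assumption); real deployments use maintained feeds.
DISPOSABLE_DOMAINS = {"disposable.example"}
FREE_EMAIL_DOMAINS = {"freemail.example"}
AT_RISK_COUNTRIES = {"ZZ"}  # placeholder country code, not a real assessment

@dataclass
class Signup:  # hypothetical record of the signals the rules need
    email: str
    ip_country: str
    billing_country: str
    ip_is_proxy: bool = False
    accounts_on_ip: int = 1
    amount_usd: float = 0.0
    account_age_days: int = 0
    phone_verified: bool = False

def evaluate(s):
    """Return (decision, reasons); precedence block > hold_funds > validate > allow."""
    domain = s.email.rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_DOMAINS:                       # rule 1: hard block
        return "block", ["single-use email"]
    reasons = []
    if s.ip_country != s.billing_country:                  # rule 3
        reasons.append("ip/billing country mismatch")
    if domain in FREE_EMAIL_DOMAINS and {s.ip_country, s.billing_country} & AT_RISK_COUNTRIES:
        reasons.append("free email + at-risk country")     # rule 4
    if s.accounts_on_ip > 1:                               # rule 5
        reasons.append("multiple accounts on one IP")
    if s.amount_usd > 100 and not s.phone_verified and s.account_age_days <= 90:
        reasons.append("order over $100, unverified phone, first 90 days")  # rule 6
    if s.ip_is_proxy:                                      # rule 2: no funding until verified
        return "hold_funds", ["vpn/proxy"] + reasons
    return ("validate" if reasons else "allow"), reasons

if __name__ == "__main__":
    # Constructed sample signups, not real customer data.
    for s in (
        Signup("a@disposable.example", "US", "US"),
        Signup("b@corp.example", "DE", "US"),
        Signup("c@corp.example", "US", "US", ip_is_proxy=True),
        Signup("d@corp.example", "US", "US", amount_usd=150, account_age_days=10),
    ):
        print(s.email, evaluate(s))
```

Returning the list of reasons alongside the decision gives a manual reviewer the signals that fired, which matters because each rule on its own produces false positives.
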
  • @WebProject said:

    TheOnlyDK said: Too bad they don't allow rooted phones, who doesn't root their Android?

    Me.

    Oldschool

  • jarland said: Sometimes, but I've been seeing a fair number of residential ISPs as well. Probably internet cafes or something like that.

    Yeah, there are a noticeable amount of proxies on residential ISPs these days, especially in EU & Asian countries. If you're bored one day, consider adding getipintel.net's services into your fraud prevention toolset. It should at least be another piece of information that's useful :)
