🧵 Thread (26 tweets)

Credit cards are a legacy system. They are extremely important to commerce worldwide, but exhibit path dependence. Much of their functioning under-the-hood derives from decisions made more than 50 years ago. Stripe is working on upgrading this critical system, for everyone.

Consider the case of credit card fraud. Credit cards were originally designed with the core motivating use case being something like “A business traveler, in a city far from home, wants to pay a restaurant that they will never walk into again for dinner.”

Both of these instructed the business to physically seize your card and return it to the issuing bank. The first one was in the case of an expired or lost card; the second one covertly tipped the business off that the bank suspected the card was being used fraudulently.

You know what was not built? There was no designed pathway for a restaurant to report to a bank “Hey, actually, I think this charge is probably fraudulent. I have the plastic, all right, but something is... off. Maybe you should look into that.”

Why not? Because this made no sense at the time. How is a diner in LA going to know the business of a traveler from Chicago better than their bank does? That was a self-evidently silly notion. The bank has the professionals, the data, and the relationship that matters.

Credit card usage has evolved enormously in the last 50 years. An increasing portion is conducted online, in so-called “card not present” scenarios. This is an important piece of infrastructure empowering the global economy. It also presents new risks, which need new solutions.

Pause to acknowledge that if you told a bank officer in 1983 that “Sometimes hackers buy hundreds of thousands of credit cards from the dark web” they would have thought you had watched WarGames one too many times. "The dark web is not a thing in real life, child."

Card testing is frequently done by running those cards, in bulk, against innocent parties. The worst impacted are charities. This is because they, sensibly, frequently do not have fully-staffed anti-fraud operations; who’d try to defraud a charity by *giving them money*?

Credit card thieves, that is who. The donation of money is entirely incidental to the thief; they just want to know whether the card is still active. The charity will not actually receive the money; the transaction will be reversed and the charity will pay a penalty fee.

Stripe uses machine learning models, heuristics, and human fraud analysts to catch card testing across the Stripe network, including at e.g. charities. When we detect that a particular organization is under attack, we can quickly act to protect them and the financial ecosystem.

Even tiny amounts of friction are undesirable for online payments generally. Friction decreases the amount of commerce that happens! But, if one knows one is being actively exploited, a tiny amount of friction can break the economic model of the attack very, very quickly.

This doesn’t just stop the card testing quickly. It prevents one’s organization from being responsible for chargebacks (as legitimate users dispute payments made with stolen credit cards), saves them penalty fees, and minimizes the future victimization of third parties.

Improvements like this by Stripe don’t just help our own customers. Card testing attacks use the first organization targeted as a stepping stone to further abuse of the financial system. When we stop the first attack, _later_ abuse is less likely to happen.

Without knowing which of their cards are still valid, fraudsters have less economic incentive to steal cards or purchase them. Their active exploitation of the cards for value, which may be against our customers or any other business in the economy, becomes harder to pull off.

Running several invalid cards prior to a valid card is *noisy*. A casher (person attempting to turn purloined cards into money) who cycles through twelve cards trying to buy a PlayStation 5 is signaling to the e-commerce site “I am probably not a good-intent customer.”

Forcing fraudsters to be noisy makes direct harm less likely (the e-commerce site would be less likely to ship the PlayStation and bill an innocent) and makes enforcement efforts more likely to succeed (because now a single actor has an evidentiary trail demonstrative of fraud).
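As an added illustration of the "many cards, mostly declined, tiny amounts" signal described above, here is a small detector run over constructed authorization attempts, with the thread's remedy (friction only for flagged actors) attached. This is example code written for this page, not Stripe's system; the event format, the actor key, and every threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample of authorization attempts: (actor, card_token, outcome, amount).
# "actor" is whatever ties attempts together (session, IP, device fingerprint);
# the card tokens are made up and stand in for tokenized card numbers.
SAMPLE_EVENTS = [
    ("actor-1", "tok-a1", "declined", 1.00),   # six different cards, five declines:
    ("actor-1", "tok-a2", "declined", 1.00),   # the "cycle through cards" pattern
    ("actor-1", "tok-a3", "declined", 1.00),
    ("actor-1", "tok-a4", "approved", 1.00),
    ("actor-1", "tok-a5", "declined", 1.00),
    ("actor-1", "tok-a6", "declined", 1.00),
    ("actor-2", "tok-b1", "declined", 25.00),  # honest typo, same card retried
    ("actor-2", "tok-b1", "approved", 25.00),
    ("actor-3", "tok-c1", "approved", 50.00),  # ordinary donor
]

def actor_stats(events):
    """Aggregate per actor: distinct cards, attempt count, declines, amounts."""
    stats = defaultdict(lambda: {"cards": set(), "attempts": 0, "declines": 0, "amounts": []})
    for actor, card, outcome, amount in events:
        s = stats[actor]
        s["cards"].add(card)
        s["attempts"] += 1
        s["declines"] += outcome == "declined"
        s["amounts"].append(amount)
    return stats

def flag_card_testing(events, min_cards=5, min_decline_ratio=0.5, probe_amount=5.00):
    """Return {actor: reasons} for actors matching the card-testing pattern.
    All three thresholds are illustrative assumptions, not Stripe's values."""
    flagged = {}
    for actor, s in actor_stats(events).items():
        decline_ratio = s["declines"] / s["attempts"]
        typical_amount = sorted(s["amounts"])[len(s["amounts"]) // 2]  # median
        reasons = []
        if len(s["cards"]) >= min_cards:
            reasons.append(f"{len(s['cards'])} distinct cards")
        if decline_ratio >= min_decline_ratio and s["attempts"] >= 3:
            reasons.append(f"decline ratio {decline_ratio:.2f}")
        if typical_amount <= probe_amount:
            reasons.append(f"typical amount {typical_amount:.2f}")
        # Card velocity plus at least one corroborating signal, so a donor who
        # mistypes a card once is never challenged.
        if len(s["cards"]) >= min_cards and len(reasons) >= 2:
            flagged[actor] = reasons
    return flagged

def action_for(actor, flagged):
    """The thread's remedy: add friction (a challenge step) only for flagged actors."""
    return "challenge" if actor in flagged else "allow"
```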

This is just one example of a change we’ve recently made to passively upgrade the credit card ecosystem, for all users of it. We have actually done much more, and will continue to do so. I hope to be able to discuss some of the magic in the future.

If you’d like to read more about card testing specifically, see https://t.co/9Pgduu0cft, which has some recent figures about the scale of the problem and some success in fighting it.