Preventing Fraud on Your Payment Website - JSJ 534

Today we talk with Paul Asjes, a developer advocate at Stripe. We get some insight into creating a more secure site for credit card transactions. We also discuss card testing, or account stealing, techniques that are used to gain access to active credit cards. This topic is very important because it can have big financial consequences, and if serious enough, could cause a business to close. Paul gives us some techniques and strategies to discourage and prevent this activity.

Special Guests: Paul Asjes

Show Notes


On YouTube

Sponsors

  1. Top End Devs
  2. Coaching | Top End Devs

Links

  1. Stripe
  2. Stripe Developers - Discord
  3. Stripe Developers - YouTube
  4. LinkedIn - Paul Asjes 
  5. Twitter: @paul_asjes

Picks

  1. AJ - The Black Prism
  2. AJ - The unnamed city that I now live in
  3. Charles - Machi Koro
  4. Paul - Stripe Sessions
  5. Paul - Takecarebnb
  6. Steve - How to Freaking Find Great Developers By Having Them Read Code
  7. Steve - Dad Jokes

Transcript


CHARLES MAX_WOOD: Hey everybody. And welcome back to another episode of JavaScript Jabber. This week on our panel, we have Steve Edwards. 

STEVE_EDWARDS: How are you from Portland? 

CHARLES MAX_WOOD: AJ O'Neill. 

AJ_O’NEILL: Yo, yo, yo. Coming at you live from the almost new office. 

CHARLES MAX_WOOD: Almost new office. Is this an almost new home office? 

AJ_O’NEILL: Well, it's, it's a new home to us and the office is almost set up. 

CHARLES MAX_WOOD: Gotcha. That's what I was wondering. All right, cool. I'm Charles Max Wood from Top End Devs. And this week we're talking to Paul Asjes. Paul, do you want to introduce yourself, let people know who you are, why you're famous, all that good stuff? 

PAUL_ASJES: Sure thing. Although I don't know about the famous part, but hello, my name is Paul Asjes. I'm a developer advocate working for Stripe and I am based in and am from Amsterdam.

CHARLES MAX_WOOD: Very cool. I've been to Amsterdam, cool city. 

PAUL_ASJES: I can only apologize. 

CHARLES MAX_WOOD: I only spent a few days there. 

 

Anyway, hey folks, this is Charles Max Wood from Top End Devs. And lately I've been working on actually building out Top End Devs. If you're interested, you can go to topendevs.com slash podcast, and you can actually hear a little bit more about my story about why I'm doing what I'm doing with Top End Devs, why I changed it from devchat.tv to Top End Devs. But what I really want to get into is that I have decided that I'm going to build the platform that I always wished I had with devchat.tv and I renamed it to Top End Devs because I want to give you the resources that are gonna help you to build the career that you want. Right? So whether you wanna be an influencer in tech, whether you want to go and just max out your salary and then go live a lifestyle with your family, your friends, or just traveling the world or whatever, I wanna give you the resources that are gonna help you do that. We're gonna have career and leadership resources in there and we're gonna be giving you content on a regular basis to help you level up and max out your career. So go check it out at topendevs.com. If you sign up before my birthday, that's December 14th, if you sign up before my birthday, you can get 50% off the lifetime of your subscription. Once again, that's topendevs.com. 

 

CHARLES MAX_WOOD: We brought you on today to talk about a talk that you gave at, I think it was a sneak conference, about card testing. 

PAUL_ASJES: Yes, that glorious activity that is card testing. 

CHARLES MAX_WOOD: And it seems like more and more across various shows that we do at Top End Devs, that we're talking about security, DevSecOps, stuff like that where we're looking at it and going, how do we make sure that we're not causing people problems and in turn having to clean up some mess that somebody is making in the financial setup? So you want to just set the stage for us as far as what card testing is, what kind of fraudulent activity you're looking at, and then we can dive into how we as developers deal with it? 

PAUL_ASJES: Sure. So I'll start off with just a quick little definition of what it is. So card testing, or also known as carding, or sometimes known as account stealing in other places, is essentially the activity of taking a chunk of stolen credit cards and verifying that they actually still work. So the very abridged TLDR version of how the fraud works is that you, an unscrupulous person, go on the dark web, you purchase a cache of credit cards with usually expiry dates and CVCs, which is that three to four digit number at the back of your card. And you then try to see of that cache which of those cards actually can be used to make purchases. Because the dark web being the dark web, meaning that you probably can't trust everyone there. So you want to make sure that the cache that you purchased actually has some working cards in there. Then once you have a cache of working cards, you can then sell those onto someone else or use them for your own nefarious purposes. The reason why this is important for web developers is that the target of this card testing is a lot of the time small companies or sometimes large companies who use a payment processor like Stripe. They're essentially using your Stripe integration or your secret API key to get to the credit card networks to test whether these stolen cards actually work or not. And this can cause all sorts of problems for absolutely everyone involved, except for the card testers themselves. Predominantly from the, started with just the card side of things, which is the three major networks, Visa, MasterCard, American Express. Actually doing a validation on a charge costs money, right? Even though it's just an API call, everything costs even like the majorest amount of cash. 
So the more fraud that happens on their systems, the worse they look, and the more- The more fraud happens also means the more disputes happen because if you happen to be someone whose card did end up in one of those caches and you find a charge on your credit card that you don't recognize, you're probably going to tell your bank and they'll probably refund you the whole amount, which opens up a dispute. Disputes are expensive. Disputes also for an end user, someone who's a customer of Stripe, as in a business, disputes basically ruin your reputation and they get more disputes. There's kind of a downward sloping spiral of terribleness. What makes it even worse as well is that if someone successfully card tests against your system, you might end up with thousands of fake customers, fake charges, disputes, and a whole lot of things that you need to refund if the bank already hasn't stepped in and opened up disputes against you. So, actually, a successful card testing attack against a developer can be a business ending event because disputes cost money. And if you have enough of them payment processors might just decide to not want your business anymore if they feel that you're not taking adequate steps to protect yourself. And when it comes to protecting yourself, there's a bunch of different ways to do this, but it all kind of comes down really to good security practices. A large one is for very obvious reasons, don't share your secret API key or don't let anyone else have access to it. Now, you laugh Charles, you'd be amazed how often this happens. People check their secret API keys into Git all the time. 

CHARLES MAX_WOOD: Okay, okay, yeah. 

PAUL_ASJES: In public GitHub, happens all the time. And it's always a nightmare. 

AJ_O’NEILL: This is something that I have a hard time convincing people of because even if it's a private repository, you should not commit your keys into a private repository because at some point...You might repartition things and decide, oh, okay, we're actually going to make this little bit of our code open source and it's in the good history and it doesn't go away. 

PAUL_ASJES: Exactly. What I've seen people do as well is accidentally commit their secret key go, oh no. And then they kind of commit over it, deleting it, not realizing that it's in the history. It's there forever unless you actually purge it 

AJ_O’NEILL: and get the OG blockchain. 

PAUL_ASJES: Exactly. Yeah, I mean, it's a scary world out there. People have set up bots to essentially scan random GitHub repositories looking for things that look like secret keys. And you cannot be careful enough with this stuff, especially since if your key does get leaked and it's your fault, there's very little companies like Stripe can do to help you. Because that's kind of a, I know this is going to sound terrible, but it's more of like a, this is a you problem. This is your security wasn't in a right place. And there's only so much we can do to help. So when it comes to like actually protecting yourself, funnily enough, one of the best ways to do so is also one of the common ways to provide some sort of security on the internet is a CAPTCHA, very simply. And everybody hates them. Nobody likes seeing them. Those are really annoying, but they do take care of a large part of the problem, which is that these fraudsters are using scripts to bypass your front end and go directly to your back end. Right. How that works is that say that you have a storefront on a webpage and in that storefront, you make a request to your backend, which creates a charge on Stripe or a payment intent as we call it. Then you would usually take that client, that payment intent client secret. And then you would verify it and confirm it on your client, on your front end. What fraudsters do is bypass your front end entirely and try to make a post request directly to your backend, which is unsecured, which means that they kind of have access to your secret key without actually knowing your secret key. They're just using your backend infrastructure as a proxy, which adds another layer of like terribleness to those situations, in that being DDoSed by card testers is a very real thing that happens a lot because they are going to try to get through a huge cache of stolen cards very quickly to make sure they're not detected. 

CHARLES MAX_WOOD: Interesting. So I'm just, I'm trying to think through cause I use Stripe for example, right? And so, and I've done it a couple of different ways, right? I've used Stripe connect. I think that's what it's called, right? Where, where Basically, I just hand it off to you guys, right? It goes to a Stripe page, they pay, hits my webhook, blah, blah, blah. And I've done it the other way. 

PAUL_ASJES: That's Stripe checkout. 

CHARLES MAX_WOOD: That's Stripe checkout. And then I've done it the other way where they submit to my backend and then my backend makes an API call to Stripe's backend using that private key and does all the things, right? So what do I need to be doing in either of those circumstances in order to avoid this kind of a thing? 

PAUL_ASJES: Well, if you use checkout, then you're pretty much covered because...He said checkout is a, well, yeah, for the most part. Checkout is completely hosted on a Stripe domain. And we have these checks in place. So we actually have automatic CAPTCHAs set up for checkout, where if we detect that the traffic to the checkout domain is a little sus, then we will automatically stick a CAPTCHA in front of the person or bot trying to make the purchase. It's a little different on your own site, so that other method that you mentioned. Some people don't like having to use a Stripe page, they prefer to have the entire payment process happen on their own domain in their kind of UI and it matches the visuals they're trying to go for, or for whatever reason, they want it to be on their own website. You can still use Stripe for that, as you said, where you basically make a backend request and then from there that talks to Stripe's APIs and that makes the charge that way. So the big key here...is, as I explained before, fraudsters will try to bypass your front end entirely and hit your backend endpoints, which is the one that then talks to Stripe's APIs. Now, it's really hard to tell if traffic is coming from your own front end or is coming from a random curl request or a script somewhere. It is, as you probably know, ridiculously easy to spoof a user agent, so you can't rely on that. You could do some sort of really advanced stuff like do some RSA fingerprinting, but that's hard to do and also not always effective. The only real way that I found that really protects you against this in a reasonable manner is having a CAPTCHA with server-side verification. 
Now, what that means is that when you complete a CAPTCHA on your front end, you send a key that you get back from the CAPTCHA after successful completion, and you send that key in your post request to your backend so that when your backend receives the payload of, I want to make a charge for this amount, and also here's the CAPTCHA key. Your backend can then make a third party API request to whatever CAPTCHA service you're using, like hCaptcha or reCAPTCHA from Google. And basically, with that key, say, hey, was this CAPTCHA successfully completed or not? Now, that key is very difficult to spoof, because you've got the power of Google engineers thrown at that particular problem to make sure that no one can spoof that particular ID. By that way, your backend might not know where the request came from, but it will know that whoever it came from, it completed a CAPTCHA that is associated with your CAPTCHA account. So that way you can say, okay, this is real. I can now process the payment as I normally would. And that's going to stop about 99% of card testers out there. And not just that, but card testers happen to be extraordinarily lazy. They are a lot of them not really in this because they hate you in particular, they're in this because they're trying to make a quick buck as fast as possible. And if they detect any sort of pushback from your website, they're going to move on to their next easier, juicier target as much as they can. So it's really not so much, it's kind of like that old joke of if you find you're running away from a lion, you don't necessarily have to outrun the lion, you have to outrun your friend. It's kind of the same with card testing where you don't necessarily have to be foolproof in making sure that no one can attack your services. You just have to make sure that you have some protections because already you kind of disincentivize anyone from attacking your systems. 
It's very rare for a card tester in our experience to then say, I'm gonna continue to try and break this one person's integration. Unless they for some reason really hate you, which does happen. 

AJ_O’NEILL: Do you find honey pots to be of any use or is that just stupid to do? 

PAUL_ASJES: No, not at all. So...One of the things that Stripe actually looked into doing was essentially returning false positives for these verifications. And it's very interesting why you would do that because card testers, when they, although people who sell cards on the dark web, it's all 100% reputation-based because you can't have like Trustpilot for people selling stolen stuff on the internet. So if you sell a cache of cards, and it turns out that only 1% are actually real cards. Or I should say even smaller than that, like 0.1% are actual valid cards. You might get a bad reputation. Or if you find out that the cards that you are selling as verified turn out to not be verified, you might be annoying your customers down the line. So by returning, it's kind of like a honeypot, I guess. I hope this is what you were talking about, what you meant there. In this case, if you return false positives, you can hit the card testers where it really hurts, which is their reputation. And if they lose their reputation, they won't be able to sell any more verified cards. Is that what you were alluding to, AJ? 

AJ_O’NEILL: I realized that my question is quite ambiguous because the honeypots mean a lot of different things. I was thinking of... but I'm glad to hear this. But I was thinking of using honeypot fields, like where you put name equals credit card, but if that gets submitted, then you know that that one is fake. And instead, you look for a field that's name underscore definitely not a credit card. And that's where you have the credit card go and that sort of honeypot. 

PAUL_ASJES: I see what you mean. So that's actually not gonna help a huge amount because the card testers will, it pretty much 99% of the time will actually avoid your front end altogether. They're not gonna hit your, they're not gonna write a bot that's gonna fill out the credit card form on your site and then try to submit it. They're instead going to look at the API request you make from your front end to your backend and try to make a very similar API request to your backend, but eliminating the frontend entirely. Skip taking out the middleman and just hitting your backend. So having a honeypot in that respect won't really do much because they're not really interested in ever looking at your frontend. 

AJ_O’NEILL: Interesting. Got it. 

CHARLES MAX_WOOD: All right, so you put the captcha up. That scares off most of these guys or gals. Let's not be sexist, right? These people. Yeah, so I mean, is that...It sounds like that's kind of the first best step, but are there other things that we should be doing to make sure that we're protecting ourselves and our customers? 

PAUL_ASJES: Yeah, the name of the game really is just adding barriers, adding anything that's going to annoy these card testers enough to make them think like they want to go somewhere else and try something else. 

CHARLES MAX_WOOD: Without annoying our customers though, right? 

PAUL_ASJES: Exactly. There's a very fine line you have to walk here because you don't want to put up too many barriers where it annoys real customers. So a popular one is making sure that everything is authenticated. So if you have, if your service or site requires you to create an account, that's already a barrier that most card testers will want to go down. 

CHARLES MAX_WOOD: Do you have them create the account first and then enter their credit card information? 

PAUL_ASJES: Yes, for instance. So obviously the problem here is that if you want people to be able to check out as guests, that makes it a bit more difficult, but this is, this is really, it comes down to how much pain are you willing to tolerate? Are you willing your users to tolerate? What I suggest for a lot of anyone who's accepting payments on the internet is to have a bunch of these mitigations in place, so either disabling guest checkout or having a CAPTCHA, but have them behind some sort of feature flag so that if you find yourself under attack by card testers, and you'll know this when it happens because you'll see your Stripe logs will just explode with people trying to create a payment thousands of times per second, then you can very easily activate this flag or whatever, turn on the CAPTCHA, and kill a lot of this traffic. So one thing I should mention here is that I'm kind of making it seem as if Stripe leaves you high and dry. We don't. We actually use all of these mitigations ourselves as well. So we do have, if we detect card testing on your account, we will do everything that we can to mitigate it. And that includes rate limiting. It's a very good way to stop this. Because if you've got someone who's testing thousands of cards a second. They usually have when they buy these caches from the dark web, you know, there are tens of thousands of cards. So if you make it so that they can only from like a specific IP, if they can only process one charge per second, then their time to completion has gone from, you know, hours to potentially years. That's mostly enough for a lot of people to kind of stop looking like kind of leave you alone. So Stripe does that as well. So we do have rate limits where we go on a per IP basis, we can say, okay, you've had enough, you need to slow down a little bit. This is of course, this is mitigated as well. Like anyone who's listened to this, who knows anything about security can say, but aha, I can just have dynamic IPs. 
I can use proxies. And like, yes, that is true. But the real thing here is, is by adding these barriers, you hit the card testers where it really hurts, which is their bottom line. This particular step of the fraud, which is kind of the middle step. The first step is, acquire stolen credit cards. The second step is purchase those cards and card test them. And the third one is then take those cards and actually do something with them and launder your money, which is actually a very difficult, expensive process to do. So all these card testers are just the middle part of this fraud ring. And they operate on razor thin margins because buying untested cards is relatively cheap. And because the barrier to entry for card testing can be very low because you can just buy scripts online that do this for you. It means that you can't. And because the...chance of you actually getting caught and suffering any sort of consequences from like a legal point of view is next to impossible as well because you've got people who are doing this are usually behind several proxies, they're in a different jurisdiction, different country, it's almost impossible to catch them. So because it's low risk and because it's cheap to buy these cards to begin with, when they sell these verified cards on to the next person, they sell it for like a razor thin margin. So by adding any kind of barrier, you make it more expensive for them. And by making it more expensive, it makes it not worth their while anymore. 

CHARLES MAX_WOOD: Right. The good old fraud economy, right? 

PAUL_ASJES: Good old fraud economy. It's a, wherever there is money, especially with the internet, it's going to be there. 

CHARLES MAX_WOOD: Yeah. So that makes sense. 

AJ_O’NEILL: The people with these skills, can they not get a job making more money? I mean, if you're operating on razor thin margins, wouldn't you just want to put your skills into the market and get a real job? 

PAUL_ASJES: I mean, that is an excellent question. And the problem is that we really don't know. Like we don't know who these people are. The most information we can usually get is maybe a geographic location. I won't mention country names, but there's a lot of countries where a lot of the stuff tends to come from. And those tend to be countries which are on the lower end of GDP, shall we say. So it could be a reason just because there aren't any other jobs available for this, for these people. And they just turn to this particular life of crime because they can put their skills to use there. But I would say that it also doesn't require a huge amount of skill to do this. I hope that nobody listens to this and then decides to pick up a life of piracy or doing this themselves, but it's not necessarily difficult as long as you can write some sort of script that can hit a backend and then do that a lot based on like a database of stolen cards. It's not that hard to do. I think the hardest part really is finding out where to buy and where to sell these things on the dark web or even how to connect to the dark web in the first place. Yay, dark web. 

AJ_O’NEILL: Well, people throw around the term dark web to me. I just thought that meant. There's no such thing as the dark web. It's just places on the internet that are bad places where criminals hang out. Right? 

PAUL_ASJES: When we say dark web, we usually refer to a Tor network really, or any kind of network where the point is that you are somewhat guaranteed full anonymity when going into the network and you have certain sites that only exist within this network and not outside of it. So. As an example, you might remember from several years back, the Silk Road, that infamous website where you could buy drugs, that was on the dark web. And the whole point behind that was that no one knows who you are when you're buying and or purchasing said drugs, and or selling, I should say. 

CHARLES MAX_WOOD: I've only heard it over dramatized in TV shows. 

PAUL_ASJES: Oh yeah, for sure. The dark web, if you look at TV, you'd think that that's where Thanos hangs out or something like that. Or some really, really weird stuff happens there. And you can only access the dark web if you happen to be wearing a ski mask. 

CHARLES MAX_WOOD: I need to get a ski mask.

PAUL_ASJES: Makes hacking way easier if you're wearing a ski mask. 

CHARLES MAX_WOOD: I know, right? 

AJ_O’NEILL: I just turn on the lights and put on my hoodie. 

CHARLES MAX_WOOD: I find that works for me. So one thing that I'm wondering about, because you're saying that, you know, yeah, most of these folks, they're going to be going out of their way to find kind of the easiest path to this. But that doesn't necessarily mean that even if I take these mitigation steps, somebody might not just target me, right? 

PAUL_ASJES: Yeah, someone could, somebody who has a grudge against you could just target you. And that is something that we've seen before where certain large companies have just been targeted by a very, I should say, a very stubborn group of fraudsters who for some reason just really wanted to ruin the day of this particular company. And it's kind of baffling because we were actually working together with the company in question where every time we would put up a new mitigation, the fraudsters would then try to circumvent it somehow. And it was this huge game of cat and mouse where a lot of the time what would turn out to be the best solution was just to be really upfront with our rate limiting and rate limit every time we identified new IPs that these requests were coming from, to ban them almost as soon as they came up. And it was just this huge game of whack-a-mole that lasted, if I remember correctly, days. But luckily that's pretty rare. Like you have to be pretty hated on the internet, I think, for someone to spend that much effort trying to ruin your day in particular. 

CHARLES MAX_WOOD: Right. Because if you take these mitigation efforts, then yeah, it makes sense that for the most part, people are going to move on and only somebody who specifically for whatever reason feels like they have to use your site is going to cause you issues. 

 

Hi, this is Charles Max Wood from Top End Devs. And lately I've been coaching some people on starting some podcasts and in some cases just taking their career to the next level. You know, whether you're beginner going to intermediate and intermediate going to advanced, whether you're trying to get noticed in the community or go freelance. I've been helping these folks figure out how to get in front of people, how to build relationships and how to build their careers and max out and just go to the next level. So if you're interested in talking to me and having me help you go to the next level, go to topendevs.com slash coaching. I will give you a one hour free session where we can figure out what you're trying to do, where you're trying to go and figure out what the next steps are. And then from there we can figure out how to get you to the place you want to go. So once again, that's topendevs.com slash coaching. 

 

PAUL_ASJES: Another couple of things that I can recommend is one of the, it's not just for protection from card testing, but in general, a mistake that I see lots of people make when it comes to building their first payments integration is never let the client decide how much you're going to charge. By that, I mean, don't send in your payloads to your backend and say, oh, this is a post to my create payment intent, amount is like a thousand or whatever, because those are so easily intercepted and changed. It means that generally speaking, anyone could try to purchase something from your website and charge themselves something way different from what you're intending to charge. So the card testers love this because the smallest amount that you can charge with Stripe is 50 cents, 50 US cents or equivalent in your local currency. And you ask yourself the question, like if your credit card happens to be the target, would you notice a 50 cent charge on your card? Probably not. 

CHARLES MAX_WOOD: 50 cent charge? Yeah, I wouldn't see it. 

PAUL_ASJES: A 50 cent charge, randomly in the middle of somewhere? You probably wouldn't notice that, right? Whereas if you- 

STEVE_EDWARDS: Well, I would. And I have. 

PAUL_ASJES: Okay. 

STEVE_EDWARDS: I had like a couple fraudulent charges on a card one time and I'm anal enough that I noticed it and said, I think there's a couple of charges here that aren't mine. And I think they'd actually bounced off. You guys didn't care. I mean, you are. I will notice those things. 

CHARLES MAX_WOOD: Yeah, I guess that's true. 

PAUL_ASJES: You are one of the few super humans.

STEVE_EDWARDS: I don't know superhuman, just call me anal. 

CHARLES MAX_WOOD: Well, my wife and I, we're talking about some financial stuff these days. And so we're watching our budget a little bit more. So it would get caught if we're saying spending this much out of this category and this much out of this category. Yeah. If we see a 50 cent charge come through and it's like, don't know what this is while we're keeping track of our budget. Yeah. I could see people finding it that way. 

AJ_O’NEILL: So I've switched to One Finance. I used, I used to use. Oh, I forget what it was called now before that, but they went away and now there's One Finance and what it allows you to do is create an infinite number of bank accounts. So you can have a bank account for each utility so that if any one of them gets leaked or compromised or you just for budgeting purposes, you know, you just put the money and have the money auto go into each of the accounts and then they have them all separate so that you don't. 

CHARLES MAX_WOOD: Interesting. 

AJ_O’NEILL: You know, it's easier to notice things when they're wrong and easier to budget. 

PAUL_ASJES: So fun fact. This is actually how wallets like Apple Pay and Google Pay work. When you type in your credit card number into Apple Pay or Google Pay, they actually create a digital card to be used instead of your card number, which means that when you make a charge with either of those payment wallets, the card number that goes through in that transaction is different from the card that's in your pocket. And they do this as a way to, if that card gets burned, as in if it's the subject of fraud, they can just delete the card. 

CHARLES MAX_WOOD: Just turn it off. 

PAUL_ASJES: And then...They can just turn it off and then they can or they can just roll a new card number for you to use without you the card holder having to get a new card issued. It's pretty smart. 

AJ_O’NEILL: So I've wondered how that works because there's not that many digits on a credit card. And what is it, 60% of them are to identify the bank and the sub merchant. So there's only what, four or five numbers left over for you at the end of it all. Or maybe I've got that completely wrong.

PAUL_ASJES: So you kind of touched on a bit of a problem here. So it is actually surprisingly easy to guess a card number. So most cards in the world, there are some exceptions, but most of them have 16 digits in the end. The first, which is called a BIN, B-I-N. So the first six digits are the identification for the bank in question or the issuing bank. And then the rest of the digits are just to differentiate from others. So it's...What makes it interesting as well is that the, to how like front end components determine whether a card that you type in is a real card or not, which happens in real time, is that there's actually something called the Luhn algorithm where you can actually run to check to see if the card entered is real or not. It's kind of a self-checking algorithm. 

AJ_O’NEILL: It's just a checksum, right? It takes... if the first three digits start with this, then you multiply by that and you add seven at the end. And if, you know, if it's divisible by three, then it's a real card.

PAUL_ASJES: Exactly, which means that guessing card numbers is actually really easy, because it's not that difficult to brute force this stuff once you have the algorithm, which is public domain; like, everyone knows how to do this. But what differentiates cards is that it's much harder to guess a correct card number but also have the correct expiry date and the correct CVC. That is way harder to do. And that's how you differentiate, because you're absolutely right: you'd think that with only 16 digits we would very quickly run out of numbers, but numbers get recycled all the time. Like, when old numbers are burned, as long as you provide a new expiry date and a new CVC, it adds enough randomness into the mix that it's sustainable for a while. But also bear in mind that this is like most things in the financial system. This is something that was created in the 50s and 60s, and they didn't really think about long term how this is going to work. So I don't know, who knows? Maybe one day we'll swap out credit card numbers for UUIDs and that'll be a problem some billion years in the future. 

AJ_O’NEILL: So what about with the chipped cards? I mean, I guess this is not really your domain, because you're looking at online where somebody's manually entering in something. But the chip cards have more digits available to them in the chip? 

PAUL_ASJES: No, the chips actually... as far as, I mean, I'll admit this isn't my particular area of expertise. But to my understanding, the chip basically just communicates the same data you would find on the card. So card number, CVC and expiry date, all kind of in one quick... So same with the NFC technology. And if you swipe the magnetic strip as well, it gives the same information you would find on the card otherwise. And this is kind of a, this is not to hate on the US or anything, but this is one of the reasons why credit card fraud is so prevalent in the United States compared to the rest of the world: in most other regions, if you provide a debit card, for instance, you have to provide a PIN as well to be able to successfully create a charge. That adds just enough extra protection to stop your card from being stolen and to stop this kind of fraud from happening. Because as of right now, there's nothing really stopping me from taking, for instance, AJ's card and going online and starting a shopping spree. Even though it's recommended that you provide a billing address when you make a charge, it's not actually necessary to create a charge. All I need is the 16 digits, expiry date and CVC, which means if I go online, I could go on a shopping spree as soon as I know that I have a card with those valid digits. However, in most other systems, you need to not just have the card, but you need to have some sort of two-factor-authentication-esque information, like a four-digit PIN or a two-step process on an app, for instance. This is actually something that I talk about as well, like, how do we solve card testing once and for all? Because everything that I've explained so far is really not so much "how do we solve it" but more "how do I get them to not target me?" 
Now, the sad thing, well, I guess the good news is that there is a way to stop this once and for all, and that's to require some sort of two-factor authentication for every single online purchase that you make. Now, the EU has actually already done this. In 2019, they passed a new law called Strong Customer Authentication, or SCA, and what it means is that every single transaction made within the EU, like any card or otherwise online transaction, must be accompanied by some sort of two-factor authentication. So this can either be like a password or a PIN or like a fingerprint on an app afterwards. But what this does, by adding this two-factor authentication, is that even if someone manages to steal your card digits and either guesses or steals the expiry date and CVC, they can't make any charges with it because they're lacking that extra two-step authentication. So the good news is that this is live in Europe. And it works, because we've seen already that there's a significant decline in card testing coming from European cards. The bad news is that, to my knowledge anyway, there is absolutely no movement in getting something similar passed in the United States. So this needs to be changed from a policy level; it needs to come from high up to be able to say, okay, this is how we combat card testing forever. And then it comes down to what would you prefer: flashing your card, punching in some digits, and getting the thing that you want delivered? Or do you have to go for the extra step of receiving a phone call, or getting a text, or punching in a PIN? 

CHARLES MAX_WOOD: Is this only online, or is it when I go to the grocery store and stuff too? Because if I have the physical card in hand, I think that might be a little bit different than if I'm doing it online and want somebody to text me and say, did you really spend this money? 

PAUL_ASJES: Well, usually when you're in person, your card will be accompanied with some sort of PIN, normally. 

CHARLES MAX_WOOD: Okay.

PAUL_ASJES: Not in the US, where they basically make you sign for something. And then, at least in my experience, nobody ever actually checks the signature on the card against the signature that you put on the bill. 

CHARLES MAX_WOOD: I will admit, I've done some funky stuff on the signature pad. I've drawn some really interesting pictures. Anyway, because nobody looks at it. 

PAUL_ASJES: Yeah, no one cares. Nobody looks, and even the banks don't particularly care. They just assume that as long as you have the card in hand, then you probably are the rightful owner of it, which from a security point of view is kind of ridiculous. 

CHARLES MAX_WOOD: Anyway, AJ, what were you going to ask?

AJ_O’NEILL: I'm going to comment. I think that the problem started with the top-down approach, is that the card companies essentially have bullied merchants into requiring the cards, and the consumer... everything's transparent to the consumer. I don't... what do I care about fraud? I don't have to pay for it. There's no incentive for an American consumer to care at all about fraud, because all of our credit card agreements say, "Hey, if you can't find something after you bought it within 30 days, just, you know, file a police report and we'll reimburse you." And so from our perspective, it looks like these cards are very generous and using that 3% to our benefit. But what's happening in reality that I think most people don't realize is that all of that detriment falls on the merchant. The merchant can get contacted 30 days later and have to pay for that thing, and so on and so forth. 

PAUL_ASJES: That, and also the credit card companies are not as magnanimous as you're portraying them. You are paying for those fraudulent charges. You might not realize it, but on average you are. So the American... this is probably strange, a bit far from the point here, but you still pay a certain fee for a credit card per year. And you might notice that those fees have been kind of steadily increasing over the years. The processing fee, which is 2.9% plus 30 cents in most places, that as well. 

AJ_O’NEILL: Paid for it in terms of the prices we pay, which are higher because in aggregate, the... but that's the merchant's responsibility; it's transparent to us. We don't pay per year for a credit card. Our credit cards are free except for some of the very luxe ones, you know, if you want the American Express Black, yeah, you've got to pay for that. But none of the typical cards have any sort of fee associated with them. I mean, maybe if you... I don't know under what conditions there would be a fee, but if you pay on time, then the card is free for you. We have stores, there's a store called WinCo where they do not allow credit cards and everything is 50 cents cheaper. But that's one of a kind. 

PAUL_ASJES: But yeah, I mean, you might not get a charge for using the credit card itself, but as you kind of said, yeah, this is all on the merchants, who then have to pay the price for it, kind of, disputes or fraud. And then their response would naturally be to increase their prices and kind of pass the cost on to you, the consumer. 

CHARLES MAX_WOOD: Yep. Well, they have to in order to stay in business. 

AJ_O’NEILL: But this is the same as quote unquote free shipping, right? I mean, everything on Amazon costs $5 more. 

PAUL_ASJES: Absolutely. 

AJ_O’NEILL: You can't... back in the old days, they used to have "order at least so much and then it's free." But now, yeah, just so many of these costs... you pay a lot more, there's a lot of a premium that you pay as a consumer that you don't really realize, and you don't really have much of a choice unless you happen to have one of these super specialty stores in your area like WinCo where they take it. Well, I mean, it's only people that want to be inconvenienced that shop at WinCo, but if it's worth it to save more and to have to type in the PIN or whatever, then that's fine. But in general, convenience always wins over security. I mean, name any instance where consumers have chosen security over convenience. 

PAUL_ASJES: Absolutely agree, which is kind of why I was saying that in order to really kind of fix this problem of card testing, it needs to be like a fundamental policy change and shift in thinking about how we deal with this industry. Because I think if you leave it to individual consumers and merchants, you're absolutely right, convenience is always going to win out. 

CHARLES MAX_WOOD: Yep. But I think you have made the case that if I'm running an e-commerce site or something else, or I'm taking credit cards for a membership site, it may wind up costing me. So I need to be vigilant about it.

PAUL_ASJES: You do. Like, I don't want to cause too much distress or alarm to people, but if you accept payments on the internet, for example on your e-commerce site, it behooves you to find out about card testing and how this fraud works and to protect yourself in this way. Because trust me, it's way better to have the mitigations in place and have nothing happen, because it probably is rare that something happens, because there are only so many fraudsters and there are millions of e-commerce websites. But if you get hit by this, it is potentially a company-ending event. It can be very pricey. 

CHARLES MAX_WOOD: Gotcha. 

PAUL_ASJES: Didn't mean to end on a grim note there, but is there anything else? 

CHARLES MAX_WOOD: Yeah, I was going to say, is there something else that we should be talking about here before we start winding down? 

PAUL_ASJES: I'll say that you should especially be careful if you are a donation website, for instance, if you're accepting donations. Because what I mentioned earlier was to make sure that your client never sets the amount you're looking to pay. Well, donation sites often operate in that model where you type in, okay, I will give $50 to this particular charity. And those websites especially need to be careful, because they are the favorite targets of card testers. They get to set their own amount, which means a lot of them will try to set the lowest amount they can potentially set, which is 50 cents in the U.S., and they tend to be able to fly under the radar for a long time before they get caught out. I've seen, you know, charities basically have to shut their doors because between refunding all the fraudulent donations and resolving all the disputes, they basically were left with nothing, which is very sad to see. 

CHARLES MAX_WOOD: Yeah. Good to know. All right. 

PAUL_ASJES: Well, I hope I didn't scare you guys too much. 

CHARLES MAX_WOOD: No, I have a website where I'm taking donations right now because I'm running for public office. 

PAUL_ASJES: Yeah. Use something like Stripe Checkout, or get a CAPTCHA. You want a CAPTCHA. Yeah. 

CHARLES MAX_WOOD: Sounds good. 

AJ_O’NEILL: I've got a question about... So what do you think about digital currencies and the future of the web there? Do you think that that will solve any problems, create new problems, no opinion? 

PAUL_ASJES: Do you mean like cryptocurrency? 

AJ_O’NEILL: Yeah. Specifically? 

PAUL_ASJES: Well, it's hard to say. And I have to be careful here because my employer has kind of dipped their toe into crypto as well. But the problem that I personally have with cryptocurrencies is that, to my knowledge, it's not actually being used for its intended purpose, which is to buy and sell things. I think most cryptocurrencies today are used either purely speculatively, as in just a way to quickly make money, or it's being used for fraudulent criminal activity. So there's a reason why whenever you get ransomware, they demand a payment in crypto. Because the problem that I really have with crypto is that if you are the... Sorry, go ahead.

AJ_O’NEILL: Sorry, that's why I said digital currency rather than cryptocurrency. Because whenever you say cryptocurrency, you're not really talking about digital currency. You're talking about investment scams. But there are a few digital currencies out there that technically fall into the category of cryptocurrency, but they're actually currencies. So Dash is the number one that comes to mind, because that's the one that I work with. And it's essentially like Venmo. But, you know, it defies the crypto scam genre. 

CHARLES MAX_WOOD: Well, I would also, just to weigh in on this a little bit further, I've been hearing from various governments, including the US government, that they're exploring digital currencies. And I'm not going to wade into all the political or economic whatever, but yeah, just from a security standpoint, you know, if you have some kind of digital wallet where you can or can't be identified, do those exchanges change the game? 

PAUL_ASJES: I'd say they do. And the main reason is just that as long as you add that extra layer of two-factor authentication, where you can prove beyond a shadow of a doubt that the person initiating the transfer of funds is who they say they are, then yes, that could absolutely help fix this. And I'm assuming that with... I'm not really familiar with Dash, but I'm assuming that there must be a layer there of, if you do want to move money around, you have to be an authenticated, identified user and potentially even use some biometrics to prove you are who you say you are. In that case, yes, that would absolutely help. But that's the same as what the European Union is doing with SCA, which is requiring that extra step of security before you can move funds around. 

AJ_O’NEILL: No, this one's more like cash. It's just you use it like you would use Venmo. You trade with people that you trust. 

PAUL_ASJES: So if you only trade with people that you trust, you don't send money to, like, a random merchant who then promises to send you goods?

AJ_O’NEILL: I wouldn't do that at this point. I think it makes sense in the online content scenario because it enables the scenario of micropayments. So you know how every single news site wants you to buy a 10-year subscription in order to view one article if you've exceeded your quota of one half of an article per month? I think that in that scenario, something like Dash has real potential, because you could just pay 30 cents to see it. It would be below credit card minimums. Yeah, I would never use... well, I can't say never, but yeah, I wouldn't use Dash to transact with a website that I don't feel has a lot of trust, or where the payment is really small. 

PAUL_ASJES: Yeah, that would really come down to... the nice thing of using Dash in that respect is that a lot of the security is being built by the Dash team. So you as a Dash user, on the one hand, you have to rely on Dash's security team; on the other hand, you don't have to worry too much about it yourself. But in terms of card testing, it really depends on how Dash has implemented their system and whether that can be abused. 

AJ_O’NEILL: Oh, well, yeah. So there actually is. There's Dash Direct and you get a MasterCard, but at that point you're transacting in your local currency. So when you go to run the card, you load the card with the amount that you're going to pay and you're paying in your local currency. But it's a fairly decent experience and it doesn't require KYC, which, I mean, this is not a talk of, we're not talking about privacy here, but there's- 

CHARLES MAX_WOOD: Now we're just laying in the weeds. 

AJ_O’NEILL: Well, but think about it this way, right? So on the one hand there's verification, but on the other hand there's, do I not have a right to just transact with someone without having to be tracked and traced? 

CHARLES MAX_WOOD: Yeah, absolutely. Fair enough. 

PAUL_ASJES: That's fair enough. But then I guess the counterpoint to that would be that if you go down that route of "I want to transact with anyone that I want," then that kind of opens up the door to bad actors doing stuff like card testing, where if they can get away with anonymously making these transactions, they might be able to use that in a detrimental way. So it's a huge trade-off. 

CHARLES MAX_WOOD: Yeah. I think we're way off in the weeds here. It's definitely an interesting thing to consider. But yeah, it sounds like to me that it really comes down to how it's all set up in practice as to how you transfer funds from one account holder to another account holder, you know, whether they're at the same institution or not. 

STEVE_EDWARDS: So I'm shocked that we got into the weeds with AJ here. I don't understand how that happens. 

CHARLES MAX_WOOD: It's not always AJ, Steve. 

STEVE_EDWARDS: Oh, okay. 

AJ_O’NEILL: Well, it's usually me, but here's the thing. I mean, when you listen to a podcast, don't you like it when they just start going down the road and figuring stuff out and learning? 

CHARLES MAX_WOOD: Sometimes, it depends, but in this case it was definitely an interesting exploration into something that I think is still kind of... I don't think we know all the implications as far as security. 

PAUL_ASJES: No, it's new territory. It's uncharted territory, I should say. 

CHARLES MAX_WOOD: Yeah, but I think we know enough to kind of speculate some as to what it might look like. So anyway, I'm going to push this to picks. 

 

Hey folks, if you love this podcast and would like to support the show, or if you wish you could listen without the sponsorship messages, then you're in luck. We're setting up new premium podcast feeds where you can get all of the episodes released after Christmas 2020 without the ads. Signing up will help us pay for editing and production, and you can go sign up at devchat.tv slash premium. 

 

CHARLES MAX_WOOD: AJ, do you want to start us off with picks? 

AJ_O’NEILL: I do. Let's see, what am I going to pick? So I'm going to pick again the book series that my wife and I have been listening to, which actually, I think this is because of you, Chuck, the Black Prism. You were the one that first mentioned it, weren't you? 

CHARLES MAX_WOOD: Yep. 

AJ_O’NEILL: Yeah, so again, the language is a bit foul, but gosh, the story's intriguing. And so I'm now in the fifth book; my wife already finished. So she's been waiting for me to finish so we can talk more about it. And I'm also going to pick the unnamed city that I now live in. It is just so cool to be a homeowner in a real neighborhood with other homeowners, and the city, every interaction that I've had with the city, transferring utilities and all this other stuff... And this is more of a homeowner city than a metropolitan apartment city. And so I think the city behaves differently because it's servicing a different type of customer, maybe. I don't know. I'm just speculating there. But every interaction that I've had with the city has been pleasant. The people are really, I don't know, they seem to be happy in servicing the citizens. And I don't know. It's nice to live in a place that is predominantly homeowners. It's a different feel. So not to knock on people who live in apartments, because I was doing that my whole life and I didn't have any plan of stopping, but it's what my wife wanted and we did it and I'm happy about it. 

CHARLES MAX_WOOD: Nice. Steve, what are your picks? 

STEVE_EDWARDS: Well, we'll go with an article. First thing out of the gate, other than the high point of the dad jokes, is an article that I came across yesterday on Hacker News. And to me, it sounded intriguing because I've heard entire podcasts about this subject before. And we're in the process of hiring, or rather trying to hire, as the case may be, which is very difficult at this point in time. But, you know, speaking for myself, when I have been through hiring processes in the past, sometimes they involve multiple interviews, sometimes they'll involve take-home projects (don't get me started on those), or maybe some online code tests or something like that. But this article talks about the benefits of finding great developers by having them read code. Like I said, I've heard, I think I've interviewed people, I lose track of everybody over the years, talking about reading code, getting into reading the source code and trying to understand and explain how it works. And it's what I have to do every day when I get a new assignment on the application that I work in. So the specific title is, quote, "How to Freaking Find Great Developers by Having Them Read Code." It's on a website called Freaking Rectangle, so the title makes sense. So anyway, I will put the link to that in the show notes. Now for all of you math people, some of you might catch this right out of the gate. But what is a pumpkin's circumference divided by a pumpkin's diameter? 

CHARLES MAX_WOOD: Pumpkin pi. 

STEVE_EDWARDS: There you go. Very good, Chuck. That's very good. Yes. Most people don't get that. So pumpkin pi, just P-I, not P-I-E. 

AJ_O’NEILL: I was muted, but I audibly groaned.

STEVE_EDWARDS: Thank you. I always appreciate the groans. Now in the past, I've talked about my sometimes spotty job history, where I've gotten fired from different jobs. Here's another example. One day I saw someone waving. I wasn't sure whether they were waving at me or someone behind me, but that was how I lost my job as a lifeguard. Sorry, I forgot the drum jokes today. I got so caught up in my jokes. 

CHARLES MAX_WOOD: We need a groan sound effect on there. 

STEVE_EDWARDS: Yes, we do for sure. If you can find it, let me know and I can upload it and we can use it. I'm more than happy to diversify. And then finally, my wife thinks it's weird that I stare out the window during a heavy rainstorm, but it would be a lot less weird if she'd just let me in. Thank you. So those are my jokes for the week. 

CHARLES MAX_WOOD: They were awful. 

AJ_O’NEILL: When did we stare through a heavy rainstorm? Uh, through the window? Cause if you're looking through the window, wouldn't you be inside? 

STEVE_EDWARDS: Thank you for that semantic correction. Yes, I agree, "through" might be a little better. I'll contact the writer of the joke and let them know. 

AJ_O’NEILL: Yeah, thanks. Because I think it's really important that we have honesty and joke clarity, yeah. Transparency and joke writing and telling. 

CHARLES MAX_WOOD: Especially transparency in window jokes. All right. I'll quit while we're ahead. You know, somebody is taking all these and telling them to their kids, right? Anyway, I'm going to throw in some picks. So the first pick I have is, I'm not sure if I've picked this one before. I need to actually go make a list. It's on my list of things to list, but I'm going to pick this game. I always pick a board game, Paul, for my picks. And this one's called Machi Koro. It's actually a card game. And what you do is you're building out a town, I guess. And so you bring in different cards that give you different resources that earn you gold so you can build more buildings, which are just the cards in your town, right? And so the way you win is you build out the four kind of special buildings. And so you roll dice, and whatever you roll is how much money you get from the different resources. And each card's numbered. So when you roll a two, some of them are if it's a two and it's your turn, some of them if it's a two and it's your opponent's turn, and some of them if it's a two and anybody's turn, right? And so, for example, if you roll the three on the marketplace, if your opponent rolls a three, then you get a coin from them, kind of thing. And if you have two of them, then you get two coins. So you kind of get the idea. The idea is to be the first person to build all four of those buildings. And the most expensive one of them, I think, is like 21 coins. So you have to build your deck in order to get it. But anyway, it's pretty fun. Pretty interesting to see what kinds of strategies people put together. A friend of mine gave it to me for Christmas and we've enjoyed it plenty. I know that there are expansions for it, right, that have other buildings on the cards, but I haven't gotten into any of those yet. 
So anyway, I'm just gonna shout that out, and then I was gonna shout something else out and I just can't remember what it was, so I will probably pass on it and come back to it next time. Paul, do you have some picks for us? 

PAUL_ASJES: I do. I have two picks. The first one is a shameless self-plug, which is Stripe Sessions, which is our virtual conference that we hold once a year, is happening soon. It's happening on May 24th of this year. I'm going to be in this one, so it'd be great if everyone could register and tune in. And my second pick is more relevant to any Dutch listeners that might be out there, but there is a charity called Takecarebnb, which I like a lot. They match refugees and host families. What that means is that you can register on their site as a host family, and when refugees enter the country, you can provide them with temporary lodgings. So this is especially important now that we're starting to get an influx of Ukrainian families fleeing the war. And if you have the space and you are willing to make a difference, then please do go to Takecarebnb, sign up and give a Ukrainian family some sense of normalcy. 

CHARLES MAX_WOOD: That's cool. That's really cool. Just to be clear, Stripe Sessions is all online, right? 

PAUL_ASJES: All online, all virtual. There'll be like a keynote and some breakout sessions, all happening on May 24th. 

CHARLES MAX_WOOD: Very cool. I got an email about it and I was looking at it yesterday, and it looks like they've got some interesting topics, to be sure, if you're working through financial stuff with your website. All right, and if people wanna connect with you online, usually people hand out Twitter and LinkedIn and stuff like that. What are the best places to find you, or any content that you're putting out?

PAUL_ASJES: Best place to find me is probably going to be on Twitter, where you'll find me at paul_asjes. You might put that in the show notes because no one's going to know how to spell my name. I hang out on the Stripe Discord, which is where we kind of talk about Stripe stuff and we help you with your Stripe integration. And you can find us as well, we put a lot of video content on how to do stuff with Stripe on our Stripe dev YouTube channel. So check us out in all those places. 

CHARLES MAX_WOOD: Awesome. All right, we're going to go ahead and wrap it up here. Thanks for coming, Paul. 

PAUL_ASJES: This was really cool. Thanks for having me. 

CHARLES MAX_WOOD: Hope you enjoyed. All right, folks, till next time, Max out. 

STEVE_EDWARDS: Adios. 

 

Bandwidth for this segment is provided by CacheFly, the world's fastest CDN. Deliver your content fast with CacheFly. Visit C A C H E F L Y dot com to learn more.
