Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
MichaelZuo 21 hours ago

Stripe needs all that byzantine fraud prevention, on top of what they had a decade ago, because they are a huge concentrated target.

A smaller firm could be way simpler. Because they simply wouldnt have enough money to provide a decent payday for dozens of malicious geniuses going at them 24/7/365.

woodruffw 21 hours ago | parent | next [-]

Is this true? I would expect most of Stripe's fraud overhead to be statutory in nature, not something they hire for because they're a concentrated target.

(They certainly have more staff because more volume, but the actual regulatory requirements I'd expect to be roughly the same for the service they provide.)

the_bear 20 hours ago | parent [-]

When we used Stripe, we opted out of all their fraud prevention stuff to save money (not sure if that's still an option). As a b2b SaaS where payment happens after a free trial (not at signup), we're just not a target for fraud, so it was totally fine.

I can't speak to why Stripe's fraud protection is so expensive. Is it because they're a target? Or maybe because they realized people will pay for it (it seems valuable for something like ecommerce)? I dunno, but I can confidently say that as of ~5 years ago, it wasn't required by any regulation, and my business was perfectly fine without it.

Now we use Paddle, and they also try to sell us a bunch of stuff we don't need at ridiculous prices. We're just using them because we wanted a merchant of record (where they handle taxes and stuff), but no, I'm not going to pay a % of my revenue for basic dunning emails, fraud prevention, vague "optimizations" that "increase conversions" (lol no they don't), etc.

hibikir 18 hours ago | parent | next [-]

Look at what happened to, say, Cards Against Humanity: You don't have to be a really bit store for some random card tester to ruin you.

hmokiguess 16 hours ago | parent [-]

what happened with them? I'm not aware of it

woodruffw 20 hours ago | parent | prev [-]

Oh, that makes sense. I was thinking fraud as in AML requirements, not fraud as in scammers and card theft.

hibikir 18 hours ago | parent | prev | next [-]

Stripe was already a big target for basically anyone and anything 10 years ago. Fake merchants, card testers, the works. People were selling guides to defraud Stripe. And we are not even counting just losees due to nonsense like the Fyre festival.

You really don't have to be that big a payment processor for dozens of malicious geniuses to decide that they want to fleece you. If anything, the ROI is better in less sophisticated companies. Most ways to trick a payment company are, if anything, standardized. The smaller company can often be attacked by just changing the API calls, but otherwise taking basically the same actions you would to try to defraud a bigger fish.

krainboltgreene 16 hours ago | parent | prev [-]

> Stripe needs all that byzantine fraud prevention, on top of what they had a decade ago, because they are a huge concentrated target.

This is not true. Every payment processor needs this effort because as soon as you broadcast that you're a payment processor you're going to get about 3-5 scammers a day.

As an aside I really think Mercury bank should audit their onboarding process.