
How do you prevent fraud with a stripe integration?

Most of us probably know the story from Quincy Larson, founder of freecodecamp.org, who saved his company from $53,000 of chargebacks.

So what did you do to prevent hackers/carders from abusing your Stripe integration?

  1. 2

    We've been fortunate not to run into any major fraud yet, but it was a consideration when building our payment functionality. We built it following Stripe's own guidelines and it seems to have worked fairly well. We also have a manual review process for Connect account payouts before the funds are transferred.

    If it got bad we would probably also just look at Stripe's own fraud prevention service https://stripe.com/en-au/radar

    1. 1

      Thanks for the reply!
      Did you code a webhook endpoint?

  2. 1

    My 9–5 had huge issues with it (we were renting access to AWS instances). We used Radar and collected full addresses from people when checking out.

    Meanwhile, for my side project I’ve done literally nothing and it hasn’t been a problem. I think it depends on what you’re charging for.

    1. 1

      Did using Radar (+ info on your customers) help a lot? Was it worth it?

      I checked your payment integration for songrender.com, and it seems I can make a payment without even creating an account?
      If I am not mistaken, it would be really easy to abuse your Stripe integration to check the validity of stolen cards...
      (Btw I really like your UI)

      1. 1

        Yeah, a combo of requiring more credit card info + tightening up the radar rules worked for the most part. We also had limits on how much money people could spend at once.

        You shouldn’t be able to pay without signing up. How did you get to the purchase screen?

        Regardless, I think you’re right — it’s probably possible to use it to check the validity of stolen cards. In practice, though, I’ve had zero disputed charges, so it’s not something I’m too worried about.

        Thank you re: UI, that makes me really happy 😊

  3. 1

    Here is what we are currently doing:

    1. Limit the number of accounts per IP address
    2. Ask for email validation
    3. Block temporary email domains (example)
    4. Limit the number of usable cards per account per week
    5. Limit the number of transactions per account per week
    6. Use bot detection/prevention
    7. Set up notifications for every transaction
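The list above, as an added example that is not code from this commenter or from Stripe: a small velocity guard that applies the per-IP account limit, the temporary-email block, the per-account card and transaction limits, and queues a notification for every accepted charge, run over a constructed sequence of attempts. The thresholds, the blocked-domain list and the `card_fingerprint` field (standing in for Stripe's card fingerprint) are assumptions; email validation and bot detection are left to the signup flow.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

WEEK = timedelta(days=7)
# Thresholds are illustrative values chosen for this example, not Stripe defaults.
MAX_ACCOUNTS_PER_IP, MAX_CARDS_PER_WEEK, MAX_TXNS_PER_WEEK = 3, 2, 5
BLOCKED_EMAIL_DOMAINS = {"mailinator.com", "tempmail.example"}  # constructed sample list
Attempt = namedtuple("Attempt", "account email ip card_fingerprint at")  # fingerprint: same card -> same value

class VelocityGuard:
    """Applies the per-IP, per-account and per-card limits before a charge is created."""

    def __init__(self):
        self.accounts_by_ip = defaultdict(set)  # ip -> {account ids}
        self.history = defaultdict(list)        # account -> accepted Attempts
        self.notifications = []                 # one entry per accepted transaction

    def check(self, a):
        """Return the violated rules (an empty list means the charge may proceed)."""
        reasons = []
        if a.email.rsplit("@", 1)[-1].lower() in BLOCKED_EMAIL_DOMAINS:
            reasons.append("temporary email domain")
        if len(self.accounts_by_ip[a.ip] | {a.account}) > MAX_ACCOUNTS_PER_IP:
            reasons.append("too many accounts from this IP")
        recent = [h for h in self.history[a.account] if a.at - h.at < WEEK]
        if len({h.card_fingerprint for h in recent} | {a.card_fingerprint}) > MAX_CARDS_PER_WEEK:
            reasons.append("too many distinct cards this week")
        if len(recent) + 1 > MAX_TXNS_PER_WEEK:
            reasons.append("too many transactions this week")
        return reasons

    def process(self, a):
        """Check the attempt; record it and queue a notification only if it passes."""
        reasons = self.check(a)
        if not reasons:
            self.accounts_by_ip[a.ip].add(a.account)
            self.history[a.account].append(a)
            self.notifications.append(f"{a.at.isoformat()} {a.account} card={a.card_fingerprint}")
        return reasons

def demo():
    """Constructed sequence: one account presenting four different cards within an afternoon."""
    t0 = datetime(2020, 6, 1, tzinfo=timezone.utc)
    g, results = VelocityGuard(), {}
    for i in range(4):  # a new card fingerprint every hour from the same account and IP
        results[f"card_{i}"] = g.process(Attempt("acct_1", "u@example.com", "203.0.113.5", f"fp_{i}", t0 + timedelta(hours=i)))
    results["temp_mail"] = g.process(Attempt("acct_2", "x@mailinator.com", "203.0.113.5", "fp_9", t0))
    results["notified"] = len(g.notifications)
    return results
```

The third and fourth cards are refused before any charge is created, so a card-testing run never reaches Stripe, and only the two accepted charges produce notifications.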