We're going to automatically refund the transactions and fees, but also support any write-ins if you feel we missed any. (We have some ways to identify the transactions after they happen).
I agree with you, it's very counter-intuitive why these transactions are getting through Radar. We're iterating on some fixes right now that should stop this going forward by addressing this type of attack.
Really sorry to hear about that experience — we need to do better here. If you want to shoot me an email (wmegson [at] stripe [dot] com) I can take a closer look at those specific charges. We are identifying those charges and are going to automatically refund any impacted transactions and waive the fees for those payments. We'll also waive the dispute fee (if a payment has been disputed).
The team is digging into why the risk score is low. In general, the types of signals you describe weigh pretty heavily in Radar’s risk assessment, and should result in higher risk scores. In this particular attack, fraudulent actors are using some pretty sophisticated scripts to try and obtain lower risk scores. We’re iterating quickly to address and stop these types of attacks and score them correctly going forward.
[I lead Radar at Stripe] We're still investigating but have blocked the majority of this attack from the Stripe network. We're going to refund any impacted transactions and waive the fees for those payments. We'll also waive the dispute fee (if a payment has been disputed).
More broadly, we’ve seen an uptick in card testing attempts across Stripe. While the absolute rate of successful card testing across the Stripe network is flat-to-somewhat-down, it’s not evenly spread—some businesses are seeing more than others. For these new testing attacks, we’re deploying mitigants in real time.
Hi! I work on card testing at Stripe and would love to help. Sorry to hear about this experience, would be great to dig in and see how we can fix it and improve our system.
If you could, shoot me an email and we can dig in? I'm at wmegson [at] stripe.com (will DM you as well).
Congratulations!! Love the philosophy around the product and the dynamic treatment of higher risk transactions with Checkout routing to 3DS.
It must feel great to be able to support such a "simple" product, as I know there must be a ton of complexity under the hood enabling the simple form factor.