Skip to content

Top Best Ask Show New Jobs

Stolen Money on Gittip, Part 1 (opens in new tab)

(blog.gittip.com)

296 pointsheathanderson13y ago162 comments

162 comments

99 comments · 28 top-level

dsl13y ago· 14 in thread

This isn't money laundering (from your initial github ticket its obvious that is what you were looking for, so thats what you found).

Before selling stolen credit cards, bad guys have to verify them. This is often done with small (<$10) donations to charities or small purchases of intangible goods that are considered low risk merchants.

With Gittip they found a way to get the low dollar amounts to come back to them, but since this wasn't really the goal to start with, you'll likely see donations to random leaderboard members that are unaffiliated with the fraud itself in the future.

exratione13y ago

This is exactly correct.

I've supported a number of different online credit card donation forms for various charitable and other causes, and you see this behavior of card testing whenever you set the minimum allowed donation too low, and adopt too few of the necessary precautions.

I wrote a post on the approach to raising the bar I took - it really doesn't require much to get the credit card testers to go away, and if you don't get rid of them rapidly, you'll be dealing with chargebacks from here until eternity:

http://www.exratione.com/2010/10/three-necessary-defenses-fo...

caf13y ago

From your linked page:

Most small online businesses do not store credit card data locally, but that doesn't stop you from using salted hashes of credit card numbers to compare.

Storing a "salted hash" of a credit card number in the manner you describe is only fractionally better than storing the credit card number itself. This is because credit card numbers have very little entropy - less than 36 bits per issuer code, so bruteforcing these hashes can be done very quickly.

whit53713y ago

Thank you, good info. For privacy reasons, we've been hoping to not track IP addresses:

https://github.com/whit537/www.gittip.com/issues/345

Even then, I'm not sure I would trust this approach. I feel much more comfortable white-listing accounts, and for the time being that's not too onerous.

bcoates13y ago

Are the fraudsters using the charity website itself for confirmation that the card works?

Could you run them off by just always displaying success for any sane-looking small value donation, without leaking the result from your payment processor?

huhtenberg13y ago

Ah, I see Vietnam is still at it. Persistent buggers.

pfg13y ago

I've had the exact same experience with donation forms for multiple NGOs last week. We're probably going to implement some kind of IP limiting (similar to your solution) and additional plausibility checks (since it's only used by national NGOs, that's not too much of a hassle).

jusben136913y ago

Agreed. When I read this it looks like a verification process for a batch of stolen credit cards to see which are still valid and which aren't. Note that the "successful" transactions may very well be charged back to you at $15 each or more so you want to refund any suspicious payments quickly to avoid going into the negative.

dangrossman13y ago

You basically have to catch it before the charge is even settled; either within the same business day before your settlement cutoff, or by authorizing without capturing for a day or two so you have time to review. Once the charge is settled, a refund almost never stops someone from charging back the payment -- for whatever reason, when a card is reported stolen, people and banks simply charge back everything unauthorized even if a quick review of the account would show some of the payments were already refunded. You can dispute these chargebacks by providing proof of the previous refund, but you're still out the chargeback fees, and these chargebacks still count against your account -- so they can end up getting you terminated if your CB rate is pushed too high.

whit53713y ago

Informative, thank you both. On this ticket we discussed why Gittip isn't the best system for extracting value from a card:

https://github.com/whit537/www.gittip.com/issues/329

The desire to verify stolen cards with the added benefit of recovering that waste seems to explain the motive for using Gittip.

whit53713y ago

I read up on money laundering, and changed the blog post to talk about "stolen money" instead. Thanks.

rm99913y ago

It's not even about stealing money per se, it's a step in the process of credit card theft. Fraudsters often do the same thing on Amazon and iTunes - they'll make 1 dollar purchases that allow them to 'verify' the cards. In these cases the 1 dollar purchases aren't for any direct material gain.

001sky13y ago

-- Perhaps best to make a conforming edit to the HN title

zalew13y ago

> Before selling stolen credit cards, bad guys have to verify them. This is often done with small (<$10) donations to charities or small purchases of intangible goods that are considered low risk merchants.

They also verified them on SoundCloud without any purchase. Don't know if it's still possible.

pudquick13y ago

Did you mean verify that an account is associated with the credit card?

Or just verify that the credit card number is potentially a legitimate one?

Because if it's the latter, that's just the Luhn algorithm (http://en.wikipedia.org/wiki/Luhn_algorithm) and no transactions are required to perform the verification.

If it's the former, until you make a transaction there's no way to verify in advance whether or not a card has a still valid account attached to the backside of it.

I know you're saying "without any purchase", but maybe it was just for a vanishingly small amount.

shawnee_13y ago· 12 in thread

The most unfortunate thing about this whole situation is that it was poor Chad himself who ended up discovering and shutting down the fraudsters. This should not have been the case, and I apologize on behalf of my former employer. I sincerely wish I would have been able to help catch this before it got out of hand. (Disclaimer: I am the former Operations / Support / Fraud Investigator for Balanced Payments).

As it turns out, the CEO of BalancedPayments is (there is just no nice way to put this) an unethical bag of scum. He recently went on some kind of insane power trip, completely disregarding the needs of his customers, putting me on unpaid leave for ... reporting an incident of fraud to a bank. I reported an incident exactly like the one Chad discusses here, but the dollar amount stolen was much higher, and the fraudster a repeat offender.

Anyway, after that last meeting where he was sneering and enjoying way too much the power trip of getting to "fire" somebody, I can confidently exhort that Balanced should not be trusted.

It's important that any company a marketplace entrusts its financial data with is an ethical one. So, yeah, looks like I'm on the job market; ping me : http://lnkd.in/NuBGDY

steve891813y ago

There are so many things wrong with this post, I would strongly advise you to delete this. Besides the libel, it doesn't really paint you in a good light either, especially if you're going to be looking for a job. I would suggest keeping your dirty laundry off the Internet, and delete this post.

unoti13y ago

I for one appreciated the info. But you're right: shawnee should definitely consider trying to hide the hate, because even well-justified and 100% righteous anger can prevent you from landing the perfect job you want. Pretend you're a zen master; a lot of potential employers only want people who have never been victimized like this at work, particularly in their leadership roles. I speak from experience: it's better to paint a picture of a clear, strong, victorious past than a picture including the truth of having worked for unscrupulous jerks who you had serious disagreements with.

On the other hand, the world would be a better place if we didn't all have to make nice-nice and pretend, so rock on!

Retric13y ago

People are way to uptight about stuff like this when it comes to finding your next job. It's true that it will close some doors, but it will open others. And, for the vast majority of openings nobody will ever know.

jrockway13y ago

I enjoyed reading it. I doubt this will come back to haunt the author with respect to future work. If he's good at programming, pretty much anyone will overlook his "scumbag" remark. After all, who identifies with the group "scumbag" and will be offended?

bduerst13y ago

Agreed - whether or not the CEO is an "unethical bag of scum", this person just made some colorful remarks about the CEO, and linked their real name in the same comment. All on Hacker News, which could be portrayed as a source of news for the industry, thus making the comment damaging.

This is very dangerous ground, and could be a case of libel if the "unethical" CEO catches this.

shardling13y ago

How does it paint them in a bad light?

darkarmani13y ago

> Besides the libel

What libel? You mean his opinion of the CEO? Which statement do you find to be factual and a lie?

shardling13y ago

I looked through some of this poster's other comments and... they generally seem a pretty reasonable person.

http://news.ycombinator.com/threads?id=shawnee_

jtchang13y ago

There is absolutely no doubt that the payment processor should have caught this way earlier. It is in their best interest.

That said I am not sure how BalancedPayments is built. By that I mean how much risk they are taking in being part of this payment ecosystem. It looks like they hold the money in their own bank account so BalancedPayments themselves uses another processor to do their payment processing. The other alternative is that they are big enough to communicate directly with the backend network like IPPay, First Data Omaha, or FNBO...but they don't seem that large.

whit53713y ago

Well, this thread just took a turn for the ... wow.

whit53713y ago

In my experience, both firing someone and being fired are fraught exercises, and can generate a lot of heat on both sides of the relationship. I'm not going to leave Balanced just because they're clumsy at HR. If you think there are structural issues with regard to fraud prevention, that's a much more serious charge, and would need to be substantially substantiated, probably in a new thread.

danso13y ago

These claims, valid or not, are tangental to this situation, right? I mean, is there something specific to how Balanced handles payment processing that would be conducive to the kind of fraud alleged in the OP? It seems processor-agnostic.

dmethvin13y ago· 10 in thread

Openness about the problem is good, but I am not sure that it helps to provide that much detail about the ways you detected the fraud. That just give the attacker more information about how to circumvent your detection.

taylonr13y ago

My favorite part was the 3 primary & 3 secondary factors they looked at to identify. So if the people doing this can tweak those factors it will help them out.

whit53713y ago

There were two primary factors, not three. And the point is that I'm planning to individually review and whitelist all new accounts. I'm able to adapt my heuristic in real time. ;^)

Trufa13y ago

Yes, but it's so simple I don't really think you're enlightening criminal minds here.

reidmain13y ago

Security through obscurity is never the solution.

dasil00313y ago

You're cargo culting on security dogma.

Information assymetry is probably your only advantage against credit card fraudsters, because there is no security hole, rather they are exploiting your core business flow.

scott_s13y ago

Obscurity is necessary for fraud prevention. If perpetrators know exactly what behavior gets flagged as fraud, it's easier for them to figure out ways to avoid it. If they don't know, perpetrating fraud is harder.

rm99913y ago

This is true if a system can freely be reverse-engineered by the attacker. If not, the obscurity provides an added cost to the attacker. Obscurity can actually be one of the stronger weapons in an anti-fraud solution (I used to work in anti-fraud).

RickHull13y ago

The maxim is that you cannot achieve security through obscurity, where security offers some guarantees (mathematical, physical, etc.). Obscurity, while offering little to no guarantees, can certainly be a quite useful part of your protection plan.

darkarmani13y ago

Just stop. There are so many layers of security that use obscurity. Most basic example is not exposing valid account usernames during failed logins.

TheAmazingIdiot13y ago

Since your HN password is obscure, how bouts you publicise it here?

After all, hidden passwords are security through obscurity, and that's "just the wrong way".

flibble13y ago· 6 in thread

Looks like you have just discovered chargebacks, something that just about every merchant discovers at some point.

What to do? Some options to reduce your fraud are - outsource the problem by using an indemnified payments system (a payment processor who do their own fraud checks and don't pass on any chargebacks to you). Pros: easy. Cons: expensive and lots of valid payments will be refused.

- Use an e-wallet that usually has few/no chargebacks, eg Skrill & Neteller. Pros. Easy, not too expensive. Cons: more difficult for people to make payments as they need to create an account with the e-wallet first.

- Use services to help with your fraud detection. Eg. Iovation. Pros: you can keep it easy for your customers to make payments. Cons. a lot of work to implement (relatively speaking).

- Use bitcoin, eg bitcoin247.com. Pros. no chargebacks ever. Cons. about 0.00001% of your customers use Bitcoin.

Edit: I forgot to add: - require 3D Secure / Verified by Visa payments. This removes the chargeback liability from the merchant in most cases and shifts it to the card owners bank. Pros. much fewer chargebacks. Customers can still deposit directly on your site using their card (apart from the 3D redirect). Cons: entering 3DS details another barrier to making payments so will reduce payments. Plus I'm not sure of the penetration of 3DS cards in the US.

antiterra13y ago

Gittip's professed concern is with ethics (and possibly sustainability), not losing money from chargebacks. The author realizes he has stolen money in his bank account, and that bothers him.

jerguismi13y ago

I'm pretty sure that their concern is also not needing to do the dirty legwork related to these cases. The time they need to deal with these problems is away from productive development time.

mpclark13y ago

Don't worry, it won't be there long.

AUmrysh13y ago

I'll take it off his hands for him if it makes him feel better.

jerguismi13y ago

Bitcoin would also enable payouts - globally. Payouts limited to US limits the possibilities of gittip.com.

And yeah, you could also kiss goodbye to chargeback, fraud etc problems. These are not a problem in a "hard" currency like bitcoin.

whit53713y ago

Would you like to implement it?

https://github.com/whit537/www.gittip.com/issues/14

ig113y ago· 5 in thread

Pull this post and talk to lawyers if you haven't already.

Depending on where you're based you'll have legal obligations that'll define what you should be doing at this point. This may well involve lawyers, your regulators and the police.

Some countries make it a criminal offence if you let a criminal know that you suspect them of money laundering or similar offences (this is known as "tipping off") so you should be very very careful about what you're disclosing both to your users and the general public.

bmj113y ago

Just wanted to +1 on this - this is a fairly severe offence in the UK

whit53713y ago

Thanks for weighing in. I'm based in the US. I am going to proceed along the path of openness for now.

wtracy13y ago

This.

This is one of the reasons that PayPal will lock accounts without giving a reason why--it's potentially criminal for them to tell you why!

whit53713y ago

And that's a regrettable state of affairs, if you ask me.

shardling13y ago

Can you provide any specific examples where, acting in good faith, someone was never-the-less prosecuted under such laws?

VBprogrammer13y ago· 5 in thread

I'm impressed at how quickly the criminal underground pivots. To identify Gittip as a potential money laundering scheme while it is relatively unknown even with Tech circles is, in a slightly discussing way, actually quite impressive.

It does make me wonder, did the bad agent happen across Gittip independently or are they active within Tech communities?

jasonlotito13y ago

Anyone that knows about these things would see this immediately. Anything that involves transferring money from one agent to another is quickly pounced upon. That HN is a popular place for launching new startups would make this an obvious target to watch. And most people starting new money transfer systems are ignorant of the potential for fraud and laundering.

Essentially, this is standard practice.

whit53713y ago

For the record, I've been waiting and watching for this to happen. It did happen sooner than I expected, however. Not sure if that means Gittip has grown faster than I expected, or our Jokers are earlier to adopt than I expected. ;^)

moxie13y ago

What shocks me is the opposite -- that Gittip is only just now thinking about this.

Their first round of chargebacks are going to be insane, and if they're this far behind they're going to be eaten alive by fraud.

pyre13y ago

Makes me think that it's probably some blackhat with a few stolen credit cards, looking for a way to extract some value out of them (other than using them to pay for hosting). This isn't necessarily a large-scale operation.

neilk13y ago

I am shocked, shocked to discover criminals on boards dedicated to hacking.

Just kidding, but it is funny how outsiders might not understand why you are surprised to find criminals in the "hacking" world.

Even so, a significant proportion of the people who go to something like DefCon have done some low-level fraud with credit cards, and some have done much more than that.

brandonb13y ago· 4 in thread

My company (Sift Science) helps sites fight credit card fraud. We work with a few large ($100m+ revenue) marketplaces, and here are some things I've learned.

First off, strictly speaking, this is most likely to be a stolen credit card (i.e., fraud) rather than money laundering. You do NOT benefit from fraud, because when the cardholder notices the charges, they'll call up their bank and issue a chargeback. The $488.15 in your account will actually be removed and given back to the original cardholders. In addition, each fraudulent charge carries a $15-$25 fee, which you're liable for. https://www.balancedpayments.com/docs/testing#chargebacks---...

What's worse, chargebacks can take 60-120 days to reach you, since there's delay at every step: the customer's bank, the credit card networks, your payment gateway, and the acquiring bank (your bank). Unfortunately, that means you won't know how much fraud you have today until February (!). It's a broken system, but that's how all the major card networks work, so it's something that everybody who sells online has to deal with.

If your fraud rate is higher than about 2% for two months in a six month period, Visa and Mastercard reserve the right to block payments entirely to your (or Balanced's) account unless you prove you can get the chargeback rate down. This is called an "excessive chargeback program."

In terms of heuristics, fraudsters adapt rapidly to whatever counter-measures you use. The half-life of a good heuristic is maybe a couple of months. The best approach is to evaluate hundreds of different signals, using a machine learning algorithm to constantly adapt to changing fraud patterns. My company is running a private beta of exactly this technology and we're happy to help: http://siftscience.com. Even if you don't use us, I can recommend other services or give you general pointers.

Hope that helps! Let me know if you have any questions: brandon@siftscience.com.

whit53713y ago

Thanks Brandon! Great info. If you see a way for Sift Science to add value to Gittip then I'm open to a proposal. Balanced won our business by stepping forward and contributing the integration themselves:

http://blog.gittip.com/post/28351995405/open-partnerships

I'd welcome a conversation with Sift Science along the same lines.

whit53713y ago

I started a GitHub issue to track this for Gittip:

"use a fraud detection service"

https://github.com/whit537/www.gittip.com/issues/357

ggreiner13y ago

Do you have any data on what percentage of fraudulent charges get past your system. (i.e. of all fraudulent charges received how many does your system not catch) and what percentage of your fraudulent charge alerts are non-fraudulent? Just curious! I'm a co-founder of an eCommerce company and our average transaction is around $5,000 so this is pretty important to us and we already have some pretty strong systems in place, but I'm curious how well this more automatic approach works.

brandonb13y ago

Good question. We measure these using "precision" (of the users that users Sift flags, which percentage are actually fraudsters?) and "recall" (what percentage of fraudsters on the site does Sift flag?). We can get 90% precision or 90% recall, although not currently both at the same time, and it's the customers choice as to which to optimize for. We can just adjust a threshold to tune our system to their needs.

Companies that have high transaction amounts often use the machine learning system to detect likely fraudsters, but then have a human review each one and make the final decision to approve/deny. We have a visualization "widget" that shows the reviewers which signals made a particular user look suspicious. The advantage of using machine learning is then that you: a) catch fraudsters you wouldn't have noticed otherwise, b) don't have to review every single transaction, just the subset that are most suspicious, c) make it faster for your staff to review transactions since the visualization tools will help point them at what to look at.

Does that make sense?

hcarvalhoalves13y ago· 2 in thread

Welcome to the nightmares of dealing with money.

Any good payment gateway should be managing the risk of stolen credit cards, but it's likely that because Gittip works with small recurrent payments instead of big upfront payments, it doesn't trigger any red alerts.

mbesto13y ago

Hence also why most people don't realize that Paypal was the side effect of a company that originally was created to handle fraud. Source: http://www.amazon.com/gp/product/1430210788/

To take this to the next step, this is also why I believe Paypal is one of the very few companies that has been able to scale online payments. I'd love to see anyone challenge their ability to balance customer service with fraud prevention at scale.

jacquesm13y ago

Starting a new payment service, even from the point of view of a company specializing in fraud prevention is a lot harder now than it was in the past. You're basically entering an arms race that has been going on for a decade+ as a rookie or at best a semi adept. Likely your main contribution to the field before folding is target practice.

Gittip should work with a party that is already in the possession of the required knowledge or they'll be shutting down. This post raised their visibility as rookies considerably and you can expect the sharks to move in now that there is blood in the water.

zzzeek13y ago· 2 in thread

what's the responsibility of Balanced in this regard, isn't it on them to ensure the validity of credit card numbers?

dangrossman13y ago

It's impossible to tell, with certainty, if a credit card is being used by its rightful owner or someone else. That's not something anyone anywhere in the payment processing industry guarantees. In terms of who can do the best at predicting the likelihood a transaction is fraudulent or not, it's definitely the merchant/website, not their processor. He has much more information available to him (IP address, github account, etc) than Balanced has.

zende13y ago

There's a field (meta) on the Debit resource that allows a marketplace to pass fraud signals like IP address and shipping address. Gittip is facing this issue much earlier than another marketplace in comparison to their volume. Otherwise, we don't ask a marketplaces to pass in more information until they've grown more. The problem in being restrictive too early is that you can hinder a marketplace from growing by having false positives.

In the end, I think we (Balanced) should have done a better job here, and we'll work hard to do so in the future.

olalonde13y ago· 2 in thread

Another alternative would be freezing money transfers for 30 days or so. Or use a payment processor that is used to deal with high risk websites (for example, CCBill).

> The uncomfortable truth is that Gittip, Balanced, and our legitimate users are financially incentivized to turn a blind eye to laundering, because we have benefitted and are benefitting from it.

That's only true until you start getting chargebacks.

whit53713y ago

> That's only true until you start getting chargebacks.

Phew. I'm saved from the moral burden by the financial burden. :^)

zende13y ago

> That's only true until you start getting chargebacks.

There are compliance ramifications of permitting money laundering, but collusion isn't always money laundering. Here's a few different scenarios:

1. Legitimate money laundering where someone is trying to obfuscate the origin of the money for some illicit reason. The ramifications of permitting or not having strong enough systems to prevent money laundering results in being shutdown. That's a bigger incentive than financial loss

2. Fraud where someone is trying to get cash off of someone else's card. This is the number one form of fraud on a marketplace and, by far, the hardest to catch. This is where the incentive is financial due to chargebacks

3. Cash advance where a marketplace has set their fees low (sometimes even lower than the fees Balanced charges) and someone is incentivized to get money off their card or simply get miles/points. Venmo and a lot of similar services experienced would get targeted by this form of collusion when they didn't charge any fees. This should be prevented due to card network (Amex, Visa, MC, Discover) policies, but they generally won't result in a chargeback

noeltock13y ago· 2 in thread

This doesn't seem to be a case of money laundering, but credit card fraud. Thanks for the share!

pyre13y ago

It's both. Gittip is 'laundering' the money, so that it's clean on the other side. It's not the greatest money laundering scheme as the launderer is unwitting, and therefore can 'flip' exposing the source of the ill-gotten gains.

noeltock13y ago

Negative. The layering stage of ML does indeed lead to "cleaning" funds, but Gittip isn't doing that. ML means giving money a clean-slate with virtually no history. Everything from casinos, offshore entities, to wiring funds through FATF blacklisted countries will be closer to what ML actually is.

davepeck13y ago· 1 in thread

This is unfortunate, but quite common. If you accept credit cards online, you're at risk. The specific kind of fraudulent behavior you see will depend on several factors (the nature of your business; whether you enable transfer from users to just yourself, or whether you push money from one user to another.)

Credit card companies will, some time later, probably notice the fraud. At that point, you'll get a chargeback: you'll have to pay back the money you charged in addition to a fixed penalty per fraudulent charge (usually $15.) Especially if you're enabling a marketplace, like gittip does, these fees can be devastating. Regardless, if chargebacks become too common, your merchant account may be suspended.

I've written some about my company's experiences with fraud, if it's of interest:

http://davepeck.org/2011/11/17/fraudsters-gonna-fraud/

http://davepeck.org/2011/12/01/dealing-with-credit-card-frau...

whit53713y ago

Thanks, Dave, lots of good pointers. I made these new Gittip issues based on your posts:

use a fraud detection service: https://github.com/whit537/www.gittip.com/issues/357

detect and prevent botnets: https://github.com/whit537/www.gittip.com/issues/358

detect and prevent scripting: https://github.com/whit537/www.gittip.com/issues/359

singingwolfboy13y ago· 1 in thread

Kudos for being open and honest about this sort of thing. Publicly acknowledging difficult issues makes me support a company even more.

whit53713y ago

:^)

huhtenberg13y ago· 1 in thread

> My heuristic boiled down to the following:

So that's that for that heuristic. They will adapt now.

whit53713y ago

The problem with hiding heuristics is that false positives get squished. I want to avoid the horror stories we hear about people getting their Google account shut off or their PayPal funds withheld.

jacquesm13y ago· 1 in thread

Any system handling funds should be approached from the angle of minimizing the potential for fraud. If you don't do that right from day one there will be a lot of hard lessons which are more than likely to kill your company. Please team up with a company that has the experience to deal with this, balanced (which should have been your first gatekeeper here) dropped the ball in a terrible way, their anti-fraud measures should have definitely tripped over this so clearly they're not in control of the situation. From your posting and the comments here it is clear that you have the right general idea but you lack the relevant experience and tools.

whit53713y ago

Thanks, I started a ticket for this:

https://github.com/whit537/www.gittip.com/issues/357

driverdan13y ago· 1 in thread

Nice job being proactive and catching on quickly. Have there been any chargebacks? Chargebacks are usually what alerts people to credit card fraud.

whit53713y ago

I am not aware of chargebacks yet. My understanding from other comments in this thread is that it takes months for chargebacks to hit.

maplesyrupghost13y ago· 1 in thread

looks like Bitcoin could prevent this.

colindean13y ago

We'd love help implementing it.

https://github.com/whit537/www.gittip.com/issues/search?q=bi...

Codhisattva13y ago· 1 in thread

So basically this is the most popular article about Gittip?

whit53713y ago

Yes, though HNSearch hasn't quite caught up yet:

http://www.hnsearch.com/search#request/submissions&q=git...

japhyr13y ago

I am a strong supporter of Gittip. I think it is an important funding model to make available, across a variety of disciplines. I hope there are some people around with experience identifying money laundering patterns, who can keep Chad from having to reinvent the wheel on this.

davidu13y ago

Good catch. You'll be fine.

For what it's worth, a little bit of fraud is a good thing. It means people are using your system and it's growing. Too much fraud and people will lose confidence and your payment processors will punish you. Too little fraud and your system is probably too complicated to be useful to anyone, including fraudsters.

splicer13y ago

My GF just found out a few hours ago that she was the victim of a similar scheme. Someone used her Amazon account (which has her credit card info) to donate to a Kickstarter account. Unfortunately, she has no way of finding out which Kickstarter account. Luckily, her credit card company took care of everything without a hassle. She also spoke with Amazon customer service, and they "were completely useless and almost hung up because they didn't know what Kickstarter was."

PeterisP13y ago

This is why banks frown upon offering CC merchants to "marketplaces" - anyone who is not charging cards for their own business, but allows one user to give money to another.

You didn't get money laundering, but if your volumes would be larger, you would get also money launderers.

sdrgalvis13y ago

The link is broken. the tumblr page is down. you can still read the post at Altavista's cache at http://74.6.117.15/search/srpcache?ei=UTF-8&p=http%3A%2F...

kmfrk13y ago

This is always a concern when new value exchange services are invented.

None have been as open and ethical about this as you, though, so it's very comforting to know that gittip won't be a free-for-all bonanza for asshats.

loceng13y ago

Best of luck. I imagine noone imagines themselves being in this situation.

noagendamarket13y ago

Should have used bitcoin :X

tkahn613y ago

IANAL but isn't this one of those things where you need a lawyer?

arjunbajaj13y ago

Looks like Tumblr can't handle HN! The site is down. :(

Haha! That's why i'm never gonna use Tumblr! :P

j / k navigate · click thread line to collapse