<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Hi,</p>
<p>Oh yes, now I remember it - now that you dug out this thread - thanks!</p>
<p>However, it is strange that for some users it seems to fail (at least sometimes).</p>
<p>And for some reason, the reCaptcha test expires relatively soon.</p>
<p>Anyway - since it is a bit hard to reproduce in what circumstances the reCaptcha test fails, let's leave it as it is. There were not many people complaining. Just one or two.</p>
<p>Thanks,</p>
<p>Andreas</p>
<p id="reply-intro">On 2022-01-20 02:22, Dimas C wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div id="replybody1">
<div>
<div dir="ltr">Hi all, <br /><br />Yes we decided to implement reCaptcha to prevent fraudulent transactions. Here's the email thread from 2019 :<br /><br />
<div class="v1gmail_attr" dir="ltr">---------- Forwarded message ---------<br />From: <strong class="v1gmail_sendername" dir="auto">Andreas Neumann</strong> <span>&lt;<a href="mailto:andreas@qgis.org" rel="noreferrer">andreas@qgis.org</a>&gt;</span><br />Date: Tue, 24 Dec 2019 at 14:40<br />Subject: Re: Your Stripe Account for<br />To: Stripe Support &lt;<a href="mailto:support@stripe.com" rel="noreferrer">support@stripe.com</a>&gt;, Tim Sutton &lt;<a href="mailto:tim@qgis.org" rel="noreferrer">tim@qgis.org</a>&gt;, Andreas Neumann &lt;<a href="mailto:finance@qgis.org" rel="noreferrer">finance@qgis.org</a>&gt;, Dimas Ciptura &lt;<a href="mailto:dimas@kartoza.com" rel="noreferrer">dimas@kartoza.com</a>&gt;</div>
<br /><br />
<div dir="ltr">
<div>Hi Ezra and Stripe Support,</div>
<div> </div>
<div>Thank you for letting us know about the card testing attempts going on on our website.</div>
<div> </div>
<div>From the measures you ask us to do, we want to implement option 1 with the reCaptcha. We will need a couple of days for this to be implemented, because of the holidays over Christmas.</div>
<div> </div>
<div>Thank you for your patience with us in order to get this set up at our website.</div>
<div> </div>
<div>Have a good Christmas,</div>
<div>Andreas Neumann</div>
</div>
<br />
<div class="v1gmail_quote">
<div class="v1gmail_attr" dir="ltr">On Tue, 24 Dec 2019 at 03:33, 'Stripe Support' via stripe admin account &lt;<a href="mailto:stripe@qgis.org" rel="noreferrer">stripe@qgis.org</a>&gt; wrote:</div>
<blockquote class="v1gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;">
<p><br /></p>
<div style="color: #2b2e2f; font-family: 'Lucida Sans Unicode','Lucida Grande',Tahoma,Verdana,sans-serif; font-size: 14px; line-height: 22px; margin: 15px 0px;">
<p dir="auto" style="line-height: 22px; margin: 15px 0px;">Hi Andreas,</p>
<p dir="auto" style="line-height: 22px; margin: 15px 0px;">We believe a type of fraudulent activity called card testing is occurring on your Stripe account. We wanted to let you know and ask that you take action immediately.</p>
<p dir="auto" style="line-height: 22px; margin: 15px 0px;">Card testing is a type of fraud in which a bad actor attempts to test stolen credit card details using the payment or donation flow on your website in order to tell which credit cards are live[0]. Fraudsters often use sites with unprotected payment forms to make a high velocity of charge attempts in a short amount of time. If you see any successful card testing attempts, please refund them immediately to avoid disputes.</p>
<p dir="auto" style="line-height: 22px; margin: 15px 0px;">The two main preventative measures are:<br />1) Adding reCaptcha to your payment flow. This is the industry standard method for minimizing card testing; Google offers an "invisible" option to preserve a great customer experience in your payment flow. Learn more: <a href="https://support.stripe.com/questions/mitigating-card-testing-with-a-captcha" target="_blank" rel="noopener noreferrer">https://support.stripe.com/questions/mitigating-card-testing-with-a-captcha</a></p>
<p dir="auto" style="line-height: 22px; margin: 15px 0px;">2) Using Stripe Radar to monitor and block charges. Radar is not specifically designed to prevent card testing, though block lists and rate limiting can be effective in slowing down attacks. If you have not already received it, we are happy to offer a three month free trial of Radar for Fraud Teams[1] while a more robust mitigation such as a CAPTCHA is implemented. To gain access to the free trial, please respond to this email stating that you would like to do so. Please note that you will need to either cancel your access to Radar for Fraud Teams after the three months or you will be billed going forward. Learn more: <a href="https://support.stripe.com/questions/mitigating-card-testing-with-radar" target="_blank" rel="noopener noreferrer">https://support.stripe.com/questions/mitigating-card-testing-with-radar</a></p>
<p dir="auto" style="line-height: 22px; margin: 15px 0px;">We understand that there is not a single best solution for all businesses, and we want to leave the decision making to you. However, if the card testing is not stopped by the method you choose, we may require implementation of a CAPTCHA.</p>
<p dir="auto" style="line-height: 22px; margin: 15px 0px;">We take the safety of your Stripe account seriously and this is an urgent issue for your business and for Stripe[2]. Therefore, we ask that you please respond within 7 days including your plan and a timeline for remediation. We understand that it may take longer than 7 days to implement new preventative measures. If we do not hear from you, we will temporarily pause transfers to your bank account and may significantly block charge attempts that are coming through your account in order to minimize this fraudulent activity.</p>
<p dir="auto" style="line-height: 22px; margin: 15px 0px;">We hope this information is useful and thank you for helping us prevent this type of fraudulent behavior. Please let us know if you have any questions!</p>
<p dir="auto" style="line-height: 22px; margin: 15px 0px;">Best,<br />Ezra</p>
<p dir="auto" style="line-height: 22px; margin: 15px 0px;">[0] <a href="https://support.stripe.com/questions/card-testing-overview" target="_blank" rel="noopener noreferrer">https://support.stripe.com/questions/card-testing-overview</a><br />[1] <a href="https://stripe.com/radar/fraud-teams" target="_blank" rel="noopener noreferrer">https://stripe.com/radar/fraud-teams</a><br />[2] <a href="https://support.stripe.com/questions/why-card-testing-is-an-urgent-issue-to-resolve" target="_blank" rel="noopener noreferrer">https://support.stripe.com/questions/why-card-testing-is-an-urgent-issue-to-resolve</a></p>
<p><br /></p>
</div>
</blockquote>
</div>
<br clear="all" /><br />--<br />
<div dir="ltr">
<div dir="ltr">
<div><br />--<br />Andreas Neumann</div>
<a href="http://qgis.org/" target="_blank" rel="noopener noreferrer">QGIS.ORG</a> board member (treasurer)</div>
</div>
</div>
<br />
<div class="v1gmail_quote">
<div class="v1gmail_attr" dir="ltr">On Thu, 20 Jan 2022 at 07:50, Tim Sutton &lt;<a href="mailto:tim@kartoza.com" rel="noreferrer">tim@kartoza.com</a>&gt; wrote:</div>
<blockquote class="v1gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;">
<div dir="ltr">
<div class="v1gmail_default" style="font-family: arial,helvetica,sans-serif; font-size: small;">Hi</div>
<div class="v1gmail_default" style="font-family: arial,helvetica,sans-serif; font-size: small;"> </div>
<div class="v1gmail_default" style="font-family: arial,helvetica,sans-serif; font-size: small;">I think it was a requirement with the new API or something. I will check with Dimas.</div>
<div class="v1gmail_default" style="font-family: arial,helvetica,sans-serif; font-size: small;"> </div>
<div class="v1gmail_default" style="font-family: arial,helvetica,sans-serif; font-size: small;">Regards</div>
<div class="v1gmail_default" style="font-family: arial,helvetica,sans-serif; font-size: small;"> </div>
<div class="v1gmail_default" style="font-family: arial,helvetica,sans-serif; font-size: small;">Tim</div>
</div>
<br />
<div class="v1gmail_quote">
<div class="v1gmail_attr" dir="ltr">On Sun, Jan 16, 2022 at 8:21 PM Richard Duivenvoorde &lt;<a href="mailto:rdmailings@duif.net" rel="noreferrer">rdmailings@duif.net</a>&gt; wrote:</div>
<blockquote class="v1gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;">On 1/16/22 18:37, Andreas Neumann wrote:<br />> Dear colleagues,<br />> <br />> I heard from one person who wanted to donate through Stripe.com from <a href="https://donate.qgis.org/" target="_blank" rel="noopener noreferrer">https://donate.qgis.org/</a> <<a href="https://donate.qgis.org/" target="_blank" rel="noopener noreferrer">https://donate.qgis.org/</a>> and it did not work for him.<br />> <br />> Then I tried myself - once it failed, the other two times on different browsers (Chrome and Firefox), I had to fill in ReCAPTCHAs - quite annoying - I have to say. Certainly not a good experience for our donors.<br />> <br />> Is the ReCAPTCHA thing now a required thing from <a href="http://stripe.com" target="_blank" rel="noopener noreferrer">stripe.com</a> <<a href="http://stripe.com" target="_blank" rel="noopener noreferrer">http://stripe.com</a>>?<br />> <br />> Thanks if you could try it if it works for you (you don't have to donate - just test).<br /><br />Mmm, I tried 2x both with Firefox and Chromium (on Debian Linux), and never have to fill in a ReCAPTCHA, only check the "I'm not a robot"-checkbox every time.<br /><br />Tim's colleagues did implement the ReCAPTCHA, not sure if it was a requirement or we had a lot of fake payments, I think Tim is the best source for this?<br /><br />Regards,<br /><br />Richard Duivenvoorde<br />_______________________________________________<br />Qgis-psc mailing list<br /><a href="mailto:Qgis-psc@lists.osgeo.org" rel="noreferrer">Qgis-psc@lists.osgeo.org</a><br /><a href="https://lists.osgeo.org/mailman/listinfo/qgis-psc" target="_blank" rel="noopener noreferrer">https://lists.osgeo.org/mailman/listinfo/qgis-psc</a></blockquote>
</div>
<br clear="all" />
<div> </div>
-- <br />
<div dir="ltr">
<div dir="ltr">
<div>
<div dir="ltr">
<div style="text-align: center;">------------------------------------------------------------------------------------------</div>
<div style="text-align: center;">
</div>
<div style="text-align: center;">Tim Sutton</div>
<div style="text-align: center;"><span style="text-align: start;">Visit </span><a style="text-align: start;" href="http://kartoza.com/" target="_blank" rel="noopener noreferrer">http://kartoza.com</a><span style="text-align: start;"> to find out about open source:</span><br style="text-align: start;" /><span style="text-align: start;"> * Desktop GIS programming services</span><br style="text-align: start;" /><span style="text-align: start;"> * Geospatial web development</span></div>
<div style="text-align: center;"><span style="text-align: start;">* GIS Training</span></div>
<div style="text-align: center;"><span style="text-align: start;">* Consulting Services</span></div>
<div style="text-align: center;">
<div style="text-align: center;"> </div>
<div style="text-align: start;">
<div style="text-align: center;">Tim is a member of the QGIS Project Steering Committee</div>
<div style="text-align: center;">-------------------------------------------------------------------------------------------</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br clear="all" />
<div> </div>
-- <br />
<div class="v1gmail_signature" dir="ltr">
<div dir="ltr">
<div>
<div dir="ltr"><span style="color: #0b5394;"><strong style="font-family: 'arial narrow',sans-serif;">Dimas Ciputra - Software Developer</strong><br /></span><span style="font-family: arial black, sans-serif;">Email : <a href="mailto:dimas@kartoza.com" rel="noreferrer">dimas@kartoza.com</a><br />Tel : +62 812 1679 2585<br />Visit <a href="https://kartoza.com" target="_blank" rel="noopener noreferrer">https://kartoza.com</a> to find out about open source :<br /></span><span style="font-family: sans-serif; font-size: 16.8px;"> •</span><span style="color: #000000; font-family: Helvetica; font-size: 12px;"> Desktop GIS programming services<br /></span>
<div style="text-align: left; color: #000000; font-family: Helvetica; font-size: 12px; margin: 0px; line-height: normal;"><span style="font-family: sans-serif; font-size: 16.8px; color: #222222;"> •</span> Geospatial web development<br /><span style="color: #222222; font-family: sans-serif; font-size: 16.8px;"> •</span> GIS Training<br /><span style="color: #222222; font-family: sans-serif; font-size: 16.8px;"> •</span> Consulting Services</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<p><br /></p>
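<p>Stripe's notice describes card testing as a high velocity of charge attempts in a short time and names rate limiting as a way to slow it. The following is an added example, not part of the original thread and not the donation site's code: a sliding-window check over a constructed charge-attempt log. The log fields, thresholds and function name are assumptions.</p>

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them against real traffic.
WINDOW = timedelta(minutes=5)
MAX_ATTEMPTS = 5   # charge attempts tolerated per source inside the window
MAX_CARDS = 3      # distinct cards tolerated per source inside the window

# Constructed sample data: (ISO timestamp, source IP, card fingerprint, outcome).
BURST = [(f"2019-12-23T10:00:{i * 7:02d}", "198.51.100.7", f"fp_burst_{i}",
          "succeeded" if i == 3 else "declined") for i in range(8)]
DONOR = [("2019-12-23T10:01:00", "203.0.113.20", "fp_donor", "declined"),
         ("2019-12-23T10:02:30", "203.0.113.20", "fp_donor", "succeeded")]
SLOW = [(f"2019-12-23T{11 + i}:00:00", "192.0.2.9", f"fp_slow_{i}", "declined")
        for i in range(6)]
SAMPLE_ATTEMPTS = BURST + DONOR + SLOW


def find_card_testing(attempts, window=WINDOW,
                      max_attempts=MAX_ATTEMPTS, max_cards=MAX_CARDS):
    """Return {source_ip: timestamp at which the source was first flagged}."""
    recent = defaultdict(deque)   # per-source sliding window of attempts
    flagged = {}
    for ts_text, ip, card, outcome in sorted(attempts):
        ts = datetime.fromisoformat(ts_text)
        queue = recent[ip]
        queue.append((ts, card, outcome))
        while ts - queue[0][0] > window:   # drop attempts older than the window
            queue.popleft()
        cards = {c for _, c, _ in queue}
        declines = sum(1 for _, _, o in queue if o == "declined")
        # Flag on many attempts, many distinct cards and mostly declines together,
        # so a donor retrying one card after a decline is left alone.
        if (ip not in flagged and len(queue) > max_attempts
                and len(cards) > max_cards and 2 * declines >= len(queue)):
            flagged[ip] = ts_text
    return flagged


if __name__ == "__main__":
    for ip, when in find_card_testing(SAMPLE_ATTEMPTS).items():
        print(f"{ip} flagged at {when}")
```

<p>The slow source in the sample stays under a five-minute window, which is why Stripe's notice treats rate limiting as a way to slow attacks rather than a complete answer.</p>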
</body></html>