[Qgis-psc] Stripe donations on QGIS.ORG

Andreas Neumann a.neumann at carto.net
Wed Jan 19 21:52:18 PST 2022


Hi,

Oh yes, now I remember it - now that you dug out this thread - thanks!

However, it is strange that for some users it seems to fail (at least 
sometimes).

And for some reason, the reCaptcha test expires relatively soon.

Anyway - since it is a bit hard to reproduce in what circumstances the 
reCaptcha test fails, let's leave it as it is. There were not many 
people complaining. Just one or two.

Thanks,

Andreas

On 2022-01-20 02:22, Dimas C wrote:

> Hi all,
> 
> Yes we decided to implement reCaptcha to prevent fraudulent 
> transactions. Here's the email thread from 2019 :
> 
> ---------- Forwarded message ---------
> From: Andreas Neumann <andreas at qgis.org>
> Date: Tue, 24 Dec 2019 at 14:40
> Subject: Re: Your Stripe Account for
> To: Stripe Support <support at stripe.com>, Tim Sutton <tim at qgis.org>, 
> Andreas Neumann <finance at qgis.org>, Dimas Ciptura <dimas at kartoza.com>
> 
> Hi Ezra and Stripe Support,
> 
> Thank you for letting us know about the card testing attempts going on 
> on our website.
> 
> From the measures you ask us to do, we want to implement option 1 with 
> the reCaptcha. We will need a couple of days for this to be 
> implemented, because of the holidays over Christmas.
> 
> Thank you for your patience with us in order to get this set up at our 
> website.
> 
> Have a good Christmas,
> Andreas Neumann
> 
> On Tue, 24 Dec 2019 at 03:33, 'Stripe Support' via stripe admin account 
> <stripe at qgis.org> wrote:
> 
>> Hi Andreas,
>> 
>> We believe a type of fraudulent activity called card testing is 
>> occurring on your Stripe account. We wanted to let you know and ask 
>> that you take action immediately.
>> 
>> Card testing is a type of fraud in which a bad actor attempts to test 
>> stolen credit card details using the payment or donation flow on your 
>> website in order to tell which credit cards are live[0]. Fraudsters 
>> often use sites with unprotected payment forms to make a high velocity 
>> of charge attempts in a short amount of time. If you see any 
>> successful card testing attempts, please refund them immediately to 
>> avoid disputes.
>> 
>> The two main preventative measures are:
>> 1) Adding reCaptcha to your payment flow. This is the industry 
>> standard method for minimizing card testing; Google offers an 
>> "invisible" option to preserve a great customer experience in your 
>> payment flow. Learn more: 
>> https://support.stripe.com/questions/mitigating-card-testing-with-a-captcha
>> 
>> 2) Using Stripe Radar to monitor and block charges. Radar is not 
>> specifically designed to prevent card testing, though block lists and 
>> rate limiting can be effective in slowing down attacks. If you have 
>> not already received it, we are happy to offer a three month free 
>> trial of Radar for Fraud Teams[1] while a more robust mitigation such 
>> as a CAPTCHA is implemented. To gain access to the free trial, please 
>> respond to this email stating that you would like to do so. Please 
>> note that you will need to either cancel your access to Radar for 
>> Fraud Teams after the three months or you will be billed going 
>> forward. Learn more: 
>> https://support.stripe.com/questions/mitigating-card-testing-with-radar
>> 
>> We understand that there is not a single best solution for all 
>> businesses, and we want to leave the decision making to you. However, 
>> if the card testing is not stopped by the method you choose, we may 
>> require implementation of a CAPTCHA.
>> 
>> We take the safety of your Stripe account seriously and this is an 
>> urgent issue for your business and for Stripe[2]. Therefore, we ask 
>> that you please respond within 7 days including your plan and a 
>> timeline for remediation. We understand that it may take longer than 7 
>> days to implement new preventative measures. If we do not hear from 
>> you, we will temporarily pause transfers to your bank account and may 
>> significantly block charge attempts that are coming through your 
>> account in order to minimize this fraudulent activity.
>> 
>> We hope this information is useful and thank you for helping us 
>> prevent this type of fraudulent behavior. Please let us know if you 
>> have any questions!
>> 
>> Best,
>> Ezra
>> 
>> [0] https://support.stripe.com/questions/card-testing-overview
>> [1] https://stripe.com/radar/fraud-teams
>> [2] 
>> https://support.stripe.com/questions/why-card-testing-is-an-urgent-issue-to-resolve
>> 
>> [7OYOEX-X2V2]
> 
> --
> 
> --
> Andreas Neumann QGIS.ORG [1] board member (treasurer)
> 
> On Thu, 20 Jan 2022 at 07:50, Tim Sutton <tim at kartoza.com> wrote:
> 
> Hi
> 
> I think it was a requirement with the new API or something. I will 
> check with Dimas.
> 
> Regards
> 
> Tim
> 
> On Sun, Jan 16, 2022 at 8:21 PM Richard Duivenvoorde 
> <rdmailings at duif.net> wrote:
> On 1/16/22 18:37, Andreas Neumann wrote:
>> Dear colleagues,
>> 
>> I heard from one person who wanted to donate through Stripe.com from 
>> https://donate.qgis.org/ and it did not work for him.
>> 
>> Then I tried myself - once it failed, the other two times on different 
>> browsers (Chrome and Firefox), I had to fill in ReCAPTCHAs - quite 
>> annoying - I have to say. Certainly not a good experience for our 
>> donors.
>> 
>> Is the ReCAPTCHA thing now a required thing from stripe.com [2]?
>> 
>> Thanks if you could try it if it works for you (you don't have to 
>> donate - just test).
> 
> Mmm, I tried 2x both with Firefox and Chromium (on Debian Linux), and 
> never have to fill in a ReCAPTCHA, only check the "I'm not a 
> robot"-checkbox every time.
> 
> Tim's colleagues did implement the ReCAPTCHA, not sure if it was a 
> requirement or we had a lot of fake payments, I think Tim is the best 
> source for this?
> 
> Regards,
> 
> Richard Duivenvoorde
> _______________________________________________
> Qgis-psc mailing list
> Qgis-psc at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/qgis-psc
> --
> 
> ------------------------------------------------------------------------------------------
> 
>> Tim Sutton
> Visit http://kartoza.com [3] to find out about open source:
> * Desktop GIS programming services
> * Geospatial web development
> * GIS Training
> * Consulting Services
> 
> Tim is a member of the QGIS Project Steering Committee
> -------------------------------------------------------------------------------------------

   --

Dimas Ciputra - Software Developer
Email : dimas at kartoza.com
Tel : +62 812 1679 2585
Visit https://kartoza.com to find out about open source :
  *  Desktop GIS programming services
  *  Geospatial web development
  *  GIS Training
  *  Consulting Services



Links:
------
[1] http://qgis.org/
[2] http://stripe.com
[3] http://kartoza.com/
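
Added example, not part of the thread and not QGIS.ORG's or Stripe's code: a sliding-window check for the "high velocity of charge attempts in a short amount of time" pattern that Stripe Support describes above, run over constructed donation-attempt records. The thresholds, record layout, card fingerprints and documentation-range IP addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them against real donation traffic.
WINDOW = timedelta(minutes=5)
MAX_ATTEMPTS = 5   # attempts tolerated per source inside WINDOW
MAX_CARDS = 3      # distinct cards tolerated per source inside WINDOW

# Constructed sample records: (timestamp, source IP, card fingerprint, outcome).
T0 = datetime(2019, 12, 23, 12, 0, 0)
ATTEMPTS = [
    (T0 + timedelta(seconds=10 * i), "203.0.113.7", f"card_{i:02d}",
     "succeeded" if i == 5 else "declined")
    for i in range(8)
] + [
    # A donor who mistypes once and retries with the same card.
    (T0 + timedelta(minutes=1), "198.51.100.20", "card_donor", "declined"),
    (T0 + timedelta(minutes=2), "198.51.100.20", "card_donor", "succeeded"),
]


def flag_card_testing(attempts, window=WINDOW,
                      max_attempts=MAX_ATTEMPTS, max_cards=MAX_CARDS):
    """Return {source: time the source first exceeded a threshold}."""
    recent = defaultdict(deque)  # source -> (timestamp, card) pairs inside the window
    flagged = {}
    for ts, src, card, _outcome in sorted(attempts):
        q = recent[src]
        q.append((ts, card))
        while ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        distinct_cards = {c for _, c in q}
        if src not in flagged and (len(q) > max_attempts
                                   or len(distinct_cards) > max_cards):
            flagged[src] = ts
    return flagged


def charges_to_review(attempts, flagged):
    """Successful charges from flagged sources: the refund candidates."""
    return [(ts, src, card) for ts, src, card, outcome in sorted(attempts)
            if src in flagged and outcome == "succeeded"]


if __name__ == "__main__":
    flagged = flag_card_testing(ATTEMPTS)
    print(flagged)
    print(charges_to_review(ATTEMPTS, flagged))
```

Keying on source IP is the simplest choice; attempts spread over many addresses need an additional key, such as the session or the donation endpoint as a whole.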