[Qgis-psc] Stripe donations on QGIS.ORG

Tim Sutton tim at kartoza.com
Fri Jan 21 14:08:36 PST 2022


Noted, thanks @Andreas. If the complaints grow, pop us a note and we will
look into it some more.

Regards

Tim

On Thu, Jan 20, 2022 at 5:52 AM Andreas Neumann <a.neumann at carto.net> wrote:

> Hi,
>
> Oh yes, now I remember it - now that you dug out this thread - thanks!
>
> However, it is strange that for some users it seems to fail (at least
> sometimes).
>
> And for some reason, the reCaptcha test expires relatively soon.
>
> Anyway - since it is a bit hard to reproduce in what circumstances the
> reCaptcha test fails, let's leave it as it is. There were not many people
> complaining. Just one or two.
>
> Thanks,
>
> Andreas
>
> On 2022-01-20 02:22, Dimas C wrote:
>
> Hi all,
>
> Yes, we decided to implement reCaptcha to prevent fraudulent transactions.
> Here's the email thread from 2019:
>
> ---------- Forwarded message ---------
> From: *Andreas Neumann* <andreas at qgis.org>
> Date: Tue, 24 Dec 2019 at 14:40
> Subject: Re: Your Stripe Account for
> To: Stripe Support <support at stripe.com>, Tim Sutton <tim at qgis.org>,
> Andreas Neumann <finance at qgis.org>, Dimas Ciptura <dimas at kartoza.com>
>
>
> Hi Ezra and Stripe Support,
>
> Thank you for letting us know about the card testing attempts going on on
> our website.
>
> From the measures you ask us to do, we want to implement option 1 with the
> reCaptcha. We will need a couple of days for this to be implemented,
> because of the holidays over Christmas.
>
> Thank you for your patience with us in order to get this set up at our
> website.
>
> Have a good Christmas,
> Andreas Neumann
>
> On Tue, 24 Dec 2019 at 03:33, 'Stripe Support' via stripe admin account <
> stripe at qgis.org> wrote:
>
>
> Hi Andreas,
>
> We believe a type of fraudulent activity called card testing is occurring
> on your Stripe account. We wanted to let you know and ask that you take
> action immediately.
>
> Card testing is a type of fraud in which a bad actor attempts to test
> stolen credit card details using the payment or donation flow on your
> website in order to tell which credit cards are live[0]. Fraudsters often
> use sites with unprotected payment forms to make a high velocity of charge
> attempts in a short amount of time. If you see any successful card testing
> attempts, please refund them immediately to avoid disputes.
>
> The two main preventative measures are:
> 1) Adding reCaptcha to your payment flow. This is the industry standard
> method for minimizing card testing; Google offers an "invisible" option to
> preserve a great customer experience in your payment flow. Learn more:
> https://support.stripe.com/questions/mitigating-card-testing-with-a-captcha
>
> 2) Using Stripe Radar to monitor and block charges. Radar is not
> specifically designed to prevent card testing, though block lists and rate
> limiting can be effective in slowing down attacks. If you have not already
> received it, we are happy to offer a three month free trial of Radar for
> Fraud Teams[1] while a more robust mitigation such as a CAPTCHA is
> implemented. To gain access to the free trial, please respond to this email
> stating that you would like to do so. Please note that you will need to
> either cancel your access to Radar for Fraud Teams after the three months
> or you will be billed going forward. Learn more:
> https://support.stripe.com/questions/mitigating-card-testing-with-radar
>
> We understand that there is not a single best solution for all businesses,
> and we want to leave the decision making to you. However, if the card
> testing is not stopped by the method you choose, we may require
> implementation of a CAPTCHA.
>
> We take the safety of your Stripe account seriously and this is an urgent
> issue for your business and for Stripe[2]. Therefore, we ask that you
> please respond within 7 days including your plan and a timeline for
> remediation. We understand that it may take longer than 7 days to implement
> new preventative measures. If we do not hear from you, we will temporarily
> pause transfers to your bank account and may significantly block charge
> attempts that are coming through your account in order to minimize this
> fraudulent activity.
>
> We hope this information is useful and thank you for helping us prevent
> this type of fraudulent behavior. Please let us know if you have any
> questions!
>
> Best,
> Ezra
>
> [0] https://support.stripe.com/questions/card-testing-overview
> [1] https://stripe.com/radar/fraud-teams
> [2]
> https://support.stripe.com/questions/why-card-testing-is-an-urgent-issue-to-resolve
>
>
> [7OYOEX-X2V2]
>
>
>
> --
>
> --
> Andreas Neumann
> QGIS.ORG <http://qgis.org/> board member (treasurer)
>
> On Thu, 20 Jan 2022 at 07:50, Tim Sutton <tim at kartoza.com> wrote:
>
> Hi
>
> I think it was a requirement with the new API or something. I will check
> with Dimas.
>
> Regards
>
> Tim
>
> On Sun, Jan 16, 2022 at 8:21 PM Richard Duivenvoorde <rdmailings at duif.net>
> wrote:
>
> On 1/16/22 18:37, Andreas Neumann wrote:
> > Dear colleagues,
> >
> > I heard from one person who wanted to donate through Stripe.com from
> > https://donate.qgis.org/ and it did not work for him.
> >
> > Then I tried myself - once it failed, the other two times on different
> > browsers (Chrome and Firefox), I had to fill in ReCAPTCHAs - quite annoying
> > - I have to say. Certainly not a good experience for our donors.
> >
> > Is the ReCAPTCHA thing now a required thing from stripe.com?
> >
> > Thanks if you could try it if it works for you (you don't have to donate
> > - just test).
>
> Mmm, I tried 2x both with Firefox and Chromium (on Debian Linux), and
> never had to fill in a ReCAPTCHA, only check the "I'm not a
> robot"-checkbox every time.
>
> Tim's colleagues did implement the ReCAPTCHA, not sure if it was a
> requirement or we had a lot of fake payments, I think Tim is the best
> source for this?
>
> Regards,
>
> Richard Duivenvoorde
> _______________________________________________
> Qgis-psc mailing list
> Qgis-psc at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/qgis-psc
>
>
>
> --
>
> ------------------------------------------------------------------------------------------
> Tim Sutton
> Visit http://kartoza.com to find out about open source:
>  * Desktop GIS programming services
>  * Geospatial web development
> * GIS Training
> * Consulting Services
>
> Tim is a member of the QGIS Project Steering Committee
>
> -------------------------------------------------------------------------------------------
>
>
>
> --
> *Dimas Ciputra - Software Developer*
> Email : dimas at kartoza.com
> Tel : +62 812 1679 2585
> Visit https://kartoza.com to find out about open source :
>  •  Desktop GIS programming services
>  •  Geospatial web development
>  •  GIS Training
>  •  Consulting Services
>
>
>

-- 
------------------------------------------------------------------------------------------
Tim Sutton
Visit http://kartoza.com to find out about open source:
 * Desktop GIS programming services
 * Geospatial web development
* GIS Training
* Consulting Services
Tim is a member of the QGIS Project Steering Committee
-------------------------------------------------------------------------------------------