From the moment I began my freelance web design business back in 2014, I collected payments via Stripe and happily paid their processing fees for the ability to grow my business, from a simple desire for more freedom to running a company that employs women and supports them in creating their own freedom and financial independence.

It never occurred to me that using Stripe to process payments would become one of the biggest risks to my small business.

My Stripe account was hacked due to Stripe’s lax security. Over $70,000 of fraudulent charges were processed by the hacker through a fake connected account and paid out instantly to the hacker’s pre-paid debit card via Stripe’s Instant Payouts, and Stripe started pulling the money out of my business bank account to pay back the victims of the theft.

And Stripe says it’s my fault that my account was hacked and that I’m liable to pay back the victims of the fraud.

Listen to the full podcast episode or read on to find out exactly what happened and how to protect your business.


On a quiet Monday morning after the Easter holiday, I was sipping coffee on my couch in Columbus, Ohio like I normally do, snuggling with my dog and going through my normal morning entrepreneurial routine of checking emails and DMs on my business account when I see an email from Stripe with the subject line:

“Subject: [Action required] Closure of your Stripe account

We recently identified payments on your Stripe account that don’t appear to have been authorized by the customer, meaning that the owner of the card or bank account didn’t consent to these payments.

As a precautionary measure, we will no longer accept payments for [your company].

We will also begin issuing refunds on card payments on April 15, 2023, although they may take longer to appear on the cardholder’s statement.

Please refer to your dashboard for a list of the charges that will be refunded. If there are insufficient funds on your account to cover any refunds, those refunds won’t be processed and any outstanding funds will remain in your account.

If you believe that we’ve misunderstood or miscategorized your business and would like us to conduct another review of your account, please complete the form on your Stripe Dashboard to provide more information about your business.

[Request further review]

If you have any questions, you can contact us any time from our support site.”

I remember thinking… yeah, this is probably some phishing scam…

So I check the “From” address, and actually click into it to see the real address, and it says it’s from [email protected]

And I log into my Stripe account from a separate browser, you know, just in case… and after using my Authenticator app because I have 2-factor authentication set up on my account, I see the request at the top of my account asking me to provide proof that I am the owner of my business.

I look at my recent authorized transactions and nothing is out of the ordinary: all of the successful payments listed are from students inside my Web Designer Academy who have been making their monthly membership payments like clockwork.

And I think, “This must just be a mistake. I’ve been a customer of Stripe for 8 years now. I’ll submit all the documentation Stripe requested and I’m sure that will take care of it.”

So I grab my laptop, submit all the documentation right away, and get back to snuggling and scrolling.

Then I log into my bank account and see a withdrawal from my business checking account by Stripe for over $600, another pending withdrawal of over $2,000, and no credits for the payments that were made by students over the weekend.

And I’m feeling very confused thinking, “What is happening?”

I’m starting to feel the anxiety bubbling up, but I tell myself to be patient. Once they review all the documents I submitted to prove that I am who I say I am, this will all get resolved.

A few hours later, I receive another email:

“Subject: Additional review completed for Stripe Shop”

Whew, I think. I’m glad they took care of this so quickly.

I click into the email, and my heart starts pounding in my chest as I read it:

“Thank you for providing additional information about your business.

After reviewing your account again, we’ve confirmed that your business represents a higher risk than we can currently support.

We are unable to accept payments for [your company] moving forward.

Payouts to your bank account have been paused, and we will issue refunds on any card payments by May 10, 2023, although they may take longer to appear on the cardholder’s statement.

If there are insufficient funds on your account to cover any refunds, these refunds will not be processed and any outstanding funds will remain on your account.

Please refer to your Dashboard for a list of the charges to be refunded.

If you’d like to further appeal our decision, please contact us.”

I can feel the panic rising in my body. I tap on the Stripe app on my phone and see that there’s a negative payout balance, but all the transactions listed in the app are legit.

I log back into my Stripe account on my computer, trying to figure out what in the world they are talking about. What are all these charges they say are fraudulent? I’m looking for a phone number I can call to talk to someone.

I start clicking through every link in my Stripe dashboard, and when I get to the “Connect” menu item, that’s when I see it.

Two connected accounts with the business name “Netflix.com” under the name “Albert Dawkins”, which between them had racked up over $70,000 in credit card charges in the 3 days over the Easter holiday weekend.

Looking more closely, the ill-gotten gains were paid out instantly to a pre-paid debit card via Stripe’s Instant Payouts feature the moment the transactions succeeded.

I realized my Stripe account was hacked. …
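The pattern described above (connected accounts created under a platform account over a weekend, card payments charged through them, and the balance drained with Instant Payouts to a single card within hours) is something a platform owner can audit for. The script below is an added example, not code from this post or from Stripe: it runs offline on constructed sample data modelled on the incident, and the `fetch_from_stripe` helper shows how the same fields would be pulled from a live account with the stripe-python library. The thresholds, account ids, destination ids and amounts are assumptions chosen for illustration.

```python
"""Audit a Stripe platform for the pattern described above: young connected
accounts that collect card payments and immediately drain them with Instant
Payouts to a card. Added example, not the post's or Stripe's own code."""
from __future__ import annotations

import time
from dataclasses import dataclass, field

# Thresholds are illustrative assumptions, not Stripe defaults or limits.
MAX_ACCOUNT_AGE_SECONDS = 7 * 24 * 3600   # only look at accounts under a week old
INSTANT_PAYOUT_ALERT_CENTS = 100_000      # $1,000 of instant payouts (amounts are in minor units)


@dataclass
class Finding:
    account_id: str
    business_name: str
    account_age_days: float
    instant_payout_cents: int
    destinations: list[str] = field(default_factory=list)


def find_suspicious_accounts(accounts, payouts_by_account, now=None):
    """accounts: iterable of dicts shaped like Stripe Account objects
    (id, created as a unix timestamp, business_profile.name).
    payouts_by_account: {account_id: [dicts shaped like Stripe Payout objects]}
    with amount (minor units), method ('standard' or 'instant'), status, destination.
    Returns a Finding for every account younger than MAX_ACCOUNT_AGE_SECONDS whose
    instant payouts (paid or still moving) total at least INSTANT_PAYOUT_ALERT_CENTS."""
    now = time.time() if now is None else now
    findings = []
    for acct in accounts:
        age = now - acct["created"]
        if age > MAX_ACCOUNT_AGE_SECONDS:
            continue
        instant = [
            p for p in payouts_by_account.get(acct["id"], [])
            if p.get("method") == "instant" and p.get("status") in ("pending", "in_transit", "paid")
        ]
        total = sum(p["amount"] for p in instant)
        if total < INSTANT_PAYOUT_ALERT_CENTS:
            continue
        profile = acct.get("business_profile") or {}
        findings.append(Finding(
            account_id=acct["id"],
            business_name=profile.get("name") or "",
            account_age_days=age / 86400,
            instant_payout_cents=total,
            destinations=sorted({p["destination"] for p in instant}),
        ))
    return findings


def fetch_from_stripe(secret_key):
    """Pull the same data from a live platform account with stripe-python
    (pip install stripe). Needs network and a real key; not used in the offline demo."""
    import stripe
    stripe.api_key = secret_key
    accounts = list(stripe.Account.list(limit=100).auto_paging_iter())
    payouts = {
        acct["id"]: list(stripe.Payout.list(limit=100, stripe_account=acct["id"]).auto_paging_iter())
        for acct in accounts
    }
    return accounts, payouts


# Constructed sample data modelled on the incident: one long-standing legitimate
# account, two accounts created over a holiday weekend that pay out instantly to
# one prepaid card, and a new account too small to alert on. Ids are made up.
NOW = 1_681_100_000  # fixed "now" (10 April 2023) so the demo is deterministic
SAMPLE_ACCOUNTS = [
    {"id": "acct_legit", "created": NOW - 400 * 86400, "business_profile": {"name": "Web Designer Academy"}},
    {"id": "acct_fraud1", "created": NOW - 3 * 86400, "business_profile": {"name": "Netflix.com"}},
    {"id": "acct_fraud2", "created": NOW - 2 * 86400, "business_profile": {"name": "Netflix.com"}},
    {"id": "acct_small", "created": NOW - 1 * 86400, "business_profile": {"name": "Tiny Shop"}},
]
SAMPLE_PAYOUTS = {
    "acct_legit": [{"amount": 250_000, "method": "standard", "status": "paid", "destination": "ba_legit"}],
    "acct_fraud1": [
        {"amount": 3_500_000, "method": "instant", "status": "paid", "destination": "card_prepaid"},
        {"amount": 1_200_000, "method": "instant", "status": "paid", "destination": "card_prepaid"},
    ],
    "acct_fraud2": [{"amount": 2_600_000, "method": "instant", "status": "in_transit", "destination": "card_prepaid"}],
    "acct_small": [{"amount": 5_000, "method": "instant", "status": "paid", "destination": "card_other"}],
}

if __name__ == "__main__":
    for f in find_suspicious_accounts(SAMPLE_ACCOUNTS, SAMPLE_PAYOUTS, now=NOW):
        print(f"{f.account_id} {f.business_name!r}: {f.account_age_days:.1f} days old, "
              f"${f.instant_payout_cents / 100:,.2f} in instant payouts to {f.destinations}")
```

On the sample data the two weekend accounts are flagged ($47,000 and $26,000 of instant payouts to the same card) while the old account and the small new one are not. Run against a live platform, the same check on a schedule would have surfaced the two “Netflix.com” accounts within hours rather than days; the real fix is to keep payout-capable credentials off the web server in the first place, but a detection like this is the check a platform owner can run today.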

  • 🇺🇦 seirim M · 2 points · 1 year ago

    This is terrible, shouldn’t there have been limits keeping the issue from growing to such a high amount?

  • Freeman · 2 points · 1 year ago

    This is why I fence off my finances from products and sources like this.

    I have Venmo/Cashapp/PayPal etc., but they are only linked to a secondary checking account that keeps the minimum in it. If I need to move $ to Venmo etc. I transfer money into that checking account.

    All other purchasing, especially online, goes through another credit card. That card is paid monthly, manually, through bill pay from my main account. We avoid auto pay entirely. Just go schedule the payment monthly.

    I don’t carry a debit card for my bank accounts at all. Just CCs.

    The reason I do this? When I was young I was selling stuff on eBay with a linked PayPal account. Some fraudster took a modded Xbox I sold him and reported it as fraud to eBay. They summarily sided with him and back-charged PayPal. Since my PayPal account had no credits they auto-deducted from my main checking, which occurred right after a rent check cleared and put me in overdraft for about half a day. Unscrewing that was a frustrating adventure that had me leave both my bank and PayPal as a customer.

    • 🇺🇦 seirim M · 1 point · 1 year ago

      This is wise, though maybe not easy for a lot of people, and does it add costs? Seems worth it though, I need to implement more of this.

      • Freeman · 1 point · edited · 1 year ago

        Generally no. Doesn’t add costs. CCs are cheap and easy to come by if you have good credit. When my credit was shit I used a secured CC (sorta like a VISA gift card, but a legit CC# that I could pre-load money onto). Don’t just use a gift card and reload it. Some gift cards have different numbers and some services won’t take them as payment (ie: cell carriers). It also doesn’t help your credit.

        Bank accounts have free checking, and that’s what I use. Frankly I use credit unions more often, which are community owned and financed and generally have better customer service (another takeaway from that story: the bank was SunTrust. They also tried to tell me cash deposits weren’t immediate and they couldn’t close my account. I had to read their customer agreement out loud to the branch manager to get them to zero out and close the account).

        Bill pay is also often free.

        The only catch is free checking often has a minimum balance. For my account it’s 1000 dollars. So that’s what I keep in there. The rest I toss in a savings account. So my max loss should something like this happen is 1k, and there’s no way they can get at my main account (different bank/credit union entirely).

        If you are a student, you can often get free checking accounts with crazy low balance requirements too, like $5 etc.

        The entire point of all of this setup is it allows me to handle fraud and theft without having to go without my money or trying to recover it. It’s on the CC merchant, and generally they are more motivated to take care of it if they don’t already have payment in hand (from your account). Once I validate the charges are valid on my CC account I pay them every month. When you challenge or charge back, the line item is frozen and won’t be put on your balance until the investigation clears.

  • 🇺🇦 Max UL · 1 point · 1 year ago

    Any email program and provider should be blocking, and requiring extensive user interaction to successfully respond to or interact with, email addresses with different “From” and “Reply-To” values. It’s a low-hanging-fruit area of improvement for email.

    • @[email protected] OP · 1 point · edited · 10 months ago

      Congratulations! You just blocked all emails from the users’ subscribed mailing lists and support ticket systems. And they’re pissed.

  • @[email protected] OP · 1 point · edited · 10 months ago

    I’m curious if any security engineers have covered this incident.

    Stripe does support generating Restricted API Keys. With “Restricted API Keys” you’re able to mint a key that can live on your e-commerce website that has permission to accept payments but does not have permission to modify your merchant account’s payout methods (e.g. adding a new “Instant Payments” debit card to the merchant account, as this attacker did).

    Unfortunately, I asked WooCommerce to support Restricted API Keys a year ago, but they marked it as “low priority”.

    …I would appreciate it if more people would jump in on that ticket and scold WooCommerce so that they add support for Restricted API Keys ;)