From the moment I began my freelance web design business back in 2014, I was collecting payments via Stripe and happily paying their processing fees for the ability to grow my business from just a desire for more freedom to running a company that employs women and supports them to create their own freedom and financial independence.

It never occurred to me that using Stripe to process payments would become one of the biggest risks to my small business.

My Stripe account was hacked due to Stripe’s lax security, over $70,000 of fraudulent charges were processed by the hacker through a fake connected account, paid out instantly to that person via Stripe’s Instant Payments to the hacker’s pre-paid debit card, and Stripe started pulling the money out of my business bank account to pay back the victims of the theft.

And Stripe says it’s my fault that my account was hacked and that I’m liable to pay back the victims of the fraud.

Listen to the full podcast episode or read on to find out exactly what happened and how to protect your business.


On a quiet Monday morning after the Easter holiday, I was sipping coffee on my couch in Columbus, Ohio like I normally do, snuggling with my dog and going through my normal morning entrepreneurial routine of checking emails and DMs on my business account when I see an email from Stripe with the subject line:

“Subject: [Action required] Closure of your Stripe account”

We recently identified payments on your Stripe account that don’t appear to have been authorized by the customer, meaning that the owner of the card or bank account didn’t consent to these payments.

As a precautionary measure, we will no longer accept payments for [your company].

We will also begin issuing refunds on card payments on April 15, 2023, although they may take longer to appear on the cardholderā€™s statement.

Please refer to your dashboard for a list of the charges that will be refunded. If there are insufficient funds on your account to cover any refunds, those refunds won’t be processed and any outstanding funds will remain in your account.

If you believe that we’ve misunderstood or miscategorized your business and would like us to conduct another review of your account, please complete the form on your Stripe Dashboard to provide more information about your business.

Request further review

If you have any questions, you can contact us any time from our support site.”

I remember thinking… yeah, this is probably some phishing scam…

So I check out the “From” address, and actually click into it to see the actual address and it’s saying it’s FROM [email protected]…

And I log into my Stripe account from a separate browser, you know, just in case… and after using my Authenticator app because I have 2-factor authentication set up on my account, I see the request at the top of my account asking me to provide proof that I am the owner of my business.

I look at my recent authorized transactions and nothing is out of the ordinary… all of the successful payments listed are from students inside my Web Designer Academy who have been making their monthly membership payments like clockwork.

And I think, “This must just be a mistake. I’ve been a customer of Stripe for 8 years now. I’ll submit all the documentation Stripe requested and I’m sure that will take care of it.”

So I grab my laptop, submit all the documentation right away, and get back to snuggling and scrolling.

Then I log into my bank account and see a withdrawal from my business checking account from Stripe for over $600. And another pending transaction for a withdrawal over $2000. And no credits for the payments that were made by students over the weekend.

And I’m feeling very confused thinking, “What is happening?”

Iā€™m starting to feel the anxiety bubbling up, but I tell myself to be patient. Once they review all the documents I submitted to prove that I am who I say I am, this will all get resolved.

A few hours later, I receive another email:

“Subject: Additional review completed for Stripe Shop”

Whew, I think. I’m glad they took care of this so quickly.

I click into the email, and my heart starts pounding in my chest as I read it:

“Thank you for providing additional information about your business.

After reviewing your account again, we’ve confirmed that your business represents a higher risk than we can currently support.

We are unable to accept payments for [your company] moving forward.

Payouts to your bank account have been paused, and we will issue refunds on any card payments by May 10, 2023, although they may take longer to appear on the cardholder’s statement.

If there are insufficient funds on your account to cover any refunds, these refunds will not be processed and any outstanding funds will remain on your account.

Please refer to your Dashboard for a list of the charges to be refunded.

If you’d like to further appeal our decision, please contact us.”

I can feel the panic rising in my body. I tap on the Stripe app on my phone and I see that there’s a negative payout balance… but all the transactions listed in the app are legit.

I log back into my Stripe account via my computer trying to figure out what in the world they are talking about: what are all these charges that they are saying are fraudulent? I’m looking for a phone number I can call to talk to someone.

I start clicking through every link in my Stripe dashboard, and when I get to the “Connect” menu item, that’s when I see it.

Two accounts with the business name of “Netflix.com” under the name “Albert Dawkins” which between the two accounts had racked up over $70,000 in credit card charges in the 3 days over the Easter holiday weekend.

Looking more closely, the ill-gotten gains were paid out instantly to a pre-paid debit card via Stripe’s Instant Payouts feature the moment the transactions were successful.

I realized my Stripe account was hacked. …

  • maltfield@monero.town (OP) · edited · 1 year ago

    I’m curious if any security engineers have covered this incident.

    Stripe does support generating Restricted API Keys. With “Restricted API Keys” you’re able to mint a key that can live on your e-commerce website that has permission to accept payments but does not have permission to modify your merchant account’s payout methods (e.g. adding a new “Instant Payments” debit card to the merchant account as this attacker did).

    Unfortunately, I asked WooCommerce to support Restricted API Keys 1 year ago, but they marked it as “low priority”

    …I would appreciate it if more people would jump in on ^ that ticket and scold WooCommerce so that they add support for Restricted API Keys ;)
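The comment above makes the least-privilege point: a storefront key should only be able to take payments, never to attach a payout destination or trigger an instant payout. A restricted key closes that door for the key on the website, but the same three actions are also exactly what to watch for on the Stripe webhook feed, because any other credential that can still do them will produce the same events. The following is an added example and is not code from the post's author, from maltfield's comment, from Stripe or from WooCommerce. It is a small Python webhook monitor that first checks Stripe's documented `Stripe-Signature` scheme (HMAC-SHA256 over `"<timestamp>.<raw body>"`, header `t=...,v1=...`) and then flags events from a connected account it does not recognise, any `account.external_account.created` (a new bank account or debit card as payout destination), and any `payout.*` event with `method: "instant"`. The event type names and the signature scheme are Stripe's; the event IDs, amounts, the `acct_demo_*` account IDs and the `whsec_demo_*` secret are constructed for the demo, and the allow-list of expected connected accounts is the operator's own input.

```python
# Added example (not the page's or Stripe's code). Event type names and the
# Stripe-Signature scheme are real; IDs, amounts and the secret are made up.
import hashlib
import hmac
import json
import time
from typing import Optional

# Real Stripe event name: a bank account or debit card was attached as a
# payout destination (on the platform account or a connected account).
EXTERNAL_ACCOUNT_ADDED = "account.external_account.created"


def sign_payload(payload: bytes, secret: str, timestamp: int) -> str:
    """Produce a Stripe-Signature header value the way Stripe does:
    HMAC-SHA256 over "<timestamp>.<raw body>", keyed with the endpoint secret.
    Used here only to sign the constructed sample events."""
    signed = f"{timestamp}.".encode() + payload
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_signature(payload: bytes, sig_header: str, secret: str,
                     now: Optional[int] = None, tolerance: int = 300) -> bool:
    """Accept the event only if one v1 signature matches and the timestamp
    is within `tolerance` seconds (blocks replay of a captured delivery)."""
    timestamp, candidates = None, []
    for item in sig_header.split(","):
        key, _, value = item.partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    current = now if now is not None else int(time.time())
    if abs(current - timestamp) > tolerance:
        return False
    expected = sign_payload(payload, secret, timestamp).split("v1=", 1)[1]
    return any(hmac.compare_digest(expected, c) for c in candidates)


def triage(event: dict, known_accounts: set) -> list:
    """Return the reasons (possibly none) this event needs a human look."""
    reasons = []
    obj = event.get("data", {}).get("object", {})
    acct = event.get("account")  # set only on events from connected accounts
    if acct and acct not in known_accounts:
        reasons.append(f"activity from unknown connected account {acct}")
    if event["type"] == EXTERNAL_ACCOUNT_ADDED:
        reasons.append(f"new payout destination {obj.get('id')} "
                       f"(funding={obj.get('funding', 'n/a')})")
    if event["type"].startswith("payout.") and obj.get("method") == "instant":
        reasons.append(f"instant payout {obj.get('id')} of "
                       f"{obj.get('amount')} {obj.get('currency')}")
    return reasons


def handle_webhook(payload: bytes, sig_header: str, secret: str,
                   known_accounts: set, now: Optional[int] = None) -> list:
    """What the HTTPS endpoint calls per delivery: authenticate, then triage."""
    if not verify_signature(payload, sig_header, secret, now=now):
        raise ValueError("bad Stripe-Signature; dropping unauthenticated event")
    return triage(json.loads(payload), known_accounts)


# Constructed sample deliveries, mirroring the sequence the post describes:
# an unexpected connected account gets a prepaid card attached as its payout
# destination, then an instant payout drains the charged funds.
SAMPLE_EVENTS = [
    {"id": "evt_demo_1", "type": "charge.succeeded",
     "data": {"object": {"id": "ch_demo_1", "amount": 4900, "currency": "usd"}}},
    {"id": "evt_demo_2", "type": EXTERNAL_ACCOUNT_ADDED, "account": "acct_demo_unknown",
     "data": {"object": {"object": "card", "id": "card_demo_1", "funding": "prepaid"}}},
    {"id": "evt_demo_3", "type": "payout.created", "account": "acct_demo_unknown",
     "data": {"object": {"id": "po_demo_1", "amount": 1900000, "currency": "usd",
                         "method": "instant"}}},
    {"id": "evt_demo_4", "type": "payout.created",
     "data": {"object": {"id": "po_demo_2", "amount": 120000, "currency": "usd",
                         "method": "standard"}}},
]
KNOWN_ACCOUNTS = {"acct_demo_known"}          # connected accounts you expect
DEMO_SECRET = "whsec_demo_not_a_real_secret"  # assumed endpoint signing secret


def run_demo(now: int = 1_700_000_000) -> dict:
    """Sign each sample event as Stripe would, deliver it, collect alerts."""
    alerts = {}
    for event in SAMPLE_EVENTS:
        payload = json.dumps(event).encode()
        reasons = handle_webhook(payload, sign_payload(payload, DEMO_SECRET, now),
                                 DEMO_SECRET, KNOWN_ACCOUNTS, now=now)
        if reasons:
            alerts[event["id"]] = reasons
    return alerts


if __name__ == "__main__":
    for evt_id, why in run_demo().items():
        print(evt_id, "->", "; ".join(why))
```

Run as-is it reports `evt_demo_2` (unknown connected account plus a prepaid card attached as payout destination) and `evt_demo_3` (same unknown account plus an instant payout of 1900000 cents), and stays quiet on the ordinary charge and the standard payout. In production the raw request body must be passed to `verify_signature` unmodified (re-serialising the JSON changes the bytes and breaks the HMAC), the allow-list comes from the platform's own records of connected accounts, and an alert should pause payouts rather than just log, since the post shows the money was gone within moments of each charge.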