42 comments

[ 3.1 ms ] story [ 94.7 ms ] thread
At Fetch[0] we built UpUP as an internal tool to help us authenticate high-risk transactions. As we scaled we started experiencing a high volume of fraud from multiple vectors: meth rings, carders, identity thieves, etc. We started to manually verify multiple forms of identification to approve an order. This led to quite a bit of customer friction and put a large burden on our customer service team.

We developed UpUp as a payment verification tool to quickly let customers demonstrate ownership of a payment method and get their transactions approved. In the 4 months we've been using UpUp, we've had a 100% success rate in legitimate customers verifying their accounts and completing purchases. We've also been able to approve more transactions, as we no longer have to wait for customers to provide multiple documents before approving their transactions.

We're launching UpUp as its own stand-alone tool for helping any business verify transactions and combat fraud. We're launching with a Stripe integration today, making it seamless for any Stripe user to add UpUp's fraud verification service.

[0] https://www.fetchtruck.com

Great idea!

Do you have plans to support other processors and/or integrate natively with ecommerce platforms like Shopify, BigCommerce and 3dCart?

A button to click in the Ecommerce Platform Admin page for an order that triggers this extra verification would be game changing for many ecommerce companies.

Thanks for the question! I'm also on the team that worked on UpUp. Yes, we built the product with the idea of integrating with multiple platforms and processors. We also plan to launch an API soon to enable verifications to be triggered by other services.

Is there a specific platform you are using that you'd like to see us add next?

Not in particular, but the biggest processors are obviously Stripe (which you already have), Square, PayPal Payments Pro or Payflow Pro, Cybersource/Authorize.net. For ecommerce platforms, Shopify, Bigcommerce and 3dCart are the heavyweights.

Great looking product, and a great idea! Love it!

Thank you :-) That's helpful feedback, and we genuinely appreciate your support. Feel free to reach out to us contact @ upupapp.io if you'd like to chat more. Would be great to hear more about your experience in this area.
One your verification methods is to record a small random charge.

Note that this is also done by 'carders' and so it can trigger bank's own fraud detection.

I've had this happen to me; a legitimate entity in the USA checked my card with a small fee (with my agreement) and my card was cancelled. Took me a week to get it back.

That most likely had to do with your purchase history pattern. Good banks will notice abnormal patterns and freeze your card/account until you approve the charges. Overseas charges are a pretty large red flag, particularly if you simultaneously have charges in your home area. It also depends how the card was run by this company for this second verification... Virtual Terminal vs. a normal checkout flow can sometimes be treated as a "Card Not Present" charge, which can appear more risky to your bank/card company.

Not foolproof, but is a help. Also... another reason to use a credit card for all online purchases... it's not your money, and almost always will be refunded in full if disputed (at least in the US). Bank cards/debit cards are your money, and you might have a fight on your hands with your bank if it's a large enough charge.

Cool tool!

A couple of questions: -can you set this to automatically trigger for high risk transactions? -how do you flag the user as "ok" for charges in stripe? -do you need to disclose random charges to the customer? -are these actual charges that are refunded or just authorizations?

can you set this to automatically trigger for high risk transactions? -how do you flag the user as "ok" for charges in stripe? -do you need to disclose random charges to the customer?

Triggering a verification automatically based on a stripe radar score is definitely on the roadmap. Right now we do not add any metadata to the stripe customer record but that is a great idea!

Are these actual charges that are refunded or just authorizations?

These are just authorizations that will be released as soon as the verification fails, expires, or succeeds.

(comment deleted)
Someone who has been in this field for far too long here:

I like the initiative and I think this is a step for deterring credit card fraud. However, if someone wants your product bad enough, it's trivial — at an incremental cost — to buy a credit card with login.

Yes, while these issuers have security to prevent logging in/logging in from an unknown device/ip/user agent/hwid, we can all attest that for every secured account, there are plenty that aren't. Even with alerts, OPT, device recognition and notifications, that doesn't deter someone from going to a shop, searching by BIN, by brand, by zip, by email, by password, etc. to narrow down what they want to buy.

If you're the only provider with XyzGood, and someone wants XyzGood bad enough, this won't stop them.

Ecommerce fraud is overwhelmingly "Carding", where someone is testing stolen cards to see if they are valid, and have large available balances.

The other most common type of fraud is buying goods with stolen cards, intending to resale the goods on Craigslist or similar.

For both of those cases, this idea would be an immense help. You perform your own "High Risk" criteria checking on all orders, and those flagged as being potentially High Risk, would then receive this extra verification step.

It's pretty rare for someone to steal or buy stolen cards to order products they actually want to keep.

We see UpUp as a piece of our overall fraud strategy. We lend $35,000 vehicles to renters without meeting them in person. Often we are up against very determined bad actors. What we have found is that if you make a fraudsters job a little bit harder they will move onto the easier target.
Overwhelmingly true.

Even something as simple as sending an email or a phone call to "verify the shipping address" is enough to smoke out actual fraud vs. a real customer.

But... that takes time and resources from customer service, and isn't as fool-proof as having access to the actual bank/card account.

The saying we had when I worked on this was that we weren't trying to stop fraud, we were just trying to be a slightly harder target than eBay.
If someone wants to break into car bad enough glass windows won't stop them.

If someone wants to break into a bank bad enough a safe won't stop them.

If someone wants to break into a house bad enough locks won't stop them.

etc

This is an unreasonable argument for trying to secure something. Every step that makes something harder to steal is an improvement in security and increases the cost of theft.

Why is this needed if you implement SCA 3D secure?
It's not, and SCA 3D Secure is a better solution.
Especially when the card providers move the risk, and therefore part of the cost of the transaction onto the bank. It's up to the bank to make 3D Secure, secure by authenticating the user in it's own way.
Thanks for your comment/question. 3D secure is helpful and would be redundant. We found that 3D secure support is a bit nebulous across platforms and also dependent upon the implementation. (Javascript vs API vs your ecommerce platform.)

UpUp also lets ecommerce teams verify customers without requiring their engineering teams to immediately implement 3D secure.

We do expect we'll end up using 3D secure as part of our flow in the future.

As a business owner dealing with credit card fraud, yes this is a real problem that the processors currently don't solve and existing solutions are hit or miss.

That said, I don't see you addressing the key issue, what is the drop-off rate of legitimate purchasers from having to jump through this hoop to get verified? If it negatively affects conversion rate too strongly then the loss outweighs the benefit. It may make more sense in high-value transactions such as with Fetch than in general ecommerce?

Not that it's interesting for americans, but I have stopped buying anything handled by Digital River because of their great fraud detection. As in, the card that is good enough for Amazon, Apple, Blizzard etc is not good enough for them.

Careful that you don't end up in the same bucket.

> Show HN: UPUP Simple Credit Card Verification to Reduce Fraud

Not to mention their horrible management of physical goods as well. A lot of vendors like HTC have had serious issues with with product sales, returns etc.

If it's Digital River, I look for alternatives or don't buy. Glad to seem i'm not alone.

Hey there, I am another team member at UpUp. Thanks for your comment and questions! Negatively affecting conversion was a major concern for us. Our experience thus far is that there has been no drop off for legitimate customers. We’ve found that customers understand that fraud is a genuine concern for all businesses, and that verification is also for consumer protection. Additionally, we are sending the verification after the customer has checked out (typically when the order is held due to a fraud flag).

It is true that the higher the value of the transaction the more important it is. We tried to be thoughtful about balancing security vs friction.

as an aside, i get a little weary of "corporate support voice" as you exhibit here, when representing a company, including the initial "thanks!" and "restating the problem" multiple times so the customer feels (accurately) heard. you could have just said,

"We haven't seen drop offs in conversion so far, mainly because we verify after checkout, not before.", which answers the question more directly and succinctly.

no offense to you of course. it's better to get an overly verbose, but still informative, response than none. and the product looks genuinely useful to online businesses.

Fair point. We genuinely appreciate the comments and find a lot of value in the feedback.
no worries, programmed customer support is a little niggle of mine†, so i'm a little sensitive to it. =)

it can trigger defensiveness, disdain, or even mischievous inquest rather than the desired complicity. being straightforward is a simpler and safer strategy.

† such programming is indicative of coercive business processes, which typically extends to communication with customers to avoid liability due to that coerciveness

This looks interesting! While I may not be the in target market it somehow validates something I've been mulling over.

Where I come from we have mobile money solutions but they aren't yet integrated to allow you to pay for something online. It's a different problem but the shared element of manual verification for payments has encouraged me it's something worth looking into much more seriously now.

All the best and thanks for the 'motivation'.

Hey! Thanks for the comment and support. Glad to provide any motivation. Building is part of the fun :-) Best of luck with your project, and reach out if we can be of any help.
Okay, I'm sold, where's the API page and how do I get started with the docs?
We're working on the API, but decided to launch before it was ready for public consumption. Would be great to learn about your use case and give you access. Could you reach out contact @ upupapp.io?
I use MaxMind to get back a risk score and use that to determine the possibility of fraud. It's been extremely effective, very cheap, and completely transparent to users (unless they trigger a high risk score). How does this service compete with that?
I don't believe we necessarily complete with MaxMind. MaxMind helps determine transactions that may be fraudulent. I've used the product in the past and found it helpful. Sift is another good option.

UpUp provides you with method to provide your customers that lets them prove they are not fraudulent. In turns, this lets you feel correct about denying a transaction or sleep better at night when you have approved a transaction that is questionable.

Seems like a lot of friction introduced into the purchase process, and $1 is extremely expensive. Stripe's chargeback protection is likely to be significantly cheaper for many transactions and they are guaranteeing no chargebacks! https://stripe.com/radar/chargeback-protection
Thanks for sharing your thoughts. Chargeback protection is nice in that you can somewhat set it and forget it. But, there are a few drawbacks including having a tax on every purchase. (0.4% - 1.0% of gross revenue adds up!) Chargeback protection also acts as insurance, and the insurance issuer can decline to offer chargeback protection for suspicious transactions, which leaves you on the hook for the risk with that transaction if you accept it.

Where UpUp slots in is for those transactions in the gray zone. Declining a customer's purchase "because our payment processor said you are risky" isn't the best look.

Also, in many cases, such as rental, the value of the transaction is much smaller than the amount of the risk from the transaction.

Hope that helps provides some context on the different use cases as we see them.

Very neat, reminds me of how like PayPal makes 2 small deposits to verify your bank account. Only downside I'd think to this is fees for the site owner(but might offset chargebacks if their site had a bunch in the past so maybe worth it) and then secondly not everyone uses online banking...

Like I know someone who's a family member who still does online shopping like on Amazon but still gets their credit card and bank statements mailed to them - unless you can maybe check your card balance and recent transactions by phone... They say they don't trust online banking, yet it's literally probably the same database and servers other than a flag in the database like "hasOnlineAccess" with a username/password combo stored... Probably more at risk of getting their info stolen by installing crap on their own computer than the bank itself being hacked though.

Thanks for the feedback and story!

Our recommendation is that most businesses should be prepared to offer a few options for payment or identity verification. In your case, your family member may have been better suited doing something like a drivers license verification or a knowledge-based identification.

You're welcome. I been toying around with doing a virtual world, but still far away from doing the economy related stuff. One of my concerns is some teenager might steal their parents credit card and rack up charges, maybe multiple ones. and from my understanding chargebacks are about 30 bucks each. Then I think offering game tokens or gift cards, criminals buy a bunch of gift cards to resell with stolen cards. Then worried about trolls, I was thinking of the idea of charging people to signup but some friends thought that'd hinder growth... Tricky stuff to think about, but can't monetize it yet without the other stuff working yet anyways. Even heard of criminals using charities donation forms to try and verify cards too, pretty shameful since in a way they are stealing from the children or people with cancer the charity is trying to help out since other funds would have to help cover the chargebacks.
The fact that this is even necessary shows how broken MasterCard and Visa are. Why not sign the transaction with a public key?
It would be hard to provide a seamless UX for it, so it would reduce purchases.