
    Stripe is Dangerous: How to Make It Safer for Your Side Hustle


    I woke up on Tuesday pleasantly surprised. My eSIM store, Lotsotravel, had just had its best day EVER. A single customer had purchased $400 worth of eSIMs – a record-breaking sale that felt like a huge win. I imagined the customer happily installing their new data plans, and I was already mentally celebrating.

    Suspicious Order Pattern

    Unfortunately, as I reviewed the orders on Stripe more closely, a cold dread began to set in. The payment details looked suspicious: multiple purchases, all from the same person for the same country, from a Czech IP address paying with an Indonesian credit card. My record-breaking day was starting to look like a fraudster's playground.

    The Hidden Costs of Online Fraud

    My first thought was, "Well, someone paid with the credit card, and Stripe should protect me from fraud!" Be cautious - this is a dangerous mindset. I quickly dove into the dreaded world of chargebacks.

    If you're running an online business – even a tiny side project – you need to understand this: chargebacks are expensive and painful.

    You pay a $15 USD fee per chargeback, regardless of the sale amount or whether you win the dispute. If you want to dispute it, you pay another $15 USD fee for Stripe to process the dispute.

    In my case, if I hadn't intervened, I wouldn't just have been out $400 worth of eSIMs. I could also have been staring down several dispute fees, turning a record day into a negative-margin spiral. That would have been devastating, because Lotsotravel was built as a low-margin business from day one.

    Luckily, the fraudster had not activated any eSIMs yet, so I only stood to lose the Stripe transaction fees.

    Blocking Fraud with a Blocklist

    When I identified the suspicious orders, my first action was to immediately blocklist the customer's email in Stripe. For some reason, that does not propagate immediately, so I also had to manually refund and cancel the orders.

    Fraud Evidence Sample

    The next day, I kept receiving the same order from different email addresses, following the same pattern. Immediately after receiving those orders, I blocklisted the new email addresses as well and promptly refunded the payments before any eSIMs could be activated.

    This is not a long-term fix. The fraudster could keep generating new email addresses and placing orders. I needed a more systematic way to block this behavior. I could look into buying another Stripe product, Radar for Fraud Teams, but that would be overkill for a small side project, as it just adds to my costs.

    Stripe's Defaults: Not Always Your Friend

    This experience sent me scrambling through my Stripe Dashboard, and what I found was surprising: several foundational fraud protections aren't enforced by default.

    Stripe Radar Rule Examples

    If you're using Stripe for your side project, take 3 minutes and verify these are active (Dashboard → Radar → Rules):

    • Enforce CVC Verification: The card verification code (CVC/CVV) is a basic check that the buyer physically holds the card. Make sure failed CVC checks are blocked, not merely allowed with review.
    • Enforce Postal Code Verification: The Address Verification System (AVS) compares the billing postal code against the issuing bank's records. Mismatches on high-value digital goods should be blocked, or at least flagged for manual review.
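    To make the two rules above, and the pattern from the suspicious orders (several purchases from one email, an IP country that does not match the card country), concrete, here is an added example of a local pre-screen a store could run on its own order records before fulfilling digital goods. It is my illustration, not the post's or Stripe's code; the order fields, dates and the velocity threshold are all assumptions, and it complements Radar rules rather than replacing them.

```python
from datetime import datetime, timedelta

# Constructed sample orders. Field names loosely follow what Stripe exposes on a
# charge (payment_method_details.card.checks, card.country) plus the request
# IP's country; the values are made up to mirror the pattern in the post.
ORDERS = [
    {"id": "ord_1", "email": "a@example.test", "ip_country": "CZ", "card_country": "ID",
     "cvc_check": "pass", "zip_check": "unavailable", "created": datetime(2024, 1, 2, 9, 0)},
    {"id": "ord_2", "email": "a@example.test", "ip_country": "CZ", "card_country": "ID",
     "cvc_check": "pass", "zip_check": "unavailable", "created": datetime(2024, 1, 2, 9, 5)},
    {"id": "ord_3", "email": "a@example.test", "ip_country": "CZ", "card_country": "ID",
     "cvc_check": "pass", "zip_check": "unavailable", "created": datetime(2024, 1, 2, 9, 9)},
    {"id": "ord_4", "email": "b@example.test", "ip_country": "DE", "card_country": "DE",
     "cvc_check": "fail", "zip_check": "pass", "created": datetime(2024, 1, 2, 11, 0)},
    {"id": "ord_5", "email": "c@example.test", "ip_country": "FR", "card_country": "FR",
     "cvc_check": "pass", "zip_check": "pass", "created": datetime(2024, 1, 3, 8, 0)},
]

VELOCITY_WINDOW = timedelta(hours=24)  # assumed window
VELOCITY_LIMIT = 3  # assumed: this many orders per email in the window -> block


def screen_order(order, history):
    """Return (decision, reasons): block on failed CVC or repeat purchases,
    review on postal-code mismatch or IP/card country mismatch."""
    reasons = []
    if order["cvc_check"] == "fail":
        reasons.append("cvc_failed")
    if order["zip_check"] == "fail":
        reasons.append("postal_code_mismatch")
    if order["ip_country"] != order["card_country"]:
        reasons.append("ip_card_country_mismatch")
    recent = [o for o in history if o["email"] == order["email"]
              and order["created"] - o["created"] <= VELOCITY_WINDOW]
    if len(recent) + 1 >= VELOCITY_LIMIT:
        reasons.append("velocity")
    if "cvc_failed" in reasons or "velocity" in reasons:
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


def screen_all(orders):
    """Screen orders oldest-first; returns {order id: decision}."""
    history, decisions = [], {}
    for order in sorted(orders, key=lambda o: o["created"]):
        decisions[order["id"]] = screen_order(order, history)[0]
        history.append(order)
    return decisions
```

    A "review" result is where you would hold fulfilment of the eSIM until the order is checked by hand; a "block" result is where you would refund immediately, as the post describes doing manually.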

    I have a few friends who work at Stripe, and after this, I'm certainly going to ask them why these sensible defaults aren't enabled out of the box.

    Fix This Once and for All with 3DS

    Enabling the CVC check and the postal code check are good first steps, but to fully prevent chargeback costs, I encourage you to enable the 3D Secure (3DS) protocol.

    3D Secure Challenge Flow

    If you enable this, every time a customer checks out with a credit card, they will be prompted to complete an additional verification step with their bank (usually a one-time password or biometric). This extra step shifts liability away from you as the merchant to the issuing bank, significantly reducing your risk of chargebacks from fraudulent transactions.

    You can learn more about this here: https://docs.stripe.com/payments/3d-secure/authentication-flow

    With this setting enabled, I can finally sleep easy knowing the fraudster is blocked from making further purchases. They finally gave up after 2 more days of attacking my store.

    Fraud blocked