DEV Community

fitz kk

How I discovered 16.7% of my Stripe revenue was bypassing fraud checks (and built a fix)

Last week, a friend's SaaS account ($50k ARR) was suddenly banned by Stripe due to card testing attacks.
We were confused because he had Stripe Radar enabled. We thought he was safe.

So, being a developer, I dug into his transaction logs. I discovered a default configuration "blind spot" that I believe affects 30%+ of Indie Hackers.

The Technical Root Cause

I analyzed the JSON payloads of the fraudulent transactions. They all shared one specific pattern:

```json
{
  "billing_details": {
    "address": {
      "city": null,
      "country": null,
      "line1": null
    }
  },
  "payment_method_details": {
    "card": {
      "checks": {
        "address_line1_check": null,
        "address_postal_code_check": null
      }
    }
  }
}
```

The issue: If you use Stripe's default Checkout (especially with Apple Pay or Link), it often defaults to not collecting the billing address to maximize conversion rates.

The Consequence:

No Address = No AVS: Stripe cannot perform an AVS (Address Verification Service) check.

Radar Blindness: Most default Radar rules rely on location mismatches (e.g., "IP Address doesn't match Billing Address"). If there is no Billing Address, these rules are skipped.

I call these "Ghost Transactions". They are invisible to your primary defense layer.

Auditing My Own Account

Terrified, I scripted a quick audit of my own Stripe history. The result? 16.7% of my transactions were "Ghost Transactions".

I was essentially "flying blind" on a quarter of my revenue. If a card tester targeted me, Radar wouldn't stop them until the disputes started rolling in.

The Fix (Manual vs Automated)

Option 1: Manual Check

Go to your Stripe Dashboard -> Payments. Hover over the card details. If you see "No address provided" and the AVS checks show "Unavailable" or "Unchecked", you are exposed.

Option 2: Automated Audit Tool

Since I didn't want to check this manually every week, I built a "Terminal-style" tool to scan for this specific vulnerability automatically.

It's called GhostAudit.

Audit: Scans your last 100 transactions via a Restricted Read-Only Key.

Visualize: Shows your exact "Ghost Rate" (risk exposure).

Fix: Generates the custom Radar rules to plug the hole.
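As an added example (my own code, not GhostAudit's), here is the core of the audit logic described above: it classifies Stripe charge objects in the shape of the payload shown earlier and computes the ghost rate over a constructed sample batch. In practice the batch would be the charges fetched with a restricted read-only key; the `_dig` helper and the bucket names are my own.

```python
from typing import Iterable

ADDRESS_FIELDS = ("line1", "postal_code", "city", "country")
AVS_FIELDS = ("address_line1_check", "address_postal_code_check")

def _dig(obj, *path):
    """Walk nested dicts; return None if any level is missing (e.g. non-card payment methods)."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def classify(charge: dict) -> str:
    """'ghost': no billing address, so AVS never ran and location-based Radar rules are skipped.
    'avs_unavailable': an address was collected but no pass/fail result came back.
    'checked': AVS produced a pass/fail that Radar rules can act on."""
    address = _dig(charge, "billing_details", "address") or {}
    checks = _dig(charge, "payment_method_details", "card", "checks") or {}
    if not any(address.get(f) for f in ADDRESS_FIELDS):
        return "ghost"
    if any(checks.get(f) in ("pass", "fail") for f in AVS_FIELDS):
        return "checked"
    return "avs_unavailable"

def ghost_report(charges: Iterable[dict]) -> dict:
    """Summarize a batch (e.g. the last 100 charges) into counts, ghost ids and the ghost rate."""
    counts = {"ghost": 0, "avs_unavailable": 0, "checked": 0}
    ghost_ids = []
    for charge in charges:
        bucket = classify(charge)
        counts[bucket] += 1
        if bucket == "ghost":
            ghost_ids.append(charge.get("id"))
    total = sum(counts.values())
    rate = counts["ghost"] / total if total else 0.0
    return {"total": total, "counts": counts, "ghost_ids": ghost_ids, "ghost_rate": rate}

# Constructed sample charges (not real Stripe data), shaped like the payload above.
SAMPLE_CHARGES = [
    {"id": "ch_sample_1", "billing_details": {"address": {"city": None, "country": None, "line1": None}},
     "payment_method_details": {"card": {"checks": {"address_line1_check": None, "address_postal_code_check": None}}}},
    {"id": "ch_sample_2", "billing_details": {"address": {"line1": "1 Example St", "postal_code": "94105", "country": "US"}},
     "payment_method_details": {"card": {"checks": {"address_line1_check": "pass", "address_postal_code_check": "pass"}}}},
    {"id": "ch_sample_3", "billing_details": {"address": {"postal_code": "10001"}},
     "payment_method_details": {"card": {"checks": {"address_line1_check": None, "address_postal_code_check": "unavailable"}}}},
    {"id": "ch_sample_4", "billing_details": {"address": None}, "payment_method_details": {"type": "link"}},
]

if __name__ == "__main__":
    r = ghost_report(SAMPLE_CHARGES)
    print(f"{r['counts']['ghost']}/{r['total']} ghost transactions ({r['ghost_rate']:.1%}): {r['ghost_ids']}")
```

The "avs_unavailable" bucket is worth tracking separately: those charges did collect an address, so the fix for them is on the issuer side rather than in your Checkout configuration.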

👉 Check your risk exposure here: ghostaudit.io

(First 100 scans are free. Don't wait for the ban hammer to verify your settings.)
