Payment Horror Stories: The How and Why Behind the Most Vicious Attacks on Your Payment Stack With Jeremy Waxman

David Vogelpohl (00:04)
Hello everyone and welcome to Growth Stage by FastSpring, where we explore how digital product companies can increase the value of their businesses. I'm your host, David Vogelpohl. I support the digital product community as part of my role at FastSpring and I love to bring the best of the community to you here on Growth Stage. In today's episode, we're going to talk about payment horror stories.

the how and why behind the most vicious attacks on your payment stack. And joining us for that conversation is someone who knows quite a bit about vicious attacks on payment stacks. I'd like to welcome to Growth Stage Mr. Jeremy Waxman. Jeremy, welcome.

Jeremy Waxman (00:50)
Thanks, thanks, David, for having me.

David Vogelpohl (00:52)
I'm really looking forward to hearing your tales from the world of payments and risk and fraud and what these common attacks are, why these bad actors choose these particular types of attacks and what you can do to make your payment stack more secure. And I know that you work for FastSpring and you'll tell us a little bit about what we do there in a second,

but I know that a lot of people will think about managing their own payment stacks, outsourcing or offloading to a partner like FastSpring. And so I think it's good, even if they're not familiar with payment orchestration and risk management, to understand a little bit about what that world is like. So really excited to have you here today and really excited to hear these horror stories. So.

Tell me a little bit about FastSpring for those unfamiliar and then what you do there.

Jeremy Waxman (01:53)
Absolutely. So FastSpring is the leading merchant of record in e-commerce. Basically, we can take your digital goods or digital commerce global or cross-border outside of your existing country into a new country. So it can expand your target market, customer reach, and overall revenue.

At FastSpring, I lead payments, risk, compliance, operations, and ultimately, I am a customer advocate or a seller advocate, as we would call it internally, where I work collaboratively with our, excuse me, sellers to help optimize, improve their growth potential,

and also understand where their next steps are and where they want to go next so that we can be ahead of the overall e-commerce curve and be ready for those growth markets.

David Vogelpohl (03:05)
And your teams are working with our upstream payment providers, local payment methods, our risk models, our engineering team to make sure that our payments and our payment systems are optimized, monitored and orchestrated in a way that results in the best outcome for FastSpring and our customers.

And so as I think about my interactions with you and your team and looking at all the things you do for FastSpring as a platform, but then also for very specific customers that are having very specific issues, it got me thinking that it'd be really interesting to talk to you about that here today. And I know you have kind of a background in this as well, but before we get into that, I want to ask you the question I ask everyone actually who joins the show.

What was the first thing you bought online?

Jeremy Waxman (04:02)
Jeez. You know, being in the payment space, I have a long history of purchases. I would say it was probably a subscription. I'm going to really show my age here. It was using my parents' credit card. And it was probably a subscription to AOL or NetSuite. It was probably AOL. Remember those old CDs you used to get in the mail?

And it was a free trial, and then I convinced my parents to let me sign up for the internet through AOL and actually paid for it. So that was probably my first purchase, which probably throws people for a loop because they immediately go to physical goods that they can use. I went to access to get to the internet.

David Vogelpohl (04:51)
Because the AOL CDs allowed your computer to get access to the internet. Then you used the card to sign up for the service over the internet. And that's, that's a really interesting first purchase. I hadn't thought you could buy access to the internet on the internet without access to the internet, but the AOL CD thing I had never really thought of before.

Jeremy Waxman (05:17)
Yeah, they gave you a free trial, if I remember correctly, and it was free seven, 15, 30 days, whatever, and then they charge you. I guess I convinced my parents that the future was in the internet and they allowed me to pay or they allowed me to purchase. But the downside is that I didn't think to convince my parents to invest in any internet stock. So that's probably where I failed with internet purchasing, to be honest with you.

David Vogelpohl (05:49)
That's funny. You just, you just gave them internet companies' money. You didn't invest and get anything out of it.

Jeremy Waxman (05:53)
I supported all investors in the internet companies.

David Vogelpohl (05:58)
Well, I feel like you guys somebody out of it later, like later in your career, didn't you work for Comcast? Why don't you tell us a little bit about your background in payments to give folks a little bit of context, more than just your role here. Like what were some of the other places you've worked before or the bankers like there?

Jeremy Waxman (06:16)
Absolutely. So, so, you know, I hate giving the number now, you know, and I'd like to say that I had a lot of hair when I started in payments and software back in the day. And, you know, so 25-ish years, around a down, in the payments and software space, primarily in payments, software product management,

financial services. The role prior to FastSpring, I worked for the company that either you love to hate or hate to love, Comcast, where I ran payment operations for their largest division. And prior to that, I worked at different payment partners like Fiserv, Verify.

I also ran payment strategy for the original merchant of record, Digital River, which has now since ceased to exist, but I was a part of that, which is great. And then all the way back to one of the first e-commerce companies or dot-com companies called Princeton E-com, which was then since acquired two or three times over the years and is now a part of ACI.

David Vogelpohl (07:40)
Has managing payment stack attacks by bad actors been a part of these roles that entire time? Part of the time? Like how significant a role did that play in your career to date?

Jeremy Waxman (07:55)
Well, I'm going to age myself a bit because back in the day, when I started in the space, really attacks didn't exist because e-commerce wasn't where it was. We were still in the dot-com boom. And, you know, I would say fraudsters learned to transition, as they saw the growth in e-commerce, from, you know, stealing from stores to virtually stealing. Right. And that's something that

has evolved over the years. And I always like to say that the fraudsters will always be one step ahead of any fraud provider or partner or merchant that's out there. That's just the nature of the beast. But I would say they've always been there. Their attack strategy has changed over the years. Ultimately, the one thing that has stayed common

for the entire time is they will find the weakest point and they will exploit it. And they will continue to exploit it until you close that weakest point or fix that weakest point. Then they'll move on to the other company that has that same weakest point. And they'll come around until they come around back again and then they find the new weakest point in your organization. So it's very cyclical. We saw that at many companies I worked at.

They look for the weakest link and exploit it and then you close it, because fraudsters don't like to do work. They work a nine-to-five job just like the rest of us, believe it or not, in most cases. And they like to just make money where they can easily do it. They don't want to redo code. They don't want to redo their strategy. You use it, abuse it until you have to change it.

David Vogelpohl (09:44)
So before we get into the horror story side where you tell us about some of the unique and maybe terrifying attacks, help me understand, like, what is it? What do the basic attacks on a payment stack look like? Like what are they doing and why are they doing it? Like what are the most common basic types of attacks?

Jeremy Waxman (10:07)
I would say the most common attack is, you know, carding attacks, right? And account takeovers, right? So you have two forms of attacks. One, I'm going to test a whole lot of credit cards that I might have purchased off the dark web or stolen myself, not me personally, but if I'm the fraudster, and testing to see if those cards are valid. And if they're valid,

then they resell them or go use them someplace else and buy a whole bunch of stuff. And, you know, it's, it's a lost cause. And then on the other side of it, there is account takeover, right? And we see that a little more prevalent in some of the spaces that we work in, where somebody steals, it's, you know, kind of identity fraud. I'm stealing your e-commerce identity with this particular customer,

your credentials, so to speak. And I am logging in as you and I am buying stuff as you with your stored credit card or maybe with some of the other credit cards that I've stolen from you and purchasing stuff. You know, that's why, you know, things like two-factor authentication or setting up a notification that, hey, your password has changed, is very relevant in everything you have.

David Vogelpohl (11:30)
Okay, so the most common type of attack is a carding attack where a bad actor is flooding your checkout with requests to test credit cards. When they find a credit card, is there a certain type of product that they favor when they do a carding attack, like in terms of the average order value or like product type, anything like that?

Jeremy Waxman (11:52)
Absolutely. So digital goods and very low dollar amounts. Because, you know, as everyone knows, a credit or debit card has a balance. And if you try to buy something for a thousand dollars and they only have ten dollars on their account, it's going to get declined. Right. And industry standard is you don't tell a fraudster why it's declining.

So you don't know if it was an invalid card. You don't know if it's insufficient funds. You just know it didn't work. So you start with the very lowest dollar amount that you can do. And then you could build up from there because then you know, yes, it's valid. Yes, I got the information right. Then I can go buy more stuff.

David Vogelpohl (12:38)
I remember back in the day, seeing a charge from Starbucks that I didn't make and calling my credit card company, because I got an alert pretty quickly, and they caught the person. They were going into the grocery store to buy like $200 worth of liquor and beer or something like that. And they had tested it at the Starbucks outside. So basically a carding attack is doing that at scale. And when they buy the goods later, is that

part of an account takeover or is that different? Because that feels like an attack too, right? You're coming in with a stolen card to buy something from me. How do we understand that piece of

Jeremy Waxman (13:18)
Absolutely. An account takeover is essentially I'm taking over your account and using the things you have stored on your account, a card on file, so to speak. But then a stolen card, just using a fraudulent payment method, is you're just basically committing fraud just for that single transaction.

Having infiltrated somebody's username and password, you have created a whole new path using that new card or the stolen card.

David Vogelpohl (13:59)
Is there a common type of good that fraudsters will use with fraudulent cards? Like obviously they're trying to turn it into cash or crypto or something at some point. Again, is there like a commonality of like low AOV and digital is the best as a fraudster for a card attack when it's time to use the card? What are the best types of products from their perspective?

Jeremy Waxman (14:24)
Honestly, it's resellable, right? It has to have a market for it. And it has to, you know, it has to be something that is commonly used, right? Typically not B2B software, right? Because a business doesn't necessarily want to buy something from a third party that isn't necessarily the, you know, selling entity. But

you know, a customer may be looking for a discount and going to a fraudulent shop or finding a Telegram channel that says, hey, buy this for a 20% discount. And they're like, okay, well, I'll do it, right? Not knowing that those were stolen goods. They can make it very easily look like, you know, the selling entity is a subsidiary or an affiliate of, you know, the company that they stole them from.

And from a goods perspective, if you go into holistic e-commerce, it's goods and services that you then can go resell out of the back of a truck, so to speak. But in the e-commerce digital goods market, it's things like gaming passes, even gift cards,

right? Which, you know, gift card fraud is a whole different type of fraud, because it's, you know, basically stealing cash, and then turning it into real cash.

David Vogelpohl (16:02)
Okay, so the bad actors are looking for something essentially with resale value in some way. And so that's part of the way that they target it. As we think, as you start, I want you to give us some real juicy horror stories here in a minute, Jeremy, but I really want to, before we get to the horror part, I feel like we have to understand why this matters. Like,

It's interesting to hear about these attacks and their motivations and some of the things that drive them. But if you get it wrong, if you let the attackers win, what is the ramification for businesses?

Jeremy Waxman (16:43)
There are a lot of ramifications and they span from business to operational to partner risk, right? To even buyer risk. One, if you continue to get attacked, your reputation with buyers just goes down.

If you get account takeover or carding attacks and you've had your card used at a site you've never bought from before, you may never go to that site. So there's the buyer impact. Then you've got the seller impact, the merchant impact. It's brand reputation. It is, you are...

with the brand, the networks and with your issuing banks and with your processors, you are not doing, you know, industry standard or best practices to protect the payments ecosystem. And, you know, the networks of Visa and MasterCard and the payment providers out there, they take a lot of pride in the protection of the network. And you can have, you know, negative risk

or negative fines coming your way if you reach certain thresholds within Visa and MasterCard, you know, so there can be financial downside to your business. But then if you look downstream into your payment processing, if you continue to get hit with a whole bunch of transactions and there's a lot of declines in carding attacks, there's a lot more declines than successes. You can damage your approval rates with your issuing bank.

There are also fines associated with enumeration and carding attacks, as well as you are just processing payments that are never going to have the level of success that you'd want. So you're just throwing money away by allowing those to happen because you get charged a certain amount every time that payment transaction goes through to the issuing bank, whether it's declined or accepted, you get charged a fee.

Those fees end up adding up over time if you don't protect yourself on the front end.

David Vogelpohl (18:56)
And so if I'm, if I have my own payment service providers, PSPs, and my own relationships, perhaps with local payment methods, I'm doing my own self-orchestration. Then the ramifications of getting it wrong are potentially fines. You said negative fines and you mean like really big, massive fines, right? These, these are no-joke fines that you risk here. And,

so if I, if I'm doing all of this, I have these risks. If I'm outsourcing or offloading that to a merchant of record like FastSpring or others in this space, I'm kind of relying on them to make sure that's taken care of for me. And so I'm probably doing some good diligence there to make sure that's solid, but getting it wrong in general effectively can affect your approval rates, your access to payment methods, and then result in effectively millions of dollars in fines. Basically, is that accurate?

Jeremy Waxman (19:56)
Absolutely. It can be, it all adds up. You don't necessarily get fines for the, or massive fines for the declines or the actual process of carding attacks.

But what you will get is you'll get a whole bunch of chargebacks because, like you experienced with Starbucks, you'll have a thousand people that experienced that problem with Starbucks because they tested a, you know, and got through on a thousand cards. Now you have a thousand disputes, a thousand chargebacks, which that comes with larger fees associated with it from your payment processor, from Visa, from MasterCard, but also that comes with fines when your ratios

start to get out of whack. And that's when the networks and your acquirers start really putting eyes on you. And, with the new programs that are coming out, which are putting more emphasis on the acquirer or your payment partner to manage the seller or the merchant, so to speak, underneath them, there could be a better chance that there's a much less of a threshold before they say, hey,

we don't want you on our platform anymore. And then that puts the merchant in a very tough situation.

David Vogelpohl (21:17)
Yeah. So big, big stakes on the table here. You also touched a little bit on the operational impact and it's funny, I had someone I know refer the CEO of a company who is being overwhelmed with chargebacks and fraud. And it wasn't so much the fines that was the problem for them.

It was the operational impact. Like half their support team was like spending like a good chunk of their time just, you know, processing these over and over and over again. I think they were like yielding on them or whatever they were doing. So they were just being, I don't know. It was just like taking over their business. Is that common? Is that pretty rare? Like tell me about that.

Jeremy Waxman (22:03)
Well, yeah, absolutely. I mean, and you can either decide to fight or represent a chargeback or just accept it, right? And when typically when a merchant gets an increase in chargebacks, you're going to do whatever you can do to mitigate them from impacting your business. So you'll start representing a whole bunch of them, which is a lot of work.

to be able to do for a merchant on their own. There are services that are out there that, you know, if they represent and you win, they keep a portion of it, but it's very expensive. It's not a small percentage that they keep. So either it's internal resources or you're spending money to do it, it's expensive, you know. And then on the other side of it, even if you're accepting them and you're not, let's say, fully integrated into your system,

or you have a dispute resolution tool like Verifi or Ethoca you're using that is manual. Well, now you're using multiple systems to try and limit your exposure. And it just starts to snowball and it just gets bigger and bigger and bigger. And that makes it tough for organizations to handle from an operational perspective. And unfortunately, in my career, I've seen it and it's not fun,

but you take it, you put your stuff in place to mitigate it, and then you ensure the next company you're at isn't in that situation again.

David Vogelpohl (23:31)
Well, I'm very grateful to have you here to take care of all this stuff, so I don't have to get to this level at this complexity on this. This is really interesting to hear. Now in my Starbucks example, I explained how they had, you know, tested it at Starbucks and then went into the grocery store in the same parking lot. And when I, when I called, I saw the charge almost immediately and I called and

I was talking to the rep on the phone and she was like, yeah, I can reverse the charge for the Starbucks, and the grocery store charge hadn't taken place yet. It took place when we were on the call and she was able to stop it at the register. And I just imagined the scammer with this cart load of groceries that they had gone shopping for and like hitting, like...

Jeremy Waxman (24:05)
So

David Vogelpohl (24:23)
fail right at the moment of truth. And I just thought that was so funny that they had wasted all that time. Maybe they just changed to a different card and the old deal. But that was maybe my weird horror story or interesting story from the world of payments and scammers. So let's, let's get into yours. What is... you can leave out the names of the companies, obviously, and the people involved. But tell me a horror story. Tell me something like really weird or crazy that happened.

Jeremy Waxman (24:51)
Well, you know, I've been in a lot of organizations and a lot of organizations we've sold different divisions, different products, you know, and I'll stick to the merchant type

area. And I won't tell you if I was at this merchant or I was a partner of this merchant, right? Because we don't want to give any of our secrets away, right? But I will tell you that carding attacks have grown over the years, right? Because of automation, software, the ease of software to create, right? And heck, even I'm sure ChatGPT and AI

has a large part in automating some of this stuff, right, in one way or another. But what you see is they'll target a certain thing, right. And if you're not... the biggest horror story that I have was the organization was not aware or not tracking. The clients, they were looking at approval rates at a high level, right.

But they weren't looking at it specifically down to what's called the BIN level. And fraudsters who typically are carding attack fraudsters typically buy stolen cards in a BIN. And a BIN, for those out there that don't know, is the first six to eight digits of a credit card, right? You know, an Amex starts with a three, Visa starts with a four, a MasterCard starts with a five, right, of that. And the BIN represents the issuing

institution, right? So, you know, Chase Paymentech or Chase, Citibank, they all have BINs associated with them, even your local credit union does. And if you look at it at a high level, and you're looking at your payments approval rate globally, you know, you could see, well, heck, my approval rate goes up or down, you know, a couple of bips,

a couple percentage points, right? It's the ebbs and flows of normal activity, et cetera. But what we weren't doing, or this organization wasn't doing, was looking at it down to the level of a BIN, and therefore weren't able to identify the exact area of them getting attacked by carding. So by having millions and millions of transactions that flow through their system,

there was no way to see that you just got hit with 10,000 carding attacks on a BIN in, you know, we'll say Mongolia, right? I'm throwing out a country that I like to use as an example, because it typically never comes up in conversation. So, you know, so think about it, you've got this carding attack happening in this small little area, which therefore, in the whole scheme of things, didn't change the dynamic at all. So what,

you know, we partnered, the way this organization mitigated it: they started looking at anomalies in specific BIN volume, right? Because typically, if you have a small credit union in the middle of Nebraska that, you know, does 10 transactions, 12 transactions a month, maybe peaks to 50 during some sale, and all of a sudden does a thousand, that's a red flag. Now granted,

they could be doing some massive sale or they launched a new product. So it's not always fraud, but those are the types of alerts that you want to start monitoring and researching. And that is the value that payment operations brings to either a merchant or payment operations of your partner or even a merchant of record. That's what they bring to the table so that the actual sellers, right, the actual people who are building the products, you know,

making your organization, providing solutions to make your organization grow from a revenue perspective, they don't have to worry about that. But that was a horror story that when you came in the door, they never looked at it. Then you started looking at it and all you had to do was apply the decline fees to the attempts for these, what we'll call low-performing BINs. And it quickly made people realize the value

of protecting yourself from carding attacks.

David Vogelpohl (29:18)
So their fees were basically, they weren't catching them and they kept happening and they weren't filtering them out, and that resulted in fees or fines that were exorbitant, basically.

Jeremy Waxman (29:29)
Well, actually, this organization, they were either bad cards or bad fraudsters, but there was not a very high approval rate of those cards. So what they experienced was these massive amounts of increases in decline fees. But because the fees of declines are very small comparatively to interchange rates, et cetera, and if you never look at it

broken down into that level, you never actually realize that it's impacting your business. And there were hundreds of thousands of dollars just waiting. Because remember, scale, it's huge, right? You know, and, you know, the BIN level stuff is what really brings it down. Because, you know, let's just use that credit union in central Nebraska, right? Let's say they do 50 transactions a month. Well,

if that credit union keeps getting hit by carding attacks, that approval rate's going to go down because the issuing bank is going to see who you are at the issuing credit union. And they're going to say, this is a lot of bad activity. I'm going to lower the threshold of what I'm comfortable in approving. So it's not just impact in the moment. It's got a long-tail impact that can affect the organization and that

is what makes me lose my hair or made me lose my hair.

David Vogelpohl (30:59)
So I'm imagining like the highway bank robbers of the '20s, like the Bonnie and Clydes, melting into the fabric of the world and like taking advantage of these like chinks in the armor on a local level and kind of hiding amongst, you know, the chaos. And so that's how it might

Jeremy Waxman (31:08)
Hahaha!

David Vogelpohl (31:21)
play out for bank robbers robbing in smaller towns and geographies, and thinking about your central Nebraska or Mongolia example where, you know, there's these kind of standout data points and thinking about that observability and catching that. I can, I can see why this would be a horror story, finding these bad actors like lurking in the shadows of these smaller BINs. So,

what else? Tell me another one. What was something else that made you lose sleep? What else you got, Jeremy?

Jeremy Waxman (31:52)
Well, you know, there's another organization that believed that there was a, well, twofold. One believed in a silver bullet from a risk and fraud prevention perspective, right? Where it's, hey, this one thing is going to protect me against everything.

Right. And there are providers out there that say they're, they, you know, they're all-encompassing. Right. But, you know, in reality, if you're using one single point solution, it's very tough to protect yourself. Right. And then on the other side of it, this organization actually didn't care about fraud. The, what they cared about was customer satisfaction

and, you know, overall count of customers, right. And there's many reasons that people could care about customers versus, you know, net revenue. It could be, you know, stock price. It could be valuation. It could be, you know, growth, you know, growth potential, right, you know, active daily users, et cetera, right. There's all these different factors in play, but what was interesting is the horror story was you combine these two together.

And it's very hard to convince an organization to help protect yourself on the front end, right? Because it's not necessarily their primary directive, right? And they are willing to write off the losses, right? So it was a very scary thing, but over several years, the business case was able to be made to say, look,

here's, you know, if you think about, here's where we would have been if we did X, Y or Z. And, you know, we're able to prove out that, you know, by stopping, you know, you always want a ratio on the front end. So by stopping a small percentage of what I'll say, false positives or good customers, we were then going to stop 40% of the fraud. And I'm making numbers up, but getting to that point, and the reason this is a horror story,

was getting it to that point took so long to convince the organization that it was a benefit for them. It was just scary about how much money we were just, and customer experience, we were just kind of throwing away.

David Vogelpohl (34:32)
Because they were so concerned about the effect on approval rates that they were willing to accept the loss from the fraud, basically. And you're saying that it wasn't worth it at all to lose just a tiny little bit of new customer accounts.

Jeremy Waxman (34:50)
There are some industries that, you know, there's a greater threshold of what I would say, you know, flips the needle from good to bad. But in this industry, it was tremendously out of whack. You know, it was, they were really worried about the one, two, three, four, five, whatever good customers that couldn't pay. So it was, or couldn't,

couldn't purchase or enroll. But where the switch came was proving out that your customers, in certain places, you don't have options. If I want to buy Nike sneakers, I can buy Nike sneakers from 50 different places on the internet. There are certain things and certain industries where you only have a couple of options.

And if you really want to buy and you can't buy, you're going to pick up the phone. And that, that's where, you know, it sort of shifted the dynamic of the thought process of, look, we can show you, if we start to close the door a little bit or close the dam and let a little less water through, you're still going to get the good customers coming through because they want to buy. So.

David Vogelpohl (36:16)
That motivation will help hopefully push them over the edge. But to your point, there's a tipping point where it's not worth it anymore. Obviously, if you're getting millions of dollars of fines and acquiring a thousand customers, that doesn't really pay for itself, depending on the kind of customers they are, I guess. But obviously, those kinds of payoffs aren't good. So I could see that being a horror story.

Any funny examples? Like, anything stand out to you? Like, did Mickey Mouse buy like a million-dollar weird judge somewhere? So

Jeremy Waxman (36:48)
I mean, in general, on a daily basis, we see tremendously funny names coming through our fraud and risk platform, from Mickey Mouse to AABB. And obviously, our organization does the best it can to protect our sellers from it. And you'll always see those come through.

There are some creative names, you know, Super, Super, Super Space Man, Batman. There's a lot of superheroes, a lot of

David Vogelpohl (37:25)
Is it common to filter risk rules and fraud rules on names? Does that have too many false positives? Like there are a lot of real Mickey Mouses out there that you're really just blocking from buying things.

Jeremy Waxman (37:37)
Yeah.

Well, a lot of the partners and providers out there have what they call gibberish rules, which are very good when you're in English. When you start getting into different characters, in-language characters, right? It starts to get a little out of whack. So the really good providers out there have, you know, multiple language

gibberish rules that allow you to react differently based on what's there. You know, and it doesn't necessarily try and translate everything back to English, right? Because that's where it can be kind of messy. And the lower end gibberish rules, they look at things like three consonants in a row, four consonants in a row, right? But then if you're looking at it that way, then there can be names with three to four to five consonants in a row, right?

You know, as you go into different geographies, you know, and how you'd spell things into English can change drastically as well. Yeah, so there's a lot of funny things that go on. You know, there's always the presidents that are signing up and, you know, world leaders and, yeah, stuff like that.

David Vogelpohl (38:54)
Yeah.

Well, you've thoroughly terrified me, that's for sure. And I've had my own share of hair loss, although it's back here now, and gray hairs though, from dealing with fraudsters and making sure sites are secure and funnels are humming nicely. So I hope you terrified those watching and listening.

Is there anything you would like people to remember, though, as they think about, you know, keeping their customers and themselves safe and secure from vicious attacks on their payment stack? Like some sage advice to leave people with?

Jeremy Waxman (39:35)
Yeah, there's two areas, right? From a personal perspective, using the word password, using the same password across multiple places, that's just going to allow people to...

attack one account and then just go find your other accounts, right? So, you know, there's password tools out there that are very valuable. I'm not going to recommend one or the other. Everybody has their favorite. But that's good. You know, and it's funny because people joke how they used to have a list of passwords in their drawer of their desk, right? And, you know, they kept them written there, and then it became very insecure.

home to do that, which, which, you know, no company does, you don't do that at companies, but now people are starting to do it again because they have so many different passwords. You can't keep track of it. And that's where I encourage people to move those passwords to a password tool that's out there. And then from a business perspective, there's a couple of things I'd like to say, and this is not about me. It's about we, right? It's,

you need to have payments expertise somewhere in your ecosystem, whether that be within the four walls of your organization, whether that be through your merchant of record, or whether that be through your payments orchestration platform. I would say you do not want to be dependent on your payments expertise through your payment partners, right? Because you're going to have multiple payment partners and you're not getting that consolidated,

translated feedback back into your organization. You know, I'm not touting payments experts out there, but I'm touting payments experts out there because it's not, look, it's not rocket science, but it's also not, you know, second grade math, right? So, and those are the two extremes, obviously. You know, and the other thing is, is even though you think the smallest little thing

is so simplistic to put in to help put a speed bump on your, from fraudsters. It really is a speed bump. And if you don't have the one little thing that everybody else has, they're going to find you and exploit you for that one little thing. Even if you think it wouldn't stop the more complex fraudsters,

you're not even stopping the simple fraudster.

David Vogelpohl (42:11)
That was really spooky. Thanks, Jeremy. I really enjoyed having you here today. Thank you so much for joining.

Jeremy Waxman (42:12)
Hahaha!

Thanks for having me, David. This was great.

David Vogelpohl (42:23)
Awesome. If you'd like to learn more about what Jeremy is up to, you can visit fastspring.com. Thanks to everyone for watching or listening. I've been your host, David Vogelpohl. I love to support the digital product community as part of my role at FastSpring. And thank you very much and enjoy the rest of your day.
