HackerNoon.com
Published in

HackerNoon.com

Your Bank Tried to Kill My Company

There are about 39 billion ways for your startup or side project to die including bad founders, bad timing, failure to fundraise, poor messaging, “not enough time,” ego, bad hires, failure to find product-market fit, and, oh yeah, bad ideas.

Last year, I learned of another big one. One that no one talks about in your incubator or accelerator program. One for which there is no Quora thread to reference or Sam Altman blog post to dissect.

A silent killer. Banks.

The story begins this past fall while we were putting the finishing touches on a great year at Benja, the e-commerce company I started with Tommy Goode in 2014.

All of our charts were up and to the right: our mobile app had 10x’d its user-base, our e-mail list had maintained a 25% open-rate through its growth to 15,000 subscribers (beating the industry average by 9%), and we successfully launched our second product, an interactive online display ad unit, that was practically printing cash.

I started preparing the annual wrap-up for our investors where I would lay out the plan to grow from a revenue run-rate of $1 million to $5 million. The 2016 wrap essentially looked like this:

But with eight weeks left in the year, there was room to get a head start on our ambitious growth plan. I wanted to crank it to 11.

A core component of our 2017 growth plan was the move from offering personalized shopping to experiences where you could shop for another person.

Game-changing, I know.

We added gift mode to our shopping app and worked up other ways that we could encourage our users to spread the love. With the holiday season upon us, we thought to offer benjamin gift cards — we would offer 1,000 gift cards for 10% off, which would boost our cash position before the end of the year.

Plus, those who purchased gift cards would gift them or have to complete a future transaction with us — all good things. The campaign went live in our app and we scheduled an e-mail to promote the offer.

We sold out quickly: more than $50,000 in gift cards went out in just a few days.

$50,000 in benjamin gift card sales? Mission accomplished.

Three weeks went by. Gift card redemption was slow but that was to be expected — we thought that most of these units would be holiday gifts and we expected to see purchases in early January.

Things were humming along. I planned to take Thanksgiving week off to go to a friend’s wedding and tour India. This would be my first week off since starting the company two and a half years prior.

Departure day came.

I rolled out of bed and walked to the kitchen. I opened my phone.

637 e-mails.

I opened Inbox and saw that all of them were from our payment processor, notifying us of 637 chargebacks. My heart dropped.

For the uninitiated, a chargeback is what happens when a customer calls their bank and says they don’t recognize or didn’t authorize a charge.

The bank usually offers the customer a conditional credit — a temporary credit for the amount in dispute — while they investigate the matter. The bank opens an investigation and decides, within 90 days, whether the customer dispute is legitimate or not.

The bank contacts the merchant payment processor and says “hey, our customer says they didn’t do this. What’s up?”

The payment processor contacts the merchant and says “hey, the customer says they didn’t do this. Can you prove it?” The payment processor pulls the dollar amount in dispute from the merchant bank account.

The payment processor, to us.

The merchant has a few days to pull information about the transaction and send it to the bank (via a form provided by the payment processor). From there, the bank takes a look and decides whether the customer or the merchant is right.

The loser is on the hook for the transaction.

The bank is the judge, jury, and executioner.

I walked to my kitchen table and opened my laptop. I tapped the keyboard and waited for Chrome to load the dashboard at our payment processor.

At the top of the screen, our payment processor balance read -$59,555.

The e-mails were definitely real.

I clicked into the Disputes tab. There they were: 637 transactions, most tagged “fraudulent” by the bank.

I scrolled through. There were red flags everywhere.

Most disputed transactions came from first-time users of the benjamin app who exhibited strange buying behaviors we hadn’t seen before, like one customer who bought twenty $100 gift cards before the bank card was declined.

I’m a big fan of benjamin and even I think that 20 $100 gift cards is too many gift cards for one person to own.

There was another strange trend: almost all of the new customers had e-mail addresses ending in 163.com and their IP addresses came from Salt Lake City, Utah.

I had to see what 163.com was all about.

We’re not in Kansas anymore.

163.com has nothing to do with Salt Lake City, Utah. It’s a Chinese web portal that appears to be similar to Yahoo or AOL — a site that offers news, search, and free e-mail addresses.

These e-mail addresses, it turns out, that are popular with scammers on Alibaba and eBay.

None of the disputed transactions made sense. Since our payment processor doesn’t have a contact phone number, I could only e-mail and wait. While I waited, I turned the internet upside down searching for an answer. That’s when I learned a term I’ll never forget: carding.

Carding is a form of credit card fraud in which a stolen credit card is used to purchase items that are easy to liquidate for cash — like pre-paid gift cards or gift cards to popular services. The carder acquires these items and uses them or unloads them on a secondary market for cash.

When everything settles out, the carder walks away with whatever he/she is able to liquidate the goods for, the consumer who had their credit card stolen files a chargeback and gets their money back, and the merchant or bank is left holding the bag.

It was pretty clear that we were the victims of a carding attack.

The good:

  1. We had limited the quantity of benjamin gift cards from the beginning so there was a defined scope of exposure.
  2. A very small number of the benjamin gift cards had been successfully redeemed for product, meaning we still had the cash the consumer card was charged. If we needed to refund gift card orders, we could do so without losing much (in most cases).
    I think this means that the carders couldn’t move our gift cards on the secondary market. Good in this case but kind of sad overall.

The bad:

  1. How do we figure out which gift cards we need to deactivate and which ones we don’t?
  2. Each time there’s a chargeback filed, our payment processor takes the transaction amount plus a $15 fee for each chargeback, regardless of the outcome of the dispute. That means that we were on the hook for $9,555 in fees no matter what. Ouch.
  3. How do we respond to 637 disputed transactions? It seems obvious that we challenge the few that had redeemed for physical product — even though the form doesn’t allow for incidents like this — but do we try to explain what happened on the others?
    We don’t want to be on the hook for nearly $10k in fees — shouldn’t our payment processor demonstrate some amount of empathy for what happened if we agree to refund those transactions in full with no contest?
  4. Responding to 637 disputes includes pulling time stamps, IP addresses, e-mail addresses, server logs, and more. That’s a lot of paperwork.
  5. I’m 8 hours away from 17 hours in the air from San Francisco to New Delhi, and I can’t get in touch with anyone from our payment processor. It isn’t clear what I should or can do, and there’s no one on the other end of the phone. I’m on a raft in the middle of the ocean by myself and there’s a hurricane coming fast.

The financial implication— whether it’s $9,555, nearly $60,000, or something in-between— was set to be a serious kick in the teeth for a company of our size. The hit represented at least a few weeks of runway, perhaps a month or two.

It turns out that this was the least of my concerns. After a week or two of receiving no assistance as we slogged through the pile of chargebacks, they dropped the bomb: Benja had to find a new payment processor within five days.

Finding a new payment processor within five days is impossible.

Even if our application with a new payment processor were approved instantly (which was impossible) and our developer were able to implement a new processor overnight (which was unlikely), there were other constraints like the time it takes for Apple to approve an update to an iOS app. (And what happens when someone doesn’t update their app immediately?)

The payment processor didn’t care. Their stance was clear: Benja’s chargeback rate exceeded what is acceptable and the banks were (allegedly) saying that they had to stop doing business with us. The answer was final.

Here’s the point: why didn’t the bank do their job protecting the customer and why did the merchant have to clean up the mess?

I’ve had my card declined for $9 at the neighborhood grocery store because Capital One was looking out for my safety. It isn’t uncommon for normal everyday purchases at normal everyday locations to set off some kind of fraud alert. This just happens and I appreciate it.

Somehow, someone used a card for an identical transaction twenty times in a row. They had never used our app or service before. There was another instance of the same thing happening fourteen times over. And another twelve times over. (We since implemented a software-side restriction on the number of identical transactions within 24 hours.) Although I do not know which banks allowed the activity, I know that it happened across Visa, MasterCard, and AmEx.

Why didn’t the bank flag these transactions as suspicious after — I don’t know — two or three?

For that matter, how did our payment processor fail to step in? It stands to reason that they have an interest in preventing chargebacks. Maybe they should consider software-side solutions to prevent fraud and chargebacks, especially when they actively market themselves as experts in the field. Just a thought.

When you’re a startup founder, you’ve got a lot on your plate. When you hire another company and trust them to do a job like I had done with a payment processor who promised to prevent fraud, you expect them to, well, do their job.

Instead, your big bank and one of the largest payment processors in the business left Benja with a $20,000 bill.

We paid up, switched processors, and built a fraud prevention solution of our own. I had a great time in India.

My name is Andrew Chapin — I’m the Founder & CEO of Benja, the merchandise ad network. I write for Observer and I’m blogging every step as we build a new consumer electronics company, Tiny Cables. I’m a Red Sox fan.

Hacker Noon is how hackers start their afternoons. We’re a part of the @AMI family. We are now accepting submissions and happy to discuss advertising & sponsorship opportunities.

If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories. Until next time, don’t take the realities of the world for granted!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store