Sept. 29, 2024
In a previous post, I talked about going through a card testing attack. But how much money did I actually lose?
And how much money do I think I'm saving now?
I wanted to dive into concrete numbers because just talking about an attack is too abstract.
And even though I may be biased as the creator of this product, this is also something you could spend a few weeks implementing yourself from scratch to protect your site.
Further, I now use SMS checking on all my sites because the numbers are so frightening. Not using SMS checking is strictly "negative EV" (negative expected value).
First, let's talk about what a good job Stripe's done. They blocked around $213K in fraudulent transactions.
The MRR for my product is so low that you could say it's basically $0. If you take the naive calculation and assume the unblocked share of the $242,200 in attempted charges had actually gone through:
$242,200 * (1 - 0.6283) ≈ $90K
That would be wild: at Stripe's roughly 4.5% refund fee I'd have been responsible for around $4,050 in fees.
Luckily, going through each of my refunds, only $475 of fraudulent transactions actually went through. Stripe collected refund fees of around 4.5% on those, so I coughed up only around $21.38.
Most of the $242K was blocked due to Stripe's Radar AI rules.
And we know how inaccurate AI can be sometimes.
Imagine if you used a different payment provider that has less sophisticated blocking rules.
Or imagine if Stripe updated their algorithm to be less accurate somehow due to a bug.
How wise is it to leave your business vulnerable to a large card testing attack, and only hope that a 3rd party vendor's magic algorithm will protect you?
For me, not wise at all.
Checking phone numbers is straightforward and there's no machine learning involved.
A number is either registered as a VoIP number or registered with a carrier, and a lookup tells you which.
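As an added illustration (this is not code from the post or from My SMS Check), here is a Python sketch of that gate: normalize the number to E.164, map the lookup's line type to allow, block or review, fail closed on anything the lookup can't classify, and cache results so a tester hammering the form with one number costs one API call rather than one per attempt. The lookup response shape and the line-type names are assumptions modelled loosely on common carrier-lookup APIs; the phone numbers and responses below are constructed.

```python
import re
from typing import Callable, Dict, Optional

# Phone number in E.164 form: leading "+", then 7 to 15 digits, no leading zero.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")

# Line-type vocabulary. These names resemble what carrier-lookup APIs such as
# Twilio Lookup return, but treat the exact set as an assumption and map your
# provider's values onto it.
BLOCK_TYPES = {"fixedVoip", "nonFixedVoip", "tollFree", "premium",
               "sharedCost", "pager", "voicemail"}
ALLOW_TYPES = {"mobile"}
# Anything else (landline, personal, uan, unknown, missing) is neither a clear
# pass nor a clear fail: hold it for review instead of letting it through.


def normalize(raw: str) -> Optional[str]:
    """Strip formatting and return the E.164 number, or None if it is not one."""
    cleaned = re.sub(r"[\s\-().]", "", raw)
    return cleaned if E164.match(cleaned) else None


def decide(lookup: Dict) -> str:
    """Turn one lookup response into 'allow', 'block' or 'review'."""
    if lookup.get("valid") is False:          # provider says the number does not exist
        return "block"
    line_type = (lookup.get("line_type_intelligence") or {}).get("type")
    if line_type in BLOCK_TYPES:
        return "block"
    if line_type in ALLOW_TYPES:
        return "allow"
    return "review"                           # fail closed on unknown / missing type


class PhoneGate:
    """Caches decisions per normalized number so repeated attempts with the
    same number (what a card tester does) cost one paid lookup, not one per try."""

    def __init__(self, lookup_fn: Callable[[str], Dict]):
        self._lookup_fn = lookup_fn
        self._cache: Dict[str, str] = {}
        self.api_calls = 0

    def check(self, raw: str) -> str:
        number = normalize(raw)
        if number is None:
            return "block"                    # unparseable input never reaches the paid API
        if number not in self._cache:
            self.api_calls += 1
            self._cache[number] = decide(self._lookup_fn(number))
        return self._cache[number]


# Constructed sample responses standing in for a real lookup API.
# The numbers are fictional (555 exchange) and the payloads are made up.
SAMPLE_LOOKUPS = {
    "+12015550123": {"valid": True, "line_type_intelligence": {"type": "mobile"}},
    "+12015550124": {"valid": True, "line_type_intelligence": {"type": "nonFixedVoip"}},
    "+12015550125": {"valid": True, "line_type_intelligence": {"type": "landline"}},
    "+12015550126": {"valid": False, "line_type_intelligence": None},
}


def fake_lookup(number: str) -> Dict:
    # Numbers the fake provider has no record for return an empty payload,
    # the way a real provider might on an error or timeout.
    return SAMPLE_LOOKUPS.get(number, {})


def run_demo() -> Dict[str, str]:
    gate = PhoneGate(fake_lookup)
    results = {
        "mobile": gate.check("+1 (201) 555-0123"),
        "voip": gate.check("+1 201 555 0124"),
        "landline": gate.check("+12015550125"),
        "invalid": gate.check("+12015550126"),
        "garbage": gate.check("12015550123"),    # no "+": rejected before any lookup
        "unknown": gate.check("+12015550199"),   # empty payload: review, not allow
        "repeat": gate.check("+12015550123"),    # cache hit, no second API call
    }
    results["api_calls"] = str(gate.api_calls)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The two design points worth copying are the fail-closed default (an empty or unexpected lookup response lands in review, never in allow) and the cache, which is what keeps the per-lookup API fee from scaling with the attacker's retry rate.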
If you do check your users' phone numbers, your max downside is roughly what you'd pay for My SMS Check, or a little less if you build it from scratch yourself, since you'll still be paying the lookup API fees.
Your max downside if you leave yourself unprotected is...unlimited. I lost only $20 because I got lucky. The refund fees could easily have spiraled to $4,050, or more if the attackers had had a lot more cards to test.
It's my belief that every unsecured site will be attacked at some point. So I am saving at least $20+ per site I'm protecting.
You break even with our basic plan if you launch even just 3 SaaS products.
But realistically, I got lucky with my $20 loss.
Imagine you used Lemon Squeezy and it let $90K of fraudulent transactions through. You'd save around $3.9K on a nastier attack on one site alone.
And these savings don't even take into account the slippage from free-trial abuse and the like.