Ask HN: Our startup keeps getting PayPal disputes; what should we do?

1 point | author: june3739 | 2 days ago
Longtime user posting from a new account out of an abundance of caution.

I founded an e-commerce marketplace startup. We use PayPal's Multiparty APIs (PayPal Commerce Platform) for checkout. For the past 10 days, someone has been bombarding us with purchases that they later dispute. There's a consistent pattern to it:

* They use an email address that has no footprint online, always from the same two domains
* They use an unverified PayPal account to pay
* They pay a low amount, not always the same, in a narrow range for a digital item
* All of the charges were disputed within a few hours

They're not doing this through our API. The purchase process requires a browser because of the way our payment form is configured. There's an amount of variation to each purchase that tells us they're automating a browser. Logs indicate that they're changing IP each time. The events come in bursts and seem to be spaced to avoid automated detection.

We added the typical mitigations to our network stack and code. A few are still slipping through. Logs indicate a high amount of bot traffic.

PayPal does not seem equipped to deal with this. Their support is always extremely slow, relies on canned responses, and to date has a very limited understanding of how their own Multiparty APIs work. Their phone support people will not talk with me; they see no indication that my PayPal account is affiliated with these purchases in any way. They want each of our sellers to contact them independently, which we know will result in disparate cases that don't tell the complete story or offer any assistance.

Has anyone encountered anything like this before? We're struggling to find the motive or intended outcome by the attacker(s). We're a small company with a niche audience; we've never had a conflict with anyone that got serious enough that we'd expect them to come after us like this.

Any thoughts and recommendations would be greatly appreciated. We feel like we are on our own here and are unsure of how to handle it.
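As an added example (not code from the poster, nor anything from PayPal), here is a Python check that applies the pattern described in the post to a marketplace's own order and dispute records: it flags email domains whose orders fit the pattern and holds undisputed orders from those domains for human review before the digital item is delivered. The `Order` fields, the thresholds, the domains and all sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from collections import defaultdict

@dataclass
class Order:
    order_id: str
    email: str            # buyer's PayPal email (assumed field)
    payer_verified: bool  # PayPal payer verification status (assumed field)
    amount: float
    ip: str               # client IP seen at checkout
    created: datetime
    disputed_at: "datetime | None" = None

def domain(email):
    return email.rsplit("@", 1)[-1].lower()

def pattern_domains(orders, window=timedelta(hours=6), min_orders=3, max_spread=5.0):
    """Email domains matching the post's pattern: unverified payer, low amounts in
    a narrow range, every order disputed within `window`, and a new IP per order."""
    by_domain = defaultdict(list)
    for o in orders:
        by_domain[domain(o.email)].append(o)
    flagged = set()
    for dom, group in by_domain.items():
        fast = [o for o in group if not o.payer_verified and o.disputed_at
                and o.disputed_at - o.created <= window]
        if len(fast) < min_orders:
            continue
        amounts = [o.amount for o in fast]
        rotating = len({o.ip for o in fast}) == len(fast)
        if max(amounts) - min(amounts) <= max_spread and rotating:
            flagged.add(dom)
    return flagged

def orders_to_hold(orders, flagged):
    """Undisputed, unverified-payer orders from flagged domains: hold delivery pending human review."""
    return sorted(o.order_id for o in orders if o.disputed_at is None
                  and not o.payer_verified and domain(o.email) in flagged)

T = datetime(2024, 5, 1, 9, 0)  # constructed sample data: one burst domain plus a normal buyer
ORDERS = [
    Order("o1", "a1@burst.example", False, 4.99, "10.0.0.1", T, T + timedelta(hours=1)),
    Order("o2", "a2@burst.example", False, 5.49, "10.0.0.2", T + timedelta(minutes=7), T + timedelta(hours=2)),
    Order("o3", "a3@burst.example", False, 4.25, "10.0.0.3", T + timedelta(minutes=15), T + timedelta(hours=3)),
    Order("o4", "a4@burst.example", False, 5.10, "10.0.0.4", T + timedelta(hours=5)),
    Order("o5", "pat@shop.example", True, 19.00, "10.0.0.5", T),
]
FLAGGED = pattern_domains(ORDERS)       # {'burst.example'}
HOLD = orders_to_hold(ORDERS, FLAGGED)  # ['o4']
```

The thresholds are deliberately coarse; tune `window`, `min_orders` and `max_spread` against your own dispute history so a legitimate buyer on a shared mail provider is not caught.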