Teri Radichel


Medium and Stripe Response to Payment issue

Still not getting paid and no way to fix it at the moment

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Resolved: Summary of entire chain of events here:

Updated: 1/25/2023

So I wrote about how I am not getting Medium payments here:

Medium’s response is that they cannot pay me because they have no control over Stripe security. Huh? I work in cybersecurity and that response makes no sense.

But the bigger problem is I still don’t have an answer to the question:

What is the email or account you are using to send payments to Stripe?

Because no matter what email I try at Stripe it says that account does not exist.

Update: they did send the email in an image embedded in the text. The image was black with very fine print so I didn’t even see it. But they sent it, so my bad.

I asked Medium again for that information so I know which account to ask Stripe about. Otherwise, Stripe probably has no idea how to figure out which Stripe account is linked to my Medium account.

Update: Medium replied the next day, stating that the account was in the image (which wasn’t in the text the prior day or I would have seen it). OK but that doesn’t solve my problem. Because as I already explained I tried every email associated with my account at Stripe and no Stripe account exists. So I have two questions out now:

  • If I change the email on Stripe to what it says in the screen shot will it fix my problem?
  • How can I change the email for my Stripe account on Medium?

But hey, I’ll try that email again…see the bottom of the post…something changed at Stripe.

How did my account get altered/deleted/used for fraudulent activity?

This is what I wrote about yesterday when I didn’t know the email associated with my account…more comments at bottom.

If someone maliciously swapped my Stripe account linkage on Medium, I’m not going to have any information about the malicious account to contact Stripe. Not saying that’s what happened, just that the Medium response is not helpful.

I could try to link a new Stripe account, but there seems to be no way to do that and support did not provide that option. That option could be risky to grant via email — as that would be ripe for phishing attacks.

Hoping Medium will provide a secure way to do that on their web site as soon as possible. And the ability to log in with YubiKeys as a second factor.

How both sides of an integration can lead to a security problem

Here’s why blaming Stripe’s security for the problem doesn’t make sense.

A security problem on either side of an integration can lead to a data breach or security incident.

If you are integrating with another vendor and you misconfigure your side, or you have a security vulnerability on your side that lets attackers (or malicious insiders) get in and leverage credentials or change or steal data, your company would be the source of the security problem.

In that scenario, something on the Medium side could have changed my Stripe integration to an alternate account. I have no idea because I can’t seem to find any place where I can view that linkage to see if some rogue account is linked to Medium.

Also consider the following, related to the data breach that got me into security that I wrote about in my last post. What if an attacker had a way to alter systems such that I got an email and view saying I got $2, when in fact my payout was much higher and someone internally or attacking the system was redirecting a portion of my payments elsewhere?

I doubt that is happening, because an attacker would have to be showing me a fake Medium payout page and send the corresponding fake email and get the matching account to show up in my Stripe account. Oh but wait. I’m not getting my payments now…how could someone be showing me fake pages? Well, cache poisoning attacks for one thing. James Kettle has written and spoken about numerous ways to attack caches, and I’ve seen some behavior that appears to be caching on Medium.

Practical Web Cache Poisoning (portswigger.net): https://portswigger.net/research/practical-web-cache-poisoning

I was just looking back on past payments and they were higher even though I’m getting a lot more hits recently. It all seems odd to me but I’m not going to worry about it because none of the amounts are worth my time. But to an attacker aggregating a bunch of small amounts from different Medium writers, it certainly could be.

Until I know that my original account that I signed up on Stripe with to use with Medium is still intact, I don’t know if the problem is with Medium or not. So unless they can provide the Stripe account information so I can verify that, I’m not sure where the problem lies.

The same thing could have occurred at Stripe. Someone could have swapped my Stripe account linkage with Medium to a different Stripe account, given enough access. Or if Stripe had some kind of breach where they got into my account, perhaps they started sending payments to an alternate bank account. Perhaps Stripe figured out it was a malicious bank account and shut down my account.

Unfortunately I do not have enough information to determine what actually happened. I’m just presenting some threat modeling and explaining why blaming Stripe support doesn’t make sense.

At least from my point of view, I don’t have enough information to come to that conclusion. And also, I still have no way to fix or get into my Stripe account that is linked to Medium because I don’t know what account it is.

Most likely…

I am guessing I just don’t remember the information about the Stripe account I linked up with Medium. But I have no way to know because I can’t see any information about my Stripe account in Medium.

It is very odd, though, that I haven’t touched any of it or even logged in and I simply stopped getting paid.

Hoping they can provide the Stripe account information.

In the meantime, going to scour my data for any information on what the Stripe account was that I used to sign up with Medium. Pretty sure I have that written down somewhere…

Update: I couldn’t find information about my linkage between my Stripe and Medium account in my records. I now have that securely stored. I never expected to make a lot of money off Medium in the first place. It was an experiment and never really panned out as a viable revenue stream, but it helps my business in other ways.

Now that I know what the email was — it was a valid email I probably used. What I don’t understand at the moment, is how that particular account could be doing something fraudulent when the only thing I use it for (up to now) is Medium payments. I haven’t even logged in or looked at it in ages. Hmm.

AHA! Today Stripe says that account exists. HMM???? I tried to set the password on that account yesterday — a couple of times — and it definitely did not work. Maybe I randomly hit it at a point when the website had some kind of glitch. Let’s see if I can get this fixed.

I log in to the account (which I definitely could not do before) and it says my account cannot receive payments because it does not meet Stripe’s “Terms of Service.”

Well, I moved (in 2021), so perhaps I need to update my address. However, the only other thing I do with this account is get payments from Medium and as far as I know it is the only way to get payments from Medium. So how would I possibly be breaking terms of service?

Additionally it says my business is not eligible. My business has not changed its place of incorporation or the type of business I am doing. I am properly registered in all places where I do business. What?

Now I have to try to contact Stripe…this is all very strange. Also strange that I do not recall getting nor can I find any emails from Stripe on the matter, nor did I get any indication from Medium that they are unable to send my payments. They keep sending me emails showing how much I earned. If they couldn’t send the payment I would expect to be notified, no? Or to stop getting the emails? Ah…but read on…

Initially I thought my last payment was January of last year, but actually I’ve gotten payments from Medium through this month — even though the email from Medium indicated they couldn’t pay me due to “fraudulent activity.” So wherever Medium got that message was incorrect. Keep reading…

Now I have to spend time contacting Stripe because it is not clear to me from the dashboard what I need to do to resolve this. So I go to Stripe support and they have some phone options but the only option I can use is email. Hopefully this will get resolved quickly.

Stripe promptly replied — Thank you. Apparently I need to add a credit card to my account — to get paid by Medium. They claim they sent this in …2019.

Turns out the link is for verification only and my card will not be charged. So I put in my business card about 5 minutes ago and the page is still just spinning and not working at all.

I emailed Stripe customer service to tell them I have submitted the card but it’s not working.

It’s still spinning…

….

Now the password I just set is not working. Hmm. It could be that my dog was distracting me but I thought he was only doing that when I set up my MFA hardware security key. So I try to reset it…and not getting any password reset emails from Stripe now…

….

Stripe says that the reason I have to put in a credit card is for KYC, which I am fully aware of since I used to work for a bank and dealt with these systems. However, why is Stripe the only one of many financial institutions that cannot verify my identity?

….

Waiting for a response on the password reset issue. Pretty sure I’m using the right password but when I reset it I was distracted so I’m likely at fault — but now I can’t reset it again. Waiting…

Update: 5:27 p.m.

After hours Stripe responded and the person that responded said “I see that you want to reset your email password. Contact your email provider.” Not in so many words. This is not giving me a lot of confidence in Stripe’s service at the moment.

I re-explained with many more words that I cannot reset my STRIPE password because it is not sending me the reset emails.

Good thing I’m not counting on this account for actual large amounts of money.

If you’re wondering why I am just now noticing, the amount I get paid by Medium in an entire year is a fraction of what I get paid for one hour of consulting. But I like that it is a simple platform for sharing information. I do need to have a better revenue stream for time spent, however. So not sure how long I can keep writing as much as I do here. It’s still a nice blogging platform though.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab