[FEATURE] Require MFA, passkey, or other auth on gifit purchases to curb fraud
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
There's a common exploit (probably session hijacking) that bad actors are using to gift themselves subscriptions from compromised accounts. See:
- https://www.reddit.com/r/ClaudeCode/comments/1qgd4td/5250_in_fraudulent_gift_purchases_on_my_claude/
- https://www.reddit.com/r/claude/comments/1rwsduw/unauthorised_gift_purchases_made_from_my_account/
- https://www.reddit.com/r/claude/comments/1sbrh6x/claude_randomly_charging_my_card_for/
I believe these are sold on gray market sites like the below:
https://www.g2g.com/categories/claude-ai-activation-links
Proposed Solution
If this is a session hijack, it could be mitigated by requiring MFA or a passkey to purchase. This would be a low-friction way to greatly improve security during checkout.
It seems that Anthropic support is overwhelmed at the moment. This would likely stem a good amount of volume from individual customers.
Alternative Solutions
- A link could be sent to the user's email that would confirm a gift purchase
- Common sense rate limits on gifting (see the first Reddit link) could prevent some of the worst offenses on its own
There are many tried-and-tested ways to ensure identity at the point of purchase; I just ask that one of them be implemented.
Priority
High - Significant impact on productivity
Feature Category
Other
Use Case Example
- Someone gains access to my session cookie, but not my phone
- They attempt to gift themselves 1 month of Max
- Anthropic sends a 6-digit confirmation code to my phone
- Instead of being charged and having to deal with bank fraud, I log out of all my sessions and go on with my day
Additional Context
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗