Trust and security

Fraud register and controls

We publish the abuse vectors we have identified and what we do about each one. This is a living document; it is updated as we ship hardening.

Chargeback after dossier delivery

Partial

Vector

Buyer purchases dossier, downloads PDF, then disputes the charge as 'service not received' — claiming the receipt never arrived.

Mitigation

Every dossier render and PDF download is logged with timestamp + IP + user-agent. Stripe webhook listens for chargeback events; we auto-submit the delivery log + IP-geo + signed-in user as compelling evidence (Reason Code 13.1 — credit not processed / friendly fraud).

Investor-plan credential sharing

Pending

Vector

One €99/mo subscription used by a whole buyer-broker office or 20-person agency, undermining unit economics.

Mitigation

Soft rate-limit dossier generation per account/IP (Upstash). Hard-cap implemented post-launch via concurrent-session detection in Supabase auth + fingerprint hashing. Agency pricing tier announced if abuse detected.

Card-testing via /upgrade

Partial

Vector

Bot probes /upgrade with stolen card numbers in a $1-€49 sweep to find live cards.

Mitigation

Rate-limit /api/checkout (5/min/IP, hard 20/hr). Stripe Radar default rules cover BIN-velocity + CVC-mismatch + repeated-decline. Add reCAPTCHA Enterprise on checkout when bot ratio exceeds 5%.
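The two budgets above (5/min/IP with a hard 20/hr cap) and the per-account/IP soft limit on dossier generation are the same mechanism with different keys and rule sets. The following is an added example, not the project's own code: a sliding-window limiter that enforces several windows at once. State is an in-memory Map here; in production the same timestamps would live in Upstash/Redis (an assumption about the deployment) so that every instance sees the same counts.

```typescript
// Added example (not the project's code): multi-window sliding limiter.
// Keyed by client IP for /api/checkout, or by account id for dossier generation.

interface WindowRule {
  limit: number;    // max accepted requests inside the window
  windowMs: number; // window length in milliseconds
}

// The checkout budgets stated in the register: 5 per minute, hard cap 20 per hour.
export const CHECKOUT_RULES: WindowRule[] = [
  { limit: 5, windowMs: 60000 },
  { limit: 20, windowMs: 3600000 },
];

export interface Decision {
  allowed: boolean;
  retryAfterMs: number; // 0 when allowed, otherwise a value for the Retry-After header
}

export class MultiWindowLimiter {
  // key -> timestamps (ms) of requests that were accepted
  private hits = new Map<string, number[]>();

  constructor(private rules: WindowRule[]) {}

  // Decide whether a request at time `now` may proceed. Only accepted requests
  // are recorded, so a client that is already blocked cannot extend its own
  // block by hammering the endpoint; the block expires on the original schedule.
  check(key: string, now: number = Date.now()): Decision {
    const longest = Math.max(...this.rules.map((r) => r.windowMs));
    // drop timestamps older than the longest window so the list stays bounded
    const recent = (this.hits.get(key) ?? []).filter((t) => now - t < longest);

    let retryAfterMs = 0;
    for (const rule of this.rules) {
      const inWindow = recent.filter((t) => now - t < rule.windowMs);
      if (inWindow.length >= rule.limit) {
        // the oldest hit in this window must age out before another is allowed
        const oldest = Math.min(...inWindow);
        retryAfterMs = Math.max(retryAfterMs, oldest + rule.windowMs - now);
      }
    }

    if (retryAfterMs > 0) {
      this.hits.set(key, recent);
      return { allowed: false, retryAfterMs };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, retryAfterMs: 0 };
  }
}

// Route-handler sketch (assumed shape, not the project's): map the decision to
// an HTTP status. A real handler would also set Retry-After from retryAfterMs.
export function checkoutGate(limiter: MultiWindowLimiter, ip: string, now?: number): number {
  return limiter.check(ip, now).allowed ? 200 : 429;
}
```

Because the hourly rule keeps a full hour of timestamps, a client that trickles one request per minute still hits the hard cap on the 21st request; the per-minute rule alone would never catch that pattern. The same class with a different rule list and an account-id key gives the soft limit on dossier generation.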

Bad-actor solicitor lists fictional properties

Documented

Vector

Fake solicitor profile lists properties they don't represent, harvests buyer-intro leads, then disappears.

Mitigation

Manual editorial review of every listing (24h SLA) during MVP. Post-launch: solicitor must complete bar-number verification + recent practising certificate upload + counter-signature from existing verified peer. Listing-to-close conversion ratio tracked; listings with a ratio below 10% are flagged for review.

Impersonating a verified firm

Documented

Vector

Attacker registers using a real solicitor firm's bar number from public register.

Mitigation

Sign-up requires a verification email sent to the firm's domain (DNS MX-validated, no Gmail/Hotmail). The bar number is cross-referenced against the country bar association's public register (England Bar Council, Ordem dos Advogados, Colegio de Abogados, Conseil National des Barreaux, Türkiye Barolar Birliği).
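The two checks above, as an added example that is not the project's code: the applicant's email domain must be a firm domain (MX record present, not a consumer mailbox provider) and the bar number must match a register entry whose firm domain is the one the applicant signs up from. That last comparison is what catches the impersonation case, where the bar number is real but presented from an unrelated mailbox. The DNS lookup and the register are injected and the sample data is constructed, so the example runs offline; production would use an async dns.promises.resolveMx and the associations' public lookups.

```typescript
// Added example (not the project's code). Sample register and resolver are constructed.

export const CONSUMER_MAIL_DOMAINS = new Set([
  "gmail.com", "googlemail.com", "hotmail.com", "outlook.com", "live.com",
  "yahoo.com", "icloud.com", "proton.me", "protonmail.com",
]);

export interface BarEntry {
  barNumber: string;
  firmDomain: string; // domain the association lists for the firm
  status: "practising" | "suspended" | "struck-off";
}

// Synchronous for the example; the real resolver (dns.promises.resolveMx) is async.
export type MxResolver = (domain: string) => string[];

export interface SignupCheck {
  ok: boolean;
  reasons: string[]; // empty when ok
}

export function emailDomain(email: string): string | null {
  const m = /^[^@\s]+@([^@\s]+)$/.exec(email.trim());
  return m ? m[1].toLowerCase() : null;
}

export function checkSolicitorSignup(
  email: string,
  barNumber: string,
  register: Map<string, BarEntry>,
  resolveMx: MxResolver,
): SignupCheck {
  const reasons: string[] = [];
  const domain = emailDomain(email);
  if (!domain) return { ok: false, reasons: ["malformed email"] };

  // Rule 1: consumer mailbox providers are never a firm domain.
  if (CONSUMER_MAIL_DOMAINS.has(domain)) reasons.push(`consumer mailbox domain ${domain} not accepted`);

  // Rule 2: the domain must actually receive mail (MX-validated).
  let mx: string[] = [];
  try { mx = resolveMx(domain); } catch { mx = []; }
  if (mx.length === 0) reasons.push(`no MX record for ${domain}`);

  // Rule 3: bar number must exist, be practising, and belong to this domain.
  const entry = register.get(barNumber.trim().toUpperCase());
  if (!entry) {
    reasons.push("bar number not found in register");
  } else {
    if (entry.status !== "practising") reasons.push(`bar number status is ${entry.status}`);
    if (entry.firmDomain !== domain) reasons.push(`bar number belongs to ${entry.firmDomain}, not ${domain}`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample data (not a real register or real firm).
export const SAMPLE_REGISTER = new Map<string, BarEntry>([
  ["ABC123", { barNumber: "ABC123", firmDomain: "example-law.co.uk", status: "practising" }],
  ["DEF456", { barNumber: "DEF456", firmDomain: "example-law.co.uk", status: "struck-off" }],
]);
export const sampleResolveMx: MxResolver = (d) =>
  d === "example-law.co.uk" ? ["mx1.example-law.co.uk"] : [];
```

All failing rules are collected rather than returning on the first one, so the review queue sees the full picture (a consumer mailbox plus a bar number registered to someone else is a stronger signal than either alone).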

Server-side request forgery via /api/analyse URL parameter

Implemented

Vector

Attacker submits an internal-network URL (http://169.254.169.254, http://localhost) to extract metadata from cloud services.

Mitigation

lib/geocode.ts PORTAL_ALLOWLIST hard-codes hostnames (rightmove.co.uk, idealista.com, seloger.com, imovirtual.com, sahibinden.com, …). Any URL not on the allowlist returns 422 before any fetch is initiated.

Prompt injection via scraped listing content

Implemented

Vector

Malicious og:title or og:description on a listing page contains 'Ignore previous instructions and …' attempting to alter the Gemini prompt.

Mitigation

Scraped strings are escaped, length-capped (1000 char), and wrapped in delimited [USER_INPUT] blocks in the prompt. System prompt explicitly instructs Gemini to treat the input as untrusted data, not instructions.

Concierge deposit laundering

Documented

Vector

Buyer pays €699 deposit with card A, requests refund to card B — using us as a money-laundering mixer.

Mitigation

Hard rule via Stripe Refunds API: refund must return to original payment method. No alternative-payee refunds. AML check (proof of funds) on deposits >€10k. Concierge customer must complete identity verification (Stripe Identity) before deposit is accepted.

Found a vector we haven't covered?

Write to security@outpost.tools. Responsible-disclosure reward: $50–1,000 depending on severity.