Posted

We have just had a notification from Stripe that our account is being used for card testing - and indeed, we are getting a huge number of small donations into our Stripe account, the majority of which are failing.

I have now turned on the setting requiring people who are paying to set up an account, which should reduce this issue somewhat, but Stripe also recommend that we add other mitigations to our payment gateway, including some added friction. Their help page is at https://stripe.com/docs/disputes/prevention/card-testing

I can't see that we would be the only people to have suffered from this.  Does anyone have any advice - and can IPS add some parameters to the payment gateway to help overcome this?

Posted

Their suggestions are:

  • Optimize your Stripe integration -- This is already done.
  • Add a CAPTCHA -- This is not possible today.  It would require 3rd party development.
  • Add rate limits  -- This is something that would have to be done by your host.
  • Require login or session validation -- This is possible and needs you to configure it
  • Use customer Radar rules. -- This is a product from Stripe and is for you to set up/manage outside of IPB.
  • Detect and prevent unusual behavior
    • Limit the number of cards that can be attached to a single customer -- This is already done
    • Limit the number of customers that can be created with a single IP address -- This is not possible today.  It would require 3rd party development
    • Filter out requests with certain user agents or other parameters -- This would be on you to do with your host / firewall.

Posted (edited)

Try adding 50 CC’s. 🙂

But to be honest you're not going to find your fraud with that. Disable guest purchasing and you'll stop 95 percent of your fraud right there.

Edited by Randy Calvert
Posted
2 hours ago, Randy Calvert said:

Their suggestions are:

  • Optimize your Stripe integration -- This is already done.
  • Add a CAPTCHA -- This is not possible today.  It would require 3rd party development.
  • Add rate limits  -- This is something that would have to be done by your host.
  • Require login or session validation -- This is possible and needs you to configure it
  • Use customer Radar rules. -- This is a product from Stripe and is for you to set up/manage outside of IPB.
  • Detect and prevent unusual behavior
    • Limit the number of cards that can be attached to a single customer -- This is already done
    • Limit the number of customers that can be created with a single IP address -- This is not possible today.  It would require 3rd party development
    • Filter out requests with certain user agents or other parameters -- This would be on you to do with your host / firewall.

Those are substantial requirements to fix that problem. Sounds like something that should be easier for users...

Posted

Thanks for the help Randy.  I'm trying to work out how to set it so that guests can't check out - is it a case of creating a fraud rule which refuses if the person is in the "guests" group?


Posted

We got hit very hard on our donation page by this bot on 10-7-22. In the span of approximately 10 hrs we got hit with approximately 60,000 $1 guest transactions. We did not catch that activity which started at 10pm the night before until 8am in the morning. We immediately disabled the donation feature. Of those 60k transactions about 150 went thru. We immediately refunded those that did get thru and our account with stripe was put on test mode for a week. 

We do not get many donations as we are mainly a subscription site. To subscribe you must join the site and then pay to upgrade. We have yet to enable the donation feature again as we are undecided as to whether or not to run donations thru pages where you have to log in or just limit donations to subscribers. Needless to say, this was a very surprising vulnerability.

In the meantime our transaction feature in commerce shows 2000 pages of these failed fraud transactions. Is there a way to mass delete these 2000 pages? Obviously, we are not going to click delete individually on each of the 60,000 failed transactions.

Posted
On 10/24/2022 at 10:05 PM, Randy Calvert said:

Add rate limits  -- This is something that would have to be done by your host.

I disagree, limiting the number of payment attempts from an IP or a device could/should be done at code level.
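As an added illustration of the code-level control argued for in this post and of the pattern described earlier in the thread (a burst of tiny, mostly declined guest charges from one source), here is a small Python sketch that is not Invision Community code and is not tied to the Stripe API: a sliding-window limiter on payment attempts per client IP, plus a detector that flags the card-testing signature in checkout logs. The log format, the IP addresses, the thresholds and the `Attempt`/`PaymentRateLimiter` names are all constructed assumptions.

```python
"""Added example (not IPS or Stripe code): per-IP payment attempt rate limiting
and card-testing detection over constructed checkout log lines."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Attempt:
    ts: float        # unix seconds
    ip: str
    amount: float    # charge amount in major currency units
    declined: bool


class PaymentRateLimiter:
    """Allow at most `limit` attempts per `window` seconds for each key (here an IP).
    Check this before a charge is ever submitted to the gateway."""

    def __init__(self, limit: int = 5, window: float = 600.0):
        self.limit = limit
        self.window = window
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] > self.window:   # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False                         # refuse; do not call the gateway
        q.append(now)
        return True


def parse_log_line(line: str) -> Attempt:
    """Parse a constructed line like
    '2022-10-07T22:00:01Z ip=203.0.113.7 amount=1.00 status=declined'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Attempt(ts=ts.timestamp(), ip=kv["ip"],
                   amount=float(kv["amount"]), declined=kv["status"] != "succeeded")


def card_testing_suspects(attempts, window=3600.0, min_attempts=20,
                          max_amount=5.0, min_decline_ratio=0.5):
    """Map IP -> (attempt count, decline ratio) for the largest window of attempts
    that is long, made up of small amounts, and mostly declined."""
    by_ip = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a)
    suspects = {}
    for ip, items in by_ip.items():
        best = None
        start = 0
        for end in range(len(items)):
            while items[end].ts - items[start].ts > window:
                start += 1
            win = items[start:end + 1]
            if len(win) < min_attempts or any(x.amount > max_amount for x in win):
                continue
            ratio = sum(x.declined for x in win) / len(win)
            if ratio >= min_decline_ratio and (best is None or len(win) > best[0]):
                best = (len(win), round(ratio, 2))
        if best:
            suspects[ip] = best
    return suspects


def sample_log():
    """Constructed log lines, not real data: one burst of $1 attempts from one IP
    (about one in fifteen succeeding, as card testers see) plus two normal orders."""
    lines = []
    for i in range(30):
        status = "succeeded" if i % 15 == 14 else "declined"
        lines.append(f"2022-10-07T22:00:{2 * i:02d}Z ip=203.0.113.7 amount=1.00 status={status}")
    lines += [
        "2022-10-07T22:05:00Z ip=198.51.100.4 amount=25.00 status=succeeded",
        "2022-10-07T23:10:00Z ip=198.51.100.4 amount=10.00 status=succeeded",
    ]
    return lines


def analyse(lines):
    return card_testing_suspects(parse_log_line(l) for l in lines)


if __name__ == "__main__":
    print(analyse(sample_log()))
```

The limiter is what stops the flood from reaching Stripe at all; the detector is for the morning-after review of the logs, where a single source with dozens of sub-$5 attempts and a high decline ratio is the thing to look for. Thresholds should be tuned to the site's normal donation volume so ordinary members are never blocked.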

Posted
10 minutes ago, jesuralem said:

I disagree, limiting the number of payment attempts from an IP or a device could/should be done at code level.

As mentioned above, these are something that would need adding. Therefore you would need to post up within the suggestions area if you would like to see changes in this area.

Posted
20 hours ago, Marc Stridgen said:

That would be correct, yes

This seems to work for subscriptions and other things in the store, but not for donations.  Any ideas?

5 hours ago, elonegenio said:

We got hit very hard on our donation page by this bot on 10-7-22. In the span of approximately 10 hrs we got hit with approximately 60,000 $1 guest transactions. We did not catch that activity which started at 10pm the night before until 8am in the morning. We immediately disabled the donation feature. Of those 60k transactions about 150 went thru. We immediately refunded those that did get thru and our account with stripe was put on test mode for a week. 

We do not get many donations as we are mainly a subscription site. To subscribe you must join the site and then pay to upgrade. We have yet to enable the donation feature again as we are undecided as to whether or not to run donations thru pages where you have to log in or just limit donations to subscribers. Needless to say, this was a very surprising vulnerability.

This is exactly what happened to us, but with a lower volume before Stripe stepped in and suspended our account.  We have had about £450 in donations over the last few years so I am loath to turn that off, so it would be ideal if donations could be restricted to members in line with everything else.

Posted
1 hour ago, rllmukforum said:

This seems to work for subscriptions and other things in the store, but not for donations.  Any ideas?

This would only be for purchases unfortunately.

Posted
53 minutes ago, rllmukforum said:

No, we aren't on the latest release, that's on the to-do list.  Great, looks like things will be sorted very shortly then!

This will indeed be why you have the issues there. Guests cannot use donations in the latest releases.
