rllmukforum Posted October 24, 2022 Posted October 24, 2022 We have just had a notification from Stripe that our account is being used for card testing - and indeed, we are getting a huge number of small donations into our Stripe account, the majority of which are failing. I have now turned on the setting requiring people who are paying to set up an account, which should reduce this issue somewhat, but Stripe also recommend that we add other mitigations to our payment gateway, including some added friction. Their help page is at https://stripe.com/docs/disputes/prevention/card-testing I can't see that we would be the only people to have suffered from this. Does anyone have any advice - and can IPS add some parameters to the payment gateway to help overcome this?
Randy Calvert Posted October 24, 2022 Posted October 24, 2022 Their suggestions are: Optimize your Stripe integration -- This is already done. Add a CAPTCHA -- This is not possible today. It would require 3rd party development. Add rate limits -- This is something that would have to be done by your host. Require login or session validation -- This is possible and needs you to configure it Use customer Radar rules. -- This is a product from Stripe and is for you to setup/manage outside of IPB. Detect and prevent unusual behavior Limit the number of cards that can be attached to a single customer -- This is already done Limit the number of customers that can be created with a single IP address -- This is not possible today. It would require 3rd party development Filter out requests with certain user agents or other parameters -- This would be on you to do with your host / firewall. rllmukforum 1
David.. Posted October 24, 2022 Posted October 24, 2022 1 hour ago, Randy Calvert said: Limit the number of cards that can be attached to a single customer -- This is already done How is this done?
Randy Calvert Posted October 24, 2022 Posted October 24, 2022 (edited) Try adding 50 CC’s. 🙂 But to be honest you’re not going to find your fraud with that. Disable guest purchasing and you’ll stop 95 percent of your fraud fright there. Edited October 24, 2022 by Randy Calvert
Disruption Posted October 24, 2022 Posted October 24, 2022 2 hours ago, Randy Calvert said: Their suggestions are: Optimize your Stripe integration -- This is already done. Add a CAPTCHA -- This is not possible today. It would require 3rd party development. Add rate limits -- This is something that would have to be done by your host. Require login or session validation -- This is possible and needs you to configure it Use customer Radar rules. -- This is a product from Stripe and is for you to setup/manage outside of IPB. Detect and prevent unusual behavior Limit the number of cards that can be attached to a single customer -- This is already done Limit the number of customers that can be created with a single IP address -- This is not possible today. It would require 3rd party development Filter out requests with certain user agents or other parameters -- This would be on you to do with your host / firewall. That is substantial requirements to fix that problem. Sounds like something that should be easier for users...
Randy Calvert Posted October 25, 2022 Posted October 25, 2022 Those would be software enhancements. The best place to make that ask is in the features and feedback forum. 🙂
rllmukforum Posted October 25, 2022 Author Posted October 25, 2022 Thanks for the help Randy. I'm trying to work out how to set it so that guests can't check out - is it a case of creating a fraud rule which refuses if the person is in the "guests" group?
elonegenio Posted October 26, 2022 Posted October 26, 2022 We got hit very hard on our donation page by this bot on 10-7-22. In the span of approximately 10 hrs we got hit with approximately 60,000 $1 guest transactions. We did not catch that activity which started at 10pm the night before until 8am in the morning. We immediately disabled the donation feature. Of those 60k transactions about 150 went thru. We immediately refunded those that did get thru and our account with stripe was put on test mode for a week. We do not get many donation as we are mainly a subscription site. To subscribe you must join the site and then pay to upgrade. We have yet to enable the donation feature again as we are undecided as to whether or not to run donations thru pages where you have to log in or just limit donations to subscribers. Needless to say, this was a very surprising vulnerability. In the mean time our transaction feature in commerce shows 2000 pages of these failed fraud transactions. Is there a way to mass delete these 2000 pages ? Obviously, we are not going to click delete individually on each of the 60,000 failed transactions.
jesuralem Posted October 26, 2022 Posted October 26, 2022 On 10/24/2022 at 10:05 PM, Randy Calvert said: Add rate limits -- This is something that would have to be done by your host. I disagree, limiting the number of payments attempts from an IP or a device could/should be done at code level.
Marc Posted October 26, 2022 Posted October 26, 2022 10 minutes ago, jesuralem said: I disagree, limiting the number of payments attempts from an IP or a device could/should be done at code level. As mentioned above, these are something that would need adding. Therefore you would need to post up within the suggestions area if you would like to see changes in this area
rllmukforum Posted October 26, 2022 Author Posted October 26, 2022 20 hours ago, Marc Stridgen said: That would be correct, yes This seems to work for subscriptions and other things in the store, but not for donations. Any ideas? 5 hours ago, elonegenio said: We got hit very hard on our donation page by this bot on 10-7-22. In the span of approximately 10 hrs we got hit with approximately 60,000 $1 guest transactions. We did not catch that activity which started at 10pm the night before until 8am in the morning. We immediately disabled the donation feature. Of those 60k transactions about 150 went thru. We immediately refunded those that did get thru and our account with stripe was put on test mode for a week. We do not get many donation as we are mainly a subscription site. To subscribe you must join the site and then pay to upgrade. We have yet to enable the donation feature again as we are undecided as to whether or not to run donations thru pages where you have to log in or just limit donations to subscribers. Needless to say, this was a very surprising vulnerability. This is exactly what happened to us, but with a lower volume before Stripe stepped in and suspended our account. We have had about £450 in donations over the last few years so I am loathe to turn that off, so it would be ideal if donations could be restricted to members in line with everything else.
Marc Posted October 26, 2022 Posted October 26, 2022 1 hour ago, rllmukforum said: This seems to work for subscriptions and other things in the store, but not for donations. Any ideas? This would only be for purchases unfortunatly
opentype Posted October 26, 2022 Posted October 26, 2022 1 hour ago, rllmukforum said: o it would be ideal if donations could be restricted to members in line with everything else. Aren’t they? https://invisioncommunity.com/release-notes/4721-r113/ SeNioR- and rllmukforum 2
Marc Posted October 26, 2022 Posted October 26, 2022 Please could you confirm you are using the latest release, and that those transactions were while on the latest release? As mentioned above, this should now be members only SeNioR- 1
rllmukforum Posted October 26, 2022 Author Posted October 26, 2022 No, we aren't on the latest release, that's on the to-do list. Great, looks like things will be sorted very shortly then!
Marc Posted October 26, 2022 Posted October 26, 2022 53 minutes ago, rllmukforum said: No, we aren't on the latest release, that's on the to-do list. Great, looks like things will be sorted very shortly then! This will indeed be why you have the issues there. Guests cannot use donations in the latest releases
Recommended Posts