• Hi,
    Any chance of adding an option to enable a captcha (e.g. ReCAPTCHA) for payments?
    On my site there are some bots doing some “card testing” using the Stripe Payments and it would be nice to have a way to prevent this kind of fraud.
    Best Regards,

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support mbrsolution

    (@mbrsolution)

    Thank you for your suggestion. The plugin developers will investigate your request further.

    Kind regards

    Plugin Author mra13

    (@mra13)

    I have never heard this before. You are saying a bot is doing a transaction on your site? Is your site live or in test mode?

    Thread Starter ousizems

    (@triode33)

    Hi,
    Yes, bots, in live mode… for donations where users can specify the amount to donate. Here was the email from Stripe Support who noticed the card testing transactions. Stripe blocked them but prefers if they are blocked at the source:

    Thanks for using Stripe!

    There’s no cause for alarm, but we want to flag some recent unusual activity on your Stripe account and request that you take action immediately.

    You’ll find that there are hundreds of recent charge attempts coming from cards with nonsense names and email addresses. This is what’s known as card testing. A third party is using the payment or donation form on your website to test stolen credit card numbers. Fortunately, the charge attempts have so far been unsuccessful. If you see any successful attempts, we recommend refunding them immediately, as they’re likely to be disputed.

    To prevent this kind of activity on your site in the future, we recommend adding CAPTCHA (https://www.captcha.net/) to your payment page, as this will deter third parties from spamming your form with fraudulent payments. You might also consider temporarily rate-limiting the number of charges that can be made on your account in a short period of time.

    We also recommend monitoring charges through Stripe Radar. Radar is a proprietary suite of tools, based on our machine learning algorithms, to help you maximize revenue by catching fraudulent charges and minimizing declined payments. You can learn more at https://stripe.com/radar or log directly into your dashboard: https://dashboard.stripe.com/fraud.

    We do have a couple of options to help guard against card testing. In this case, we noticed that your integration isn’t currently using Stripe Elements. I’d like to make sure you’re able to process cards without any interruptions. I’ve included a link to the ‘Elements’ page here:

    https://stripe.com/docs/elements

    We’d like you to move to integrate with Elements in order to take advantage of Stripe’s fraud detection system, Radar. This is tremendously helpful in identifying and preventing any payments that are fraudulent. If you’d like to take a peek at Radar, I’ve attached a link below:

    https://stripe.com/radar

    If you don’t have a developer, we have a list of pre-built third party integrations already utilizing Elements that can help you send information about charges through to our systems. On our Works With Stripe page, these integrations are separated by category so you can find the service that works best for you. I’ve provided a link to our ‘Works With’ page here:

    https://stripe.com/works-with

    Last but not least, an integration we’ve seen successful in the past is implementing Google’s reCaptcha as a way to block computerized attacks. reCaptcha works by preventing non-humans from interacting with your page, meaning that an attacker’s automated system will not be able to use your payment form. I went ahead and provided a link here:

    https://www.google.com/recaptcha/intro/index.html
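
Added example, not part of the thread or the plugin's code: the rate limiting on charge attempts that the Stripe email above recommends, written in Python as a sliding-window check per client and per account. The class name, thresholds and sample attempts are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class ChargeAttemptLimiter:
    """Sliding-window limit on charge attempts, per client and account-wide."""

    def __init__(self, per_client=3, account_wide=20, window_s=600):
        # Thresholds are assumed values for illustration; tune to real traffic.
        self.per_client = per_client
        self.account_wide = account_wide
        self.window_s = window_s
        self._by_client = defaultdict(deque)  # client id -> attempt timestamps
        self._all = deque()                   # every accepted attempt

    def _expire(self, q, now):
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def check(self, client_id, now):
        """Return 'allow', 'client_limited' or 'account_limited'.

        Call before the charge request is sent to the payment processor, so a
        refused attempt never reaches it.
        """
        q = self._by_client[client_id]
        self._expire(q, now)
        self._expire(self._all, now)
        if len(q) >= self.per_client:
            return "client_limited"
        if len(self._all) >= self.account_wide:
            return "account_limited"
        q.append(now)
        self._all.append(now)
        return "allow"


def replay(attempts, limiter):
    """Run (timestamp, client_id) pairs through the limiter; count decisions."""
    counts = defaultdict(int)
    for ts, client in attempts:
        counts[limiter.check(client, ts)] += 1
    return dict(counts)


# Constructed sample: one client submitting every 2 s for 200 s (a burst shaped
# like card testing) and a single donor at t=50.
SAMPLE = sorted([(t, "198.51.100.7") for t in range(0, 200, 2)] + [(50, "203.0.113.9")])

if __name__ == "__main__":
    print(replay(SAMPLE, ChargeAttemptLimiter()))
```

The per-client limit alone does not catch a burst spread across many addresses; the account-wide cap covers that case.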

    Plugin Contributor Alexander C.

    (@alexanderfoxc)

    Hi @triode33.

    I’ve made a reCaptcha addon for you. You can download it here: https://stripe-plugins.com/updates/packages/stripe-payments-recaptcha.zip

    In order for it to work, you need Stripe Payments version 1.7.5+

    I hope you’re familiar with Google reCaptcha? If not, just go here https://www.google.com/recaptcha/admin and register your website to get API keys. Then go to addon settings (Stripe Payments -> Settings, reCaptcha tab) and put the keys there, also don’t forget to tick “Enable reCaptcha”. And this should do it.

    You can see it in action here https://desertfox.me/miniserv/cleanwp/asp-products/lord-vader/

    Don’t hesitate to get back to us if you have any questions or issues.

  • The topic ‘captcha?’ is closed to new replies.