Hackers Card-testing. How to mitigate?
-
Hi. I have been hit several times in the last few months with hackers card-testing on my site. They attempt to make a small purchase on various credit cards under various names and addresses, sometimes hundreds of times in an hour.
Stripe’s docs suggest rate-limiting in the payment plugin, so that after a certain number of failed attempts the user is locked out of checkout. I don’t see that as an option in the plugin.
I’ve already updated my firewall’s settings to block them after the fact, but there is no way to stop them during the process without involving the plugin running checkout.Is there something you recommend to stop these card-testing attempts?
Thanks!
-
is there anything within the payments plugin that I can adjust to block them?
No because a card tester can easily bypass most of the checks that could be put in place using IP spoofing. Card testing can occur client side, before the request to your server is made. The way Stripe and other payment provides work is the card information is exchanged for a payment method ID that is then used to process the payment.
The payment method ID creation occurs as part of a client side request to Stripe’s payment method API. That’s why reCAPTCHA is a good first line of defence since it must be passed before the request to the payment method API occurs.
You can also tailor your Stripe radar rules to help mitigate card testing.
It’s worth mentioning that we are working internally with Stripe to add some additional features that merchants can turn on in the event of a card testing attack. We’re not in the phase where we can publish that information publicly yet.
Kind Regards
- You must be logged in to reply to this topic.
