Ask HN: How do I stop card testing attacks on my Stripe account?
For the past several months I have been getting hit with several card testing attacks. I sell a product with a subscription (which is processed via Stripe). The problem is that everytime this occurs I have to manually go into my account and determine if it is a card testing attack and then if it is then I have to refund and block the payment. Not a big deal if it happens once or twice but has been happening very frequently on my account. I've tried everything I can on my end but it's very limited what I can do since they don't even go through my website (I use Stripe Checkout, which they say is excellent protection against card attacks - which seems untrue to me). They simply get my public key (which I've rotated) and create their own checkout session. I've reached out to Stripe SEVERAL times and it is really annoying that they are unable to stop it.
What can I do, short of switching to PayPal or another provider?
Thanks!
45 comments
[ 2.3 ms ] story [ 101 ms ] threadAs little as I know about check outs, (I know nothing,) I'm unsure why a public key would be used to pipe the request to Stripe? Surely any request to a third party needs an additional security measure apart from being merely being logged into the site.
https://stripe.com/en-au/newsroom/news/card-testing-surge
https://stripe.com/docs/disputes/prevention/card-testing#pre...
There must be an option to allow stripe script only in specific domains and sub domains. All other domains should be blocked.
seems odd that this is your problem. seems like something stripe should be on the hook for.
Transaction succeeds? Cards valid.
Kind of doubtful that all you need to test cards is a public key scraped off any site that's implemented Stripe.
It's almost as is Stripe doesn't want to stop the attacks because they're making so much from fees
I always thought about automating this (or for lost delivery claims with shipping companies) but the numbers never worked out for it to be worth it because the success rate seemed like it would be so low.
1 Win
2 Partial Wins (basically a loss with how much you get back)
3 Losses
All these payments were fraudulent (a user doing credit card testing) and disputed by foreign banks (Thailand, Malaysia, Brazil). I think these cases are much harder to win, because the actual card holder is technically in the right to request the money back on their stolen card for a transaction they didn't do.
Much better than my previous results of just accepting each dispute though :)
One of the issues for us was that while the chargeback processing fee was ~£20, the order values were only ~£100-300, so even in the worst case of ~£320 lost, multiplied by roughly 1 in 10 non-fraud mistaken chargebacks, and 50% win rate, the value is only £16. At that amount it would take a lot to recoup the development costs. These are all very rough numbers, but illustrative I think.
Formal 1 page letter with company logo - "Dear Sir/Madam.. writing about $9.99 dispute for card XXXX on X date for user [NAME]" (all this is pulled from the Stripe API).
I then have 5 appendixes on separate pages:
Appendix 1: Users' receipt (just a pic of the Stripe receipt)
Appendix 2: User's order history (just printed, name of items, price, and timestamp)
Appendix 3: Screenshot of the user's purchases page clearly showing the item
Appendix 4: Email confirmations - I store copies of each HTML email sent, so just take a picture of this.
Appendix 5: Site activity with IP addresses and timestamps. This is all user actions on my site (viewing items, purchasing, etc.)
I created it because I had 20 disputes piling up, and I was dreading processing them all. Given that you're likely to lose the majority of disputes, it's super discouraging to put in the work, but this makes it a bit easier (I don't want to let fraudsters just get away with it!).
pass a nonce or something that you can check for before creating the redirect to make sure it's being generated from your own site.
You might be able to just block traffic from those regions if it does not impact your business and customer base.
Not the best or cleanest solution, but when Stripe fails to handle fraud for you, you've got to get creative and hit the problem from all angles.
If you could, shoot me an email and we can dig in? I'm at wmegson [at] stripe.com (will DM you as well).