It’s about time we start seriously thinking about how to escape Visa and Mastercard anyway.
not so fast, many people genuinely think wechat and alipay would be an improvement
Someone has been using my website for stolen card testing and I cant stop it.
You don’t need to stop them, you just need to make the effort not be worth it compared to using a different site. Things like making sure they have a valid session cookie before they hit the payment flow, and, ideally, require them to be logged in too. That way you can block attacking accounts, and they have to go through the effort of registering a new one, which is, hopefully, well gated against automated attacks.
Every single attempt registers a new user account, all with fake info. I have been trying all different things to block them but theres no unique data to identify them. I havent had a completed payment from them in a few weeks but I can still see the attempt being made.
At first, they used valid emails which led to me being banned from gmail because all the order notifications were being reported as spam.
Block Russian IP range. Do the logged ips of the malicious tries originate from the same region?
Entirely random as far as I can tell
Make so sign up requires proof of work. Will slow them down.
Become computationally expensive for them at scale
That would scare away real paying customers
You might want to try something like Anubis on both the signup and order pages. Real users will either not be stopped, or will only hit it once, and no user interaction is required to continue, but bot users will be slowed down enough to, hopefully, disuade them from returning.
deleted by creator
Could just hide it behind a progress spinner? But it’ll slow down the account creation.
Do you have basic security like 1 email is a unique account, and the email needs verification before an order can be placed? Because that simple step will be rate limiting for the attackers but normal and expected for real users.
Also could be worth considering using a dedicated payment processor to handle things. It adds overhead, but so does fraud.
I dont want to add barriers for real orders.
I use both Stripe and Paypal to process cards.
You don’t want barriers for scammers because they inconvenience real customers. So you choose to enable the scammers. That is exactly why this works.
Thanks for playing.
I agree. What do you suggest? Just shut it down?
I guess I could move to SantaFe and do something with turquoise.
People have already given you options and you repeatedly say “nah, that’s inconvenient”. The inconvenience is the point. You are inconveniencing customers who want to get a thing from you and have a reason to endure it to achieve that goal but you are also inconveniencing the scammers who have no goal at the end so…
Fuck it. Have fun in Santa Fe. Save me a seat and some tequila.
You’d think the onus here should be on PayPal and Stripe… Do they have anything to say?
They dont give a flying fuck.
Frustrating. Sorry you’re in this position
Way back when AOL was on floppies there was software called AOHELL that would generate fake name, address, and fake CC just to sign up for AOL free 40 hours.
I’m sure credit cards were always a problem. I think the first 4 or 8 numbers of the card are the issuing bank and location. Something like that. So it’s super predictable.
AOHELL
Oh man, you just unlocked a core memory… Remember “punterz”? Lol good times.
I learned from a friend how to dial in with some terminal to create an account like that manually. There were some magic numbers/strings involved, but I can’t remember details. I just remember the com port had to be set to 7n1, not 8n1 like for all other stuff I did
