You don’t need to stop them, you just need to make the effort not be worth it compared to using a different site. Things like making sure they have a valid session cookie before they hit the payment flow, and, ideally, require them to be logged in too. That way you can block attacking accounts, and they have to go through the effort of registering a new one, which is, hopefully, well gated against automated attacks.
Every single attempt registers a new user account, all with fake info. I have been trying all different things to block them but theres no unique data to identify them. I havent had a completed payment from them in a few weeks but I can still see the attempt being made.
At first, they used valid emails which led to me being banned from gmail because all the order notifications were being reported as spam.
You might want to try something like Anubis on both the signup and order pages. Real users will either not be stopped, or will only hit it once, and no user interaction is required to continue, but bot users will be slowed down enough to, hopefully, disuade them from returning.
Do you have basic security like 1 email is a unique account, and the email needs verification before an order can be placed? Because that simple step will be rate limiting for the attackers but normal and expected for real users.
Also could be worth considering using a dedicated payment processor to handle things. It adds overhead, but so does fraud.
People have already given you options and you repeatedly say “nah, that’s inconvenient”. The inconvenience is the point. You are inconveniencing customers who want to get a thing from you and have a reason to endure it to achieve that goal but you are also inconveniencing the scammers who have no goal at the end so…
Fuck it. Have fun in Santa Fe. Save me a seat and some tequila.
I feel like the card processors should bear this responsibility. I dont have the technical skill to apply most of the suggestions, and I fear damaging my income by doing it wrong.
They should, yes, but they don’t. In fact, they’ll ding you for having too many failed transactions and claim that it’s your responsibility to do something about it.
You don’t need to stop them, you just need to make the effort not be worth it compared to using a different site. Things like making sure they have a valid session cookie before they hit the payment flow, and, ideally, require them to be logged in too. That way you can block attacking accounts, and they have to go through the effort of registering a new one, which is, hopefully, well gated against automated attacks.
Every single attempt registers a new user account, all with fake info. I have been trying all different things to block them but theres no unique data to identify them. I havent had a completed payment from them in a few weeks but I can still see the attempt being made.
At first, they used valid emails which led to me being banned from gmail because all the order notifications were being reported as spam.
Block Russian IP range. Do the logged ips of the malicious tries originate from the same region?
Entirely random as far as I can tell
Make so sign up requires proof of work. Will slow them down.
Become computationally expensive for them at scale
That would scare away real paying customers
You might want to try something like Anubis on both the signup and order pages. Real users will either not be stopped, or will only hit it once, and no user interaction is required to continue, but bot users will be slowed down enough to, hopefully, disuade them from returning.
deleted by creator
Could just hide it behind a progress spinner? But it’ll slow down the account creation.
Do you have basic security like 1 email is a unique account, and the email needs verification before an order can be placed? Because that simple step will be rate limiting for the attackers but normal and expected for real users.
Also could be worth considering using a dedicated payment processor to handle things. It adds overhead, but so does fraud.
I dont want to add barriers for real orders.
I use both Stripe and Paypal to process cards.
You don’t want barriers for scammers because they inconvenience real customers. So you choose to enable the scammers. That is exactly why this works.
Thanks for playing.
I agree. What do you suggest? Just shut it down?
I guess I could move to SantaFe and do something with turquoise.
People have already given you options and you repeatedly say “nah, that’s inconvenient”. The inconvenience is the point. You are inconveniencing customers who want to get a thing from you and have a reason to endure it to achieve that goal but you are also inconveniencing the scammers who have no goal at the end so…
Fuck it. Have fun in Santa Fe. Save me a seat and some tequila.
I feel like the card processors should bear this responsibility. I dont have the technical skill to apply most of the suggestions, and I fear damaging my income by doing it wrong.
They should, yes, but they don’t. In fact, they’ll ding you for having too many failed transactions and claim that it’s your responsibility to do something about it.
You’d think the onus here should be on PayPal and Stripe… Do they have anything to say?
They dont give a flying fuck.
Frustrating. Sorry you’re in this position