Fake accounts & Credit Card testing.

[bhtoys]

I've had enough. In 24 hours I've had 29 fake customer accounts created strictly for the use of CreditCard testing. 
It doesn't matter what I do, these are constantly attacking my site and hammering it to the point that my merchant account has been cancelled TWICE in the last year due to it happening so much. Over 20,000 worth of transactions have been attempted in the last 24 hours, and of that, 18 credit cards have been verified and I've had to refund them. 

There must be SOME way to stop these fake accounts from being approved. I'm using the bad bot module - but it's just warning me of the behavior after the fact. 

Is there any type of mod, or such that will help. 

I have the google RECAPTCHA installed - that's clearly doing shit. 
I've honestly never had this issue with any other cart I've used until this one - which means nothing, but I've clearly been put on a list of verified sites to use to test cards on. 

And let me say, that while some people my be saying "big deal", just refund the ones that get through. 
It's the massive amount of fake emails that get bounced back to me that's also pissing me off. I just want this insanity to just end. 

They're generally always using a VPN - hidemyass seems to be their fav choice.

[datakick]

This is fight against windmills.

Whatever security measure you implement will be overcome.

Card testers are using your store for one and only reason: you support on-site credit card payment.

The fix is simple -- STOP THIS NONSENSE, and use off-site payment processor. Stripe, paypal, or any other payment gateway available). If you redirect your customers to external payment gateway, it will be responsibility of the payment gateway to prevent attacks. And they can do that, they have resources, smart developers that are constantly enhancing security measures, auto-fraud detection, shared and updated IP blacklists, and whatnot. Since attackers are not able to break their defense, they are targeting small sites like yours. 

Also, having on-site credit card payment form is very dangerous. Your checkout page is sending plain card details to your server php script:

So, obviously, your store have to be PCI compliant, which is a huge burden.

But it also makes your store primary target for hackers -- if they take control of your store, they can steal credit card data. And you would be responsible for any damages.

I would be scared out of my mind if I had credit card form on my site.

Please, pretty please, use third party payment processor. It's 2022, nobody is expecting credit card form to be part of the checkout form. In fact, this is a huge red flag for a lot of people -- I personally would never complete transaction on your site because of this. I don't trust your store with my card information

 

[bhtoys]

I used to use an offsite payment option with my merchant account. There was too many errors happening with ThirtyBees. Payment processing but not returning back to the site - so I had no clue someone placed an order.

You can’t tell me there’s not an option at signup for ThirtyBees that can verify a user. If a bot is signing up for my site, then attempting 100 CCs within 60 seconds, it’s clearly a bot or a program. 
 

Would the possibility of them entering the correct email twice not be a deterrent?

 

Paypal is a no go. They act like they’re a regulated bank, and they’re not. They hold funds for no reason, side with customers with the most minor of disputes. 

Edited June 21, 2022 by bhtoys

[datakick]

6 minutes ago, bhtoys said:

I used to use an offsite payment option with my merchant account. There was too many errors happening with ThirtyBees. Payment processing but not returning back to the site - so I had no clue someone placed an order.

Maybe it would be a good idea to investigate / fix those integration issues first

6 minutes ago, bhtoys said:

You can’t tell me there’s not an option at signup for ThirtyBees that can verify a user. If a bot is signing up for my site, then attempting 100 CCs within 60 seconds, it’s clearly a bot or a program. 
 

Would the possibility of them entering the correct email twice not be a deterrent?

Of course. But whatever security measure you implement they can, and will, overcome.

Merchant: Lets implement request rate limiting per IP address

Hacker: nice try. We can use TOR network to send every request from different IP address

Merchant: Let's implement request limiting per customer id

Hacker: bummer. Never mind, let's create new account for every credit card test. It will only take two seconds more per test 

Merchant: Let's add another input into form, for example email the second time. Normal customers will be confused, but it will surely stop those bots

Hacker: Hey, Jose, they changed the form again. How long will it take to re-record the script? Nah, it's just another email address... Two minutes? Great, whenever you have time

Merchant: Captcha, Captcha, Captcha, ReCaptcha and TriCaptcha

Hacker: Image recognition, machine learning, AI,... or simply outsource to India for $5/day -- human can solve 1000's of captchas per day

Merchant: I don't know...

Hacker: muhehe

Off-site payment processors for the rescue. Let smart guys from stripe bring the heavy guns into this fight. 

6 minutes ago, bhtoys said:

Paypal is a no go. They act like they’re a regulated bank, and they’re not. They hold funds for no reason, side with customers with the most minor of disputes. 

There are lot of payment gateways. I agree that paypal is not the best out there.

[haylau]

5 hours ago, bhtoys said:

but I've clearly been put on a list of verified sites to use to test cards on. 

That is likely, and also means using the same domain name / IP address with a different cart software will probably not help.

I agree with datakick, use offsite payment systems. We used stripe and paypal and never had this issue once in 10 year. Also, PCI compliance is a nightmare

[the.rampage.rado]

On 10/5/2022 at 4:42 PM, salvinofeelings said:

Hello! If you want to get rid of these credit card testers by yourself, you will need to spend a lot of money, and I believe you will need to have your security department ban people with mac addresses.

How would you ban by mac address from your shop? 😄