It’s about time we start seriously thinking about how to escape Visa and Mastercard anyway.
not so fast, many people genuinely think wechat and alipay would be an improvement
Way back when AOL was on floppies there was software called AOHELL that would generate fake name, address, and fake CC just to sign up for AOL free 40 hours.
I’m sure credit cards were always a problem. I think the first 4 or 8 numbers of the card are the issuing bank and location. Something like that. So it’s super predictable.
Someone has been using my website for stolen card testing and I cant stop it.
You don’t need to stop them, you just need to make the effort not be worth it compared to using a different site. Things like making sure they have a valid session cookie before they hit the payment flow, and, ideally, require them to be logged in too. That way you can block attacking accounts, and they have to go through the effort of registering a new one, which is, hopefully, well gated against automated attacks.
Every single attempt registers a new user account, all with fake info. I have been trying all different things to block them but theres no unique data to identify them. I havent had a completed payment from them in a few weeks but I can still see the attempt being made.
At first, they used valid emails which led to me being banned from gmail because all the order notifications were being reported as spam.
Make so sign up requires proof of work. Will slow them down.
Become computationally expensive for them at scale
That would scare away real paying customers
You might want to try something like Anubis on both the signup and order pages. Real users will either not be stopped, or will only hit it once, and no user interaction is required to continue, but bot users will be slowed down enough to, hopefully, disuade them from returning.
Could just hide it behind a progress spinner? But it’ll slow down the account creation.
Do you have basic security like 1 email is a unique account, and the email needs verification before an order can be placed? Because that simple step will be rate limiting for the attackers but normal and expected for real users.
Also could be worth considering using a dedicated payment processor to handle things. It adds overhead, but so does fraud.
I dont want to add barriers for real orders.
I use both Stripe and Paypal to process cards.
You’d think the onus here should be on PayPal and Stripe… Do they have anything to say?
They dont give a flying fuck.
Frustrating. Sorry you’re in this position
You don’t want barriers for scammers because they inconvenience real customers. So you choose to enable the scammers. That is exactly why this works.
Thanks for playing.
I agree. What do you suggest? Just shut it down?
I guess I could move to SantaFe and do something with turquoise.
People have already given you options and you repeatedly say “nah, that’s inconvenient”. The inconvenience is the point. You are inconveniencing customers who want to get a thing from you and have a reason to endure it to achieve that goal but you are also inconveniencing the scammers who have no goal at the end so…
Fuck it. Have fun in Santa Fe. Save me a seat and some tequila.
