Hello there! Our website has fallen victim to a card testing attack during the past few days and Stripe has recommended that we apply certain security layers to mitigate the issue. Some of the suggestions were to add reCAPTCHA to the checkout payments as well as rate limits, like the number of cards used by the same IP, the number of users created by the same IP, and some others. However, I see that your current plugin lacks support for these security suggestions. Is there anything you guys could do about it? Or could you help me keep using the plugin and apply these security layers? Thank you in advance.
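The per-IP rate limits mentioned in the post above (attempts per IP, distinct cards per IP, account signups per IP) can be expressed as sliding-window counters. The following is an added example written for this thread; it is not code from the plugin, from Stripe, or from any poster. It assumes the card is identified only by an opaque fingerprint (such as the one Stripe exposes on a PaymentMethod), never by the card number, and it replays constructed events rather than real traffic. The IP addresses, fingerprints and limits are made up for illustration.

```python
"""Per-IP sliding-window limits against card-testing bursts (added example)."""
import time
from collections import defaultdict, deque


class CardTestingLimiter:
    """Three independent per-IP limits inside one time window:
    payment attempts, distinct card fingerprints, and account signups.

    Card identity is an opaque fingerprint supplied by the caller (assumed to
    come from the payment processor); raw card numbers never reach this code.
    """

    def __init__(self, window_seconds=600, max_attempts=6,
                 max_distinct_cards=3, max_signups=3):
        self.window = window_seconds
        self.max_attempts = max_attempts
        self.max_distinct_cards = max_distinct_cards
        self.max_signups = max_signups
        # ip -> deque of (timestamp, fingerprint); signups use fingerprint None
        self._attempts = defaultdict(deque)
        self._signups = defaultdict(deque)

    def _prune(self, dq, now):
        """Drop events that fell out of the window (deque is time-ordered)."""
        cutoff = now - self.window
        while dq and dq[0][0] <= cutoff:
            dq.popleft()

    def check_payment(self, ip, card_fingerprint, now=None):
        """Return (allowed, reason) for a payment attempt from `ip`."""
        now = time.time() if now is None else now
        dq = self._attempts[ip]
        self._prune(dq, now)
        distinct = {fp for _, fp in dq}
        allowed, reason = True, "ok"
        if len(dq) >= self.max_attempts:
            allowed, reason = False, "too many payment attempts from this IP"
        elif (card_fingerprint not in distinct
              and len(distinct) >= self.max_distinct_cards):
            allowed, reason = False, "too many distinct cards from this IP"
        # Blocked attempts are recorded too, so a persistent attacker keeps the
        # window full instead of sliding back under the limit.
        dq.append((now, card_fingerprint))
        return allowed, reason

    def check_signup(self, ip, now=None):
        """Return True if an account creation from `ip` is within the limit."""
        now = time.time() if now is None else now
        dq = self._signups[ip]
        self._prune(dq, now)
        allowed = len(dq) < self.max_signups
        dq.append((now, None))
        return allowed


def run_demo():
    """Replay constructed events (not real traffic) and return outcome counts."""
    limiter = CardTestingLimiter(window_seconds=600, max_attempts=6,
                                 max_distinct_cards=3, max_signups=3)
    attacker, customer = "203.0.113.9", "198.51.100.7"  # documentation ranges
    base = 1_000.0
    results = defaultdict(int)

    # Card tester: ten different fingerprints from one IP within 45 seconds.
    for i in range(10):
        ok, _reason = limiter.check_payment(attacker, f"fp_{i}", now=base + 5 * i)
        results["attacker_allowed" if ok else "attacker_blocked"] += 1

    # Genuine customer retrying the *same* card after a decline is not penalised.
    for t in (base + 1, base + 30):
        ok, _ = limiter.check_payment(customer, "fp_customer", now=t)
        results["customer_allowed" if ok else "customer_blocked"] += 1

    # Once the window has expired, the attacker's IP is no longer limited.
    ok, _ = limiter.check_payment(attacker, "fp_later", now=base + 700)
    results["attacker_allowed" if ok else "attacker_blocked"] += 1

    # Account creation from one IP: the fourth signup in the window is refused.
    for i in range(4):
        ok = limiter.check_signup(attacker, now=base + i)
        results["signups_allowed" if ok else "signups_blocked"] += 1
    return dict(results)


if __name__ == "__main__":
    print(run_demo())
```

Two caveats for anyone wiring this into a store: the counters must be keyed on the real client address (behind a CDN or reverse proxy, take the forwarded address only from a proxy you control, otherwise the attacker chooses the key), and a card tester with a large pool of IPs will stay under any per-IP limit, which is why these counters complement rather than replace a CAPTCHA on the checkout and Radar rules on the Stripe side.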
I see that your current plugin lacks support for these security suggestions.
reCAPTCHA is functionality that you can add to your WooCommerce store using a 3rd party plugin. There are several good options available if you perform a search. It doesn’t make sense for us to cram a bunch of functionality into our plugin that can be added using trusted plugins that already exist.
Our plugin implements Payment Elements already, which Stripe has rated as excellent in terms of preventing carding attacks.
You can also enable settings like requiring a customer account instead of guest checkout.
Thank you for your kind words and the huge clarification towards my ignorance. My question is that there are some similar plugins for Stripe that seem to have the feature/compatibility added. I’m looking for customers to have the reCAPTCHA challenge when choosing the Credit or debit card method; would you be so kind as to point me in the right direction?
https://s-plugins.com – Available in the WordPress “Add New” section by the author “Tips and Tricks”. It works a bit differently from your plugin, but the feature is somehow added.
Also, I’d like to point out that the main reason for my request is that a Stripe agent literally asked us for it. We approached them asking why Stripe Radar was letting these card testing attacks succeed and, after chatting with them, they replied to us with the following email:
There are also free options if you use the ww.wp.xz.cn plugin search.
The reason we don’t include a reCAPTCHA integration within the plugin is as follows:
If our Stripe plugin provides reCAPTCHA for its payment methods, then if a customer is using something like PayPal or Square which we didn’t develop, they will have to install another reCAPTCHA solution. Now you have two plugins doing the same thing. It’s better to use a universal reCAPTCHA solution like the one we linked to. That way all payment methods benefit from having it enabled.
Hello again @mrclayton – I’ve come with some recent updates. I’ve been in constant dialogue with Stripe Support working on mitigating the card testing attacks we have received so far. Apparently, they’re still concerned that there may be something you guys should do about it too (not me, I trust the plugin), but since Stripe says it, I guess it’s worth taking a look at it?
This is the e-mail I received a few moments ago:
Apart from this, one of the things we’re experiencing right now is that there are some fraudulent payments still going through with “0” risk according to Stripe Radar and not sure why that may be. Hope you can help us out!
I’d recommend checking if these payments are being processed using a saved payment method or a new payment method via a guest checkout. Make sure you also have the reCAPTCHA enabled on your Add Payment Method page to prevent an attacker from adding a payment method that way then using it.
It’s very possible that these attackers are in possession of legitimate credit cards including their identifying info like address and CVC. If that’s the case, the attacker processing a payment is no different from a legitimate card holder processing the payment. The purpose of the Stripe plugin is to keep customer data secure and to communicate the payment info to Stripe so Stripe can make a determination on the legitimacy of a payment attempt. If Stripe says “The payment is OK” then the plugin is going to process it.
Kind Regards,
The topic ‘Card Testing Security Breach’ is closed to new replies.