Payments Plugin for Stripe

Stripe payment plugins for your WordPress site


[Resolved] Spammers Posted hundreds ‘card testing’ transactions


This topic has 4 replies, 2 voices, and was last updated 1 year, 6 months ago by Admin.

    September 10, 2021 at 4:28 am #4302
    Dennie
    Participant

    It appears some hackers used my Accept Stripe Payments installation to repeatedly run multiple (hundreds) credit card transactions. It’s a form of attack where the attackers attempt many small transactions using different credit cards in an attempt to identify cards that are valid. (Most transactions failed but some succeeded.) I was still left with dozens of transactions that I had to refund, not to mention risking getting the Stripe account into bad standing.

    I wonder if anyone has encountered this issue and whether there are any changes that the plugin authors can implement to prevent these kinds of attacks.

    Also, do you have any suggestions for what I can implement to prevent these kinds of attacks or at least slow them down?

    Here are some behaviors of the Stripe Payments plugin that the attackers were able to exploit:

    1. Being able to override the product amount.
    The product “purchased” by the attackers was £11.99.
    However, the attackers were able to change the amount to various amounts ranging between £2 and £5.

    The plugin should not allow an amount that is different from the product price.

    2. Being able to run multiple transactions per minute.
    Some kind of captcha implementation, perhaps integration with Google reCAPTCHA, can mitigate this.

    3. No way to quickly disable or hide the product.
    Once we discovered an attack was under way, there was no easy and quick way to disable or hide the product under attack.
    We made the product private but this did not make the product purchase url private.
    Our only options were either:
      • Delete the product
      • Disable the plugin entirely.
    We also added an .htaccess password on the “/asp-payment-box/” URL, but this may not have been sufficient by itself.

    4. Oddly, no orders were created for the few transactions that were successful.

    Thanks

    September 10, 2021 at 11:09 am #4303
    Admin
    Keymaster

    You need to enable the following captcha feature ASAP. That will stop those spam bots:

    Stripe Payments reCAPTCHA Feature

    It’s actually a recommended setup when you set up the plugin at first. However, some users dismiss that message. So please enable that feature and let us know how it goes after that.

    September 10, 2021 at 8:02 pm #4304
    Dennie
    Participant

    Doh! I completely missed that setting. Thanks for pointing it out – have enabled it now.

    I have also enabled Zip code validation as an extra check.

    Do you have any insight into how they managed to change the product price for the transaction? Is there anything I can do to prevent it, or is this something that needs a change to the plugin?

    (FYI “Security Token Check” is enabled – i.e. “disable” checkbox is unchecked)

    September 10, 2021 at 8:03 pm #4305
    Dennie
    Participant

    Also, do you have any comments on points 3 & 4?

    September 11, 2021 at 12:26 am #4306
    Admin
    Keymaster

    There are various different things the spammers try, so I won’t be able to tell you exactly what happened in your scenario without looking at all the incoming server request data. The captcha will stop all of those anyway and solve the issue.

    There is an additional price verification that is done by our plugin after a successful API response. The post payment processing script will look at the webhook data sent by Stripe and match the price value with the data saved in the database for that product. If that validation fails, it won’t add to the orders menu (since it is not a valid transaction).

    There is a lot more technical stuff that happens underneath. If you are interested, use the contact form to email us and I will give you more info.
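The two checks discussed in this thread, the post-payment price verification against the stored product record (Admin's last post) and detection of the card-testing burst pattern (the original report), shown as an added Python example. This is not the plugin's own code (the plugin is PHP); product ids, prices, fingerprints and webhook events are all constructed, and the event shape only mirrors the fields a `payment_intent.succeeded` webhook would carry.

```python
"""Added example, not the plugin's own code: server-side amount verification of a
Stripe-style webhook event against the stored product price, plus a burst detector
for the card-testing pattern described in this thread. All ids, prices and events
below are constructed."""

# Constructed catalogue: the authoritative price lives server-side, in minor units.
CATALOGUE = {"prod_hyp_001": {"amount": 1199, "currency": "gbp"}}  # £11.99

def order_is_valid(event: dict, catalogue: dict = CATALOGUE) -> bool:
    """Record an order only if the amount actually charged and the currency match
    the stored product record; anything the client submitted is not trusted."""
    if event.get("type") != "payment_intent.succeeded":
        return False
    intent = event["data"]["object"]
    product = catalogue.get(intent.get("metadata", {}).get("product_id"))
    if product is None:
        return False
    return (intent.get("amount_received") == product["amount"]
            and intent.get("currency") == product["currency"])

def card_testing_suspected(attempts, window_s=300, min_attempts=20, min_cards=10):
    """Flag a window in which many charge attempts used many distinct card
    fingerprints: the 'hundreds of small charges from different cards' pattern."""
    attempts = sorted(attempts, key=lambda a: a["created"])
    for i, first in enumerate(attempts):
        burst = [a for a in attempts[i:] if a["created"] - first["created"] <= window_s]
        cards = {a["fingerprint"] for a in burst}
        if len(burst) >= min_attempts and len(cards) >= min_cards:
            return True
    return False

def _intent_event(amount, currency="gbp", product_id="prod_hyp_001"):
    """Build a minimal constructed payment_intent.succeeded event."""
    return {"type": "payment_intent.succeeded",
            "data": {"object": {"amount_received": amount, "currency": currency,
                                "metadata": {"product_id": product_id}}}}

GOOD_EVENT = _intent_event(1199)      # genuine £11.99 purchase
TAMPERED_EVENT = _intent_event(300)   # client tried to charge £3.00 instead

BASE = 1_631_246_880  # constructed unix timestamp
# 30 attempts, 30 distinct cards, 4 s apart, mostly declined: a card-testing burst.
BURST = [{"created": BASE + 4 * i, "fingerprint": f"fp_hyp_{i:03d}",
          "outcome": "declined" if i % 5 else "succeeded"} for i in range(30)]
# 5 genuine-looking purchases spread an hour apart.
NORMAL = [{"created": BASE + 3600 * i, "fingerprint": f"fp_hyp_{i:03d}",
           "outcome": "succeeded"} for i in range(5)]
```

In a real deployment the webhook signature must be verified before any of this runs, and the same amount check belongs at checkout creation so a tampered client amount never reaches Stripe.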

Copyright © 2023 | Stripe Plugins | A member of the Tips and Tricks HQ family.