earthgirlllc Posted June 8, 2022

I have thousands of carding attempts in Stripe this week that are originating from the WHMCS webhook, similar to those shown above. While I've been able to mitigate with Stripe fraud protect rules, each attempt still creates a new customer in Stripe, and it's only a matter of time before they find a way around those rules. I'm on WHMCS v8.4.1. Anyone else find a fix?

WHMCS John (WHMCS Support Manager) Posted June 9, 2022

Hi @earthgirlllc,

Due to WHMCS implementing Stripe's Elements integration method, if Stripe declines a payment very early in the workflow, the submission is stopped before an order is logged in WHMCS.

To help mitigate such situations, a combination of WHMCS and Stripe features can be used in conjunction with server-side mitigation:

- Invisible reCAPTCHA to prevent automated submission.
  - This is enabled on the order form under Configuration > System Settings > General Settings > Security tab.
- Use a fraud module in WHMCS to block and cancel payment intents automatically: https://docs.whmcs.com/Fraud_Protection
- Use Radar rules to help rate-limit submissions from a single source: https://stripe.com/docs/card-testing#radar
- Web Application Firewalls (such as Cloudflare) to detect and block multiple submissions and more broadly help mitigate similar rate-based attacks against your website.

The final other option would be to switch to a different payment gateway type, away from this hybrid tokenisation model, to either increase control over the checkout process (merchant) or delegate responsibility away entirely (third-party): https://docs.whmcs.com/Payment_Gateways#Merchant_Gateways

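The rate-based detection of repeated submissions from a single source mentioned in the reply above, sketched over web server access logs. This is an added example, not part of the original thread and not WHMCS or Stripe code; the checkout path is a placeholder, the window and threshold are assumed values, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values, not taken from WHMCS or Stripe documentation.
CHECKOUT_PATH = "/checkout-placeholder"  # placeholder for the order form URL
WINDOW = timedelta(minutes=5)            # sliding window per source
MAX_POSTS = 3                            # submissions tolerated per window

# Common/combined access log format: ip, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_sources(lines, path=CHECKOUT_PATH, window=WINDOW, limit=MAX_POSTS):
    """Return {ip: peak number of checkout POSTs inside one window}
    for every source that exceeded the limit. Lines must be time-ordered."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != path:  # ignore the query string
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop submissions older than the window
            q.popleft()
        if len(q) > limit:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def _line(ip, hhmmss, method="POST", path=CHECKOUT_PATH):
    # Builds one constructed log line (documentation IP ranges only).
    return f'{ip} - - [08/Jun/2022:{hhmmss} +0000] "{method} {path} HTTP/1.1" 200 512'

SAMPLE_LOG = (
    # One source submitting the form every 5 seconds for a minute.
    [_line("203.0.113.7", f"10:00:{s:02d}") for s in range(0, 60, 5)]
    # A normal customer: two submissions 20 minutes apart.
    + [_line("198.51.100.4", "10:00:10"), _line("198.51.100.4", "10:20:00")]
    # Page views (GET) do not count as submissions.
    + [_line("192.0.2.9", f"10:01:{s:02d}", method="GET") for s in range(10)]
)

if __name__ == "__main__":
    for ip, peak in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} checkout POSTs within {WINDOW}")
```

Sources flagged this way are candidates for a WAF block or rate-limit rule; attempts spread across many addresses will not trip a per-source threshold.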
sitesme Posted October 19, 2022

This is happening to us. Our Stripe account just got suspended because we had hundreds of card test transactions. I had Invisible reCaptcha enabled in all sections, except on Checkout pages.

I am not sure how this happens, but surely this shouldn't be possible and it is happening. These card tests are not from any client that we have. There are no clients or invoices attached to these card tests. So, it seems they are injecting the code somehow into Stripe's code.

I hope there is a better solution to avoid Fraud protections or Radar rules.

nabil Posted October 21, 2022

On 10/19/2022 at 9:13 PM, sitesme said:

> This is happening to us. Our Stripe account just got suspended because we had hundreds of card test transactions. I had Invisible reCaptcha enabled in all sections, except on Checkout pages.
>
> I am not sure how this happens, but surely this shouldn't be possible and it is happening. These card tests are not from any client that we have. There are no clients or invoices attached to these card tests. So, it seems they are injecting the code somehow into Stripe's code.
>
> I hope there is a better solution to avoid Fraud protections or Radar rules.

Seeing the same thing. Absolutely nothing in WHMCS to show this injection is working. It's to test whether cards are valid. Needs an urgent solution.