Navigating the e-commerce landscape is challenging, especially when faced with the rising tide of online fraud. Recently, WooCommerce store owners, including us, have reported a significant increase in fraudulent payment attempts.
In these scenarios, fraudsters engage in ‘credit card testing’: stolen credit card details are used to make small purchases on smaller online businesses to confirm that the cards still work. If a charge succeeds, the same details are then used for larger fraudulent purchases on major platforms.
Had to refund and cancel 240 customers called Jake Smith from Philippines with $7,000 in card testing payments
No idea why Stripe doesn’t catch these
They even passed my Cloudflare CAPTCHA?!
Had to block 🇵🇭 PH payments now sorry https://t.co/zK05Q1kvEP
— @levelsio (@levelsio) June 5, 2023
https://twitter.com/levelsio/status/1665625055777398784
One striking characteristic of these attacks was the consistent use of the pseudonym “Jake Smith”. The fraudster disguised their location using VPNs, making it appear as if the transactions were being processed from different countries. The bulk of the fraudulent activities, however, were traced back to the Philippines.
A few entrepreneur friends seem to also be having this problem so I'm sharing this:
For the past few weeks, we've been targeted with a credit card testing fraud attack on Stripe.
Literally thousands of blocked charges, hundreds in fraudulent payments, ~$2M in blocked charges pic.twitter.com/7ns6RbmTZC
— rameerez (@rameerez) June 5, 2023
With this daunting reality in mind, we’ve outlined a series of strategies you can employ to safeguard your WooCommerce store.
1. Limit Failed Order Attempts:
An effective way to deter fraudsters is by restricting the number of failed orders a user can attempt within a specific period. For example, users with more than five failed orders in the past hour can be prevented from proceeding with the checkout. The snippet below applies this rule to logged-in customers (it skips guest checkouts, which it cannot attribute to a user account):
/**
 * Validate checkout to restrict users with more than 5 failed orders in the past hour.
 *
 * This function checks for the failed orders of the current user in the past hour. If
 * there are more than 5 failed orders, it will display an error message and won't allow
 * the user to proceed with the checkout.
 *
 * @param array $posted Checkout posted data.
 */
function check_failed_orders( $posted ) {
	// Get the user ID from the current user.
	$user_id = get_current_user_id();

	// If the user isn't logged in, we can't check failed orders so we'll allow it.
	// Note: guest checkouts are therefore not limited by this snippet.
	if ( ! $user_id ) {
		return;
	}

	// Arguments to get the failed orders in the past hour. wc_get_orders() filters on
	// creation time with the 'date_created' argument and a comparison operator against a
	// Unix timestamp; this avoids the server/site timezone mismatch of a formatted date()
	// string and works with both the legacy posts store and HPOS ('date_query' is a
	// WP_Query argument, not a documented order query var).
	$args = array(
		'status'       => 'failed',
		'date_created' => '>' . ( time() - HOUR_IN_SECONDS ),
		'return'       => 'ids',     // Only return the order IDs.
		'customer_id'  => $user_id,  // Get orders from this user only.
		'limit'        => 6,         // We only need to know whether there are more than 5.
	);

	// Get the orders.
	$orders = wc_get_orders( $args );

	// If the user has more than 5 failed orders in the past hour.
	if ( count( $orders ) > 5 ) {
		wc_add_notice( __( 'You have too many failed order attempts. Please contact the customer support or try again later.' ), 'error' );
	}
}
add_action( 'woocommerce_after_checkout_validation', 'check_failed_orders' );
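As an added illustration (not code from the original post), here is the same rule replayed offline in Python over constructed order records: it counts failed attempts in a sliding one-hour window and, unlike the PHP snippet, also keys on billing email and client IP so that guest checkouts are covered. The record format, field names and sample values are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # same one-hour window as the WooCommerce snippet
MAX_FAILED = 5               # block once more than this many failures fall in the window

class FailedOrderLimiter:
    """Sliding-window count of failed checkout attempts per identity key."""
    def __init__(self, window=WINDOW, max_failed=MAX_FAILED):
        self.window, self.max_failed = window, max_failed
        self._failures = defaultdict(deque)  # key -> timestamps of failed attempts

    def record_failure(self, key, when):
        self._failures[key].append(when)

    def is_blocked(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        return len(q) > self.max_failed

def checkout_keys(order):
    """Keys to count failures against: billing email and client IP cover guest checkouts
    (an IP key can also hit shoppers behind a shared NAT); customer id when logged in."""
    keys = [("email", order["billing_email"].lower()), ("ip", order["ip"])]
    if order.get("customer_id"):
        keys.append(("customer", order["customer_id"]))
    return keys

def evaluate(orders, limiter=None):
    """Replay order records in time order; return [(order_id, 'allow' | 'block'), ...]."""
    limiter = limiter or FailedOrderLimiter()
    decisions = []
    for o in orders:
        keys = checkout_keys(o)
        if any(limiter.is_blocked(k, o["created"]) for k in keys):
            decisions.append((o["id"], "block"))
            continue  # a blocked attempt never reaches the gateway, so nothing to record
        decisions.append((o["id"], "allow"))
        if o["status"] == "failed":
            for k in keys:
                limiter.record_failure(k, o["created"])
    return decisions

# Constructed sample: nine failed guest checkouts from one IP, each with a fresh email;
# the first eight arrive three minutes apart, the ninth two hours after the first.
T0 = datetime(2023, 6, 5, 10, 0)
SAMPLE_ORDERS = [{"id": i, "customer_id": 0, "billing_email": f"jake{i}@example.com",
                  "ip": "203.0.113.7", "status": "failed",
                  "created": T0 + timedelta(minutes=3 * i if i < 9 else 120)} for i in range(1, 10)]
```

Replaying the sample allows the first six attempts, blocks the seventh and eighth on the shared IP even though every email is new, and allows the ninth once the hour has elapsed.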
2. Implement Cloudflare Firewall:
A web application firewall such as Cloudflare's is a significant defense mechanism for securing your store against fraudulent attempts. By creating firewall and rate-limiting rules based on the traits of incoming traffic, you can block suspicious activity, such as numerous rapid checkout attempts from the same IP address or abnormally large order amounts.
3. Utilize Stripe Radar:
Stripe Radar is a machine learning-based tool that identifies and blocks potential fraudulent transactions. With its capacity to analyze hundreds of signals about each transaction, it can be a strong line of defense against fraudulent activity.
4. Activate 3D Secure:
3D Secure adds an extra layer of security to credit card transactions. This protocol requires additional authentication for each transaction, adding a hurdle for potential fraudsters. However, it’s important to note that a 3D Secure challenge is not always triggered, especially for smaller transactions, which lets fraudsters test credit card numbers without being challenged. As such, it’s crucial to maintain vigilance and monitor transaction activity closely, even for small purchases.
The fraudsters’ approach in these recent attacks is crafty, as they deliberately keep transactions small enough to fly under the radar of security measures like 3D Secure. Therefore, it’s critical to consider this when setting up security measures and rules for your online store.
At the end of the day, while platforms like Stripe continually work to counteract fraudulent activities, we, as business owners, must stay alert and take the necessary actions. By implementing these strategies, we can offer a safer, more secure shopping experience for our customers and protect our businesses from fraudulent activities.