How to prevent Card Testing

[Maxwell83]

I have 2 websites both built on Wordpress, using gravity forms with Stripe payment integration.

I have noticed that both site will get hit by a wave of card testers at the same time every day, for about 30 minutes. They rarely even try and submit the payment - most attempts show in Stripe as "Incomplete - The customer has not entered their payment method.". The odd one is attempted and always fails.

This has been going on for months and they use random email addresses from domains I've never heard of, and fake names etc - nothing is used twice so I can't block them based on identifying data.

I spoke to Stripe and they advised implementing reCAPTCHA, so I have "V2 Invisible" now on one of the sites. Nothing on the other. This seems to make no difference as they attempt the same amount on both sites. I did have V3 for a while but that also made no difference.

I don't think they actually want what I am selling - its more of an advice service with digital documents that is specific to the info the customer provides, so it has no resale value to because its no use to anyone but the customer. They are simply testing the cards to see the result.

None of the attempted payments have gone through - but I would like to figure how to stop this without adding too much friction for genuine customers before one does go through and I don't realise.

 

[Maxwell83]

I've just noticed that 99% of these attempts are using the Stripe 'LINK' option - I've turned that off temporarily so will see how that goes.

 

[ctrlbrk]

I have 2 websites both built on Wordpress, using gravity forms with Stripe payment integration.

I have noticed that both site will get hit by a wave of card testers at the same time every day, for about 30 minutes. They rarely even try and submit the payment - most attempts show in Stripe as "Incomplete - The customer has not entered their payment method.". The odd one is attempted and always fails.

This has been going on for months and they use random email addresses from domains I've never heard of, and fake names etc - nothing is used twice so I can't block them based on identifying data.

I spoke to Stripe and they advised implementing reCAPTCHA, so I have "V2 Invisible" now on one of the sites. Nothing on the other. This seems to make no difference as they attempt the same amount on both sites. I did have V3 for a while but that also made no difference.

I don't think they actually want what I am selling - its more of an advice service with digital documents that is specific to the info the customer provides, so it has no resale value to because its no use to anyone but the customer. They are simply testing the cards to see the result.

None of the attempted payments have gone through - but I would like to figure how to stop this without adding too much friction for genuine customers before one does go through and I don't realise.

Yes, I think they're exploiting your website to validate whether the card details they have can be used (presumably elsewhere for fraudulent transactions) or not.

May I ask, how long have you had your site live for, and how long have you had this problem for?

 

[fisicx]

Get rid of the stripe link. You get exactly the same issues with PayPal.

You are far better off dropping gravity forms and replacing with the stripe plugin. Even better, use the API and you will never have a problem.

We did this on our car club site and not had an issue in 5 years of use.

These scammers have bots trawling sites for payment links. Once found they get sold on the dark web.

 

[Maxwell83]

Yes, I think they're exploiting your website to validate whether the card details they have can be used (presumably for fraudulent transactions) or not.

May I ask, how long have you had your site live for, and how long have you had this problem for?

The site has been runing for coming up on 8 years soon. Always with Gravity forms & Stripe. The issue started around 6 months ago - the same time I started accepting Stripe's Link payments! Having turned that off now, I will monitor and see if the issue persists.

 

[Maxwell83]

Get rid of the stripe link. You get exactly the same issues with PayPal.

You are far better off dropping gravity forms and replacing with the stripe plugin. Even better, use the API and you will never have a problem.

We did this on our car club site and not had an issue in 5 years of use.

These scammers have bots trawling sites for payment links. Once found they get sold on the dark web.

Thanks, I've turned off Link - hardly any of my customers have actually used it and I don't expect the lack of it will turn people away; they don't even know the feature is available until they're checking out so they've clearly decided to pay before knowing Link was an option. In other words, I don't think disabling it will hurt conversion rates.