If you've noticed that your checkout is being used to test cards, possibly by automation (bots/scripts), it can be hard to stop or prevent this from occurring. The most simplistic attacks can be mitigated by the following methods:
- Enabling a reCaptcha solution (Magento 2.4 checkout captcha, or per payment method if supported).
- Utilizing an IP filter in your payment gateway and/or Web Application Firewall (WAF).
- Ensuring or adding session error checks to the payment method (all ParadoxLabs payment extensions do this by default).
These can work on some simple attacks, but it is possible for a more advanced attack to:
- Bypass reCaptcha checks (such as auto-solving solutions or abusing auto-validation).
- Change their IP address with every request.
- Using a new session with every attempt.
If these solutions can be bypassed, what solutions can be enacted to mitigate these carding attacks? The problem here stems from cost, as the best solutions may start around $1k/month. Below are two possible solutions you can investigate based on your specific situation.
Bot Protection Services
There are services made specifically to detect and deal with carding attacks. Two major brands are:
Both offer direct integration with CloudFlare, Fastly, and AWS services. CloudFlare and Fastly also have bot management or WAF solutions available for added cost.
Fraud Protection Suites
Fraud protection options will vary based on your payment method. Most payment gateways offer a slew of fraud filters or additional services, either included in the service or available at an additional cost (sometimes offered in different tiers). This may or may not protect you against carding attacks.
You should be able to reach out to your respective payment gateway for information and assistance with these features.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article