Card Testing

Hi All,

We've just gone through a major issue with Card Testing. This is where hackers use scripts to verify stolen or generated Credit Card numbers through a donation link. We've had more than 10K of these types of charge attempts.

Generally, these donations are at the $1 mark because it flies below most people's radar.

Since there are no docs yet about this by Foundant, I will suggest that you set your minimum donation amount to $10. This will at least stop most of the $1 card testing scripts.

Foundant has some security features in place, but at times they appear not to be working. They are supposed to stop a certain number of charges to the same IP address. I think they said after 5 attempts.

They are also using Google reCAPTCHA on the donation pages, though that did not appear to stop these $1 charges. Hackers are always one step ahead of security.

If you are using Stripe as your payment processor, their Radar system does catch most of these charges and cancels them.

These charges can be damaging to your foundations and should be taken seriously. Foundant seems to be taking card testing seriously, but they currently do not have any documentation about it. I've asked that they add documentation to the site about this.

Keep an eye on your Stripe account.

https://www.cybersource.com/en-us/blog/2020/what-you-need-to-know-about-card-testing-fraud.html
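As an added example (not part of the original post, and not Foundant's or Stripe's code), the script below flags the two signals described in the post when run over a list of charge attempts: a burst of attempts from one IP, and a run of small-amount attempts that mostly decline. The records and every threshold (a $1-$2 "probe", the $10 minimum, more than 5 attempts per IP in 5 minutes) are constructed assumptions for the demonstration; Stripe's and Foundant's real limits are whatever their documentation states.

```python
"""Flag card-testing patterns in a list of charge attempts (added example).

Signals checked per source IP:
  1. velocity  - more than MAX_ATTEMPTS_PER_IP attempts inside a sliding WINDOW
  2. probing   - at least MIN_PROBES small-amount attempts, most of them declined
All thresholds and the sample records below are assumptions, not vendor settings.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_DONATION_CENTS = 1000       # the $10 floor suggested in the post
SMALL_AMOUNT_CENTS = 200        # assumption: <= $2 counts as a "probe" charge
MAX_ATTEMPTS_PER_IP = 5         # post: Foundant reportedly blocks after 5 attempts
WINDOW = timedelta(minutes=5)   # assumption: velocity window
MIN_PROBES = 5                  # assumption: probes needed before flagging
DECLINE_RATIO = 0.5             # assumption: share of probes that must decline

# Constructed sample attempts: (timestamp, source ip, amount in cents, outcome)
_BASE = datetime(2021, 1, 15, 3, 0, 0)
SAMPLE_ATTEMPTS = (
    # a script hammering $1 donations two seconds apart; most numbers decline
    [(_BASE + timedelta(seconds=2 * i), "203.0.113.7", 100,
      "declined" if i < 6 else "succeeded") for i in range(8)]
    # a slower script: one $1 attempt every 20 minutes, almost all declined
    + [(_BASE + timedelta(minutes=20 * i), "203.0.113.9", 100,
        "succeeded" if i == 3 else "declined") for i in range(6)]
    # a real donor retrying a $25 gift after one decline
    + [(_BASE + timedelta(minutes=10 * i), "192.0.2.44", 2500,
        "declined" if i == 0 else "succeeded") for i in range(3)]
    # a single ordinary $50 donation
    + [(_BASE + timedelta(hours=1), "198.51.100.22", 5000, "succeeded")]
)


def below_minimum(amount_cents, minimum=MIN_DONATION_CENTS):
    """True if a donation should be rejected by the minimum-amount rule."""
    return amount_cents < minimum


def flag_ips(attempts, window=WINDOW, max_attempts=MAX_ATTEMPTS_PER_IP,
             small_cents=SMALL_AMOUNT_CENTS, min_probes=MIN_PROBES,
             decline_ratio=DECLINE_RATIO):
    """Return {ip: [reason, ...]} for IPs whose attempts look like card testing."""
    by_ip = defaultdict(list)
    for ts, ip, cents, outcome in attempts:
        by_ip[ip].append((ts, cents, outcome))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()  # chronological; tuples sort by timestamp first
        reasons = []

        # Signal 1: sliding-window velocity. Advance `start` until the window
        # [rows[start], rows[end]] spans no more than `window`.
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            count = end - start + 1
            if count > max_attempts:
                reasons.append(f"velocity: {count} attempts within {window}")
                break

        # Signal 2: many small charges, mostly declined (number-guessing probes)
        small = [r for r in rows if r[1] <= small_cents]
        declined = [r for r in small if r[2] == "declined"]
        if len(small) >= min_probes and len(declined) / len(small) >= decline_ratio:
            reasons.append(
                f"probing: {len(small)} small-amount attempts, {len(declined)} declined")

        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_ips(SAMPLE_ATTEMPTS).items():
        print(ip, "->", "; ".join(reasons))
```

The slow script from 203.0.113.9 never trips a per-IP rate limit, which is why a minimum amount and a decline-ratio check are worth having alongside the WAF-style velocity rule; the retrying $25 donor is left alone by all three.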

Comments

  • BettieStammerjohn

    @hankdrew Thanks for the heads up. I'll be more diligent about checking Stripe.

    Bettie

    Bettie Stammerjohn

    Executive Director

    Community Foundation of Greene County, Pennsylvania

  • GrantElliott

    Hi Hank,

    Thanks for the email and conversations around what you're seeing with Stripe. Below are the security protocols we have in place today on the donation portal. These are in direct alignment with recommendations from Stripe as well, see documentation from Stripe here https://stripe.com/docs/card-testing#mitigations.

    1. We have Google's reCAPTCHA version 3 in place, which Stripe recommends. Information: Most people have seen or used a CAPTCHA tool when purchasing something online. This tool is often implemented by picking pictures or retyping words to prove you are a human; this is version 2 from Google. Google has taken this a step further with a tool called reCAPTCHA version 3. This is an automated tool built to help streamline the end user's experience and detect the activity as a human or a bot.
    2. We have a Web Application Firewall (WAF) in place. WAFs are a security measure that will limit the number of times the same IP address can take an action on a site. For this scenario, we have limited a specific IP address to 100 attempts within 5 minutes, then we block that IP address.
    3. Require Login - Our fund advisor portal requires an end user to log in to an account, which is a big help with bots. With the public online donation portal, we do not currently require the end user (donors) to log in to an account. Though the public donation portal does not require the user to log in, they are required to go through the other security measures outlined here.
    4. A user's data during their shopping cart session is encrypted when sent to/from the browser (Internet Explorer, Google Chrome, Firefox, etc.). This prevents nefarious users from manipulating this data in order to trick the system.
    5. Our Stripe integration follows their security best practices and verifies every incoming Stripe interaction. This ensures incoming requests are from Stripe and not from another outside malicious source.

    Online tools that accept credit cards deal with bot activity constantly. Bots are built to do a few different things depending on why they were created. This can range from testing a list of stolen credit card numbers, to a competitive analysis firm using bots to test competitors' functionality.

    If there are additional questions, please let me know! (grant.elliott@foundant.com)
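Item 5 in the comment above, verifying that an incoming request really came from Stripe, is done with a signed webhook. As an added example (not Foundant's or Stripe's code), the block below implements the check the way Stripe documents it: the `Stripe-Signature` header carries `t=<unix time>,v1=<hex>`, and `v1` is an HMAC-SHA256 over `<t>.<raw request body>` keyed with the endpoint's signing secret. The secret, body and timestamps here are constructed for the demonstration; a real integration should call `stripe.Webhook.construct_event` from the official library rather than reimplementing this.

```python
"""Verify a Stripe-style webhook signature before trusting the event (added example).

Scheme (as documented by Stripe):
    Stripe-Signature: t=<unix timestamp>,v1=<hex hmac>[,v1=<hex hmac>...]
    v1 = HMAC-SHA256(key=endpoint_secret, msg=f"{t}." + raw_body)
The secret, body and timestamp below are constructed test values.
"""
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # reject timestamps older than 5 minutes (replay guard)

# Constructed test fixtures; a real secret starts with "whsec_" and comes from
# the Stripe dashboard, and the body must be the exact bytes received.
SECRET = "whsec_constructed_example_secret"
TS = 1610679600
BODY = json.dumps({
    "id": "evt_constructed_0001",
    "type": "charge.failed",
    "data": {"object": {"amount": 100, "currency": "usd",
                        "outcome": {"type": "issuer_declined"}}},
}, separators=(",", ":")).encode()


def sign_payload(secret: str, payload: bytes, timestamp: int) -> str:
    """Produce a Stripe-Signature header value (what the sender would send)."""
    signed = f"{timestamp}.".encode() + payload
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_signature_header(header: str):
    """Split the header into (timestamp, [v1 signatures]); raises ValueError on junk."""
    timestamp = None
    signatures = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_webhook(secret: str, payload: bytes, header: str,
                   now=None, tolerance: int = TOLERANCE_SECONDS) -> bool:
    """True only if the header is well-formed, fresh, and matches the body."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    if timestamp is None or not signatures:
        return False
    # Freshness: a captured valid request must not be replayable later.
    if abs(now - timestamp) > tolerance:
        return False
    # Recompute over the raw bytes; re-serialised JSON would not match.
    signed = f"{timestamp}.".encode() + payload
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    # Constant-time compare; any matching v1 entry is accepted (key rotation).
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


if __name__ == "__main__":
    header = sign_payload(SECRET, BODY, TS)
    print("genuine :", verify_webhook(SECRET, BODY, header, now=TS + 10))
    print("tampered:", verify_webhook(SECRET, BODY + b" ", header, now=TS + 10))
    print("replayed:", verify_webhook(SECRET, BODY, header, now=TS + 1000))
```

Two details matter in practice: the HMAC must be computed over the request body exactly as received (framework middleware that parses and re-encodes JSON will break it), and the timestamp check is what stops someone who captured one genuine webhook from replaying it indefinitely.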

  • hankdrew
    edited January 2021

    Thanks @GrantElliott. It's been nice working with you on this.