WooCommerce Store Owners Combat Fraudulent Stripe Charges

For the past few weeks, members of the Advanced WordPress Facebook (AWP) group have been discussing methods of combatting Stripe Card Testing fraud. WordPress developer Jon Brown opened the topic after seeing fraudulent charges on five different websites, including four using WooCommerce and one using the Leaky Paywall platform.

“All five were on Cloudflare with bot fight mode on when it first happened,” Brown said. “I’ve added CAPTCHA to all 5, I’ve enabled CloudFlare’s ‘Under Attack’ mode on the cart/checkout page.”

The WooCommerce sites didn’t have a reoccurrence but the Leaky Paywall site did. Brown said the client didn’t notice it, as he had Stripe emails going to his spam folder.

“It went on for two weeks until the load spike took the site offline and I noticed it,” he said. “About 1,200 successful transactions for $2.99, with 100,000 blocked.”

Brown said he doesn’t understand why Stripe doesn’t recognize and block the fraudulent charges since they all follow a similar pattern using a randomized Gmail address. His client had to dispute approximately 100 of these transactions.

“Each dispute costs $15 to resolve,” Brown said. “Each non-disputed refund costs $0.40 since Stripe (like PayPal now) keeps the fee.

“So 100 * $15 + 1100 * $0.40 = $1940 in lost revenue to fees and that’s obviously AFTER also refunding the $2.99 per fraudulent transaction. That means $3,600 in fraud ($2.99 * 1200) just resulted in a net loss of $1940 – that’s insane.”

Many other developers in the conversation have been hit with similar attacks, some with honeypots in place that didn’t prevent anything. One recommended using the WooCommerce Fraud Prevention plugin. It allows store owners to block orders from specific IP addresses, emails, address, state, and zip codes. This might help once attacks have started but doesn’t fully prevent them. Some developers had success stopping attacks using reCaptcha for WooCommerce, a commercial plugin that implement’s Google’s reCaptcha V2 (checkbox) and reCaptcha V3 to stop things like unauthorized login attempts, fake registrations, fake guest orders, and other automated attacks.

“We ran into this about a year ago,” WordPress developer John Montgomery said. “It’s a way for hackers/thieves to check a list of card numbers for ones that are valid. Once they confirm the card works on a site, they can use to purchase products for real. In the end, a big annoyance but honestly not a huge deal for us in the end because we have digital products and they weren’t really interested in those.”

Montgomery installed a plugin called Limit Orders for WooCommerce, developed by Nexcess, that disallows orders after a certain threshold is met.

“I set it up to x orders per hour ( above any historical numbers)…so if we get say 100 orders in an hour it will shut off orders,” he said. “It’s a bit of a sledgehammer, but it did help us once already.”

Although many store owners are hesitant to add any friction to the checkout process, technology consultant Jordan Trask recommends requiring customers create accounts before continuing and verify emails. He wrote a guide on dealing with card testing attacks.

“The gist of the rules is blocking all countries except those you serve,” Trask said. “However, for WooCommerce, I would put in a JS Managed Challenge for the cart and checkout.

“There is rate limiting built into Cloudflare that might help, but it’s more request based versus per order which is what you need based on IP potentially. If the requests come from the same IP address, you can look at limiting orders per IP since the email differs each time.”

The Checkout Rate Limiter plugin, available on GitHub, offers checkout rate limiting on WooCommerce checkout based on IP address.

Trask’s guide also recommends checking payment processor logs when investigating fraudulent charges:

Always check your payment processor logs to verify where the charges are being created. A staging site may exist with production API keys, or your site was hacked, and the API keys were stolen. Most payment processors will have further details in their logs with additional information.

WordPress developer Rahul Nagare recommends checking out Stripe’s Radar fraud protection, which uses machine learning to provide advanced protection and identification of fraudsters.

“This will let you setup custom rules on Stripe to reject suspicious transactions,” Nagare said. “This used to be a free service with Stripe, but they changed it last year. I’d look into blocking all transactions with risk score higher than the average, and maybe the region of the card testers.”

WooCommerce’s documentation has a section on responding to card testing attacks, which has many of the same recommendations discussed in the recent AWP thread. A CAPTCHA plugin is the first line of defense. It also recommends avoiding pay-what-you-want or donation products with no minimum, as these products are often targeted for card tests with small transactions that cardholders might miss. Swiftly refunding any successful fraudulent orders will decrease the possibility of disputes.


9 responses to “WooCommerce Store Owners Combat Fraudulent Stripe Charges”

  1. Sorry for any misinformed comment but I’m completely new in ecommerce.
    I’m thinking on starting some stores and this article took my attention.
    So, if I understood correctly, the store owner wasn’t affected, but the clients did. The problem was that the card number of the client was stolen? I guess the shop owner has no responsibility..?
    I don’t really understand where, objectively, the problem starts? Client’s machine, WordPress, Woocommerce, Stripe?
    I can’t believe there isn’t a safe method yet.
    Can’t the client receive a double check code in the email, or any other unique transactional token to confirm the transaction? This seems so simple to do.
    This is very scary and “bad reputation” – I know there are millions of “good”examples but we know how this “bad news thing” works.
    I think – even more now that having an online store is getting easier and a priority for all – it should be on WP Core (or Woo Core?) something to prevent it.
    Reputation is at stake.

    • No, the cardholder and the merchant are both effected.

      And while the cardholder will easily be able to get the charge reversed and ultimately most likely won’t be responsible for anything… the merchant is left having to pay the associated credit card transaction fees regardless.

      If you read the example that Jon Brown explains in one of the quotes exactly what it ended up costing this merchant. 1200 fraudulent charges cost the merchant $1940 in non-refundable payment transaction related fees. Money the merchant will not get back.

  2. I’ve seen a flood of spam orders on WooCommerce sites that I manage. This has become a serious issue. Even with reCAPTCHA enabled via Wordfence, the issue hasn’t gone away.

    Stripe absolutely needs to step up and take action. And WooCommerce should be bundling features to help prevent these orders. We shouldn’t have to rely on a commercial product to do this.

    If WooSpam™ becomes as common as comment spam, then the platform is going to suffer.

  3. We had this happen with our donation plugin we used for my non-profit. We had at least a thousand attempts and 60 succeeded. Stripe was not helpful at all. We had to pay for RADAR just to make a rule blocking cards whose country of origin didn’t match the IP of the user – which stopped the attempts. This was obvious fraud and the RADAR per transaction cost total was more than what we took in legitimate charges. They charge $.02 per attempt.

    The plugin was Donation Form Block for Stripe By GiveWP https://wordpress.org/plugins/donation-block-for-stripe-by-givewp/

    Stripe investigated and said it was the GiveWP integration and that we should use a Recaptcha on the form. There is no free way of doing that and the one plugin that said it worked with Givewp – Zero Spam doesn’t work with the “Donation Form Block for Stripe” it only seems to work with the full GiveWP plugin.

    We removed the plugin and went with the full GiveWP plugin and have not had any testing since then and we canceled the RADAR service.

    Like I said blocking cards where the IP doesn’t match the user location or even allowing per country blocking should be part of the basic service but Stripe just wants to milk the fees

  4. I’ve seen this too. As other commenters have noted, Stripe’s solution is basically to seek to sell you better tools than their default ones, that have a per-interaction cost to them – which, when you’re dealing with 10,000 incoming carding attempts, soon adds up.
    i.e. The more fraud not blocked by their default tools and which you require something more for, the more profit to Stripe. Stripe need to rethink this. The “per transaction” model was understandable, but the perverse incentives it creates are now obvious and should be addressed.

    • 100% agree. Stripe has a lot going for it in terms of how easy it is to set up. They run the risk of seeing a mass exodus of merchants if they allow this to continue.

  5. Stripe’s Radar service or tool is very powerful. They have been building and fine-tuning it for years, powered by machine learning and input from tens of thousands of users I can say that these days it’s one of the best fraud prevention solutions if you accept payments via Stripe. I don’t say it’s perfect and works 100% of the time, you can still get some fraud payments going through the system but it’s able to catch and prevent most of them. Writing blocking rules tailored to your own needs and preferences is huge and a simple process, you can get familiar with the system very quickly. I wrote a detailed guide on Radar based on my own experience covering some of the most common attempts and how you can block them. You can take a look here https://kinsta.com/blog/credit-card-fraud-stripe/

    • The problem is, if you’re going to be charged $0.05 per screened transaction, and if you’re getting 100,000 fraudulent transaction attempts, then this is only a feasible solution for a minority of WooCommerce shop owners.

      • That amount is waived for accounts with standard pricing so you are not getting charged. I think 100k attempts is not normal for the majority of companies, there must be going on something extraordinary that you and Stripe don’t notice it in time, so I think even if you have to pay a few cents it is worth the price. But I get what you mean and for small shops, every piece of money counts.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: