Dealing with Card Testing or Carding Attacks on your WooCommerce Store (Fraudulent Charges)

What’s card testing or carding?

Card Testing or sometimes referred to as Carding is the act of testing stolen credit card information against a payment processor to verify the stolen information is valid. The targets of card testing or carding are usually online stores that allow for small purchases and have low security.

Preventing Card Testing in WooCommerce

I’ve compiled a list of options for preventing card testing or carding in WooCommerce. The options provided are suggestions, and any referenced plugin and service is simply a match and not a general endorsement. Do your own research!

1. Enable 3D Secure

If your payment gateway or payment processor supports 3D Secure, then you should enable this feature. You will need to ensure that the WordPress WooCommerce plugin you’re using supports 3D Secure.

2. Add a Captcha

This might be counterintuitive as the checkout experience is supposed to be quick and easy. This will help if you require customers to create an account and they have an option to save their billing details. Anything that makes it easier for the customer will make it easier for the attackers. You can add a captcha to the WooCommerce login, registration, and forgot your password pages. There is also an option to add a captcha on the checkout, however, it’s an effective method.

Here are some WordPress captcha-based plugins in no official order.

3. Block Countries with a WordPress Plugin

If your store only services a handful of countries, then you can block all countries that it doesn’t service from checking out. This can be done easily with a plugin and typically an IP to country database like Maxmind. This type of database maps internet IP addresses to countries and is fairly accurate. You can download their database or use their API. They have a free and paid plan.

Here are some WordPress plugins that allow you to block specific countries in no official order.

4. Block Countries with your Web Server

Nginx

You can block countries using Nginx’s GeoIP module and some configurations. Here’s an example guide

LiteSpeed

You can block countries using Litespeed’s GeoLocation support which allows you to use Maxmind or IP2Location databases. You can read more on their website

5. Cloudflare

There isn’t a specific feature of Cloudflare that tackles card testing directly. There is however some important settings you should consider enabling or configuring. One of them is Bot fight mode which can help if your site is being card tested by bots versus humans.

6. Throttling

Throttling WooCommerce orders is another option that will not stop card testing completely but will definitely make it harder for automated attacks to occur.

There is a plugin by Nexcess that limits WooCommerce orders overall and not by a specific customer or other variables such as IP Address. You can learn more about the plugin on the WordPress plugin directory

Another plugin by YITH called YITH WooCommerce Anti Fraud does have a setting “Attempt count check” which will only allow a certain amount of orders to occur within a certain time period based on IP Address. This is very useful, but some attackers will use different IP addresses. You can read more about the the plugin on the YITH website.

7. Email or SMS Verification

Requiring users to verify their emails before ordering is another means to slow down automated card testing attacks. However, this presents a delay in a customer checking out. Especially if the verification email or SMS doesn’t arrive in time or is marked as spam.

8. Fraud Detection Plugins

There are a couple of Fraud Detection or Anti Fraud plugins available. Some are simply there to let you know that an order is likely to be fraudulent, some will block orders.

Here’s a list of Fraud Detection and Anti Fraud Plugins in no specific order.

Conclusion

There are multiple methods and solutions to block card testing or carding. However, each store is different and some will be able to get by with simple and free solutions, while others might need more protection. Make sure you do your own research on the above linked plugins.

Other Options

There are a number of other options that I haven’t detailed in this article, please let me know if I’ve missed anything and I will update this article.

Updates

  • 07/08/2021 – Added FAQ about Cloudflare Bot Fight Mode.
0 Shares:
You May Also Like