Sept. 14, 2024
I was vacationing in Morocco, obsessively checking my Stripe account.
At restaurants. In the tour van. While riding my camel.
On the toilet...
I saw a surge of sales come in. I was excited.
Having worked on my AI SEO tool for almost a year, I was finally getting a ton of sales.
But where from?
Was it a post that went viral? Or was it some popular influencer / blog that referred traffic to me?
I looked a bit closer at my Stripe dashboard while on the toilet and saw something that made my heart drop.
$1000s of blocked transactions from similar email accounts.
jake0001 at gmail.com
jake0002
jake0003
...
and so on.
And $100s came flooding in, also from similar accounts:
jake0056
jake0057
...
That's when I realized nothing good had happened at all! I struggled to figure out what was going on, so I googled around and it turned out I was under what's called a card testing attack.
This is when fraudsters run stolen credit card numbers through a live merchant's checkout to see which ones still work.
The cards that do get used for bigger purchases later on, or resold on the black market as verified working cards.
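What this looks like from the merchant's side is exactly the pattern in my Stripe dashboard: a burst of charges, mostly declined, from addresses that differ only by a counter. Below is an added example (my own illustration, not Stripe's tooling and not the code behind this site) of the detection logic I wish I'd had running against my charge log at the time. It assumes a minimal Charge record with a timestamp, email, amount and outcome; the sample charges are constructed to mimic the jake0001, jake0002, ... run. Two signals are checked per time window: the fraction of declined attempts, and how many distinct addresses collapse to the same stem once Gmail dots, +tags and the trailing number are stripped.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Charge:
    ts: datetime
    email: str
    amount_cents: int
    status: str  # "succeeded", or "blocked" / "failed" for charges that were declined


DECLINED = {"blocked", "failed"}


def normalize_email(email: str) -> str:
    """Collapse aliases Gmail delivers to the same inbox (dots, +tags),
    so jake0004, j.ake0004 and jake0004+x count as one address."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def email_stem(email: str) -> str:
    """Strip the trailing counter (jake0001 -> jake) so a run of
    sequentially generated accounts shares one stem."""
    local, _, domain = normalize_email(email).partition("@")
    stem = re.sub(r"\d+$", "", local)
    return f"{stem}@{domain}"


def _window_start(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window


def detect_card_testing(charges, window=timedelta(minutes=10), min_attempts=5,
                        decline_ratio=0.5, min_variants=3):
    """Return alerts for windows that look like card testing:
    - decline_burst: at least min_attempts charges with a high declined share
    - sequential_emails: one stem appearing under min_variants+ distinct addresses"""
    buckets = defaultdict(list)
    for c in charges:
        buckets[_window_start(c.ts, window)].append(c)

    alerts = []
    for start in sorted(buckets):
        cs = buckets[start]
        declined = sum(1 for c in cs if c.status in DECLINED)
        if len(cs) >= min_attempts and declined / len(cs) >= decline_ratio:
            alerts.append({"kind": "decline_burst", "window_start": start,
                           "attempts": len(cs), "declined": declined})
        variants = defaultdict(set)
        for c in cs:
            variants[email_stem(c.email)].add(normalize_email(c.email))
        for stem, emails in sorted(variants.items()):
            if len(emails) >= min_variants:
                # money that actually went through from this stem: the part you
                # will later refund (minus fees) or lose to chargebacks
                leaked = sum(c.amount_cents for c in cs
                             if email_stem(c.email) == stem and c.status == "succeeded")
                alerts.append({"kind": "sequential_emails", "window_start": start,
                               "stem": stem, "variants": len(emails),
                               "succeeded_amount_cents": leaked})
    return alerts


def _t(hh_mm_ss: str) -> datetime:
    return datetime(2024, 9, 14, *map(int, hh_mm_ss.split(":")))


# Constructed sample: a testing burst in the 10:00 window, then two normal sales.
SAMPLE_CHARGES = [
    Charge(_t("10:02:11"), "jake0001@gmail.com", 2900, "blocked"),
    Charge(_t("10:02:19"), "jake0002@gmail.com", 2900, "blocked"),
    Charge(_t("10:02:25"), "jake0003@gmail.com", 2900, "failed"),
    Charge(_t("10:02:33"), "j.ake0004@gmail.com", 2900, "succeeded"),
    Charge(_t("10:02:40"), "jake0005@gmail.com", 2900, "blocked"),
    Charge(_t("10:02:48"), "jake0006@gmail.com", 2900, "succeeded"),
    Charge(_t("11:30:05"), "maria@example.org", 4900, "succeeded"),
    Charge(_t("11:45:52"), "dev@startup.io", 2900, "succeeded"),
]

if __name__ == "__main__":
    for alert in detect_card_testing(SAMPLE_CHARGES):
        print(alert)
```

Note that the "succeeded" charges are the ones to worry about: a decline-only burst costs you nothing but Radar's attention, while every approved test charge is a future chargeback. In practice you would feed this from Stripe's charge webhooks (or a nightly export) and page yourself on the first alert, since the whole attack can run its course in minutes.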
You might think, "well, just keep the money!"
But eventually the real cardholders notice, the charges get reversed and marked as fraudulent, and you'll be faced with a pile of chargebacks.
And a chargeback rate above 1% means Stripe will shut your account down.
Meaning you'll go out of business since you won't be able to easily collect payments anymore.
Not only that, even if you refund the fraudulent charges yourself, Stripe keeps its processing fee on each one. For me, that worked out to about 5% of the total that went through.
So if an attacker was able to "successfully" test $50K worth of transactions, you're on the hook for $2,500.
Except there's no limit to how many cards they can test, or to how many of those charges Stripe's fraud checks will let through.
MEANING THERE'S NO LIMIT TO HOW MUCH MONEY YOU CAN LOSE IN A CARD TESTING ATTACK!
Stripe has some useless documentation on preventing card testing attacks. They suggest you:
I even added email verification.
I thought it worked, because the attacks stopped for a few days. Yay!
Just in time to go ride camels into a Sahara desert camp.
That's when I got some more Stripe notifications for fraudulent transactions.
None of the mitigations I implemented worked!
Bots can just generate an unlimited number of real Gmail accounts, and a human or bot behind a pool of proxies can solve captchas (captcha-solving services are cheap) and rotate IPs to get around per-IP rate limits.
The internet was so terrible in the middle of the Sahara that it took 3 hours to add / push a single line of code to heroku:
ACCOUNT_ADAPTER = "apps.users.adapter.NoNewUsersAccountAdapter"
This is a django-allauth account adapter whose is_open_for_signup() returns False, so it prevents any new signups (and therefore any new accounts that can test credit cards).
The card testing attacks stopped, but so did every new signup: I had effectively shut my business down.
Eventually, when I got back stateside, I thought about a new solution:
What happens if I just do a 1-time SMS verification, but make sure that the phone number they use is a real number?
After spending a weekend creating that solution, there were no more card testing attacks.
And ever since then, I've used this 1-time SMS verification trick on all my websites to protect myself from these attacks.
I figure the slight, one-time friction for customers is worth it, if it means protecting myself from unlimited downside.
Besides, if a customer won't spend 5 seconds doing an SMS verification, they aren't customers that'd pay you to begin with anyway.
So you consume fewer server resources by filtering out people "that just want to look around" -- not to mention you can prevent things like a cheap user signing up for 100s of accounts just to keep using the free trial and never pay.
Although this solution works well on all my websites, it isn't trivial to implement every single time on a new website.
I wanted to leverage a centralized server that handles my SMS verification, so any new SaaS I launch takes ~2 minutes to protect instead of a few hours of copying, pasting and debugging in a new project.
Further, getting a response on Twilio's paperwork can take weeks, and I wanted to provide this tool so other SaaS developers can protect themselves quickly and easily.
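To make the idea concrete, here is an added example of the one-time SMS verification flow described above. It is my own illustration, not the code behind this site or the author's service. It assumes two callables you would wire to real providers: a hypothetical send_sms(phone, text) and a hypothetical line_type(phone) that stands in for a carrier lookup (the kind of query Twilio's Lookup API answers), which is how "the phone number is a real number" is enforced here: only numbers reported as mobile may verify. Codes are stored only as an HMAC, compared in constant time, expire after five minutes, are discarded after five wrong guesses, and a number that has already verified one account cannot verify another. The resend cooldown matters because an SMS gate is itself a target: attackers will request codes to premium-rate numbers (SMS pumping) purely to run up your Twilio bill.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

E164 = re.compile(r"\+[1-9]\d{6,14}")  # '+' then 7 to 15 digits, no leading zero
CODE_TTL_SECONDS = 300                  # a code is good for five minutes
MAX_WRONG_GUESSES = 5                   # then the code is discarded
RESEND_COOLDOWN_SECONDS = 60            # caps how fast one number can burn SMS budget


def normalize_phone(raw: str, default_country: str = "+1") -> Optional[str]:
    """Reduce user input to E.164 or None; default_country is an assumption for bare numbers."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    elif not digits.startswith("+"):
        digits = default_country + digits.lstrip("0")
    return digits if E164.fullmatch(digits) else None


@dataclass
class _Pending:
    phone: str
    code_hash: bytes      # HMAC of the code; the plaintext is never stored
    expires_at: float
    wrong_guesses: int = 0


class SmsVerifier:
    def __init__(self, send_sms: Callable[[str, str], None],
                 line_type: Callable[[str], str], secret: bytes,
                 now: Callable[[], float] = time.time):
        self._send = send_sms            # hypothetical SMS provider hook
        self._line_type = line_type      # hypothetical carrier lookup hook
        self._secret = secret
        self._now = now
        self._pending: dict = {}         # user_id -> _Pending
        self._last_sent: dict = {}       # phone -> timestamp of last code
        self._owner_of: dict = {}        # phone -> user_id that verified it
        self._phone_of: dict = {}        # user_id -> verified phone

    def _hash(self, code: str) -> bytes:
        return hmac.new(self._secret, code.encode(), "sha256").digest()

    def start(self, user_id: str, raw_phone: str) -> str:
        phone = normalize_phone(raw_phone)
        if phone is None:
            return "invalid_number"
        if self._owner_of.get(phone, user_id) != user_id:
            return "number_already_used"   # one real number, one account
        if self._now() - self._last_sent.get(phone, float("-inf")) < RESEND_COOLDOWN_SECONDS:
            return "cooldown"
        if self._line_type(phone) != "mobile":
            return "not_a_mobile_number"   # rejects VoIP / landline / unknown
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = _Pending(phone, self._hash(code), self._now() + CODE_TTL_SECONDS)
        self._last_sent[phone] = self._now()
        self._send(phone, f"Your verification code is {code}. It expires in 5 minutes.")
        return "sent"

    def verify(self, user_id: str, submitted: str) -> str:
        p = self._pending.get(user_id)
        if p is None:
            return "no_pending_code"
        if self._now() > p.expires_at:
            del self._pending[user_id]
            return "expired"
        if not hmac.compare_digest(p.code_hash, self._hash(submitted.strip())):
            p.wrong_guesses += 1
            if p.wrong_guesses >= MAX_WRONG_GUESSES:
                del self._pending[user_id]
                return "too_many_attempts"
            return "wrong_code"
        del self._pending[user_id]
        self._owner_of[p.phone] = user_id
        self._phone_of[user_id] = p.phone
        return "verified"

    def is_verified(self, user_id: str) -> bool:
        return user_id in self._phone_of


def code_from_message(message: str) -> str:
    """Pull the 6-digit code back out of the SMS text (used by the demo and tests)."""
    return re.search(r"\d{6}", message).group()


def demo() -> list:
    """Walk the flow with a captured sender and a fake lookup; returns the outcome of each step."""
    sent = []
    v = SmsVerifier(send_sms=lambda phone, text: sent.append((phone, text)),
                    line_type=lambda phone: "voip" if phone.endswith("0000") else "mobile",
                    secret=secrets.token_bytes(32))
    results = [v.start("alice", "(555) 123-4567")]
    code = code_from_message(sent[-1][1])
    wrong = "000000" if code != "000000" else "111111"
    results.append(v.verify("alice", wrong))
    results.append(v.verify("alice", code))
    results.append(v.start("bob", "+1 555 123 4567"))      # same number, second account
    results.append(v.start("carol", "+1 555 000 0000"))    # fake lookup says VoIP
    results.append(v.start("dave", "not a number"))
    results.append(v.start("erin", "+44 20 7946 0958"))
    results.append(v.start("erin", "+44 20 7946 0958"))    # immediate resend
    return results
```

Swap the two lambdas in demo() for your provider's client and you have the whole gate; the in-memory dicts would become rows in your user and verification tables. Keep the line-type check: without it a bot can verify with the same free VoIP numbers it uses for Gmail signups, and you are back where you started.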
This website reflects that effort.
Card testing attacks are one of those things that are fairly rare, but when they happen they can be extremely devastating.
And you don't need a lot of traffic for attackers to find you.
My site had almost no visitors and it got attacked.
Concluding thought:
If you're a SaaS developer, I sincerely hope you protect yourself against these malicious financial attacks (whether you decide to use our services or not).