When Fraudsters Used Our Site for Credit Card Testing

TL;DR

Fraudsters discovered our checkout page lacked proper protections and used it to test thousands of stolen credit cards. We got hit with hundreds of chargebacks, Stripe suspended our account, and we spent weeks cleaning up the mess. Adding CAPTCHA, rate limiting, and Stripe Radar would have prevented the entire incident.

I thought we'd hit the jackpot when I saw hundreds of new transactions coming through overnight. A viral moment? Product Hunt feature? Nope. It was fraudsters using our site as their personal credit card testing facility.

What is Credit Card Testing?

Credit card testing is when criminals use stolen card numbers to make small purchases on real websites. They're checking which cards are still valid before selling them or making larger purchases elsewhere. They target sites with weak security because they need to test hundreds or thousands of cards quickly.

The Discovery

"I remember calling my co-founder at 6 AM, excited about our 'viral growth.' He was skeptical immediately. 'Check the amounts,' he said. That's when I noticed they were all exactly $1.00."

  • 847 fraudulent charges
  • $847 initial fraud amount
  • 312 chargebacks received
  • $4,680 chargeback fees

The Cascade of Problems

Day 1 - Discovery

We realize we've been hit by card testers. Refund all suspicious transactions.

Day 3 - First Chargebacks

Even though we refunded, cardholders still filed chargebacks. Each one costs us $15 in fees.

Day 5 - Stripe Warning

Our chargeback rate exceeds 1%. Stripe sends us a warning about potential account suspension.

Day 9 - Account Suspended

Stripe suspends our account. We can't process any payments.

Day 21 - Account Restored

After implementing security measures and a remediation plan, Stripe reinstates our account.

Our Security Gaps

  • No CAPTCHA or bot detection on checkout
  • No rate limiting on payment attempts
  • Stripe Radar was disabled to "reduce friction"
  • No velocity checks (multiple cards from same IP)
  • No minimum purchase amount

The Fix: Multiple Layers of Defense

// Stripe Radar rules we implemented
Block if :card_country: != :ip_country:
Block if :risk_level: = 'highest'
Block if :card_bin_count: > 3  // Same BIN used 3+ times
Block if :ip_address_count: > 5  // Same IP 5+ times

We added invisible reCAPTCHA, velocity limiting, and set a $5 minimum purchase amount. These simple changes made our site much less attractive for card testing.

Key Lessons Learned

  • Never disable fraud protection to "improve conversion rates"
  • Implement rate limiting on all payment endpoints
  • Use CAPTCHA or bot detection at checkout
  • Monitor for unusual patterns (same IP, unusual hours, round amounts)
  • Enable all available fraud tools from your payment processor

How do I know if I'm being targeted for card testing?

Watch for multiple small transactions (especially round amounts like $1), high decline rates, transactions from the same IP, and unusual activity during off-hours.
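To show the velocity limiting from "The Fix" and the warning signs listed in the answer above in working code, here is an added Python example; it is not code from the original post, and the attempt records, IP addresses, card fingerprints and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of checkout attempts, not real log data.
# Fields: timestamp, client IP, card fingerprint, amount in cents, outcome.
ATTEMPTS = [
    ("2024-03-02T03:10:01", "203.0.113.7", "fp_a1", 100, "declined"),
    ("2024-03-02T03:10:03", "203.0.113.7", "fp_a2", 100, "declined"),
    ("2024-03-02T03:10:05", "203.0.113.7", "fp_a3", 100, "succeeded"),
    ("2024-03-02T03:10:08", "203.0.113.7", "fp_a4", 100, "declined"),
    ("2024-03-02T03:10:11", "203.0.113.7", "fp_a5", 100, "succeeded"),
    ("2024-03-02T03:10:14", "203.0.113.7", "fp_a6", 100, "declined"),
    ("2024-03-02T14:22:40", "198.51.100.9", "fp_b1", 4999, "succeeded"),
    ("2024-03-02T14:25:02", "198.51.100.9", "fp_b1", 4999, "declined"),
]

WINDOW = timedelta(minutes=10)          # sliding window for velocity checks
MAX_ATTEMPTS_PER_IP = 5                 # assumed threshold, like the ":ip_address_count: > 5" rule
MAX_CARDS_PER_IP = 3                    # more distinct cards than a real shopper tries
DECLINE_RATIO = 0.5                     # testers see far more declines than customers do
SMALL_ROUND_CENTS = {100, 200, 500}     # the $1-style probe amounts the post describes


def velocity_allows(prior, ip, card, now):
    """Gate one new attempt: count this IP's attempts and distinct cards inside WINDOW.
    `prior` holds earlier (ts, ip, card, amount, outcome) tuples."""
    recent = [a for a in prior if a[1] == ip and now - datetime.fromisoformat(a[0]) <= WINDOW]
    cards = {a[2] for a in recent} | {card}
    return len(recent) < MAX_ATTEMPTS_PER_IP and len(cards) <= MAX_CARDS_PER_IP


def flag_card_testing(attempts):
    """Batch detection over past attempts: per-IP reasons matching the post's warning signs."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a[1]].append(a)
    flags = {}
    for ip, rows in by_ip.items():
        reasons = []
        declines = sum(r[4] == "declined" for r in rows)
        if len({r[2] for r in rows}) > MAX_CARDS_PER_IP:
            reasons.append("many distinct cards")
        if len(rows) >= 4 and declines / len(rows) >= DECLINE_RATIO:
            reasons.append("high decline rate")
        if all(r[3] in SMALL_ROUND_CENTS for r in rows):
            reasons.append("small round amounts")
        if reasons:
            flags[ip] = reasons
    return flags
```

Running `flag_card_testing(ATTEMPTS)` flags only the $1 burst from 203.0.113.7, while `velocity_allows` would already have refused that IP's fourth card before the batch job ever ran.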

Will I still get chargebacks if I refund fraudulent transactions?

Yes, unfortunately. Cardholders often file chargebacks regardless of refunds. The refund might reduce the number but you'll still face fees for those that come through.

At what chargeback rate will Stripe suspend my account?

Stripe typically flags accounts when the chargeback rate exceeds 1%. At higher rates (often 2%+), they may suspend or terminate your account.
