You have noticed a burst of payment attempts, failed or successful, over a short period of time, and on investigation realize that your site is being used for card testing: an attacker is running stolen card numbers through your checkout to find out which ones are still live. What do you do now?
Use Stripe Checkout
First of all, if you are using Stripe Elements, go into MemberPress->Settings->Payments and switch the gateway to Stripe Checkout. We have noticed issues with the Stripe Elements process and are working with the Stripe team to release a more secure integration, which will be available at the end of May 2023.
Turn on Card Testing Protection
Go to MemberPress->Settings->General and ensure that “Enable Card Testing Protection” is checked.
It is enabled by default, but it is good to check. The protection tracks payment attempts per client IP address, so it is only as effective as the IP address it sees. Once it is enabled, you can choose where that IP address is read from. Pick the option that matches how your site is hosted: the header-based options must only be used when that proxy or CDN is actually in front of your site, because otherwise the header is supplied by the visitor, and an attacker can put a different address in it on every request to get around the limit.
If your site uses a front-end proxy (for example nginx or a load balancer in front of WordPress):
- Enable “Use the X-Forwarded-For HTTP header” OR “Use the X-Real-IP HTTP header”, whichever one your proxy actually sets
If your site uses Cloudflare:
- Enable “Use the CF-Connecting-IP HTTP header”
If your site DOES NOT use Cloudflare or a front-end proxy:
- Enable “Use PHP's built-in REMOTE_ADDR”
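As an added illustration (not MemberPress's own code, which is not shown on this page), the snippet below implements the rule the settings above depend on: a forwarded header is believed only when the request really arrived from one of your own proxy addresses, X-Forwarded-For is read from the right-hand end (the side the proxy appended, not the side the visitor controls), and failed attempts are then counted per resolved IP in a sliding window. The `IP_*` constants, `resolve_client_ip`, `FailureLimiter` and every IP address are assumptions made for the example; MemberPress does not expose a trusted-proxy list, so treat that parameter as the check you would enforce in front of the plugin (for example by having your proxy overwrite the header) rather than as a plugin setting.

```php
<?php
// Added example, not MemberPress code. Every address, constant and class
// name here is made up for the illustration. Requires PHP 8.0 or later.
declare(strict_types=1);

const IP_REMOTE_ADDR      = 'remote_addr';
const IP_X_FORWARDED_FOR  = 'x_forwarded_for';
const IP_X_REAL_IP        = 'x_real_ip';
const IP_CF_CONNECTING_IP = 'cf_connecting_ip';

/**
 * Resolve the client IP for the chosen method.
 *
 * @param array    $server         Normally $_SERVER; injected so it runs offline.
 * @param string   $method         One of the IP_* constants above.
 * @param string[] $trustedProxies Addresses of your own proxy or CDN edges. A
 *                                 forwarded header is believed only when
 *                                 REMOTE_ADDR (the TCP peer, which cannot be
 *                                 forged) is one of them; otherwise the peer
 *                                 itself is used. Empty list = never trust headers.
 */
function resolve_client_ip(array $server, string $method, array $trustedProxies): ?string
{
    $peer = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP) ?: null;

    if ($method === IP_REMOTE_ADDR || !in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    switch ($method) {
        case IP_X_REAL_IP:
            $candidate = $server['HTTP_X_REAL_IP'] ?? '';
            break;
        case IP_CF_CONNECTING_IP:
            $candidate = $server['HTTP_CF_CONNECTING_IP'] ?? '';
            break;
        case IP_X_FORWARDED_FOR:
            // Format is "client, hop1, hop2": each proxy appends the address it
            // saw, so the attacker controls the LEFT end. Walk from the right
            // and take the first hop that is not one of our own proxies.
            $hops      = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
            $candidate = '';
            foreach (array_reverse($hops) as $hop) {
                if (!in_array($hop, $trustedProxies, true)) {
                    $candidate = $hop;
                    break;
                }
            }
            break;
        default:
            return $peer;
    }

    // A header that is present but not a valid IP falls back to the peer.
    return filter_var($candidate, FILTER_VALIDATE_IP) ?: $peer;
}

/**
 * Per-IP sliding-window counter of failed payment attempts. A real deployment
 * would persist this (WordPress transients, Redis, ...); an array shows the rule.
 */
final class FailureLimiter
{
    /** @var array<string, int[]> timestamps of recent failures, keyed by IP */
    private array $failures = [];

    public function __construct(private int $limit, private int $windowSeconds)
    {
    }

    /** Record one failed attempt; returns true when the IP has hit the limit. */
    public function recordFailure(string $ip, int $now): bool
    {
        $recent = array_filter(
            $this->failures[$ip] ?? [],
            fn (int $t): bool => $t > $now - $this->windowSeconds
        );
        $recent[] = $now;
        $this->failures[$ip] = array_values($recent);

        return count($recent) >= $this->limit;
    }
}

// --- Constructed sample requests -------------------------------------------
$edge = '198.51.100.10'; // pretend this is our Cloudflare / reverse-proxy address

// Came through the proxy. The attacker injected a fake first hop (10.0.0.1);
// the proxy appended the real peer, 203.0.113.5.
$viaProxy = [
    'REMOTE_ADDR'           => $edge,
    'HTTP_X_FORWARDED_FOR'  => '10.0.0.1, 203.0.113.5',
    'HTTP_CF_CONNECTING_IP' => '203.0.113.5',
];
// Hit the site directly but CLAIMS to have been forwarded.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.5',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.77',
];

printf("via proxy, XFF: %s\n", resolve_client_ip($viaProxy, IP_X_FORWARDED_FOR, [$edge]));
printf("via proxy, CF:  %s\n", resolve_client_ip($viaProxy, IP_CF_CONNECTING_IP, [$edge]));
printf("direct, XFF:    %s\n", resolve_client_ip($direct, IP_X_FORWARDED_FOR, [$edge])); // forged header ignored

// Five failures from the same resolved IP inside five minutes trips the limit.
$limiter = new FailureLimiter(limit: 5, windowSeconds: 300);
$ip      = resolve_client_ip($viaProxy, IP_CF_CONNECTING_IP, [$edge]);
$blocked = false;
foreach ([0, 10, 20, 30, 40] as $offset) {
    $blocked = $limiter->recordFailure($ip, 1_700_000_000 + $offset);
}
printf("blocked after 5 failures: %s\n", $blocked ? 'yes' : 'no');
```

Run it with `php` on the command line. The two proxied requests resolve to the address the proxy saw, while the direct request's forged X-Forwarded-For is discarded because its TCP peer is not in the trusted list; that is the difference between a limit an attacker can dodge by editing a header and one they cannot.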
Enable Radar Settings in Stripe
Stripe Radar can detect and block fraudulent activity, including card testing, before a charge is created. Learn more about these settings on Stripe's Risk Settings page.
Rotate Your API Keys
Refer to Stripe's API Keys documentation to learn how to revoke an API key's access and create a new API key. Rotate the secret key in particular: if it has leaked, an attacker can keep calling Stripe's API as your account no matter what you change on the site. The old key stops working as soon as it is revoked, so have the new key ready to paste in.
Then go to [yourdomain]/wp-admin/admin.php?page=memberpress-options&display-keys#mepr-integration and enter the new API keys in the boxes provided.
Install and Activate MemberPress Math Captcha
Go to MemberPress->Add-Ons and install and activate our Math Captcha add-on. This adds a simple math captcha to the registration and login pages, which stops the scripted sign-ups that card testing relies on.
You can also use another captcha plugin if you prefer, or Simple Cloudflare Turnstile – CAPTCHA Alternative.
You can use one of them together with Math Captcha as well.
Refund and Cancel any Fraudulent Payments
If any payments were successfully created during the card testing, refund them and cancel the associated subscriptions. You can do this either from MemberPress on your site or through Stripe. If you do it through Stripe, mark the refund reason as “Fraud.”
There is no way to bulk cancel and refund in MemberPress, so these will need to be done one at a time.
We also recommend recording the email addresses and any other information about the charge and card that were used, so that if customers email in to complain you can assure them that you have already refunded the fraudulent charge. And if you have the ability to, contact the cardholder directly to let them know what has happened.
Why Did This Happen?
Attackers can sometimes get hold of the API secret key and use it to make calls to Stripe directly, as your account, for card testing purposes. Calls made that way never pass through your checkout page, which is why rotating the keys matters as much as the site-side protections above.
Will It Be Fixed?
Stripe and MemberPress are both aware of this vulnerability and are working together to release a new, more secure solution.