How to Prevent Card Testing and Fraudulent Sign-Ups with Stripe

You have noticed a spike in payments, failed or successful, over a short period of time, and on investigation realize that your site is being used for card testing. Card testing is when an attacker pushes many small charges through your checkout to learn which stolen card numbers are still valid. What do you do now?

Switching to Stripe Checkout

First, if you use Stripe Elements, you could try switching to Stripe Checkout:

  1. Navigate to Dashboard > MemberPress > Settings > Payments tab.
  2. Find the Stripe payment gateway.
  3. Here, click the checkbox next to the Stripe Checkout option.

Switching to Stripe Checkout does not prevent card testing by itself. The point of the switch is to interrupt an attack in progress: the testers' scripts are built against the Stripe Elements flow on your site, and disabling Elements takes away the endpoints they are hitting. Once you have applied the other measures in this document and the attack has stopped, you can re-enable Stripe Elements.

Turn on Card Testing Protection

Go to Dashboard > MemberPress > Settings > General and ensure that Enable Card Testing Protection is checked.

It is enabled by default, but it is worth checking. When it is enabled, you can also choose how MemberPress determines the visitor's IP address. The protection relies on the visitor's IP address, so this choice matters: pick a header only if a proxy you control sets it on every request, because otherwise the header is supplied by the client and an attacker can put any address in it.

If your site uses a Front-End Proxy:

  • Enable Use the X-Forwarded-For HTTP header OR Use the X-Real-IP HTTP header, whichever your proxy sets

If your site uses CloudFlare:

  • Enable Use the CF-Connecting-IP HTTP header

If your site DOES NOT use CloudFlare or a Front-End Proxy:

  • Enable Use PHP's built-in REMOTE_ADDR
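
The PHP script below is added here as an example and is not MemberPress code. It shows how each of the four IP settings above resolves an address from a $_SERVER-style array, and why choosing a proxy header on a host that is not behind that proxy lets an attacker forge the address that the protection keys on. The function names, the sample client addresses and the Cloudflare edge address are constructed for illustration; MemberPress's own implementation may differ.

```php
<?php
// Added example (not MemberPress code): how each "get the user's IP" setting above
// resolves the address that card-testing protection counts attempts against, and
// why enabling a proxy header on a host that is not behind that proxy lets an
// attacker forge the address. Function names and sample addresses are constructed.
declare(strict_types=1);

/**
 * Resolve the client IP from a $_SERVER-shaped array under one of the four
 * settings. Returns null when no syntactically valid IP is available.
 */
function resolve_client_ip(array $server, string $mode): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;

    switch ($mode) {
        case 'remote_addr':        // Use PHP's built-in REMOTE_ADDR
            $candidate = $remote;
            break;
        case 'cf_connecting_ip':   // Use the CF-Connecting-IP HTTP header
            $candidate = $server['HTTP_CF_CONNECTING_IP'] ?? $remote;
            break;
        case 'x_real_ip':          // Use the X-Real-IP HTTP header
            $candidate = $server['HTTP_X_REAL_IP'] ?? $remote;
            break;
        case 'x_forwarded_for':    // Use the X-Forwarded-For HTTP header
            // XFF is "client, proxy1, proxy2, ...". The leftmost value is whatever
            // the client sent, so it only means something when your own proxy
            // overwrote or appended to it before the request reached PHP.
            $parts = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
            $candidate = ($parts[0] !== '') ? $parts[0] : $remote;
            break;
        default:
            throw new InvalidArgumentException("unknown IP mode: $mode");
    }

    // A forged header can carry anything; only accept a well-formed IP, otherwise
    // every junk value would become its own rate-limit bucket.
    if (!is_string($candidate) || filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $candidate;
}

/** Bucket requests by resolved IP, the way a per-IP attempt counter would. */
function attempts_per_ip(array $requests, string $mode): array
{
    $counts = [];
    foreach ($requests as $server) {
        $ip = resolve_client_ip($server, $mode) ?? '(invalid)';
        $counts[$ip] = ($counts[$ip] ?? 0) + 1;
    }
    return $counts;
}

// ---- Constructed sample traffic (not captured from a real site) ----

// Scenario A: no proxy in front of the site. One attacker at 203.0.113.7 makes
// five registration attempts, each carrying a different forged X-Forwarded-For.
$direct = [];
for ($i = 1; $i <= 5; $i++) {
    $direct[] = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => "198.51.100.$i"];
}

// Scenario B: the site is behind Cloudflare. REMOTE_ADDR is always the edge address
// (sample value); the real clients, two legitimate users and the same attacker,
// are only visible in CF-Connecting-IP.
$behindCf = [];
foreach (['192.0.2.10', '192.0.2.11', '203.0.113.7', '203.0.113.7', '203.0.113.7'] as $client) {
    $behindCf[] = ['REMOTE_ADDR' => '173.245.48.1', 'HTTP_CF_CONNECTING_IP' => $client];
}

// Scenario A with the right setting: all five attempts count against 203.0.113.7.
print_r(attempts_per_ip($direct, 'remote_addr'));
// Scenario A with X-Forwarded-For enabled although nothing sets it for you: the
// forged values split the attacker into five "different" clients, so a per-IP
// threshold is never reached.
print_r(attempts_per_ip($direct, 'x_forwarded_for'));
// Scenario B with REMOTE_ADDR: everyone collapses into the Cloudflare edge address,
// so blocking the attacker blocks the legitimate users too.
print_r(attempts_per_ip($behindCf, 'remote_addr'));
// Scenario B with CF-Connecting-IP: three attempts for the attacker, one per user.
print_r(attempts_per_ip($behindCf, 'cf_connecting_ip'));
```

Two things the list of settings above leaves implicit. First, whichever header you select, the origin server must accept connections only from that proxy (Cloudflare publishes its IP ranges for exactly this purpose); otherwise an attacker who discovers the origin address can connect to it directly and send any CF-Connecting-IP or X-Forwarded-For value they like, which is scenario A all over again. Second, when a proxy appends to an existing X-Forwarded-For instead of replacing it, the trustworthy value is the entry immediately to the left of your proxy's own address, not the leftmost one; the example takes the leftmost entry because that is the simplest reading of the setting, so check what your proxy actually does.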

Enable Radar Settings in Stripe

Stripe Radar is Stripe's fraud detection feature, and its risk settings let you block payments that fail card verification. Learn more about these settings on Stripe's Risk Settings page.

Stripe Radar offers two card verification checks that are relevant here:

  • Card verification code check (CVC): blocks any charge that fails the CVC check. The CVC is the verification code printed on the card itself, and the user must enter the correct one in the MemberPress registration form for Stripe to process the payment.
  • Address verification (AVS): blocks a charge if the postal code check fails. When registering, users need to add the postal code and street address to the MemberPress registration form; if these do not match the billing address the card issuer (e.g. the bank) has on file, the payment is declined.

Card testers frequently do not have the valid CVC or billing postal code for the numbers they are probing, so these checks reject many attempts at Stripe. An attacker who does hold complete card details still passes them, which is why the IP-based protection and the captcha steps below are needed as well.

Refresh Your API Keys

Follow these steps to refresh the credentials (the button is hidden until you add the display-keys parameter to the URL):

  1. Log in to your website as an administrator. After logging in, the URL in your browser's address bar should look like https://yourdomain.com/wp-admin/.
  2. Add the following to the end of the current URL: admin.php?page=memberpress-options&display-keys (e.g. https://yourdomain.com/wp-admin/admin.php?page=memberpress-options&display-keys), then press Enter while the address bar is still focused.
  3. This takes you to the MemberPress Settings page (Dashboard > MemberPress > Settings). Click the Payments tab.
  4. Under the Stripe payment gateway settings you should now see a Refresh Stripe Credentials button. Click it to refresh your Stripe credentials.

Install and Activate MemberPress Math Captcha Add-On

Go to Dashboard > MemberPress > Add-Ons and install and activate the Math Captcha add-on. This adds a simple math captcha to the registration and login forms to help stop automated sign-ups.

You can use another captcha plugin instead if you prefer, for example Simple Cloudflare Turnstile – CAPTCHA Alternative, and you can run one of those alongside Math Captcha at the same time.

Simple Cloudflare Turnstile Add-On

The Simple Cloudflare Turnstile – CAPTCHA Alternative plugin adds Cloudflare Turnstile to your site. Its built-in MemberPress integration lets you enable Turnstile on the MemberPress login and registration forms.

To set up the plugin, navigate to Dashboard > Settings > Cloudflare Turnstile and follow the plugin's guide.

Note: When Turnstile is enabled for WordPress Login, the Only enable on default wp-login.php page sub-option becomes available. Make sure this sub-option is unchecked; otherwise Turnstile protects only wp-login.php and the MemberPress login form is left uncovered.

You can also enter MemberPress membership IDs in the dedicated field to apply Turnstile only to specific registration forms.

Refund and Cancel any Fraudulent Payments

If any payments succeeded during the card testing, refund them and cancel the subscriptions they created. You can do this either from MemberPress on your site or through the Stripe Dashboard. If you do it through Stripe, mark the refund reason as "Fraud."

There is no way to cancel and refund in bulk in MemberPress, so these have to be handled one at a time.

We also recommend recording the email addresses and any other details of the charge and card used, so that if a cardholder emails to complain you can confirm that the fraudulent charge has already been refunded. If you can contact the cardholder directly, let them know what happened.
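
Because MemberPress offers no bulk action, the script below, added here as an example and not MemberPress or Stripe code, does the refund-and-cancel step through the Stripe API with the stripe-php library and prints the evidence row the previous paragraph recommends keeping. It assumes Composer's vendor/autoload.php and a STRIPE_SECRET_KEY environment variable; the charge IDs, customer IDs and emails in its sample data are constructed, and the six-hour window is an assumption to replace with the real attack window. Run it without --execute first: it then lists what it would reverse without contacting Stripe.

```php
<?php
// Added example (not MemberPress or Stripe code): refund every successful charge in
// the attack window with reason "fraudulent", cancel the active subscriptions of
// the customers those charges created, and print an evidence row per charge for
// later support replies. Assumes stripe-php via Composer and STRIPE_SECRET_KEY in
// the environment; without --execute it runs against constructed sample data and
// never contacts Stripe. Function names and the six-hour window are assumptions.
declare(strict_types=1);

/** Keep charges that succeeded, are not yet refunded and fall inside the window. */
function select_charges_to_reverse(array $charges, int $windowStart, int $windowEnd): array
{
    $keep = [];
    foreach ($charges as $c) {
        if (($c['status'] ?? '') !== 'succeeded' || !empty($c['refunded'])) {
            continue;
        }
        if ($c['created'] < $windowStart || $c['created'] > $windowEnd) {
            continue;
        }
        $keep[] = $c;
    }
    return $keep;
}

/** One comma-separated line per charge: id, time, amount in minor units, email, last4, customer. */
function evidence_row(array $c): string
{
    return implode(',', [
        $c['id'],
        date('c', $c['created']),
        $c['amount'] . ' ' . strtoupper($c['currency']),
        $c['billing_details']['email'] ?? '',
        $c['payment_method_details']['card']['last4'] ?? '',
        $c['customer'] ?? '',
    ]);
}

/** Live actions against Stripe: refund as fraud, then cancel the customer's active subscriptions. */
function reverse_charge(\Stripe\StripeClient $stripe, array $c): void
{
    $stripe->refunds->create(['charge' => $c['id'], 'reason' => 'fraudulent']);
    if (!empty($c['customer'])) {
        $subs = $stripe->subscriptions->all(['customer' => $c['customer'], 'status' => 'active']);
        foreach ($subs->autoPagingIterator() as $sub) {
            $stripe->subscriptions->cancel($sub->id);
        }
    }
}

$execute     = in_array('--execute', $argv ?? [], true);
$windowEnd   = time();
$windowStart = $windowEnd - 6 * 3600; // assumed: the attack ran over the last six hours

if ($execute) {
    require __DIR__ . '/vendor/autoload.php';
    $stripe  = new \Stripe\StripeClient(getenv('STRIPE_SECRET_KEY'));
    $charges = [];
    $page    = $stripe->charges->all([
        'created' => ['gte' => $windowStart, 'lte' => $windowEnd],
        'limit'   => 100,
    ]);
    foreach ($page->autoPagingIterator() as $charge) {
        $charges[] = $charge->toArray();
    }
} else {
    // Constructed sample: two small test-sized charges and one already-refunded charge.
    $sample = function (string $id, bool $refunded, int $age) use ($windowEnd): array {
        return [
            'id' => $id, 'status' => 'succeeded', 'refunded' => $refunded,
            'created' => $windowEnd - $age, 'amount' => 100, 'currency' => 'usd',
            'customer' => 'cus_' . substr($id, 3),
            'billing_details' => ['email' => substr($id, 3) . '@example.com'],
            'payment_method_details' => ['card' => ['last4' => '4242']],
        ];
    };
    $charges = [
        $sample('ch_sample1', false, 600),
        $sample('ch_sample2', false, 1200),
        $sample('ch_sample3', true, 1800),
    ];
}

foreach (select_charges_to_reverse($charges, $windowStart, $windowEnd) as $c) {
    echo evidence_row($c), PHP_EOL;   // save this output before you refund
    if ($execute) {
        reverse_charge($stripe, $c);
    }
}
```

Review the printed rows before adding --execute: a time window is a coarse filter and can include legitimate purchases, which you should remove from the list by hand first, and cancelling every active subscription of a customer is only safe because card-testing sign-ups are fresh accounts with nothing else attached. Refunds made directly in Stripe still need to be reflected on the MemberPress side, so check the affected members' transactions and subscriptions there afterward.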

Why Did This Happen?

Attackers can sometimes obtain the Stripe API secret and use it to make their own calls to Stripe for card testing, bypassing your site entirely. If you suspect the secret key itself has leaked, roll it from the API keys page of the Stripe Dashboard as well, and look for where it may have been exposed, such as backups, logs or version control.

Will It Be Fixed?

Stripe and MemberPress are both aware of this vulnerability and are working together to release a new, more secure solution.
