#adamthehutt-radar-setup-intents

jagged apex
#

Where are you trying to provide ip address and such? What are you using it for?

half spade
#

One of our Connect-ed accounts is being hit with a bunch of card-testing attacks. They are apparently using the Setup Intent client secret from the page's javascript to test their stolen cards. I'm wondering if there's a way that I can provide client-related information in the create Setup Intent API call so that Stripe will block it if it's a known bad IP, etc.

#

We're using Stripe Elements to process the actual charge, but this attack apparently doesn't rely on that.

#

So I need to engage the fraud detection engine before creating a setup intent and sending the client secret to the browser

jagged apex
#

Okay so you are wanting to dynamically add IP addresses to Radar then? Or is it sufficient to have just the IP address that is performing the card testing right now?

half spade
#

I'm not an expert at Radar, but I think it's probably sufficient to just provide the current IP address.

#

Meaning the one that is performing the card testing

jagged apex
#

You should be able to get that from the request logs in the Dashboard then

half spade
#

no, sorry, I was confused

#

I do need to provide it dynamically

#

there are hundreds of different IP addresses involved

#

multiple different ones per second

jagged apex
#

What's the account ID for your account?

half spade
#

For my account or the connected account that is being hit?

jagged apex
#

The connected account that's being hit

half spade
#

acct_1KmHFQAj5Elerg5q

jagged apex
#

Okay, so I don't think it's possible to get the IP address via the API so in order to do this dynamically you would have to get the IP address on your own, then use Radar for Fraud Teams (a paid Stripe product) to generate a list that Radar can use to block IP addresses.

That being said, there are a number of other mitigations that you should consider first: https://stripe.com/docs/disputes/prevention/card-testing#prevent-card-testing

#

Those are going to be much easier to implement and likely more effective

half spade
#

sorry, I don't think my question was clear

#

I am not asking Stripe to tell me the IP address

#

I know the IP address because it's happening on my site

#

I want to provide the IP address (and user agent, etc.) to Stripe so that Radar has that information and can block the Setup Intent if necessary

#

I am already doing almost all of the steps recommended on that page.

#

The real problem is that the card tester isn't actually trying to process charges. They're using a setup intent secret and the account's public key to verify the cards. There is no way to avoid sending those two pieces of information to the browser, correct?

jagged apex
#

Correct.

half spade
#

So then I need a real-time solution that detects the fraudster before I send them to the browser

#

which I thought Radar might be

jagged apex
#

Ahhh okay, I see the confusion now. Unfortunately Radar is geared specifically toward stopping the step where a charge is attempted. It can't really do much before that point is reached

half spade
#

I see.

#

Well is there anything I can do then? Stripe shut off the client's ability to collect payments so this is an emergency

#

The email we received from Stripe just said to "make it harder for the testers to get setup intent secrets", which is not super useful.

jagged apex
#

I see. There's not a lot more that I can reasonably recommend for this aside from deny-listing the IP from accessing your website via another security protocol on your server.

For getting the account back up and running, our support folks will have to help you with that. We can't do much for you on this Discord server as we don't have visibility into that process.

#

Wish I had a better answer for you

half spade
#

Yeah, ok, thanks. Unfortunately it appears to be a botnet with hundreds of IPs, so blocking is difficult

#

We've implemented some IP-based rate limiting but that won't be very effective, I fear

jagged apex
#

It's interesting that bots are taking action at the browser level. That's pretty uncommon. How many attempts are being made in aggregate? Are they across multiple different Connect accounts?

half spade
#

As far as I know it's just the one Connect account. I'm assuming they're taking action at the browser level because that's the only way they'd be able to get the client secret for the server-generated setup intent.

#

It looks like in the aggregate it was a few per second, around the clock.

#

For days on end

#

Actually, there might be one other Connect account that's being hit, but I don't know if it's the same botnet or a different one.

jagged apex
#

Interesting. Yeah, I would just continue caching IP addresses and either block traffic on your server or add them to a list to use with Stripe RFFT

half spade
#

Ok, thanks. Yeah, that's pretty much what we're doing. Hopefully it's enough to get the account reactivated!