#MasterGates


spare elkBOT
thick arch
#

and a tangential question: since there were hundreds of failed requests coming from this spammer because they weren't using a valid private key, does that hurt/affect our API rate limit, or do these non-auth requests not count against us?

reef wraith
#

Hello, yes, it is definitely possible to create tokens with just a public key; that is actually one of the intended uses of public keys. We have this doc on preventing client-side card testing, though I am unsure how much it can help here because it mostly focuses on client secrets:
https://stripe.com/docs/disputes/prevention/card-testing

#

These calls don't count against your rate limit. Public keys have a different rate limit, and I believe it is per IP address, so these won't affect your ability to make backend calls or collect card details for other users.

#

I will need to look into this further to see if we have advice here.

thick arch
#

Ok, thank you, that would be very appreciated. I figured this was probably a script kiddie just grabbing our public key and trying to test stolen card numbers using this third-party site, but wanted to double-check that it's nothing I should be worried about or can control on my end.

reef wraith
#

I forget if just creating tokens is actually useful for card testing. I don't think it actually meaningfully checks the card details until the attempt to attach to a customer, which sounds like it isn't happening here because there is no customer, PaymentIntent, or SetupIntent.

#

Yeah, that is very likely what is happening here. Something we definitely want to prevent, though my personal knowledge of this isn't the best. I will look into this further and get back to you.

reef wraith
#

I'm not immediately finding anything worrisome based on these token requests, but I still want to consult colleagues who are much more knowledgeable on this. Can you write in to Stripe support and DM me your email? I can grab the ticket quickly and get back to you with what we can find when taking a deeper look.
https://support.stripe.com/?contact=true

thick arch
#

Ok, I started a chat with Stripe support and DM'd you the email associated with my Stripe account.

reef wraith
#

Thank you! Will grab that email now.

#

Grabbed it. I will consult my colleagues and get back to you with anything we notice or any advice we have going forward.