#Genazvale
By garbage, you mean none of those are legitimate customers?
sure, right.
Got it. We provide guidance on preventing card testing here: https://stripe.com/docs/disputes/prevention/card-testing
yeah, it was the first thing I checked, thanks.
Actually, I've been fighting with it for a week now and nothing works. Captcha doesn't help either.
Have you verified that the attackers aren't using your secret key?
i.e. made sure the requests are coming from your server
yes, and I revoked them all just in case.
Can you paste one of those event IDs in here?
Just so I can take a look at the request
evt_1MhESNKFgWVc4PH5pg06X40M
evt_1MhEc1KFgWVc4PH5EOeS0f47
This is a pair - customer and added card.
yes.
Ok so they likely don't have your secret key then. Those requests are from your server, so the attackers are targeting endpoint(s) that create a customer, payment method, and attach it. Are you sure those specific operations are behind a captcha? Or is just submitting the payment behind a captcha?
What I know is that captcha is enabled, and was enabled and they are still coming.
So captcha isn't protecting the above operations. If it were then they wouldn't be able to automatically target those operations
Are you the developer?
no. Owner.
Ah ok. We unfortunately can only assist the developers in here. Are you able to bring your developer in Discord so I can find out how they implemented captcha?
I don't have any, I handle everything. 🙂
Oh I thought you said you weren't the developer
The payments go through a cart service, if that's what you mean. That's where I enabled captcha.
Who developed your service?
Myself.
Ok so you are the developer. At what point in your checkout flow do you create the customer, card, and attach it? Likely that's able to be accessed without completing a captcha
If you can share code snippets that would help too
The payments go through a cart service, if that's what you mean. That's where I enabled captcha.
Thrivecart.
But your server is php right? That's where the customer and payment method are being created
Yes, it is.
I just thought, maybe it is created on their server? Could it be?
because I don't see any peak activity on my server.
the only place I can see them is in the Events. And a lot of people are calling regarding changes, although I don't have any charges on my account.
Gotcha. Let me take a look at those events again
Have you reached out to ThriveCart about this?
So those customers, etc. are being created by ThriveCart
Where exactly did you put the captcha?
Yes, sure.
I enabled it on Thrivecart account. That's what they recommended me to do as well.
Oh
Yeah since all this is being done on Thrivecart's side you need to reach out again to them
Either captcha isn't working
Or not working as expected and the card testers are able to get around it
So, this can be resolved on their side only?
Not in my Stripe account (settings, Radar, else)?
Mostly needs to be handled on their side since this is a hosted cart service