#coldpunk


steel tulipBOT
hollow trellis
#

Hi, are you the developer? If so, yes, happy to answer any integration related questions here

sonic vine
#

Hi yes I am the developer

hollow trellis
#

Great, let me know what questions you have

sonic vine
#

So i use Stripe-hosted checkout, and i have radar enabled too. the concern i have is the high Radar Stripe fees i've been charged recently. it is much higher than usual. typically it is less than $1 a day, now it is $15+ a day, and it does not match the number of orders I am receiving through the store.

#

So after speaking with Stripe support who is still trying to help my case, i've been notified that it is likely card testing. so i have some questions around Stripe-hosted checkout

#

Firstly, my publishable key is publicly available via JS. which i understand is OK. this JS is used to redirect to Stripe-hosted checkout

#

my **secret key is privately stored**, so this should not be possible for card testers to retrieve

hollow trellis
sonic vine
#

one thing stripe support mentioned was the following:

**It looks like the card testers are obtaining client secrets for Payment Intents, then confirming the Intent with stolen card information. This confirms whether the card is valid, even without a payment. You can confirm this on your Dashboard by looking at the request logs in Developer > Logs for excessive 402 errors related to Setup and Payment Intents confirmed with a publishable key.**

**In order to combat the card testing, we recommend you make it more difficult for card testers to obtain client secrets for Setup and Payment Intents.**

#

thanks, but i do have a developer related question

#

i'm just providing context

hollow trellis
#

I see, I'll wait

sonic vine
#

are you able to confirm the above statement is true? can a hacker use the client_secret and publishable key to repeatedly check if multiple cards are valid?

#

i'm trying to figure out how a card tester can start a checkout session, but then do repeat credit card checks (every few seconds) using the Stripe-hosted checkout.

#

so i did some diagnosing on the stripe-hosted checkout, and i found it is possible to retrieve the client_secret and publishable key. is this a concern? i can provide screenshots too

hollow trellis
#

Still looking

sonic vine
#

ok no problem

hollow trellis
sonic vine
#

oh ok. i would have thought this is considered a potential security breach which a developer needs to fix

#

a Stripe developer, because it's the Stripe-hosted payment page

hollow trellis
#

I just do not know the answer readily and I do not want to share misinformation. For this reason, I think support is the next best step.