Card payment provider Stripe has lots of fraud prevention measures in place. However, a recent “card testing” event showed that Cameo should also include some counter-measures itself.

Background

Why would someone spam your donations form with hundreds or thousands of attempted small payments? Fraudsters target donations forms as a way to find a card that the cardholder has not already blocked. They usually have a long list of stolen cards to try. Using a small payment with no goods involved is less likely to attract notice.

Fraud counter-measures

Cameo now places limits on payment frequency:

  • only 3 payments per minute permitted from any IP address. It would be highly unusual for a real person to manually fill in a payment form repeatedly in such a short time.
  • only 10 failed payments per minute allowed. This allows someone to try again, possibly with a different card, if the bank declines their first attempt (for example, because they mis-entered the expiry date). But it catches high-volume payment attempts with different, usually blocked, cards.
  • only 30 payments per minute of any kind permitted.

These numbers are configurable on request. A really busy site might need to take more than 30 payments per minute. However, it is extremely unlikely you will exceed these limits in normal use.

If your site exceeds any of these thresholds, the form asks the respondent to wait 60 seconds before proceeding. This means that Cameo blocks robots attempting multiple payments in rapid succession. The block applies whether the attack is from a single IP address or from a bot-net.

If this happens, Cameo also posts a notification to that effect (tagged #PaymentsRateLimited).
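As an added illustration (not Cameo's own code), here is a sliding-window limiter in Python that enforces the three thresholds above over a 60-second window and reports which one was hit, so the form can ask the respondent to wait. The IP addresses, attempt sequences and reason labels are constructed for the example; blocked attempts are not counted, because they never reach the card processor.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # all three thresholds are "per minute"
PER_IP_LIMIT = 3      # payments per minute from any one IP address
FAILED_LIMIT = 10     # failed (declined) payments per minute, site-wide
TOTAL_LIMIT = 30      # payments of any kind per minute, site-wide


class PaymentRateLimiter:
    def __init__(self):
        self.per_ip = defaultdict(deque)   # ip -> timestamps of attempts
        self.failed = deque()              # timestamps of declined attempts
        self.total = deque()               # timestamps of all attempts

    @staticmethod
    def _prune(q, now):
        # Discard timestamps older than the window so counts cover the last minute only.
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def check(self, ip, now):
        """Return None if the attempt may proceed, else the threshold that blocks it."""
        self._prune(self.per_ip[ip], now)
        self._prune(self.failed, now)
        self._prune(self.total, now)
        if len(self.per_ip[ip]) >= PER_IP_LIMIT:
            return "per-ip"       # one address submitting too quickly
        if len(self.failed) >= FAILED_LIMIT:
            return "failed"       # many declines: typical of card testing from a bot-net
        if len(self.total) >= TOTAL_LIMIT:
            return "total"        # site-wide ceiling regardless of source
        return None

    def record(self, ip, now, declined):
        # Record an attempt that was allowed through to the card processor.
        self.per_ip[ip].append(now)
        self.total.append(now)
        if declined:
            self.failed.append(now)


def simulate(attempts):
    """Run (seconds, ip, declined) attempts in order; return the block reason per attempt."""
    limiter = PaymentRateLimiter()
    outcomes = []
    for t, ip, declined in attempts:
        reason = limiter.check(ip, t)
        if reason is None:
            limiter.record(ip, t, declined)
        outcomes.append(reason)
    return outcomes
```

A blocked attempt is the point at which a real deployment would show the 60-second wait message and post the rate-limited notification.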