105
Credit Cards Are Vulnerable To Brute Force Kind Attacks
(metin.nextc.org)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 02 May 2026
105 points (97.3% liked)
Technology
84878 readers
6167 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
You don't need to stop them, you just need to make the effort not be worth it compared to using a different site. Things like making sure they have a valid session cookie before they hit the payment flow, and, ideally, require them to be logged in too. That way you can block attacking accounts, and they have to go through the effort of registering a new one, which is, hopefully, well gated against automated attacks.
Every single attempt registers a new user account, all with fake info. I have been trying all different things to block them but theres no unique data to identify them. I havent had a completed payment from them in a few weeks but I can still see the attempt being made.
At first, they used valid emails which led to me being banned from gmail because all the order notifications were being reported as spam.
Make so sign up requires proof of work. Will slow them down.
Become computationally expensive for them at scale
That would scare away real paying customers
You might want to try something like Anubis on both the signup and order pages. Real users will either not be stopped, or will only hit it once, and no user interaction is required to continue, but bot users will be slowed down enough to, hopefully, disuade them from returning.
Could just hide it behind a progress spinner? But it'll slow down the account creation.
Do you have basic security like 1 email is a unique account, and the email needs verification before an order can be placed? Because that simple step will be rate limiting for the attackers but normal and expected for real users.
Also could be worth considering using a dedicated payment processor to handle things. It adds overhead, but so does fraud.
I dont want to add barriers for real orders.
I use both Stripe and Paypal to process cards.
You don’t want barriers for scammers because they inconvenience real customers. So you choose to enable the scammers. That is exactly why this works.
Thanks for playing.
I agree. What do you suggest? Just shut it down?
I guess I could move to SantaFe and do something with turquoise.
People have already given you options and you repeatedly say “nah, that’s inconvenient”. The inconvenience is the point. You are inconveniencing customers who want to get a thing from you and have a reason to endure it to achieve that goal but you are also inconveniencing the scammers who have no goal at the end so…
Fuck it. Have fun in Santa Fe. Save me a seat and some tequila.
I feel like the card processors should bear this responsibility. I dont have the technical skill to apply most of the suggestions, and I fear damaging my income by doing it wrong.
They should, yes, but they don't. In fact, they'll ding you for having too many failed transactions and claim that it's your responsibility to do something about it.
You'd think the onus here should be on PayPal and Stripe.. Do they have anything to say?
They dont give a flying fuck.
Frustrating. Sorry you're in this position
Block Russian IP range. Do the logged ips of the malicious tries originate from the same region?
Entirely random as far as I can tell