Weird activity on Stripe

I’m seeing very similar customers, all from Brazil, being added to Stripe constantly. I’m not clear if it’s malicious. They don’t have any charges.

And this goes on. May 13 alone 100s were created.

One customer was successfully created and charged on May 13 from Brazil, but the charge was blocked as being from a high-risk country. Thank you Stripe.

There’s a lot of customers without charges. I don’t think the current donate code allows for that, they are created when they first donate so a charge would be created simultaneously.

What I see as the pattern is the customer is created, then another request tries to find the payment source aka the card token, but fails. It wasn’t created since they never completed a charge.

In April, it’s a lot of European domains, some Russian.

@SuperQ is there any logging on donate so I can see the requests? Getting a dump of the database would also be good. I don’t think it’s an issue with our servers per se, but there might be some permission issue with our API and worth speaking to Stripe.

The activity appears to start in March '19.
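The pattern described in this post (bursts of new customers, almost none with a charge, nonsense names) can be checked mechanically against a Stripe event export. The following is an added example, not code from the thread or from the Noisebridge donate app; the record fields and the sample events are constructed here and are not Stripe's real schema, and the thresholds are assumptions to tune.

```ruby
# Added example: flag days that look like card testing in an event export.
# Record fields (:type, :customer, :country, :email, :day) are assumptions,
# not Stripe's schema; adapt them to whatever your export actually contains.
require 'set'

VOWELS = /[aeiou]/i

# Heuristic only: card-testing bots often submit vowel-less random strings as
# names/emails. Real people can trip this, so it is a signal, not a verdict.
def gibberish?(email)
  local = email.to_s.split('@').first.to_s
  local.length >= 5 && local !~ VOWELS
end

# Returns { day => stats } for days with at least min_created new customers
# where at most max_charge_ratio of them ever produced a charge.
def card_testing_days(events, min_created: 20, max_charge_ratio: 0.1)
  charged = events.select { |e| e[:type] == 'charge.created' }
                  .map { |e| e[:customer] }.to_set
  by_day = events.select { |e| e[:type] == 'customer.created' }
                 .group_by { |e| e[:day] }
  flagged = {}
  by_day.each do |day, created|
    n = created.size
    next if n < min_created
    with_charge = created.count { |e| charged.include?(e[:customer]) }
    next if with_charge.to_f / n > max_charge_ratio
    flagged[day] = {
      created: n,
      without_charge: n - with_charge,
      gibberish: created.count { |e| gibberish?(e[:email]) },
      countries: created.group_by { |e| e[:country] }.transform_values(&:size)
    }
  end
  flagged
end

# Constructed sample: 25 charge-less Brazilian customers on one day, one
# Brazilian customer whose charge was blocked, and one ordinary donor.
SAMPLE_EVENTS =
  (1..25).map do |i|
    { type: 'customer.created', customer: "cus_br#{i}", country: 'BR',
      email: "qzxpt#{i}@mail.test", day: '2019-05-13' }
  end + [
    { type: 'customer.created', customer: 'cus_br26', country: 'BR',
      email: 'qzxpt26@mail.test', day: '2019-05-13' },
    { type: 'charge.created', customer: 'cus_br26', country: 'BR',
      email: 'qzxpt26@mail.test', day: '2019-05-13', blocked: true },
    { type: 'customer.created', customer: 'cus_ok1', country: 'US',
      email: 'alice@mail.test', day: '2019-05-12' },
    { type: 'charge.created', customer: 'cus_ok1', country: 'US',
      email: 'alice@mail.test', day: '2019-05-12' }
  ]

if __FILE__ == $PROGRAM_NAME
  card_testing_days(SAMPLE_EVENTS).each do |day, stats|
    puts "#{day}: #{stats.inspect}"
  end
end
```

Run against a real export, the interesting output is the days where `without_charge` is close to `created`; a blocked charge from a high-risk country on the same day, as in this thread, is the same signal from the other side.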

Eh, spoke too soon.

There’s a lot of activity from the front end.

Inspecting these requests, they are coming from Brazil.

They’ve grabbed the public key and are spamming to find valid tokens. It’s easy to grab, it’s on the front page source.

I feel like this should be tied to our domain/IP somehow, but this is a bit past me. I know we can roll the key but that doesn’t solve the fundamental problem. I am in favor of rolling it, however.


I poked around in Stripe, I can’t find any permission stuff for the keys or for the account in general that’s IP based. Not really clear about hiding the key either, it’s necessary in the Stripe JavaScript.

Suggest someone contacts stripe.

I sent them an email and it will be sent to the account.


Update: raised an issue on Infra to pull db and/or webserver logs to check if activity is generated on our side.

It’s feasible with the public key to generate the requests with, for example, curl, so anyone could do it. The server-side private key is necessary for charges so I don’t think there is any financial risk.


Copypasta:

From: Stripe Support <support@stripe.com>, 4:56 PM (1 hour ago)
To: Treasurer@noisebridge.net

Hi Patrick,

Thanks for using Stripe!

We want to flag some recent fraudulent activity on your Stripe account and request that you take action immediately.

We believe that card testing is occurring on your account, specifically on $0 or $1 card authorizations through either a token or customer endpoint. Card testing is where a bad actor tests hundreds or even thousands of stolen credit card numbers using the payment or donation flows on your website. You’ll find that there are hundreds of recent validation attempts coming from cards with nonsense information such as gibberish names and email addresses. Given the fraudulent nature of card testing, if you see any successful charge attempts stemming from this activity, please refund them immediately to avoid disputes.

To prevent this kind of activity on your site in the future, we ask that you please add Google’s reCAPTCHA (https://www.google.com/recaptcha) or another CAPTCHA service to your payment page, as this will deter third parties from spamming your form with fraudulent payments. Since the card testing is occurring upon card validation, adding a visible or invisible captcha in front of that API call would be the most effective mitigation. You might also consider temporarily rate-limiting the number of charges that can be made on your account in a short period of time.

We take the safety of your Stripe account very seriously. If we do not hear back from you within 7 days, we may need to temporarily pause transfers to your bank account or significantly block charge attempts that are coming through your account. Most of all, we hope this is helpful. Please let us know if you have any questions!

Best,
Matilda


ah, ok there we go. I was going to complain they didn’t involve the primary account, glad they did. Thank you.

The current donate is in Ruby which I can read but I have no programming experience.

I’m sure the documentation for adding reCAPTCHA (what is hidden reCAPTCHA?) is simple. This sucks though, CAPTCHA is annoying.


Calling /r/totallynotrobots


I’ve heard you can outsource them to porn sites since they have so many ppl logging on. Cannot confirm.

I think we should at least roll the key. It will stop an automated attack until they get the new one. I’ll have to find out where the key is in the donate code before we do that to replace it with the new key.

We should probably give Stripe a 10-4 Roger, “We’re on it” response.


Sorry, I no longer have the time to help. Perhaps down the road.

Okay, would you mind passing this on to someone that would be able to implement reCAPTCHA? It appears we have a short timeline before our Stripe account gets temporarily disabled.

Highlighting @themanmaran as a heads-up.


Sorry, I don’t know how to do it, that’s what I was saying above. I don’t know Ruby and I have only conjectured implementing should be easy.

I probably know Ruby less than anyone here, but happy to help on this. Can you forward me the email from the Stripe account and I would be happy to chat with them and let them know we are on it.

Stripe must have some plug-and-play captcha service. I imagine this would be a problem with plenty of Stripe users who are not quite as tech-savvy as NB. Once I get the contact info, I can call and chat with the Stripe guy.

Alternatively, here’s a Ruby captcha package: https://github.com/ambethia/recaptcha

The only relevant email is the one Nicole posted above. I only have emails that say “forwarding you to someone who can help”. Will forward to you regardless, but basically once they found the issue they (correctly) emailed the primary account.

I’ve responded to Stripe to let them know we’re aware and intend to add reCAPTCHA. They also suggested temporarily rate limiting the number of charges that can be made to our account.

I’ve created a PR that resolves this issue here:


@jay Awesome. CI is failing, can you take a look? Somehow it’s the scss. We could probably ignore it but want your opinion.

Thank you for that PR to resolve our reCAPTCHA issue, @jay. Looks like we’re in the clear on Stripe’s end, but it is concerning that CI is failing.

@ruthgrace @_ar would either of you mind taking a look at CI?
