How to Optimize Your Checkout’s UX While Protecting Against Credit Card Testing Fraud — Freemius

  1. Factors that tilt the balance in favor of UX or security (often to the detriment of the other).
  2. Attackers, their motivations, and why their existence warrants putting obstacles in place that can ruin the user experience.
  1. UX and Security Factors That Reduce Checkout Fraud Protection
  2. Turn Your Checkout into a Security Powerhouse That Squashes Credit Card Testing Fraud
  3. Four Security Layers That Filter Out Credit Card Testing Attacks

1. UX and Security Factors That Reduce Checkout Fraud Protection

Target Market and Niche Disconnect

Saying No to Strangers…

… until you’ve introduced yourself!

Over-Reliance on Credit Cards As Security Measures

Are Credit Card CVCs Secure and Should You Collect Them?

If It’s Easy for Companies, It’s Easier for Attackers

  1. Card information is easy to find if attackers know where to look
  2. Numbers can be randomized with simple scripts until something sticks
  3. There are a multitude of plugin checkouts in WordPress, many lacking backup security layers to make the transaction quicker.
  4. Plugin prices are relatively low in the WordPress space, so there’s tons of profit to be-

Why Do Cyber Criminals Attack WordPress Plugin Checkouts?


Testing, Testing … Any Valid Card Numbers out There?

  1. They’re trying random sets of numbers to see if anything goes through. Once the non-existent numbers are filtered out, they can sell the list of existing numbers online.
  2. They’ve purchased a list of existing cards and are using checkouts to filter out canceled/expired ones. They can then identify functional cards through micro-transactions.
  1. Sell the credit card number(s) at a higher price.
  2. Find checkouts that aren’t SCA/3DS-integrated to verify online payments. These lack multi-factor authentication and thus make it easier for credit card testers to charge illegitimate purchases and maximize their working cards.
  3. Make purchases below the SCA threshold so that secure authentications aren’t triggered. For example, transactions below £30 in the UK.

What Are the Penalties for Not Protecting Against Credit Card Testing?

Governments and Mandatory Regulations

Zip Codes: Should You Collect Them at Checkout?

Zip Codes Add More UX Friction Than Security Value

2. Turn Your Checkout Into a Security Powerhouse That Squashes Credit Card Testing Fraud

Choose a Payment Solution With a Network in Place

Checkout dialogue example from Freemius partner Unlimited Elements

reCAPTCHA

An inoffensive reCAPTCHA appears at the Freemius checkout

3. Four Security Layers That Filter Out Credit Card Testing Attacks

Layer One: Unearthing Email Fakery

  1. If it’s fake, the attacker will be booted from the checkout.
  2. If it’s suspicious, a reCAPTCHA can be dynamically introduced to clarify whether it’s an algorithm or a flesh-and-blood human.
  3. If it’s valid, the customer and their address have passed the first layer.
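The three-way outcome described for Layer One (reject, challenge with a reCAPTCHA, or let through) maps naturally onto a small triage function. The following is an added illustration, not Freemius checkout code: the disposable-domain list, the "known mail domain" set standing in for a real MX lookup, the digit-run heuristic and the per-IP velocity threshold are all constructed assumptions chosen to show the shape of the decision, not rules the article states.

```python
import re
from enum import Enum

# Constructed sample data (assumptions for this example). A production checkout
# would pull a maintained disposable-domain feed and do a live MX lookup instead.
DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.com", "guerrillamail.com"}
KNOWN_MAIL_DOMAINS = {"gmail.com", "outlook.com", "example.com"}  # stand-in for a positive MX check

# Deliberately simple syntax check; it rejects obviously malformed input only.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


class Verdict(str, Enum):
    FAKE = "fake"              # boot the attacker from the checkout
    SUSPICIOUS = "suspicious"  # dynamically introduce a reCAPTCHA
    VALID = "valid"            # customer passes the first layer


def classify_email(address, recent_attempts_from_ip=0):
    """Return (verdict, reason) for a checkout email address.

    recent_attempts_from_ip is a hypothetical counter the caller maintains;
    bursts of attempts from one source are a common card-testing signal.
    """
    address = address.strip().lower()
    if not EMAIL_RE.match(address):
        return Verdict.FAKE, "malformed address"
    local, domain = address.rsplit("@", 1)
    if domain in DISPOSABLE_DOMAINS:
        return Verdict.FAKE, "disposable mailbox domain"
    if domain not in KNOWN_MAIL_DOMAINS:
        # Unknown but well-formed: not enough to reject, enough to challenge.
        return Verdict.SUSPICIOUS, "domain not verified"
    if re.search(r"\d{6,}", local):
        # Long digit runs in the local part often come from scripted signups.
        return Verdict.SUSPICIOUS, "machine-like local part"
    if recent_attempts_from_ip >= 3:  # constructed threshold
        return Verdict.SUSPICIOUS, "too many recent attempts from this IP"
    return Verdict.VALID, "ok"


def checkout_action(verdict):
    """Translate a verdict into the checkout's response."""
    return {
        Verdict.FAKE: "reject",
        Verdict.SUSPICIOUS: "challenge_recaptcha",
        Verdict.VALID: "continue",
    }[verdict]


if __name__ == "__main__":
    # Constructed sample addresses.
    for sample in ["not-an-email", "x@mailinator.com", "bob123456789@gmail.com",
                   "carol@unknown-host.org", "alice@example.com"]:
        verdict, reason = classify_email(sample)
        print(f"{sample:28} -> {verdict.value:10} ({reason}) => {checkout_action(verdict)}")
```

The point of splitting the result into three classes rather than two is that the middle class absorbs the false positives: a buyer with an unfamiliar company domain gets a captcha, not a refusal, while the checkout still stops the plainly fabricated addresses without any friction for the ordinary case.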

Layer Two: Unmasking Geo-Spoofing

Scenario I

Scenario II

Layer Three: Revealing Domain and Subdomain Subterfuge

Layer 3.1

Layer 3.2

Layer 3.3

Layer Four: Unlocking Transactions With Payment Gateways

Checking Out…

Monetization & Insights platform for #WordPress #plugin #developers.