Brute force credit card testing on our merchant processing platform

Aloha everyone - We’re a non-profit affiliated with the University of Hawaii. Last week we were attacked by a bad actor testing credit cards at a high rate (~1500 per hour) on our donation page. Although we’ve instituted various measures over the years (front-end velocity limits, captcha, iFrame tokenization), the attacks have gotten more sophisticated. Many bots are likely deployed simultaneously, creating new sessions and IP addresses, to test stolen cards. We eventually got disabled by the merchant processor. The processor has been very little help other than to re-enable us after tweaking our controls. I heard that Cloudflare can recognize bot activity and filter these types of frequent attempts, and was wondering if anyone has experienced something similar and had Cloudflare drastically reduce or eliminate the auto-filling activity. Any feedback would be appreciated! BTW, the attacks came at a bad time for us as we were campaigning for donations for students and faculty affected by the Maui fires.
Mahalo,
~Steve
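
An added example, not part of the original post: the post describes bots that rotate sessions and IP addresses, which is why a per-IP velocity limit sees nothing while an endpoint-wide check on volume plus decline ratio does. The function names, thresholds and sample events below are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def per_ip_blocked(events, limit=5, window=600):
    """Count attempts a per-IP velocity limit (limit per window seconds) would reject."""
    seen, blocked = defaultdict(deque), 0
    for ts, ip, _approved in events:
        q = seen[ip]
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) >= limit:
            blocked += 1
        else:
            q.append(ts)
    return blocked

def first_aggregate_alert(events, window=300, min_attempts=50, decline_ratio=0.8):
    """Return the first timestamp at which attempts across ALL clients in the
    sliding window reach min_attempts with a decline ratio >= decline_ratio."""
    q, declines = deque(), 0
    for ts, _ip, approved in events:
        q.append((ts, approved))
        declines += not approved
        while ts - q[0][0] >= window:          # expire events older than the window
            declines -= not q.popleft()[1]
        if len(q) >= min_attempts and declines / len(q) >= decline_ratio:
            return ts
    return None

def card_testing_sample(n=250, gap=2.4):
    # Constructed: ~1500 attempts/hour, a new private-range IP per attempt,
    # 1 in 20 authorizations approved.
    return [(i * gap, f"10.0.{i // 256}.{i % 256}", i % 20 == 0) for i in range(n)]

def normal_sample(n=10, gap=60.0):
    # Constructed: one donation a minute, 1 in 10 declined.
    return [(i * gap, f"192.168.1.{i}", i % 10 != 0) for i in range(n)]

if __name__ == "__main__":
    attack = card_testing_sample()
    print("per-IP limit blocked:", per_ip_blocked(attack))
    print("aggregate alert at t =", first_aggregate_alert(attack))
    print("normal traffic alert:", first_aggregate_alert(normal_sample()))
```

The thresholds need tuning against real campaign traffic: a donation drive raises volume, but it should not push the decline ratio anywhere near that of card testing.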
