[hyperpallium]

Would a simple delay in confirmation be enough to dissuade them? e.g. 10 mins? an hour? There's probably some critical threshold where it's not worth it for the criminal/s.

Since the candy can't be dispatched instantly anyway, you could arrange it to not affect delivery times.

Though of course, delayed confirmation would also put off genuine customers. So you could faux-confirm it instantly, and follow-up later if there's a problem. i.e. same as parent, but fully automated.

[jmadsen]

I discussed this with Bemmu & wrote up the idea (in the context of Laravel coding, but the idea is the same) here: http://codebyjeff.com/blog/2015/10/cut-credit-card-thief-cha...

He was doing things a little differently than my idea, so not sure what success he had in blocking them.

[level3]

That doesn't seem like a big enough hurdle. Card testing is already automated with bots, and this method can be easily defeated with a simple tweak (e.g. use a catch-all address and then automate the link clicking).

I know you wrote that it's just "out-running you, not the bear," but you probably won't be outrunning others for very long.

Edit: I have no problem with measures that could help protect against fraud even just a little, but this one also introduces friction for legitimate customers, so it needs to be sufficiently effective to be worth it.