by wwweston 1181 days ago
> It turned out that people were using Readlang for card testing fraud. After I helped them to fix the problem

How does one fix the card testing fraud problem? Certainly you can refund people after the fact, but it seems to me any point where small-dollar service/product can be purchased by card is vulnerable and you'd have to kinda guess whether the usage makes sense?

2 comments

The ideal fix was to upgrade the version of Stripe checkout. At the time though I was looking for a quick solution and was scared to update the Stripe libraries for fear of accidentally breaking something else. So here's what I did:

- First I tried adding an IP address based rate limiter to the signup and payment routes, and required that all users had translated at least one word before being allowed to upgrade. It stopped the attempts for a few hours, but then they started back up again.

- Next, I used a more drastic approach, which would prevent all payment attempts from all IP addresses if we received more than 10 failed payment attempts within a 1 minute window. Still didn't work.

- Next, I changed the thresholds to 4 failed payment attempts within 5 minutes, and this finally worked!

Since buying Readlang back, I've updated the Stripe checkout to the latest version, turned off the circuit breaker, and haven't had any further problems.
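The global circuit breaker described in the steps above, as an added standalone example (not Readlang's own code): a sliding window of failed charges that refuses every payment attempt once the threshold is reached, replayed against both of the threshold settings the comment mentions. The decline timelines are constructed.

```javascript
// Added example, not Readlang's implementation: after `threshold` failed
// charges within `windowMs`, every payment attempt is refused until enough
// old failures age out of the window.
class PaymentCircuitBreaker {
  constructor({ threshold, windowMs }) {
    this.threshold = threshold;
    this.windowMs = windowMs;
    this.failures = []; // timestamps (ms) of recent failed attempts, oldest first
  }

  // Drop failures that have aged out of the sliding window.
  prune(now) {
    const cutoff = now - this.windowMs;
    while (this.failures.length && this.failures[0] <= cutoff) this.failures.shift();
  }

  // Called when the payment processor declines a charge.
  recordFailure(now) {
    this.prune(now);
    this.failures.push(now);
  }

  // True when payments should be refused for everyone right now.
  isOpen(now) {
    this.prune(now);
    return this.failures.length >= this.threshold;
  }
}

// Replay a timeline of declined attempts (ms offsets) against one breaker
// config; return the time the first attempt was refused, or null if never.
function simulate(declinesMs, config) {
  const breaker = new PaymentCircuitBreaker(config);
  for (const t of declinesMs) {
    if (breaker.isOpen(t)) return t; // refused before reaching the processor
    breaker.recordFailure(t);
  }
  return null;
}

// Constructed sample: one declined card attempt every 20 seconds for 10 minutes.
const slowProbe = Array.from({ length: 30 }, (_, i) => i * 20_000);
// 10 failures per minute never accumulates (at most 2 in any 60 s window).
const loose = simulate(slowProbe, { threshold: 10, windowMs: 60_000 });  // null
// 4 failures per 5 minutes trips on the fifth attempt, at 80 s.
const strict = simulate(slowProbe, { threshold: 4, windowMs: 300_000 }); // 80000
```

The loose setting only catches rapid bursts, which is why a slower tester slips through it; the tighter setting trades a risk of locking out legitimate customers after a few genuine declines for actually stopping the probing.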

There are a lot of ways to reduce it, just some ideas: turn on 3dsecure authentication whenever available. Check user location vs card location. Validate cvc code and postal code. Check for user activity and user signals (user agent, screen size etc) on the website, and other methods.