[bragr]

>that doesn't apply to cc fraud yet

It stops "card testing" where someone has bought or stolen a large number of cards and need verify which are still good. The usual technique is to cycle through all the cards on a smaller site selling something cheap (a $3 ebook for example). The problem is that the high volume of fraud in a short time span will often get the merchant account or payment gateway account shut down, cutting off legitimate sales.

As a consumer, you should also be suspicious of a mysterious low value charge on your card because it could be the prelude to much larger charges.

[Aachen]

Someone who steals money from thousands of individuals for a living won't hesitate to use a botnet either. Cloudflare isn't a payment provider (*shudders* yet), they can't verify transactions, they can only guess at who's "honest". I'm at the losing end of this guess so often as someone who frequently visits friends and family in the neighbouring country they come from, and someone who doesn't have tracking cookies anymore that were set only a few minutes ago, who uses a "non-standard" browser (Mozilla's Firefox), I don't feel like Cloudflare does a very good job at detecting when I'm trying to honestly use the site. At the same time, doing security testing as my job: the customer having Cloudflare enabled usually doesn't matter for us being able to reach and exploit vulnerable pages, it just decides to block you randomly the same way that it does in private time when I'm not trying to break anything. It doesn't properly do the job and it blocks legitimate people based on a gut feeling, and you have no recourse, you can suck it up. Whatcha gonna do, take Cloudflare to court for blocking your access to your bank? Under what law is that illegal? There is nothing you can do; your bank's customer support isn't going to disable Cloudflare for you.

Anyway, no, this guessing game isn't the solution to stolen bank details, the solution is for the payment provider to authenticate the account holder beyond merely entering a public number, especially if they suddenly see a flood of transactions from this one merchant as you describe. They can decide to ask for a second factor: send the person an SMS/email, ask to generate an authenticator code, whatever it is they've got on file beyond your card/account number. Anything else is just guesswork

[doctor_radium]

> Whatcha gonna do, take Cloudflare to court for blocking your access to your bank? Under what law is that illegal?

In the USA, I think it would be worth trying to sue Cloudflare for either "free speech" or "public nuisance" violations. Gonna reach out to the ACLU and EFF in the coming days.

[lmz]

It depends what they're selling. If they're selling something people want - the only answer is enforcing things like 3DS. If they are e.g. a charity receiving donations via card - they may still use it for card testing. Making card testing unprofitable is the point.