One thing I excluded from the article was that we intentionally disabled several checks (like hCaptcha) to let them get to the stage of setting up the payment intents. This is not something I've done before, but basically I wanted to see what happens if in future an attacker is able to bypass all IP/captcha/altcaptcha, etc. restrictions and gets to something that actually does damage. This allowed to see how they are trying to bypass various rate limits/checks that we added specifically for that step. Somewhat an isolated experiment.
I have no clue if this worked at all, but in college I made a site that had a checkbox that said “check this box if you’re human” and then hid it with bizarre CSS. If they checked the box, we errored out. I didn’t really do telemetry at all, so no clue if that worked at all, but yeah, I’ve had the same thought!
It's insane to me that Stripe cancels accounts when they get used for card testing. I get that it's because the onus would be on them otherwise, but the problem is that the onus is on anyone but the card companies in the first place.
One thing I excluded from the article was that we intentionally disabled several checks (like hCaptcha) to let them get to the stage of setting up the payment intents. This is not something I've done before, but basically I wanted to see what happens if in future an attacker is able to bypass all IP/captcha/altcaptcha, etc. restrictions and gets to something that actually does damage. This allowed to see how they are trying to bypass various rate limits/checks that we added specifically for that step. Somewhat an isolated experiment.
I would wonder if this could also be used as a kind of tripwire, where legitimate users won't present CAPCHA tokens, etc. But fake connections will.
I have no clue if this worked at all, but in college I made a site that had a checkbox that said “check this box if you’re human” and then hid it with bizarre CSS. If they checked the box, we errored out. I didn’t really do telemetry at all, so no clue if that worked at all, but yeah, I’ve had the same thought!
It's insane to me that Stripe cancels accounts when they get used for card testing. I get that it's because the onus would be on them otherwise, but the problem is that the onus is on anyone but the card companies in the first place.
That's pretty creepy that they found you (well, the author, not sure if this was a self-submit) on discord though. Oof.
Well, their Discord server is right on their front page, so he's pretty easy to find.