Preventing Fraud using Swappy

Learn how to best combat fraud, false disputes, and more while using Swappy with Stripe & PayPal!

Written by Bitzer
Updated over a week ago

The general picture

Around 35% of US credit cardholders experienced credit card fraud in 2019. Over 46% of the world's credit card fraud happens in the US. More than $24.2 billion was lost globally due to payment card fraud in 2018. The Federal Trade Commission returned $232 million to victims of fraud and identity theft in 2019. (from legaljobs)

Card testing

As Stripe's documentation describes it, card testing is a type of fraudulent activity in which someone tries to determine whether stolen card information is valid so that they can use it to make purchases. A fraudster typically buys a batch of stolen card details and then attempts small authorizations or purchases with each card to find out which ones are still live. Other common terms for card testing are "carding", "account testing", and "card checking."

Carders

Carding is a term describing the trafficking and unauthorized use of credit cards. The stolen credit cards or credit card numbers are then used to buy prepaid gift cards to cover up the tracks. Activities also encompass exploitation of personal data, and money laundering techniques. (from Wikipedia)

How to protect your Business

We have created this help article to give you concrete guidance on what to do if your store is targeted by these attacks.

Stripe

Swappy uses the Stripe API to process credit and debit card payments, alongside other payment methods offered through Stripe such as Apple Pay, Cash App Pay, and more.

First off, these settings are a must

  1. Enable Stripe Radar. Radar detects and blocks fraud using machine learning trained on payment data from millions of businesses worldwide.

  2. Create automatic blocking rules (detailed below) in Radar and tune them to the patterns you see in your own business's payments.

The Golden Rule

This rule is a must-have for Stripe Radar and you should configure it immediately.

It blocks any card payment for which the CVC check failed or was not performed at all ('unchecked', 'unavailable', 'not_provided'). A card tester who holds only a leaked card number and expiry date does not have the CVC, so this rule stops the bulk of card-testing traffic. Digital-wallet payments (Apple Pay, Google Pay, Visa Checkout) are exempted because the wallet tokenizes the card and no CVC check is performed on them; without the exemption the rule would block those payments too. Be aware that some issuers never return a CVC result, so a small number of legitimate customers will also be declined; keep an eye on blocked payments during the evaluation period described below.

Block if :cvc_check: in ('fail', 'unchecked', 'unavailable', 'not_provided') and :digital_wallet: != 'apple_pay' and :digital_wallet: != 'visa_checkout' and :digital_wallet: != 'android_pay'

Stripe Radar rules

Request 3D Secure (3DS) on every card purchase. Strong Customer Authentication under PSD2 makes it mandatory for most card payments where both the cardholder's bank and your business are in the EEA, and a successful 3DS authentication shifts liability for fraudulent chargebacks to the card issuer, which helps tremendously against fraud attempts.

Be sure to enable both

  • Request 3DS if 3D Secure is recommended for card

  • Request 3DS if 3D Secure is supported for card


Blocking failed CVC attempts

One of the most important rules you can enable is blocking payments if the CVC verification fails.

This means a card tester who already has the card number and expiration date must also guess the CVC (three digits, or four for American Express), and with failed attempts being blocked and rate-limited they are stopped long before they can work through the 1,000 possible values.

Block if CVC verification fails


Additional rules

If you still see carding attempts happening on your store, you can enable the following rules through your Radar dashboard.

Block if :risk_level: = 'highest'
Block if payment matches one or more values in default Stripe block lists
Block if :risk_score: > 50 and :card_country: = 'US' and :card_count_for_customer_daily: > 1
Block if (:ip_country: in ('ID','TR') or :is_anonymous_ip:) and :risk_score: >=60
Block if :is_disposable_email: and :is_anonymous_ip:
Block if :total_charges_per_card_number_hourly: > 10 and :card_country: != 'US'


Blocking BINs

The BIN, or Bank Identification Number, is the first six digits of a card number (card networks are moving to eight-digit BINs, but Stripe's :card_bin: attribute exposes the first six). These digits identify the issuing institution, usually a bank. In a BIN attack, fraudsters take a BIN they know belongs to a real issuer and generate the remaining account-number digits algorithmically, keeping the candidates that pass the card number checksum, and then card-test the results in the hope of hitting live cards.

Add the following rules to block BIN prefixes that have been seen in attacks. Two caveats before you enable them: Radar's includes operator is a substring match, so '402' also matches a BIN such as 540212 and a three-digit prefix covers the ranges of many legitimate issuers, which means some genuine customers will be declined; and since Radar risk scores run from 0 to 99, the :risk_score: >= 0 and >= 3 conditions are true for practically every payment and do not narrow the rules. If you can identify the exact six-digit BINs being abused in your own logs, block those instead.

Block if :card_bin: includes '402' and :risk_score: >= 0
Block if :card_bin: includes '420' and :risk_score: >= 0
Block if :card_bin: includes '4355' and :risk_score: >= 0
Block if :card_bin: includes '478' and :risk_score: >= 3
Block if :card_bin: includes '440' and :risk_score: >= 3
Block if :card_bin: includes '461' and :risk_score: >= 3


Stricter Rules

If carding attempts keep going through, there are a few additional, stricter rules you can add. Each of these also blocks some legitimate customers (prepaid cards, travellers whose card country differs from their IP country, customers on VPNs), so watch your blocked-payment counts closely after enabling them.

Block if :total_charges_per_card_number_hourly: > 3
Block if :risk_score: > 85
Block if :blocked_charges_per_ip_address_hourly: > 2
Block if :total_charges_per_ip_address_hourly: > 3
Block if :card_funding: = 'prepaid' or :card_funding: = 'unknown'
Block if :card_country: != :ip_country:
Block if :is_disposable_email: and :card_funding: = 'prepaid'
Block if :card_3d_secure_support: = 'not_supported' and :is_anonymous_ip:
Block if :cvc_check: in ('fail', 'unchecked', 'unavailable', 'not_provided') and :is_anonymous_ip:


Card Testing

A reCAPTCHA (invisible at first, then an interactive challenge) is required on every card payment submission, and the invoice is voided if too many attempts fail, so a tester cannot keep cycling cards against the same invoice.

To create further custom blocking rules and reduce card testing attempts as far as possible, take a look at Stripe's guidelines on the issue.
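The Radar rules above act on each payment as it arrives; it also helps to look back over your own attempt logs to see card testing, CVC guessing and BIN attacks as patterns. The script below is an added example written for this article, not Swappy's or Stripe's code. It assumes a hypothetical per-attempt log written by your checkout application with the fields shown: failure_code mirrors Stripe's Charge failure codes, fingerprint and bin mirror Stripe's card fingerprint and first six digits, and the client IP is assumed to be captured by the application itself. The sample log is constructed for the example.

```python
"""Detecting card testing and BIN attacks in payment-attempt logs.

Added example, not Swappy's or Stripe's code. Assumes a hypothetical log
written by the checkout app with the fields used below (the client IP is
assumed to be recorded by the app; the other fields mirror Stripe's Charge
failure codes and card fingerprint/BIN).
"""
from collections import defaultdict

# Constructed sample log: one legitimate customer (a CVC typo, then success)
# and one card tester cycling six distinct cards under the same BIN within
# three minutes, one of which turns out to be live.
ATTEMPTS = [
    {"ts": 1000, "ip": "203.0.113.7", "fingerprint": "fp_legit", "bin": "424242", "failure_code": "incorrect_cvc"},
    {"ts": 1020, "ip": "203.0.113.7", "fingerprint": "fp_legit", "bin": "424242", "failure_code": None},
    {"ts": 2000, "ip": "198.51.100.23", "fingerprint": "fp_a1", "bin": "402400", "failure_code": "incorrect_cvc"},
    {"ts": 2030, "ip": "198.51.100.23", "fingerprint": "fp_a2", "bin": "402400", "failure_code": "incorrect_cvc"},
    {"ts": 2060, "ip": "198.51.100.23", "fingerprint": "fp_a3", "bin": "402400", "failure_code": "card_declined"},
    {"ts": 2090, "ip": "198.51.100.23", "fingerprint": "fp_a4", "bin": "402400", "failure_code": "incorrect_cvc"},
    {"ts": 2120, "ip": "198.51.100.23", "fingerprint": "fp_a5", "bin": "402400", "failure_code": None},
    {"ts": 2150, "ip": "198.51.100.23", "fingerprint": "fp_a6", "bin": "402400", "failure_code": "incorrect_cvc"},
]


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check. A BIN attacker enumerates account numbers under
    a known BIN and keeps only those that pass this check (one in ten), which
    is why a BIN alone is enough to start generating plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_testing_alerts(attempts, window=3600, max_failed=3, max_cards=3):
    """Flag IPs that, within any `window` seconds, exceed `max_failed` failed
    attempts or touch more than `max_cards` distinct cards. Returns, per
    flagged IP, the worst counts seen in any window (thresholds are demo values)."""
    by_ip = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a["ts"]):
        by_ip[a["ip"]].append(a)
    alerts = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end]["ts"] - rows[start]["ts"] > window:
                start += 1  # slide the window forward
            win = rows[start:end + 1]
            failed = sum(1 for r in win if r["failure_code"])
            cards = {r["fingerprint"] for r in win}
            if failed > max_failed or len(cards) > max_cards:
                cur = alerts.setdefault(ip, {"failed": 0, "distinct_cards": 0})
                cur["failed"] = max(cur["failed"], failed)
                cur["distinct_cards"] = max(cur["distinct_cards"], len(cards))
    return alerts


def abused_bins(attempts, min_cards=4, min_fail_rate=0.75):
    """BINs seen on many distinct cards with a high failure rate: the signature
    of a BIN attack. The returned six-digit BINs are candidates for an exact
    Radar block rule, which avoids the substring problem of a short prefix."""
    per_bin = defaultdict(lambda: {"cards": set(), "total": 0, "failed": 0})
    for a in attempts:
        s = per_bin[a["bin"]]
        s["cards"].add(a["fingerprint"])
        s["total"] += 1
        s["failed"] += 1 if a["failure_code"] else 0
    return sorted(
        b for b, s in per_bin.items()
        if len(s["cards"]) >= min_cards and s["failed"] / s["total"] >= min_fail_rate
    )


if __name__ == "__main__":
    print("Luhn check on 4242424242424242:", luhn_valid("4242424242424242"))
    print("Card-testing alerts:", card_testing_alerts(ATTEMPTS))
    print("BINs to consider blocking:", abused_bins(ATTEMPTS))
```

Run it over a day of your own attempt logs; IPs it flags are candidates for a Radar IP block list, and BINs it returns can be blocked with an exact :card_bin: = '402400' rule rather than a three-digit substring. The thresholds are deliberately low for the constructed sample and should be set from your own traffic.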

Apple Pay, Google Pay, Banking methods

If you see a high rate of fraud attempts, or fraudulent payments succeeding, through the additional payment methods offered via Stripe, you can disable those methods directly in your Stripe Dashboard.

Additional Guide

You can take a look at this other guide on additional rules and potential things you might want to know.

Evaluation period

After you have added these rules, leave them active for a few weeks, watch the blocked-payment and dispute counts in your Radar dashboard, and listen for customers reporting that legitimate payments were declined.

You can then tweak, remove, tighten or improve them as you see fit.

PayPal

Swappy integrates with PayPal to accept payments from other PayPal accounts!

Card Testing and Carding

PayPal does not currently offer rule-based fraud controls comparable to Stripe Radar. If you see frequent carding attempts on your account, our suggestion is to block the offending user from your PayPal account, your Discord, and anywhere else they interact with you. Swappy does perform its own checks, but it is difficult to block PayPal card attempts entirely because PayPal does not expose an effective means for us to do so.

Get immediate help if your business is targeted

If you're experiencing these types of attacks, get in touch with our support ASAP. You can find more information on how to contact us here.
