Website security is often one of the most overlooked aspects of owning a WooCommerce website, at least until the attacks succeed. One of the most worrying security risks over the last few months is the increase in the frequency of credit card fraud. The increase specifically comprises of card testing and bin attacks. In this article, you will learn how you can protect your WooCommerce website from credit card attacks.
What are Card Testing and Bin Attacks?
Card testing and bin attacks involve an attacker attempting a transaction on your website and testing thousands of credit card number combinations on your checkout page. They will keep doing this until they get a combination that works.
If an attack is successful, they will be able to commit fraud. But even if the attackers don’t succeed, it still doesn’t bode well for the website owners. You will get slapped with a hefty fee worth thousands of dollars by the credit card processor company themselves.
If this hasn’t happened to you yet, consider yourself lucky as it already has to many other store owners. You can improve the security of your site so you don’t fall victim to card testing and bin attacks.
Standard Website Security
If you own a WooCommerce website, you should have already taken the standard security measures for your website. This includes keeping your plugins and themes updated, installing an SSL certificate, installing a security plugin, and other best practices. If you haven’t yet, you can check out these posts.
The Most Important Steps to Take Against Card Testing and Bin Attacks
Credit card processors will usually push the blame of the card testing and bin attacks to the business owner. However, they also have a responsibility to keep their own systems secure. Being financial organizations, credit card processors need to have the most secure systems.
Most merchant account owners would not be aware that card processors have additional security features. These can be configured to prevent card testing and bin attacks. This extra line of security is your best protection against credit card fraud.
While some of these features may bring some additional fees, enabling them is recommended. For example, one of these technologies is 3DSecure. This requires customers to complete an additional verification step for each credit card transaction. In theory, this should fully prevent any automated attacks. And even if an attack does get through, the credit card processor should no longer hold you liable for it.
Some credit cards processors would have other extra security features that don’t require any additional payment. One example is being able to configure simple rules to filter out suspicious card activity. For instance, you could filter out all transaction attempts outside of the countries you are servicing. That would already block most attackers.
You can also filter out transactions that have had a number of failed attempts within a short amount of time. This is called the velocity filter or rate-limiting. For example, you can filter out transactions with 5 failed attempts within 5 minutes. This results in the card processor rejecting further attempts. This won’t stop the attack entirely. However, it can reduce the number of attempts because the rejected combinations are now worthless to the attacker.
Know What Security Tools are Available to You as a Merchant
The most important thing is to know your credit card processor and the security features they have available. Contact them if necessary. If they don’t have any of these, then we strongly recommend switching to another company that offers better security.
Steps to Take on the Website Side to Prevent Card Testing and Bin Attacks
Once the credit card processor side of things has been sorted, next will be the website side. Proper defense against credit card fraud consists of measures taken on both the card processor and website site. To this end, we recommend a system with 3 lines of defense.
Install a Website Firewall
Install a Website Firewall
A website firewall such as Sucuri is designed to monitor activity on the website. It can block brute force attacks, filter user sessions with suspicious behavior, and patch vulnerabilities. For preventing card testing and bin attacks, we want the ability to filter out sessions that display suspicious behavior. Since credit card attacks usually involve bots, a firewall is a good first line of defense.
Add a Captcha
Add a Captcha
A captcha is a verification system designed to filter out bots from legitimate human users. It helps prevent bots from doing any malicious activity on your sites like submitting contacts forms, sign-up forms and even checkout forms.
Preventing bots from completing the checkout form is what we need against card attacks. While Captchas have a slight impact on user experience, they’ve continued to improve over the years. Google’s ReCaptcha v2 and v3 are among the best examples. Learn how to set up Recaptcha for WooCommerce here. And with that, your second line of defense is set.
- Set Checkout Attempt Limit
In the unlikely chance that attackers bypass both the firewall and captcha, this next line of defense is designed to address the main problem. The main issue with card testing and bin attacks is the surge of transaction attempts sent over to the card processor. Similar to the velocity filter on the card processor side, you can set up a similar filter on the website side using the Woo Manage Fraud Orders plugin. You can set it up to automatically block the users that execute consecutive failed attempts at placing an order on your site. The plugin allows you to set a limit to the number of fraud attempts. For example, you can set this at 5 attempts. This way, 5 will be the maximum number of transaction attempts sent to the card processor and the attacker is permanently blocked from the website.
Credit card testing and bin attacks are on the rise. You can prevent it from happening to your site.
Make use of fraud prevention features on your credit card processor and implement our recommended security measures on the website side. Find out what anti-fraud measures are available to you as a merchant. These security tools will save you from being fined thousand’s of dollars. Contact your credit card processors to know what tools you can set up. Implement them. Then proceed to implement the security measures on the website next
If you need any assistance on the technical side, we can help. And if you have questions, don’t hesitate to contact our support team.
Disclaimer: Article contains affiliate links. When you buy through links from this article, we may earn an affiliate commission.