How to Secure a Magento Store from Card Payment Attacks?

Recently, there has been a significant increase in “Carding” attacks in Magento 2 websites. These attacks, also known as Credit Card stuffing, involve malicious bots rapidly attempting to initiate checkouts on a website. The process serves as a means to validate stolen card information (Or) use partial details to “crack” correct details. 

This article aims to provide a straightforward and practical solution for addressing Magento card payment attacks. If your store is currently dealing with this issue, implementing the suggested solution will equip you with a robust defense against further failed payment attempts.

What is a Carding Attack?

A Carding attack in Magento is the illicit practice of using stolen credit card information to make unauthorized transactions or purchases online. It involves the unauthorized use of credit card data obtained through various means, such as phishing, data breaches, or purchasing card information from the dark web.

The individuals engaged in carding attacks, known as carders, use the stolen credit card details to buy goods or services online, often aiming to resell them for profit. They may test the validity of the stolen card information through small transactions before attempting larger purchases.

Carders might also use techniques like identity theft, creating counterfeit cards, or exploiting vulnerabilities in payment systems to carry out fraudulent transactions.

Businesses and individuals must remain vigilant against carding attacks by implementing robust security measures, regularly monitoring financial transactions, employing fraud detection tools, and maintaining strict authentication procedures to protect sensitive payment information from falling into the wrong hands.

An evident sign of this assault is a surge in Payment Failures and questionable checkout actions. This attempt mostly happens in Magento Stores with unsupported versions.

Here, we have shared a few essential actions to prevent this.

Enable Captcha with Payment Form

Only the latest Magento versions incorporate this feature. In the older versions, one must implement it specifically. Still, this measure will prevent fake payment attempts made only from the checkout page. Hence, for other scenarios, this measure may not resolve the issue.

Prevent SPAM Bots/IPs via Web Server Configuration

All you need to do is analyze your Magento quote table to find the suspicious attempts and then block the bots’ IPs in your web server configuration file. Note that blocking these IPs may resolve the issue temporarily. It is not a permanent solution because the spammers may try from other IPs. 

Firewall Installation and Configuration

Setting up firewall software such as Cloudflare, Sucuri, or similar options that suit your web server’s requirements is a simple yet effective step in addressing security concerns. Yet, occasionally, adjusting firewall configurations might be necessary to achieve the heightened protection you seek.

You may have a web application firewall in place or an internal cybersecurity team to manage bot mitigation. However, this solution does not provide comprehensive protection for your Magento store against the carding vulnerability.

Blocking Fake API Requests/Attempts

Many of us might have overlooked the possibility that hackers can execute payments via Magento REST APIs. Hackers can exploit Magento’s default APIs to generate multiple payment attempts. However, is there a method to limit these fraudulent payment attempts made through Magento’s APIs?

Yes, we can restrict these malicious payment attempts by following these simple code customization. 

Add a custom condition/validation to the function savePaymentInformationAndPlaceOrder() in Magento\Checkout\Model\GuestPaymentInformationManagement.

The custom condition/validation:

$objctManager = \Magento\Framework\App\ObjectManager::getInstance();
            $remote = $objctManager->get('Magento\Framework\HTTP\PhpEnvironment\RemoteAddress');
            $ip = $remote->getRemoteAddress();

if($ip_attempts = $this->_cache->load(sha1($ip))) {
                if($ip_attempts >= 5) {
                      throw new CouldNotSaveException(__('An error occurred on the server. Please try to place the order again.'));
                else {
                    $this->_cache->save($ip_attempts + 1, sha1($ip));
            } else {
                $this->_cache->save($ip_attempts + 1, sha1($ip));

The above customization will block the payment requests made from the same IP more than five times (adjust this no.of attempts based on your business case). Note that implementing this customization will allow the first few fake attempts but will ultimately safeguard your store from various attempts. Furthermore, implementing it requires minimal time and effort.

As always, apply necessary security patches and upgrade your Magento stores to the latest version to avoid security vulnerabilities. 

Contact Payment Service Provider

Contact the Payment Service Provider to inquire about the activation or deactivation status of fraud prevention services associated with the payment service. Ensure that services such as “AVS” for address validation and “3D Secure” are activated to enhance protection against fraudulent transactions.

How do Carding Attacks in Magento work?

Carding attacks illegally acquire goods or cash out through fraudulent card transactions. To elaborate, consider a typical scenario in such an attack:

The Lifecycle of a Carding Attack

Understanding the lifecycle of a carding attack involves several steps. These steps may include accessing a list of stolen credit card numbers with associated security data, such as card verification values, initiating bot attacks to test the acquired cards, and ultimately determining the disposition of the tested card data.

Malicious Bots Facilitate Carding Attacks

Carding attacks leverage specific use cases of malicious bot attacks. It is because bots, being automated, carry out tasks necessary for the completion of the attack. Bots can test card numbers discreetly by initiating small transactions, avoiding detection. After card verification, they add the validated cards to the list for use in illicit transactions.

Retailers May Suffer Consequences

Once attackers have verified cards, they can easily use them to complete ecommerce transactions. Consequently, when a retailer ships a product, the likelihood of recovering the product diminishes. 

Indications of such attacks include a higher number of failed transactions or multiple payment attempts. This results in an increased number of abandoned carts on websites when bots are used to validate cards from a list.

Enhancing Security Measures Against Carding Attacks in Magento Website

Carding attacks, commonly known as credit card fraud, present a substantial concern for both ecommerce business proprietors and customers. As discussed earlier, there are available solutions to reduce the risk of succumbing to this malicious cybercrime or attack. 

While it’s impossible to eliminate security risks, implementing these best practices suggested by Adobe Commerce enhances the security stance of Commerce installations.

A secure website and infrastructure create a less appealing target for malicious attacks, guarantee the security of the solution and customers’ sensitive data, and reduce the likelihood of security-related incidents that might lead to site disruptions and expensive investigations.

If you have any issues regarding your Magento Website or face challenges in resolving the mentioned issues, please reach out to us today. We’re here and ready to help and have a discussion.

About The Author

We take the guesswork out of ecommerce.
Schedule a consultation call today