I’ve been dealing with a large number of fraudulent subscription attempts. They began on February 1 and I’ve had over 120 since then. They’re quite easy to spot, since they all come from email addresses with the format
NameX@gmail.com, where X is either one or two digits, e.g.
Almost all of them failed, either because the bank declined or Stripe blocked the payment. Two succeeded, and I’ve refunded the payments in order to avoid disputes and the dispute fees.
My question is, do I simply have to deal with this through Stripe, or is there something on the Ghost side that I can change to cut this down? Scammers have clearly found my site and I can’t count on them going away anytime soon.
I’ve been in touch with Stripe about the attempted fraud mentioned in my previous message (since I first posted, four more fraudulent payments have been successful; Stripe refers to this as “card testing”). They have given me some advice about how to cut down fraudulent transaction attempts. One suggestion they made is:
“Card testing can often be prevented by requiring login or session validation when performing certain actions, such as creating an account or making a payment.”
This seems like it would be extremely helpful, since all the email addresses being used look extremely fake. Is it possible to configure Ghost so that only users who have signed up and confirmed their email address are able to make a payment?
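An added example, not part of the original posts and not Ghost or Stripe code: one way to triage an export of payment attempts for the address format described above, listing successful suspect payments for refund review and measuring how tightly the attempts cluster in time. The record shape (`email`, `status`, `at`), the thresholds and the sample data are assumptions made for illustration.

```javascript
// Format described in the post: a name followed by one or two digits, at gmail.com.
// Assumption: the name part is letters only. Real members can match this too,
// so a match is a signal for review, not proof of fraud.
const SUSPECT_EMAIL = /^[a-z]+\d{1,2}@gmail\.com$/i;

function matchesReportedPattern(email) {
  return SUSPECT_EMAIL.test(email.trim());
}

// attempts: [{ email, status: 'failed' | 'blocked' | 'succeeded', at: ISO timestamp }]
// Hypothetical record shape; map your own payment export onto it.
function triage(attempts, { windowMinutes = 60, burstSize = 3 } = {}) {
  const suspects = attempts
    .filter((a) => matchesReportedPattern(a.email))
    .sort((a, b) => Date.parse(a.at) - Date.parse(b.at));

  // Successful suspect payments are the ones to review for refund
  // before they turn into disputes.
  const reviewForRefund = suspects.filter((a) => a.status === 'succeeded');

  // Sliding window: the largest number of suspect attempts that fall
  // inside any span of windowMinutes.
  const windowMs = windowMinutes * 60 * 1000;
  let peak = 0;
  let start = 0;
  for (let end = 0; end < suspects.length; end++) {
    while (Date.parse(suspects[end].at) - Date.parse(suspects[start].at) > windowMs) {
      start++;
    }
    peak = Math.max(peak, end - start + 1);
  }
  return { suspects, reviewForRefund, peak, burst: peak >= burstSize };
}

// Constructed sample data, not taken from the post.
const sample = [
  { email: 'placeholdera1@gmail.com', status: 'failed', at: '2000-02-01T10:00:00Z' },
  { email: 'placeholderb22@gmail.com', status: 'blocked', at: '2000-02-01T10:05:00Z' },
  { email: 'reader@example.org', status: 'succeeded', at: '2000-02-01T10:06:00Z' },
  { email: 'placeholderc3@gmail.com', status: 'succeeded', at: '2000-02-01T10:20:00Z' },
  { email: 'placeholderd123@gmail.com', status: 'failed', at: '2000-02-01T10:25:00Z' },
  { email: 'placeholdere9@gmail.com', status: 'failed', at: '2000-02-01T14:00:00Z' },
];

console.log(triage(sample));
```

A burst of matching attempts in a short window is a stronger indicator of card testing than the address format alone, which is why the two are reported separately.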