Sudden surge of fraudulent payment attempts

I’ve been dealing with a large number of fraudulent subscription attempts. They began on February 1 and I’ve had over 120 since then. They’re quite easy to spot, since they all come from email addresses with the format NameX@gmail.com, where X is either one or two digits, e.g. Mike04@gmail.com.

Almost all of them failed, either because the bank declined or Stripe blocked the payment. Two succeeded, and I’ve refunded the payments in order to avoid disputes and the dispute fees.

My question is, do I simply have to deal with this through Stripe, or is there something on the Ghost side that I can change to cut this down? Scammers have clearly found my site and I can’t count on them going away anytime soon.

I’ve been in touch with Stripe about the attempted fraud mentioned in my previous message (since I first posted, four more fraudulent payments have been successful; Stripe refers to this as “card testing”). They have given me some advice about how to cut down fraudulent transaction attempts. One suggestion they made is:

Card testing can often be prevented by requiring login or session validation when performing certain actions, such as creating an account or making a payment.

This seems like it would be extremely helpful, since all the email addresses being used look extremely fake. Is it possible to configure Ghost so that only users who have signed up and confirmed their email address are able to make a payment?

Just reanimating my own thread from earlier this year. I previously had a problem with a person or persons unknown using my Stripe checkout to test stolen credit card details. After enabling the Stripe fraud team settings, the fraudulent payment attempts stopped.

Unfortunately, they’re now back: about a hundred attempts over the past 24 hours. Stripe caught the vast majority of them, but six got through and had to be manually refunded. (The fraudulent payments are immediately obvious, because they all come from email addresses that look like JjPoRECwftvHs@gmail.com – just random strings of letters instead of a coherent username. Unfortunately, I can’t think of a regex that would let Stripe recognise those automatically.)

I previously asked if it was possible to limit paid subscriptions only to users who had previously signed up and confirmed their email address. If I go into Settings > Membership > Portal settings, it looks like there’s an option to do that:

[Screenshot 2022-09-10 at 11.16.17]

Unfortunately, deselecting the Premium option seems to make paid subscriptions unavailable to all users, not just to new users at signup. Am I misunderstanding this?
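A defender-side triage check for the two address shapes described in this thread, added here as an example and not code from the original posts, Ghost or Stripe. It flags the NameX@gmail.com shape with a regex and the random-case shape (JjPoRECwftvHs@gmail.com) with a case-transition heuristic; the flip threshold and the sample addresses are constructed assumptions, intended for reviewing an exported list of payments rather than replacing Stripe's own fraud rules.

```python
import re

# Shape 1 from the thread: a name followed by one or two digits at gmail.com
# (e.g. Mike04@gmail.com). Four digits like Mike2024 is a common real pattern
# and deliberately does not match.
NAME_DIGITS = re.compile(r"^[A-Za-z]+\d{1,2}@gmail\.com$", re.IGNORECASE)

# Shape 2: letters only at gmail.com; decided by the case-flip heuristic below.
LETTERS_ONLY = re.compile(r"^[A-Za-z]+@gmail\.com$", re.IGNORECASE)

# Assumption: real names rarely switch case more than 2-3 times (McDonald = 3);
# random strings like JjPoRECwftvHs switch far more often. Tune to your data.
MIN_CASE_FLIPS = 4


def case_flips(local_part):
    """Count adjacent letter pairs whose upper/lower case differs."""
    return sum(1 for a, b in zip(local_part, local_part[1:])
               if a.isupper() != b.isupper())


def classify(email):
    """Return 'name+digits', 'random-case' or 'ok' for one address."""
    email = email.strip()
    if NAME_DIGITS.match(email):
        return "name+digits"
    if LETTERS_ONLY.match(email):
        local = email.split("@", 1)[0]
        if case_flips(local) >= MIN_CASE_FLIPS:
            return "random-case"
    return "ok"


def flag_for_review(emails):
    """Return (email, reason) pairs worth a manual look before a refund decision."""
    return [(e, classify(e)) for e in emails if classify(e) != "ok"]


# Constructed sample list, modelled on the two shapes the poster describes.
SAMPLE = [
    "Mike04@gmail.com",
    "JjPoRECwftvHs@gmail.com",
    "mike.smith@gmail.com",
    "McDonald@gmail.com",
    "Mike2024@gmail.com",
]

if __name__ == "__main__":
    for email, reason in flag_for_review(SAMPLE):
        print(f"{email}: {reason}")
```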