Sudden surge of fraudulent payment attempts

I’ve been dealing with a large number of fraudulent subscription attempts. They began on February 1 and I’ve had over 120 since then. They’re quite easy to spot, since they all come from email addresses with the format NameX@gmail.com, where X is either one or two digits, e.g. Mike04@gmail.com.

Almost all of them failed, either because the bank declined or Stripe blocked the payment. Two succeeded, and I’ve refunded the payments in order to avoid disputes and the dispute fees.

My question is, do I simply have to deal with this through Stripe, or is there something on the Ghost side that I can change to cut this down? Scammers have clearly found my site and I can’t count on them going away anytime soon.

1 Like

I’ve been in touch with Stripe about the attempted fraud mentioned in my previous message (since I first posted, four more fraudulent payments have been successful; Stripe refers to this as “card testing”). They have given me some advice about how to cut down fraudulent transaction attempts. One suggestion they made is

Card testing can often be prevented by requiring login or session validation when performing certain actions, such as creating an account or making a payment.

This seems like it would be extremely helpful, since all the email addresses being used look extremely fake. Is it possible to configure Ghost so that only users who have signed up and confirmed their email address are able to make a payment?

1 Like

Just reanimating my own thread from earlier this year. I previously had a problem with a person or persons unknown using my Stripe checkout to test stolen credit card details. After enabling the Stripe fraud team settings, the fraudulent payment attempts stopped.

Unfortunately, they’re now back: about a hundred attempts over the past 24 hours. Stripe caught the vast majority of them, but six got through and had to be manually refunded. (The fraudulent payments are immediately obvious, because they all come from email addresses that look like JjPoRECwftvHs@gmail.com – just random strings of letters instead of a coherent username. Unfortunately, I can’t think of a regex that would let Stripe recognise those automatically.)

I previously asked if it was possible to limit paid subscriptions only to users who had previously signed up and confirmed their email address. If I go into Settings > Membership > Portal settings, it looks like there’s an option to do that:

[Screenshot of the Settings > Membership > Portal settings page, dated 2022-09-10]

Unfortunately, deselecting the Premium option seems to make paid subscriptions unavailable to all users, not just to new users at signup. Am I misunderstanding this?

1 Like
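The two kinds of address described in this thread (a plain name followed by one or two digits, and a random-looking string of mixed-case letters) can be scored with a few cheap heuristics, and the bursts mentioned above (over a hundred attempts in 24 hours) can be caught with a sliding-window count. The following is an added example, not code from Ghost, Stripe or any poster in this thread; the thresholds, the `SAMPLE_SIGNUPS` data and all function names are assumptions chosen for illustration. It deliberately separates "review" from "suspicious" so that a single weak signal (an ordinary name with a long consonant cluster, or just name-plus-digits) does not block a legitimate subscriber.

```javascript
// Added example (not Ghost or Stripe code): heuristics for the card-testing
// signups described in this thread, run over constructed sample data.
// All thresholds below are assumptions, not published fraud rules.

// Pattern from the first post: a name followed by one or two digits at gmail.
const NAME_PLUS_DIGITS = /^[A-Za-z]+\d{1,2}@gmail\.com$/i;

const VOWELS = new Set('aeiou');

// Fraction of letters that are vowels; real names rarely fall below about 0.2.
function vowelRatio(letters) {
  let v = 0;
  for (const ch of letters.toLowerCase()) if (VOWELS.has(ch)) v++;
  return v / letters.length;
}

// Longest run of consecutive consonants (y is treated as a consonant).
function maxConsonantRun(letters) {
  let best = 0, run = 0;
  for (const ch of letters.toLowerCase()) {
    run = VOWELS.has(ch) ? 0 : run + 1;
    if (run > best) best = run;
  }
  return best;
}

// Number of lower/upper case flips; "JjPoRECwftvHs" flips seven times.
function caseFlips(letters) {
  let flips = 0;
  for (let i = 1; i < letters.length; i++) {
    const prevUpper = letters[i - 1] === letters[i - 1].toUpperCase();
    const curUpper = letters[i] === letters[i].toUpperCase();
    if (prevUpper !== curUpper) flips++;
  }
  return flips;
}

// Score one address: 0 reasons = ok, 1 = review, 2 or more = suspicious.
function classifyEmail(email) {
  const m = /^([^@\s]+)@([^@\s]+\.[^@\s]+)$/.exec(email);
  if (!m) return { email, score: 99, verdict: 'invalid', reasons: ['malformed address'] };
  const letters = m[1].replace(/[^A-Za-z]/g, '');
  const reasons = [];
  if (NAME_PLUS_DIGITS.test(email)) reasons.push('name + 1-2 digits at gmail.com');
  // Randomness heuristics only make sense on reasonably long local parts.
  if (letters.length >= 8) {
    if (vowelRatio(letters) < 0.2) reasons.push('few vowels');
    if (maxConsonantRun(letters) >= 5) reasons.push('long consonant run');
    if (caseFlips(letters) >= 3) reasons.push('random case mixing');
  }
  const score = reasons.length;
  const verdict = score >= 2 ? 'suspicious' : score === 1 ? 'review' : 'ok';
  return { email, score, verdict, reasons };
}

// Velocity check: the largest number of attempts inside any window of
// `windowMs` milliseconds. `timestampsMs` need not be sorted.
function peakAttemptsInWindow(timestampsMs, windowMs) {
  const t = [...timestampsMs].sort((a, b) => a - b);
  let best = 0, lo = 0;
  for (let hi = 0; hi < t.length; hi++) {
    while (t[hi] - t[lo] > windowMs) lo++;
    best = Math.max(best, hi - lo + 1);
  }
  return best;
}

// Constructed sample signups (not real data): three in a 90-second burst,
// two ordinary subscribers hours and a day later.
const SAMPLE_SIGNUPS = [
  { email: 'Mike04@gmail.com', at: Date.UTC(2022, 8, 10, 11, 0) },
  { email: 'JjPoRECwftvHs@gmail.com', at: Date.UTC(2022, 8, 10, 11, 1) },
  { email: 'qZKtrvXwPmHd@gmail.com', at: Date.UTC(2022, 8, 10, 11, 1, 30) },
  { email: 'jane.doe.smith@example.org', at: Date.UTC(2022, 8, 10, 15, 42) },
  { email: 'christopher.schmidt@example.net', at: Date.UTC(2022, 8, 11, 9, 5) },
];

// Classify every signup and report the busiest 10-minute window.
function scanSignups(signups, windowMs = 10 * 60 * 1000) {
  const results = signups.map((s) => classifyEmail(s.email));
  return {
    results,
    suspicious: results.filter((r) => r.verdict === 'suspicious').map((r) => r.email),
    review: results.filter((r) => r.verdict === 'review').map((r) => r.email),
    peakPerWindow: peakAttemptsInWindow(signups.map((s) => s.at), windowMs),
  };
}

console.log(JSON.stringify(scanSignups(SAMPLE_SIGNUPS), null, 2));
```

On the constructed sample the two random-string addresses come out as suspicious, while `Mike04@gmail.com` and `christopher.schmidt@example.net` (an ordinary surname with the consonant cluster "rschm") only reach "review", which is the point of the two-tier verdict: a single heuristic hit is worth a look, not an automatic block, given that an over-strict filter is exactly what cost this poster legitimate subscribers. Such a script would sit in front of the checkout or run over a signup log; it is not a Ghost setting.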

Hi!
I’m just setting up my subscriptions and found your thread here.
To be frank, I’m amazed you have had no replies.
Do you have an update on the outcome please?
I realise asking you here is cheeky as I would have expected a moderator to have given a link to something on this topic and I note it’s not discussed at all in the Ghost Docs.
Thank you :blush:

Because your question is so important and has had no replies whatsoever, I have taken the liberty of formally drawing it to the attention of the moderators with a clear explanation that it should not have been left completely unaddressed by Ghost. There is no reference whatsoever in the Ghost Documentation to this important topic. If you take offence to me having done so on your behalf, please accept my apologies.

@stuwest Are you self-hosting or using Ghost(Pro)?

I’m not aware of anything built into Ghost to do fraud prevention for self-hosted installs. It’s a hard problem. As you mentioned yourself, it’s difficult to make a regex to match all fake emails. Requiring confirmed emails does not block spammers, either.

(While I’m a forum moderator, I don’t officially represent the Ghost organization or Ghost(Pro)).

You’ve already been consulting with Stripe about this, and they are well-positioned to understand how fraud affects their system and how to block it in general.

1 Like

Yes, self-hosting. Using Stripe’s Radar for Fraud Teams on a fairly restrictive setting seems to have taken care of the problem for now, although iirc there is a cost associated with the service and I know it has blocked a couple of legit subscribers.

I’d have liked to experiment with confirmed email signup just to see what effect it had on the fraud attempts. Maybe in the future!

One thing I think has helped is that Ghost can now be configured to email me whenever someone signs up for any level of my newsletter, which I don’t think was the case at the time I originally posted. That gives me a bit of early warning if anything weird is going on.

2 Likes