• Hi there

    I am using the latest WP, your plugin and Stripe payment API versions etc.

    I’ve been using your plugin for several months now, all good until this morning.

    My site was attacked, where hackers tried to use one of the checkout forms and, mostly unsuccessfully, attempted several thousand transactions.

    1. is it possible for someone to attempt to transact a different amount than what’s listed on the checkout form? In my case, I saw hackers attempt a value of $29-$30, whereas my form has the product listed for $89? How is that even possible??

    2. About 3% of the attempts were successful (visa prepaid, debit card, etc.) with a value of $29-$30, however I didn’t see any of those listed on the Stripe plugin Orders page? It is a good thing that my product was not stolen, but I need to know how that is possible?

    3. Going forward, how do I block or beef up security on the checkout form? I am also disappointed in Stripe, however, to be fair, they were able to block 97% of the transactions. I am working with them to see how to prevent this from happening again in the future.

    Thanks again for an awesome plugin. Appreciate it!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor Alexander C.

    (@alexanderfoxc)

    Hi.

    1. is it possible for someone to attempt to transact a different amount than what’s listed on the checkout form? In my case, I saw hackers attempt a value of $29-$30, whereas my form has the product listed for $89? How is that even possible??

    Since you can adjust the product price via tax, variations, etc., it is possible. However, it is not intended behavior in this case.

    2. About 3% of the attempts were successful (visa prepaid, debit card, etc.) with a value of $29-$30, however I didn’t see any of those listed on the Stripe plugin Orders page? It is a good thing that my product was not stolen, but I need to know how that is possible?

    The plugin Orders page shows only plugin-related orders. You should check your Stripe account for the transactions.

    3. Going forward, how do I block or beef up security on the checkout form? I am also disappointed in Stripe, however, to be fair, they were able to block 97% of the transactions. I am working with them to see how to prevent this from happening again in the future.

    You can configure your Stripe Radar rules: https://stripe.com/docs/radar/rules
    You can also install the free reCaptcha add-on: https://s-plugins.com/stripe-payments-recaptcha-addon/. If you configure Invisible reCaptcha, your customers shouldn’t be annoyed by the “I’m not a robot” checkbox; it will only be displayed for suspicious visitors.

    Plugin Contributor Alexander C.

    (@alexanderfoxc)

    One more thing. Could you get in touch with us here https://s-plugins.com/contact-us/? We would like to see your server logs with form submission attempts from the bots. This should help us figure out how the bots are abusing it and implement counter-measures.
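    An added example (not the plugin's or Stripe's code) of the kind of check a site owner can run over such server logs before sharing them: it flags checkout submissions whose amount differs from the price listed on the form, and client IPs that fire many checkout POSTs within a short window, which is the pattern described in this thread. The log line format, the `amount=` field, the IP addresses and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format:
# client IP, timestamp, request line, HTTP status, amount submitted with the form.
SAMPLE_LOG = """\
203.0.113.7 [2019-05-12 08:01:03] "POST /checkout HTTP/1.1" 402 amount=29.00
203.0.113.7 [2019-05-12 08:01:05] "POST /checkout HTTP/1.1" 402 amount=30.00
203.0.113.7 [2019-05-12 08:01:06] "POST /checkout HTTP/1.1" 200 amount=29.00
203.0.113.7 [2019-05-12 08:01:08] "POST /checkout HTTP/1.1" 402 amount=29.00
198.51.100.4 [2019-05-12 08:30:10] "POST /checkout HTTP/1.1" 200 amount=89.00
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "POST /checkout[^"]*" '
    r'(?P<status>\d{3}) amount=(?P<amount>[\d.]+)$'
)

EXPECTED_PRICE = 89.00            # the price shown on the checkout form
RATE_WINDOW = timedelta(minutes=1)
RATE_THRESHOLD = 3                # more attempts than this per IP per window is suspicious

def parse(log_text):
    """Turn matching log lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ip": m["ip"],
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "status": int(m["status"]),
                "amount": float(m["amount"]),
            })
    return events

def find_amount_mismatches(events, expected=EXPECTED_PRICE, tolerance=0.005):
    """Submissions whose amount does not match the listed product price."""
    return [e for e in events if abs(e["amount"] - expected) > tolerance]

def find_bursty_ips(events, window=RATE_WINDOW, threshold=RATE_THRESHOLD):
    """Map each IP to its peak number of checkout POSTs inside any sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1            # slide the window forward
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

    Running it on the constructed sample flags all four $29-$30 submissions as mismatches and the single IP that sent four POSTs within five seconds.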

    Thread Starter outlook9394

    (@outlook9394)

    Thanks for your quick reply. Appreciated.

    Your suggestion with regard to ReCaptcha is great, and I have implemented it now. I have to say that Stripe support is just awful!

    I am happy to share the server logs to make the plugin more robust, please share with me how to collect the Stripe plugin related logs.

  • The topic ‘Fraudulent charges – Site attacked’ is closed to new replies.