Fraud Prevention System

Our fraud prevention system protects against automated attacks, card testing, and suspicious payment activity. It combines bot detection, card testing prevention, and device fingerprinting.

Protection Layers

Three independent systems work in concert to provide comprehensive fraud coverage at the point of payment.

  • Anti-Bot: Behavioral analysis and challenge-response to detect and block automated traffic.

  • Anti-Card Testing: Detects rapid sequential payment attempts characteristic of stolen card validation.

  • Device Fingerprint: Persistent device identity tracking to link activity across sessions and accounts.

Anti-Bot Detection

The anti-bot layer analyses dozens of passive signals during the payment session (mouse movement entropy, keystroke timing, browser environment consistency, and TLS fingerprint) to produce a bot confidence score for each checkout attempt. We also use a Cloudflare CAPTCHA as an additional layer of protection.

Anti-Card Testing

Card testing attacks involve running large numbers of stolen card numbers against a payment endpoint to identify valid ones. Our system detects this pattern through velocity checks on both the user account and the device fingerprint, regardless of whether a new guest session is opened.

Detection rules

card_testing:
  max_declined_attempts: 3          # within rolling window
  velocity_window_seconds: 300      # 5-minute window
  distinct_cards_threshold: 3       # unique PANs per session
  small_amount_probe_limit: 2       # ≤ $1 micro-auth attempts
  block_duration_hours: 24          # first offence
  repeat_offence_action: "permanent"

Detections are keyed on a composite of device fingerprint ID, IP subnet (/24), and account ID (when authenticated). All three keys are checked independently; a match on any single key is sufficient to trigger a block.
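The velocity check described above, as an added example rather than this system's own code: a rolling-window counter that evaluates each key independently against the thresholds from the rules block. It assumes a rule trips when its count exceeds the configured value, that distinct cards are counted per key rather than per session, that cards arrive as tokens rather than PANs, and that addresses are IPv4; the class, function and constant names are hypothetical.

```python
import ipaddress
from collections import defaultdict, deque

# Thresholds copied from the card_testing rules above.
RULES = {"max_declined_attempts": 3, "velocity_window_seconds": 300,
         "distinct_cards_threshold": 3, "small_amount_probe_limit": 2}
PROBE_MAX_CENTS = 100  # "<= $1 micro-auth", held as integer cents

class CardTestingDetector:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.events = defaultdict(deque)  # key -> (ts, declined, card_token, cents)

    @staticmethod
    def keys(device_id, ip, account_id=None):
        # Three independent keys; the account key exists only when authenticated.
        subnet = ipaddress.ip_network(f"{ip}/24", strict=False)
        found = [f"device:{device_id}", f"subnet:{subnet}"]
        if account_id is not None:
            found.append(f"account:{account_id}")
        return found

    def observe(self, ts, device_id, ip, card_token, cents, declined, account_id=None):
        """Record one attempt; return the sorted (key, rule) pairs that tripped."""
        hits = set()
        for key in self.keys(device_id, ip, account_id):
            window = self.events[key]
            window.append((ts, declined, card_token, cents))
            # Rolling window: drop events older than velocity_window_seconds.
            while window[0][0] <= ts - self.rules["velocity_window_seconds"]:
                window.popleft()
            counts = {
                "max_declined_attempts": sum(1 for e in window if e[1]),
                "distinct_cards_threshold": len({e[2] for e in window}),
                "small_amount_probe_limit": sum(1 for e in window if e[3] <= PROBE_MAX_CENTS),
            }
            # Assumption: a rule trips when its count exceeds the configured value.
            hits.update((key, rule) for rule, n in counts.items() if n > self.rules[rule])
        return sorted(hits)

def run_sample():
    # Constructed events: four declined attempts, each from a fresh guest
    # device and card token, all inside one /24 (documentation address range).
    det = CardTestingDetector()
    return [det.observe(t, f"dev-{i}", f"203.0.113.{10 + i}", f"tok-{i}", 2500, True)
            for i, t in enumerate((0, 60, 120, 180))]
```

In the constructed sample no device key ever sees more than one attempt, yet the fourth attempt trips two rules on the subnet key, which is why a match on any single key has to be sufficient.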

Device Fingerprinting

Every checkout session generates a stable device fingerprint that persists across browser sessions, private/incognito mode, and VPN changes. This fingerprint is the primary identity used when evaluating fraud signals and enforcing blocks.

⚠ Fingerprints are stored server-side only. They are never exposed to client-side JavaScript and cannot be queried or tampered with by the user.

Block Escalation

When a fraud signal is triggered, the system applies a progressive block policy keyed to the device fingerprint. The escalation is automatic and requires no manual intervention.


Policy Summary

Condition                  Action                 Duration    Reversible
-------------------------  ---------------------  ----------  ------------------
First fraud signal         Payment blocked        24 hours    Auto-lifted
Retry during 24h block     Permanent block        Indefinite  Manual review only
Permanent block + attempt  Silent reject + alert  Indefinite  No
Card testing velocity      Payment blocked        24 hours    Auto-lifted
