DEV Community

Discussion on: Making sense of Stripe Checkout, Payment Links, and the Payment Element

Tommy • Edited

Heed my warning: do NOT use Payment Links -- stay far, far away. I made the big mistake of using this solution because I needed to put up a quick checkout page with zero coding. I have been literally paying the price ever since. Within the first month I started to get a trickle of card testing attacks. At first I was delighted, thinking the same person was being so honest, buying one subscription for every employee or something. How naive I was 🙈 ... by the third or fourth month I was getting up to 150 fraudulent card test charges a month.

The attacks were a nightmare, but Stripe's customer support made it worse -- it honestly felt like I was communicating with a bunch of hallucinating AI bots spewing boilerplate responses that didn't address the issue at hand. Eventually they "resolved" my problem by disabling the payment links, so now I have to scramble to update my app and explain to my users why these links are no longer working. 😵

Here are some reasons why Stripe Payment Link checkout pages are a disaster waiting to happen:

  1. There is no unique checkout session ID -- you can bookmark the payment link and come back to it any day to continue card testing attacks.
  2. There is no registration step or email validation, so credit card thieves can enter any email address they want to complete the purchase.
  3. There is no CAPTCHA, which makes it trivial to automate card testing attacks.

Congrats to Stripe, they have invented the most frictionless way for hackers to test charge a stolen credit card number online. Seriously, if I had to do it over again I'd invest the time & energy into building a proper custom checkout integration with user authentication and reCAPTCHA. Don't make the same mistake I did -- Payment Links just aren't worth the convenience for the price you will eventually pay later. You've been warned.

UPDATE: After many emails with Stripe CS, I learned Payment Links checkout pages actually DO use CAPTCHA, but they are only triggered if a transaction exceeds a fraud threshold. For whatever reason the card tester who attacked me was able to circumvent the protections Stripe put in place. Stripe ultimately added some additional mitigations such as email domain blocking and lowering the threshold required to show the CAPTCHA, and their CS team came together to resolve my case in a way that exceeded my expectations, so hats off to them.
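The three weaknesses listed in the comment (reusable link, free-form email, challenge only above a fraud threshold) all come down to velocity: a card tester pushes many distinct cards through one checkout in minutes, and most of them decline. The following detector is an added example written for this thread; it is not code from the commenter, from the article, or from Stripe, and it says nothing about how Stripe Radar's own thresholds work. It runs over a constructed feed of payment attempts (TEST-NET addresses, hypothetical card fingerprint tokens, no card numbers) and flags a source IP once it exceeds either an assumed distinct-card or decline count inside a sliding window. Keying on the source IP and card fingerprint rather than the email matters because, as point 2 above notes, the attacker picks the email freely.

```python
"""Sliding-window card-testing detector (constructed example, not Stripe code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PaymentAttempt:
    ts: datetime
    ip: str
    email: str
    card_fingerprint: str  # hypothetical token/hash per card, never the card number
    outcome: str           # "succeeded" or "declined"


def _t(minute, second=0):
    """Constructed timestamps on one arbitrary day, for the sample feed."""
    return datetime(2024, 1, 1, 12, minute, second)


# Constructed sample feed (not real data). 203.0.113.9 (TEST-NET-3) plays the
# card tester: six distinct cards in under two minutes, mostly declined, each
# with a throwaway email. 198.51.100.7 is an ordinary buyer with one card who
# mistypes once, 40 minutes after a successful purchase.
SAMPLE_EVENTS = [
    PaymentAttempt(_t(0), "198.51.100.7", "alice@example.com", "fp_a1", "succeeded"),
    PaymentAttempt(_t(1, 5), "203.0.113.9", "x1@example.net", "fp_c1", "declined"),
    PaymentAttempt(_t(1, 20), "203.0.113.9", "x2@example.net", "fp_c2", "declined"),
    PaymentAttempt(_t(1, 40), "203.0.113.9", "x3@example.net", "fp_c3", "declined"),
    PaymentAttempt(_t(2, 0), "203.0.113.9", "x4@example.net", "fp_c4", "succeeded"),
    PaymentAttempt(_t(2, 30), "203.0.113.9", "x5@example.net", "fp_c5", "declined"),
    PaymentAttempt(_t(2, 45), "203.0.113.9", "x6@example.net", "fp_c6", "declined"),
    PaymentAttempt(_t(40), "198.51.100.7", "alice@example.com", "fp_a1", "declined"),
]


def detect_card_testing(events, window=timedelta(minutes=10),
                        max_distinct_cards=3, max_declines=3):
    """Slide a time window over the attempts of each source IP and flag the IP
    the first time it exceeds either assumed threshold inside the window.

    Returns {ip: {"distinct_cards": n, "declines": n, "first_flagged": ts}}.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.ip].append(ev)

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end, ev in enumerate(attempts):
            # Advance the window start past attempts older than `window`.
            while attempts[start].ts < ev.ts - window:
                start += 1
            recent = attempts[start:end + 1]
            cards = {a.card_fingerprint for a in recent}
            declines = sum(1 for a in recent if a.outcome == "declined")
            if len(cards) > max_distinct_cards or declines >= max_declines:
                flagged[ip] = {
                    "distinct_cards": len(cards),
                    "declines": declines,
                    "first_flagged": ev.ts,
                }
                break  # one verdict per IP is enough to act on
    return flagged


if __name__ == "__main__":
    for ip, info in detect_card_testing(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['distinct_cards']} cards, {info['declines']} declines "
              f"by {info['first_flagged'].time()}")
```

With the sample feed the tester is flagged on its third consecutive decline (three distinct cards, three declines within the window), while the legitimate buyer's lone decline 40 minutes later stays clean because the earlier success has already slid out of the window. The flagged result is the point at which a defender would require a challenge or tie further attempts to an authenticated, single-use checkout session, which is exactly the friction the comment says a reusable, unauthenticated link lacks.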