Imagine trying to rob a bank, but it's the first time you've even been within 100 ft of it. You're fucked: security sees your ski mask and gun and immediately tackles your ass. When you decide to go and try to card a store that you have not a single clue of how it works, you're essentially doing the same thing.
Usually, how easy or hard a site is to hit depends on 2 things:
1. Payment processor: some good examples are Stripe, Square, etc. The stores don't know how to take card payments themselves, so they outsource it to a 3rd-party provider (Stripe is the most common, mostly used on Shopify stores).
Stripe in particular has its own antifraud system called “Radar” and oh my god can it become a pain in the ass. They take more info on you than the Flock cameras placed throughout our cities.
2. Antifraud: some good examples are SEON, Riskified, Forter, etc. These are the brains making your cards decline. Some are harder than others, some are like taking candy from a baby. They do things like check shipping versus billing, email history, and phone number type (VoIP/SIM); what they check varies from provider to provider.
A site's stack is basically the combination of these 2 3rd-party services that ultimately makes up the checkout experience.
Stripe + Forter
Square + Riskified
Stripe (Radar alone)
All of these have different challenges you need to overcome.
For example, Riskified might load during checkout. But Forter is watching your every goddamn move since you entered the URL. Build those cookies or your shit's guaranteed to decline.
Now, the company using an antifraud provider can usually adjust how intense it is: more anti = fewer potential sales, less anti = potentially more fraud and loss.
Companies usually have to find a middle ground.
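The trade-off described above, seen from the merchant's side, as an added example that is not part of the original post: it sweeps a decline threshold over past orders and picks the one that minimises margin lost on declined legitimate orders plus fraud losses. The order data, the 0-100 score scale, the margin and the chargeback fee are all constructed assumptions.

```python
# Constructed sample of past orders: (risk_score 0-100, order_value_usd, was_fraud).
ORDERS = [
    (5, 40.0, False), (12, 120.0, False), (18, 60.0, False), (25, 250.0, False),
    (33, 80.0, False), (41, 300.0, False), (47, 90.0, True), (55, 150.0, False),
    (62, 400.0, True), (70, 200.0, False), (78, 350.0, True), (85, 500.0, True),
    (91, 75.0, False), (96, 600.0, True),
]

MARGIN = 0.30          # assumed gross margin lost when a legitimate order is declined
CHARGEBACK_FEE = 15.0  # assumed dispute fee paid on top of the lost order value


def cost_at(threshold, orders=ORDERS):
    """Decline every order scoring >= threshold.

    Returns (lost_margin, fraud_loss): margin given up on legitimate orders
    that were declined, and the cost of fraudulent orders that were accepted.
    """
    lost_margin = sum(v * MARGIN for s, v, fraud in orders
                      if s >= threshold and not fraud)
    fraud_loss = sum(v + CHARGEBACK_FEE for s, v, fraud in orders
                     if s < threshold and fraud)
    return lost_margin, fraud_loss


def sweep(orders=ORDERS, candidates=range(0, 101, 5)):
    """Return [(threshold, lost_margin, fraud_loss, total)] for each candidate."""
    rows = []
    for t in candidates:
        lost, fraud = cost_at(t, orders)
        rows.append((t, lost, fraud, lost + fraud))
    return rows


def best_threshold(orders=ORDERS, candidates=range(0, 101, 5)):
    """Threshold with the lowest combined cost (the 'middle ground')."""
    return min(sweep(orders, candidates), key=lambda row: row[3])[0]


if __name__ == "__main__":
    for t, lost, fraud, total in sweep():
        print(f"decline >= {t:3d}: lost margin {lost:7.2f}  "
              f"fraud loss {fraud:8.2f}  total {total:8.2f}")
    print("lowest-cost threshold:", best_threshold())
```

On this sample, declining everything costs far less than accepting everything, but the cheapest setting sits in between, which is why merchants tune the threshold against their own order history rather than running the provider at maximum strictness.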
Now that we got what these 2 things actually are out of the way, let's talk about finding them.
Navigate to the site you're planning to hit on a computer.
Open up the inspect element, first check the console for HTTP GET requests. On el dorado, you can see Forter's name in the requests. Next, if you want more, or didn't find anything off that, check sources. It might look like Egyptian hieroglyphics if you don't understand how to navigate it. Typically you will see a folder with Stripe or the payment processor's name in it, also potentially antifraud, but typically I see those more under plugins and such under the payment processor's folder.
If you don't see anything off opening the site, continue to checkout and then check. Some antifraud systems don't fuck you on how long you're browsing, and only activate at checkout. Repeat the same thing and you should be able to identify the stack.
Now if you don't see any antifraud, you might have hit a goldmine. However, if the processor is Stripe, that means they are typically just using the standalone Stripe Radar.
Once you understand what stack it's running, hop on Dread, or wherever you can find the info, and figure out what exactly that specific antifraud service checks to determine risk scores. It's 12:46am for me right now, and if I wasn't tired I would just write it out for you here for the most common anti providers.
Use that info to plan how you will execute your hit.
Very quick and simple write up, but this WILL bring your hit rates up. Just like scouting before a home invasion or such, we are doing the same thing digitally.

