Over the last few months, we have seen an increased amount of “Carding” attacks on Magento 2 websites. Carding attacks (also known as Credit Card stuffing) is an attack whereby malicious bots rapidly attempt to checkout on a website using it as a testing facility to verify stolen card details

The attacker’s aim is to either:

  • Use stolen credit cards to verify if they are operational and then use that card elsewhere or sell it.
  • To use partial details in an attempt to “crack” correct details e.g. they have the 16 BIN digit but not the matching 3 digit CVV code


A common symptom of this attack is an increase in Payment Failures and suspicious checkout activity. It is important to note that this is not an attack specific to Magento and can be found on various platforms. The purpose of this post is to break down the attack’s impact and provide mitigation measures that could help.

The requests can be made through the front end of a website or via API.

What issues can the attack cause for a Merchant?

Increased Payment Failure Emails

It is common to see a spike of failed payment emails sent to the set contact email address. This can prevent customer services teams from following up with genuine customers and in extreme cases, it can also cause mail deliverability issues if you are using a quota-based email sender.


Resource usage

Depending on the bot’s activities and its frequency, server resources can be taken up by these malicious bots needlessly. In extreme cases, database tables for email logging increase exponentially in size, modules such as “MagePlaza SMTP” can log every outgoing email. This can result in downtime if disk capacity limits are hit.

Security and Financial Impact

In this type of attack, card credentials are not being stolen directly from the targeted website as they are from another source. However, you do not want your website/brand to be used as a testing platform for card theft. A merchant could also see an increase in chargeback requests which could have a negative financial impact and consume internal admin resources dealing with the requests.

What preventative measures can be done for this?

Captcha on Checkout

Depending on the severity and frequency of the attack will gauge how to respond to this. The first port of call is to discuss with the payment provider and website development provider however we have a few options here:

Google Invisible ReCaptcha is available and is likely to be most effective, however, it does mean that regular customers may also have to deal with a captcha if they are suspected mistakenly as a bot. This could then affect conversions negatively.


Captcha Options are available in:

  • Stores > Configuration > Security > Google reCAPTCHA Storefront > reCAPTCHA v3 Invisible
  • Stores > Configuration > Customers > Customer Configuration > CAPTCHA. We advise testing these on a non-production environment first.

Blocking Requests at Source & Rate Limiting

As the bot requests are often hidden as regular customers which can circumvent a web application firewall (WAF) you may have in place, such as Cloudflare or Fastly. You can review and audit web server logs for patterns and block suspicious users. Sometimes, the requests can originate from a single IP address which can be quickly added to a blocklist.

However, blocking singular IP addresses is a very temporary measure and can be circumvented. Should issues continue, you can then look at rate-limiting services; Magento Cloud users will have access to Fastly Rate Limiting out of the box which can be used but requires careful configuration to ensure valid customers and IPs are not blocked mistakenly.

Discuss with Payment Service Provider

Discuss what fraud prevention services are enabled/disabled with the payment service provider; services such as “AVS” address validation service & “3D Secure” should be enabled to help prevent fraudulent transactions.

If you have any concerns about your Magento Website or are struggling to resolve the above, please get in contact with us today and we’ll be happy to assist and discuss.

Will Brammer

Head of Support