Best way to prevent bogus subscriptions?

I’ve been using s2Member Pro and a PayPal Pro-Form for a long while to process paid subscriptions to my website’s protected content. I had recaptcha enabled, but for some reason it failed. 208 bogus subscriptions were processed before I caught the issue after a couple of days. This happened about a month ago.

• All of them had gibberish names like “Szkew Ewefoie”
• All of them used gibberish email addresses ending in gmail.com like "SzkewEwefoie@gmail.com"
• All of them used a credit card without logging in to PayPal
• None of the users has logged in after signing up
• A rogue file showed up in my site’s files with Amazon product information, which I deleted
• I had Sucuri do a malware scan and it came up clean
• I don’t believe I have any continuing issues

What is the best way to protect against this? I have recaptcha enabled again, and the issue stopped. But I’d like to lock it down as much as possible. What would you do?

For those thinking this isn’t a big deal, here is the aftermath. The credit card companies saw a lot of these charges come through and disputed the charges. That means my account received the payment, and it was put on hold. Each one is being slowly returned, which is fine (I believe the payments are going back to the original card holders, which is not the same as the purchasers). However, I’m being charged $20 for a chargeback fee from PayPal for each one. I have to call PayPal and ask to be reimbursed for each one, which takes some time (about 30 minutes per call, and I may not be reimbursed for 48 hours). So, it has been a pretty unpleasant experience.

How do I avoid this in the future? It seems I need to hold off on a PayPal charge until it can be verified as legitimate (or I can do it). I’m not sure how to do this. Thanks!

I’m sorry that happened, but it doesn’t sound like an s2 problem, probably more a Wordpress security problem. Maybe caused by another plugin or something outdated? The rogue file is evidence that something’s allowing something in and if it was s2 more ppl would experience this.

Happy to hear that PayPal reimburses chargeback fees. I got an email from Stripe recently saying they won’t do that anymore, even when you “win,” but I only have one chargeback every couple months or so.

I deleted my last comment bc it was meant for another post.

Yeah, that sounds pretty unpleasant. It sounds like an attack, because I don’t see what benefit they’d get from making those payments like that.

I’ve seen it attempted on my account, but Stripe blocked them all correctly (I pay the added Radar feature to protect against fraudulent payments).

I haven’t had this happen with PayPal. What PayPal service/integration are you using? Do users go to PayPal’s site to complete the checkout, or do you have PayPal Pro and users enter the card on your site?

It’s most likely someone verifying stolen credit cards. Beware that can get very expensive for you and PayPal/stripe will close your account if you don’t prevent it. For stripe you need to configure the radar to prevent them. Had twice in the last 5 years scammers checking credit cards and just hardened the rules to I think 50 points down from 80 because one payment with stolen card went through.
I don’t know what to do for PayPal in your account. PayPal button payment shifts the problem to PayPal.

This has taken a turn for the worse. PayPal is not refunding my chargeback fees anymore. This attack is going to cost me about half of what the site makes in a year.

I’m using PayPal Pro through s2Member. If I have to approve all memberships, will that stop the credit card only payment from going to PayPal? Or how does that work?

This is very upsetting. I’m just trying to provide a service and a place for people to chat about their Jeep and offroad hobbies. But I’m not sure it’s worth it anymore…

Nope, only approving every payment at PayPal could stop that. But be happy on stripe this would have cost you even more - but can be prevented with strict stripe radar settings.

It’s credit card scamming as I told you. Can happen to any website having a payment form.

If you don’t find a way to stop that from within PayPal settings you need to switch to button payments, then you only have this problem on subscriptions but first time payment credit card scamming is onto PayPal to prevent.

Isn’t PayPal still the one approving payments even with s2Member Pro? The form may be on my site, but doesn’t it send the info to PayPal for approval when the payment button is pressed?

If so, why would PayPal not be responsible for approving the payment just because the form was on my site?

@TrailDamage Can I ask where the rogue file was located? Was it in the root directory, or maybe a plugin folder? Just asking in case something like this happens to someone else.

Scary to think PayPal users are sitting ducks.

PayPal just checks if the credit card number is correct. Actually I found their filters, you need to set them up:
https://developer.paypal.com/api/nvp-soap/payflow/fmf/integration-guide/FMFSummary/

Thanks for the link.

@clavaque In the section on Advanced filters for Website Payments Pro, there is yet another warning from PayPal stating “Important : PayPal isn’t accepting new users for this feature, and we require existing users to upgrade to our Advanced Debit and Credit solution that supports EMV 3DS (3DS 2.0) for PSD2.”

I’d switch to a regular PayPal Business. The s2 PayPal pro-form will keep working, but instead of entering the card details on your site, the user would be taken to Paypal to complete the payment, and that should take off the risk of the attack you received.

For on-site payments entering the card right in the pro-form, you could try Stripe with Radar, which has been very reliable so far.

Thanks Stephen. I’m looking into that.

Thanks Cristian. I’m sure upgrading the implementation is quite the process and I don’t pretend to know the first thing about it. But if you are able to figure it out, I’m sure many, many people will sleep better.