We had the same issue (people testing stolen credit card numbers) on Stripe that was close to getting us shut off for a certain credit card company. We implemented a captcha and a tool to validate email addresses (emaillistverify) and it solved the problem.
We had the same issue because Marketing was using a stupid landing page SaaS tool to generate sales, it was connected directly to Stripe and we didn't have any control over it. We discovered the problem through Intercom, which notified us about a high volume of bounced emails (automatically sent after purchase). It was clear what was going on after discovering the same pattern.
To fix it, I had to proxy that unreliable SaaS software to implement CAPTCHAs and stronger bot detection. It was essentially a MITM-style proxy but for protection. It was fun to implement.
TIL about emaillistverify. Their website always talks about „bulk email checking“, but I assume they also support „live checks“ through an API? I assume you prevent users from signing up if the check fails?
Top nav of their site has an "API" link which goes to a page that says "ELV’s API keeps your email list clean. Notify website user about an invalid email address when they are filling out a form."
So presumably yes
I tried it out. Yes they do support a live check, but it seems... inadequate? The first Google search result for "disposable email address" yields https://temp-mail.org, and an email address created with that service is not recognized as disposable.
When we were having our stolen card testing, it was from people using made up gmail handles and ELV handled those easily. I guess it views temp-mail emails (and probably others) as real, which is unfortunate.
I’ve run into this problem before and there are ways to stop it. Sure your email blocklists work to an extent assuming they’re up to the minute accurate (which they’re not).
I’d look into fingerprinting (https://github.com/fingerprintjs/fingerprintjs), block by ASN if it makes sense for your business (does OVH really need access to my SaaS?), use an active disposable email checker and possibly flag risky orders for manual payment capture if at all possible.
Thanks! I actually just ran into another problem with ELV, a request to their "single email verification" API timed out repeatedly. So not a good experience so far, will probably not keep using it.
This is a very sad incident of carding attempts. You can sign up for FraudLabs Pro service and they have velocity check to prevent carding if it is from similar browsers, IP or email addresses.
This is probably the best way to stop it from being automated. As well as a verified form of 2FA like a phone or email code.
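A minimal velocity check of the kind mentioned above (flag bursts of attempts from the same IP, email or browser fingerprint), added here as an illustration rather than code from any commenter or vendor; the window, thresholds and sample events are assumed and constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 600    # sliding window (assumed)
MAX_ATTEMPTS = 5        # attempts per key in window before flagging (assumed)
MAX_DISTINCT_CARDS = 3  # distinct card tokens per key before flagging (assumed)


@dataclass(frozen=True)
class Attempt:
    ts: int          # unix seconds
    ip: str
    email: str
    browser_fp: str  # e.g. a client-side fingerprint id
    card_token: str  # processor token, never the PAN


class VelocityChecker:
    def __init__(self, window=WINDOW_SECONDS, max_attempts=MAX_ATTEMPTS,
                 max_cards=MAX_DISTINCT_CARDS):
        self.window, self.max_attempts, self.max_cards = window, max_attempts, max_cards
        self.history = defaultdict(deque)  # (dimension, key) -> deque of (ts, card_token)

    def check(self, a: Attempt):
        """Record the attempt and return the reasons it looks risky (empty = allow)."""
        reasons = []
        for dim, key in (("ip", a.ip), ("email", a.email), ("browser", a.browser_fp)):
            q = self.history[(dim, key)]
            while q and a.ts - q[0][0] > self.window:  # drop events outside the window
                q.popleft()
            q.append((a.ts, a.card_token))
            if len(q) > self.max_attempts:
                reasons.append(f"{dim}:{key} {len(q)} attempts in {self.window}s")
            distinct = len({c for _, c in q})
            if distinct > self.max_cards:
                reasons.append(f"{dim}:{key} {distinct} distinct cards")
        return reasons


def run_sample():
    """Constructed events: one IP/browser cycling cards under throwaway gmail handles,
    plus a legitimate customer retrying the same card. Returns email -> reasons."""
    vc = VelocityChecker()
    tester = [Attempt(1000 + i * 20, "203.0.113.7", f"xk{i}q@gmail.com", "fp-A", f"tok_{i}")
              for i in range(6)]
    legit = [Attempt(1000, "198.51.100.9", "ann@example.com", "fp-B", "tok_ann"),
             Attempt(1030, "198.51.100.9", "ann@example.com", "fp-B", "tok_ann")]
    flagged = {}
    for a in tester + legit:
        reasons = vc.check(a)
        if reasons:
            flagged[a.email] = reasons
    return flagged
```

Rotating emails defeats the per-email key, which is why the IP and browser dimensions carry the detection here; in practice the flagged orders would go to manual capture rather than being auto-declined.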