Your Payment Page Might Be Getting Guessed by Scripts, Second by Second

Last Wednesday afternoon, I was flipping through my Stripe dashboard at home and suddenly saw a $0.50 refund. My heart sank—if a client's card was being tested, could my small business survive the disputes?

I also got stuck on this mental model: I always thought "how could anyone guess a 16-digit card number?" I messed this up. Later I figured out the first 6 digits are the Bank Identification Number (BIN), which is publicly searchable; the expiration date is just 12 months × a few years; and the CVV is only 3 digits. Attackers use scripts to send hundreds of requests in parallel, so the remaining space can be searched in minutes.

What Brute Force Is + Who Has Already Been Hit

This attack is called Card Cracking / Brute Force. The principle is simple: take a known card number range (first 6 digits), use an automated script to enumerate combinations of the remaining digits, expiration date and CVV, and fire payment requests at your checkout page. If a combination is accepted, that card is "open."

My friend Xiaolin, who runs an indie e-commerce store, told me on WeChat last month: her Shopify store had three $1 micro-orders on consecutive days, different card numbers, same IP range. She later realized these were "door-knocking orders"—hackers testing if her payment page had rate limits. If unblocked, the next step is massive fraudulent charges.

Cost to Set This Up Today

Money: $0 (mostly free settings on payment platforms)
Time: 30 minutes
Technical barrier: Just knowing your way around backend settings, no code needed
First step: Log into your payment platform dashboard, find the "Security Settings" or "Risk Control" entry

Specific actions to take:

1. Turning on rate limiting: Limit the same IP to a max of 3-5 payment attempts per minute. In Stripe, add this in Dashboard → Radar rules; for Alipay/WeChat Pay merchants, look for "Frequency Limit" under risk management.

2. Enabling 3D Secure: That's the step where a bank SMS verification code pops up during payment. Search "3D Secure" in Stripe, and turn on "Require high-risk transactions to verify".

3. Setting a minimum amount: A minimum transaction amount of $1 or more blocks $0.01 probing orders.

4. Shutting off "CVV-free charges": Some legacy APIs allow charges without a CVV—I'd make sure this is off.

Advice by Stage

Just Starting Out: If you just started taking payments and have low volume, just enable 3D Secure first. It's the easiest wall to build. Don't stress about the other settings right now.

Have 1-2 Clients: If you already have steady paying clients, I suggest adding rate limits and minimum amounts too. Spend half an hour now to save the headache of arguing with payment platforms later.

Scaling Up: If monthly revenue crosses $10k, seriously turn on all four items above, and scan your refund records for anomalies weekly (like small probing amounts from multiple cards on the same IP). At this stage, the loss from one fraud dispute far exceeds the time cost of setting up protection.
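As an added example (not code from the original post), here is a small Python script that does the weekly check just described over an exported list of payment attempts. It flags the two patterns the post names: one IP making more attempts in a minute than the rate limit from step 1 allows, and one IP trying several different cards at probe-sized amounts (at or below the $1 minimum from step 3). The input format is assumed and constructed here (timestamp, source IP, card fingerprint as supplied by the processor, amount, outcome); adapt the field names to whatever your payment platform actually exports.

```python
"""Weekly scan of payment attempts for card-testing patterns.

Added example, not the post's own code. Input is an assumed, constructed
export format; the thresholds mirror the post's suggested settings.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, source IP, card fingerprint
# (the hash the processor gives you, never the full card number),
# amount in USD, outcome. First IP shows the probing pattern.
SAMPLE_ATTEMPTS = """\
2024-05-15T14:02:01Z,203.0.113.7,fp_a1,0.50,declined
2024-05-15T14:02:03Z,203.0.113.7,fp_b2,0.50,declined
2024-05-15T14:02:04Z,203.0.113.7,fp_c3,0.50,declined
2024-05-15T14:02:06Z,203.0.113.7,fp_d4,0.50,succeeded
2024-05-15T14:02:08Z,203.0.113.7,fp_e5,1.00,declined
2024-05-15T14:02:09Z,203.0.113.7,fp_f6,1.00,declined
2024-05-15T09:10:00Z,198.51.100.20,fp_z9,49.00,succeeded
2024-05-16T09:15:00Z,198.51.100.20,fp_z9,49.00,succeeded
"""

ATTEMPTS_PER_MINUTE = 5     # step 1 suggests 3-5 attempts per IP per minute
PROBE_AMOUNT_MAX = 1.00     # step 3: orders at or below $1 look like probes
PROBE_DISTINCT_CARDS = 3    # several different cards from one IP


def parse_attempts(text):
    """Parse the constructed export into a list of dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, ip, fp, amount, outcome = line.split(",")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "card": fp, "amount": float(amount), "outcome": outcome,
        })
    return rows


def burst_ips(rows, limit=ATTEMPTS_PER_MINUTE, window=timedelta(minutes=1)):
    """IPs that made more than `limit` attempts inside any sliding `window`."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged


def probing_ips(rows, max_amount=PROBE_AMOUNT_MAX, min_cards=PROBE_DISTINCT_CARDS):
    """IPs that tried `min_cards` or more distinct cards at probe-sized amounts."""
    cards = defaultdict(set)
    for r in rows:
        if r["amount"] <= max_amount:
            cards[r["ip"]].add(r["card"])
    return {ip for ip, seen in cards.items() if len(seen) >= min_cards}


def scan(text):
    """Run both checks and return the flagged IPs, sorted for stable output."""
    rows = parse_attempts(text)
    return {"burst": sorted(burst_ips(rows)), "probing": sorted(probing_ips(rows))}


if __name__ == "__main__":
    print(scan(SAMPLE_ATTEMPTS))
```

Both checks are deliberately simple: the burst check is the same sliding-window idea a platform rate limit applies, and the probe check keys on the card fingerprint rather than the card number so the export never needs to contain a PAN. An IP that shows up in either list is worth a closer look in the dashboard before the refunds and disputes start.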

Circling back, not everyone needs this—if you only take bank transfers and don't do online card payments, don't worry about it for now. But if you rely on online payment processors like Stripe or Shopify, it's worth spending half an hour to check. Don't be like me, only realizing something's wrong after weird orders pop up.