Minus Transactions attack

Overview

In a Minus Transactions attack, the attacker causes the website owner to be charged processing fees for repeated failed credit card payments.

What makes a site vulnerable?

A site may be vulnerable to the attack if it accepts credit/debit card payments without checking the validity of the transaction. When an attacker initiates an invalid payment (e.g. the billing address does not match that stored for the credit card), the site may be charged a nominal fee for the failed transaction. If the attacker makes many such invalid payments, the fees charged to the site owner may become significant.

Impact of the attack

The attack potentially allows the attacker to inflict significant financial harm on the website owner.

Preventing the attack

While a number of methods, such as CAPTCHAs or preventing repeat requests from the same IP, may make the attack more difficult, all of these methods can potentially be circumvented.
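
The per-IP repeat-request control mentioned above can be sketched as a sliding-window check on declined payments, run before a request is forwarded to the payment processor. This is an added example, not code from the original page; the fee amount, window, threshold, and sample records are all constructed assumptions, and the control only raises the cost of the attack rather than eliminating it.

```python
from collections import defaultdict, deque

FEE_PER_FAILURE = 0.25   # assumed nominal fee per declined payment (constructed)
WINDOW_SECONDS = 600     # assumed look-back window
MAX_FAILURES_PER_IP = 3  # assumed declines allowed per IP inside the window

# Constructed sample records: (unix_time, client_ip, processor_outcome)
SAMPLE_ATTEMPTS = [
    (1000, "203.0.113.7", "declined"),
    (1030, "203.0.113.7", "declined"),
    (1060, "198.51.100.4", "approved"),
    (1090, "203.0.113.7", "declined"),
    (1120, "203.0.113.7", "declined"),
    (1150, "198.51.100.4", "declined"),
    (1900, "203.0.113.7", "declined"),
]

def review_attempts(attempts):
    """Replay attempts in time order.

    Returns (blocked, fees_incurred, fees_avoided), where blocked lists the
    (time, ip) pairs rejected before reaching the payment processor.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent declines
    blocked = []
    fees_incurred = 0.0
    fees_avoided = 0.0
    for ts, ip, outcome in sorted(attempts):
        window = recent_failures[ip]
        # Forget declines that have aged out of the look-back window.
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_FAILURES_PER_IP:
            # Too many recent declines: reject locally, so no fee is charged.
            blocked.append((ts, ip))
            if outcome == "declined":
                fees_avoided += FEE_PER_FAILURE
            continue
        if outcome == "declined":
            window.append(ts)
            fees_incurred += FEE_PER_FAILURE
    return blocked, fees_incurred, fees_avoided

if __name__ == "__main__":
    print(review_attempts(SAMPLE_ATTEMPTS))
```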