Someone has a cloud VM running automated attempts to sign up at our website, which is causing the payment processor to block us because of all the suspicious credit card creation attempts, so we get no new signups... I suppose implementing recaptcha is a potential solution/mitigation for this? Do you guys have any other suggestions?

How about not checking credit card at sign up?

@electrineer we do have a trial, but still a credit card is required upfront. Do you suggest verifying at a later step, such as email verification?

@nururururu in that case you still have a messy Auth table. Captcha is da waii

So you send a payment processor call without checking the card first ? Like ask for the CVV, or check the BIN number.

Recaptcha is a great start.

@Grumm as I understand it (not the author of the original code, and not entirely acquainted with the payment validation process), an API call to the payment processor is first made to check the card for validity. The quantity of calls with cards that don't really exist that are being made is being deemed suspicious by the payment processor, and that's what's blocking us.

@nururururu Yes, those are mostly limited or you need to pay extra. (Paypal also has a validator API)

What I suggest is narrow it down before you send the API call.

Why would you even implement a signup UI with payment info without captcha? You’re literally asking for bots.

@latisfeire learning that on my skin :)

The pre-existing signup code was originally done by my boss in a hurry, apparently

@nururururu verify the CC after the email and phine verification step.

Just make a pipeline.

There are some obvious checks that could be done before wasting API calls.

E.g.
Checking empty
Checking all numeric
Check for the luhn number algorithm... (It should be right for credit cards if I remember correctly.)

Only then pass it down to the API.

Should reduce the number of calls *significantly*.

@IntrusionCM Problem with the luhn algorithm is that there are enough CC number generators that make valid numbers (For testing purpose only)

But it is a great start in the process.

Ask your payment provider for help (yes, talk to them). Add a captcha, but be aware there are recaptcha/hcaptcha solver on github. Add a rate limiter (better limiting your service than being limited by your payment provider). Try to detect bot-traffic: maybe they are dumb enough to always use the same IP/browser-agent/browser-fingerprint. If they use IPv4, is it always from the same region? Add logging. Maybe use a service like cloudflare as an immediate solution while baking your own? Good luck!