web application security lab

DoSing Via Chargebacks

This is a totally theoretical post, so if you are looking for something concrete, skip this post. I had an interesting, albeit pedantic, thought on the way into the office today. One of my clients has a problem with people getting into their system, but ultimately there’s no way to really stop it, since they must allow random people from the Internet to sign in using credit cards. Sure, they could use other factors of authentication (e.g. Authentify) to prove they are the card holders, but bear with me for a second. So I was thinking: what if somehow they were able to knock off the bad guys after ten minutes of activity? Even if it’s a magical black-box process, it doesn’t matter; the bad guys can only be online for ten minutes and then they get booted. That would actually create another interesting scenario.

Let’s say those same bad guys had access to other merchant accounts (maybe their own) and knew which ones were low value due to chargebacks. That is, they don’t want to mess up their own merchant account by processing those credit cards for illicit activity. However, the accounts that have already received chargebacks are fair game to use however they choose. Sure, each session only lasts ten minutes, but who cares? Those accounts are worthless anyway. Meanwhile, the processing explosion occurs while the bad guy does their ten minutes of bad things (whatever they are).

Now let’s say that after a month of this the upstream bank that’s doing the merchant processing notices a huge uptick in chargebacks. Suddenly those accounts are costing the merchant money in fines. Another month passes and the bank tells them to fix the problem or they’re getting cut off. The next month their business is no longer authorized to clear. Denial of service via merchant chargebacks! Weird, eh? Of course the merchant does have one piece of recourse, and that is to immediately refund the charged card once they realize the account has been used for illicit activity. But it’s an interesting thought.
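To make the scenario above concrete, here is an added example (not code from the original post) that models a month of a merchant’s transactions, computes the chargeback ratio and fees the acquiring bank would see, and compares the outcome with and without the recourse the post mentions: refunding the card as soon as the account is identified as abusive. Every number in it (the per-transaction gateway fee, the chargeback fine, the ratio threshold, and the transaction volumes) is a constructed placeholder, not a figure from the post or from any real processor.

```python
"""
Added example, not part of the original post: a small model of how a merchant's
chargeback ratio evolves when abusive sign-ups are booted after a detection
window, with and without the "refund immediately on detection" recourse.
All fees, thresholds and volumes below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed gateway economics (constructed placeholders, not real processor figures).
GATEWAY_FEE_PER_TXN = 0.30       # charged on every authorization attempt, approved or declined
CHARGEBACK_FINE = 25.00          # assumed per-chargeback fee from the acquiring bank
CHARGEBACK_RATIO_LIMIT = 0.01    # assumed acquirer threshold before the merchant is cut off


@dataclass
class Txn:
    card_id: str
    amount: float
    approved: bool
    abusive: bool          # True if the account was later identified as abusive
    refunded: bool = False


def detect_and_refund(txns, refund_on_detection):
    """Apply the post's recourse: once an account is identified as abusive,
    refund the charge before the cardholder disputes it."""
    for t in txns:
        if refund_on_detection and t.approved and t.abusive:
            t.refunded = True
    return txns


def month_summary(txns):
    """Compute the numbers the acquiring bank actually looks at for the month."""
    approved = [t for t in txns if t.approved]
    # A chargeback arrives for an approved abusive charge the merchant did not refund first.
    chargebacks = [t for t in approved if t.abusive and not t.refunded]
    ratio = len(chargebacks) / len(approved) if approved else 0.0
    # Gateway fees accrue on every attempt; fines accrue only on actual chargebacks.
    fees = GATEWAY_FEE_PER_TXN * len(txns) + CHARGEBACK_FINE * len(chargebacks)
    return {
        "approved": len(approved),
        "chargebacks": len(chargebacks),
        "ratio": ratio,
        "fees": round(fees, 2),
        "over_limit": ratio > CHARGEBACK_RATIO_LIMIT,
    }


def simulate_month(legit, abusive_sessions, declined, refund_on_detection):
    """Constructed month: legitimate purchases, abusive ten-minute sessions that
    were approved, and declined attempts that still cost a gateway fee."""
    txns = []
    txns += [Txn(f"good-{i}", 40.0, True, False) for i in range(legit)]
    txns += [Txn(f"bad-{i}", 40.0, True, True) for i in range(abusive_sessions)]
    txns += [Txn(f"test-{i}", 1.0, False, True) for i in range(declined)]
    detect_and_refund(txns, refund_on_detection)
    return month_summary(txns)


if __name__ == "__main__":
    for policy in (False, True):
        print(f"refund_on_detection={policy}:", simulate_month(1000, 50, 200, policy))
```

With the constructed volumes, 50 abusive sessions among 1,050 approved charges already push the ratio well past the assumed 1% limit in the no-refund case, while refunding on detection brings the chargeback count to zero and leaves only the per-attempt gateway fees. The model deliberately keeps the detection itself as the "magical black box" the post describes; the point is only what the refund policy does to the ratio the bank sees.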

8 Responses to “DoSing Via Chargebacks”

  1. Awesome AnDrEw Says:

    Interesting idea you’ve come up with.

  2. c0redump Says:

    One word; PCI! ;o)

  3. Kyran Says:

    That’s an acronym. ;D

    Anyways, I personally think more non-technical style attacks should be taking a stand. Social Engineering and real life DoSes seem to be a good route to look into.

  4. Lawrence Pingree Says:

    Hi Folks,
    As a person who speaks to this subject with actual experience, this is a serious problem with our credit system. The most notable thing here is that the credit card transaction processing companies actually make more on the chargeback than they do on the valid transaction… check my blog at

  5. Bergo Says:

    In a previous job, I worked with a CC Payment gateway.

    This thing kinda happened to small merchants, if an attacker was using the site to verify CC numbers. Each transaction cost the merchant whatever the payment gateway fee was (25 or 50 cents) regardless of whether it was successful or not. If the card number was successful, the merchant would also receive chargebacks. So for a “mum and dad” shop selling t-shirts or something (for a few hundred dollars a month), having thousands of transactions pumped through would cause potentially thousands of $$ worth of fines and fees. Enough to make them pack up shop and get offline. Never really thought of this happening as a targeted attack though.

  6. Bergo Says:

    And forgot to add to the above comment .. that eventually after a couple of months, banks will shut down their account because it’s being abused.

  7. Shoaib Yousuf Says:

    Very Interesting Post. I have worked in Credit Card Security and I guess the best practice is to choose only those merchants which are enrolled in the Visa/Mastercard verified facility. Also, make sure the merchant directs you to your card institution for verification and also do third party verification.

    I know it’s time consuming but it reduces the chargeback risks.

  8. Jon A. Longoria Says:

    Oh ho! Novel idea Robert and I think there is a slight up-trend in these tactics that we’ll see over the next ten years as scam artists become more ‘physically’ destructive.

    That harkens to memories of my social dynamics comparison / analysis I wrote about a few years back, wherein our technological exploitations mimic man’s corrupt physical manifestations which can cause adverse consequences for service providers and consumers alike.