Skip to main content
Suby’s fraud prevention system protects against automated attacks, card testing, and suspicious payment activity. It combines bot detection, card testing prevention, and device fingerprinting, three independent layers that work together at the point of payment.

Protection layers

Anti-Bot

Behavioral analysis and challenge-response to detect and block automated traffic.

Anti-Card Testing

Detects rapid sequential payment attempts characteristic of stolen card validation.

Device Fingerprint

Persistent device identity tracking to link activity across sessions and accounts.

Anti-bot detection

The anti-bot layer analyses dozens of passive signals during the payment session, mouse movement entropy, keystroke timing, browser environment consistency, and TLS fingerprint, to produce a bot confidence score for each checkout attempt. Cloudflare CAPTCHA is used as an additional layer of protection when the confidence score crosses a defined threshold.

Anti-card testing

Card testing attacks involve running large numbers of stolen card numbers against a payment endpoint to identify valid ones. Suby detects this pattern through velocity checks on both the user account and the device fingerprint, regardless of whether a new guest session is opened. Detection rules: 
card_testing:
  max_declined_attempts: 3          # within rolling window
  velocity_window_seconds: 300      # 5-minute window
  distinct_cards_threshold: 3       # unique PANs per session
  small_amount_probe_limit: 2       # ≤ $1 micro-auth attempts
  block_duration_hours: 24          # first offence
  repeat_offence_action: "permanent"
Detections are keyed on a composite of device fingerprint ID, IP subnet (/24), and account ID when authenticated. All three keys are checked independently, a match on any single key is sufficient to trigger a block.

Device fingerprinting

Every checkout session generates a stable device fingerprint that persists across browser sessions, private and incognito mode, and VPN changes. This fingerprint is the primary identity used when evaluating fraud signals and enforcing blocks.
Fingerprints are stored server-side only. They are never exposed to client-side JavaScript and cannot be queried or tampered with by the user.

Block escalation

When a fraud signal is triggered, the system applies a progressive block policy keyed to the device fingerprint. The escalation is automatic and requires no manual intervention.
ConditionActionDurationReversible
First fraud signalPayment blocked24 hoursAuto-lifted
Retry during 24h blockPermanent blockIndefiniteManual review only
Permanent block + attemptSilent reject + alertIndefiniteNo
Card testing velocityPayment blocked24 hoursAuto-lifted