Velocity credit card attacks
Our website was hit by scammers who were attempting to run stolen credit card lists through our payment gateway. If the card is successful its value increases on the black market.
The credit card velocity attacks began in early November 2024 and continually increased in velocity until it could not be ignored. This begins an arms race between us and the scammers as we raise the difficulty of putting a stolen credit card through our site.
This ultimately concluded in us removing the pay by credit card option entirely over the Christmas period.
Over the past few months, we’ve installed anti-fraud software which scores each purchase attempt before accepting the order. Various aspects are checked including whether the purchases are using a VPN or their browser location matches the customers address. All tests that a scammer would fail, or so we thought.
Enabling the google captcha is the first line of defence. This is also problematic as some customers found themselves timing out as they sought approval codes.
The scammers then switch from known VPNs to unknown VPNs, these are VPNS where a people have download free app with hidden VPN payloads. Scammers can then exploit this so the VPN is undetectable using unsuspecting peoples home Internet connection as part of the VPN.
We use PayPal to process our credit card payments and this seems to have had a flaw in the API that allows scammers to exploit. This was recently patched. We can see the probes coming into the website every minute or so, testing us for access. Probably this will be the norm going forward, so we’ll never be off their list.
At its worst case if the scammers get greedy it would crash our website requiring a manual reset. Now its just additional load that we have to factor for.
How did we survive? We have “Pay by telephone” and “Pay by bank transfer” options. Both of these remained available during the card attacks and bypass almost all of the additional security rules in place making order placement easier.
Pete Watermans Making Tracks 4
What a great exhibition we were able to put on a Blakemere. Attendance was up over 20% on last year and the public enjoyed driving the layout.
We managed to prototype and install working modern image signalling for the layout. Each System2 AutoSignal communicates with the next signal to correctly display four aspects using RGB LEDs (two elements). We also added go/no go signals in the fiddle yard exits to help operators see whether the first half of the scenic section was clear of traffic. The public seemed to like driving to the signals as it added another dimension to our layout.
The System2 AutoSignal product will launch around March 2025 with versions for RGB LEDs, common positive LEDs and common negative LEDs. Options will become available later for built in ABC braking. The System2 AutoSignal reduces wiring as it only requires a network connection to operate. All the blocks are detected and the data placed on the network with any combination of System2 products including: Panel Controller, Mini Panel Controller, IN-32.
Another dimension to Blakemere was the live dashboard on a 65 inch screen. This provided graphical feedback as to the number of laps and Miles driven, broken down by Line, Individual train and totals overall.
Data was uploaded in real time to our database. For Blakemere we uploaded 900,000 network packets and travelled a measured distance of 258.11 Miles with the trains. Quite an achievement I hope you’ll agree.
We’ll continue to develop this further for all Making Tracks events.
AutoYard switching is the cause of most of the Making Tracks short circuits. When an operator hits the exit points and they are not set correctly, we enjoy a short circuit and the layout stops (by design).
With the points sometimes over 50 feet away it’s easy to forget. The biggest single cause of this is when you are in conversation and operating. It’s a mistake and we are all guilty of it.
What we will be trialling is automatically switching the points at the fiddle yard exit. As you approach a block detector will trigger a route from the System2 Route Processor that sets the points for you.
Testing shows that we need the 30 centimetres before the frog as the detection area. We could do it with less, but we have to assume the train is travelling slow.
We’ll be wiring and testing this further in Pete’s Barn, so keep watching the videos for progress.
This brings you up to date. Have a great 2025.
