u/Worth_Geologist4643

How strict are you guys with your fraud rules?


I am looking to tighten up my store’s fraud detection and I am currently exploring velocity checks. I want to set up some automated rules to catch suspicious activity before it turns into a chargeback, but I want to be careful not to create friction for legitimate customers.

I am considering implementing the following specific rules:

• Limiting the number of allowed transactions from a single device within a 24-hour period.

• Capping the total dollar amount that can be transacted from a single account within a specific time frame.

• Restricting the number of login attempts from the same IP address within a one-hour window.

Exactly how many transactions or logins do you allow before you block or flag an order for manual review? Have you found a good way to handle normal spikes in customer behaviour like holiday shopping or massive sales without triggering these rules? What tools or apps are you using? Are you relying on native platform tools like Shopify's built-in Fraud Analysis or have you had better luck with third-party apps?

reddit.com
u/Worth_Geologist4643 — 8 days ago
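The three velocity rules in the post above, implemented as sliding-window counters. This is an added example, not code from the poster or from Shopify or WooCommerce; the thresholds, the `peak_multiplier` used to loosen limits during announced sales, and the sample events are all constructed, and real limits should come from a store's own baseline of legitimate traffic.

```python
"""Velocity checks: transactions per device per 24h, dollar total per
account in a window, and logins per IP per hour.
Added example; thresholds and events are constructed, not real data."""
from collections import defaultdict, deque
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class VelocityRules:
    # Constructed thresholds (assumptions, not taken from the post).
    max_tx_per_device_24h: int = 5
    max_amount_per_account: float = 2000.0
    amount_window: int = DAY
    max_logins_per_ip_1h: int = 20
    # Raise to e.g. 2.0 during a planned sale so ordinary spikes do not flag.
    peak_multiplier: float = 1.0


class VelocityChecker:
    """Sliding-window counters keyed by device, account and source IP."""

    def __init__(self, rules: VelocityRules):
        self.rules = rules
        self._tx_by_device = defaultdict(deque)    # device -> deque[ts]
        self._amt_by_account = defaultdict(deque)  # account -> deque[(ts, amount)]
        self._login_by_ip = defaultdict(deque)     # ip -> deque[ts]

    @staticmethod
    def _evict(window, now, horizon, key=lambda x: x):
        """Drop entries older than the window so counts stay bounded."""
        while window and key(window[0]) <= now - horizon:
            window.popleft()

    def record_transaction(self, now, device_id, account_id, amount):
        """Record one authorised transaction; return the rule names it trips."""
        flags = []
        r = self.rules
        dev = self._tx_by_device[device_id]
        self._evict(dev, now, DAY)
        dev.append(now)
        if len(dev) > r.max_tx_per_device_24h * r.peak_multiplier:
            flags.append("device_tx_velocity")

        acct = self._amt_by_account[account_id]
        self._evict(acct, now, r.amount_window, key=lambda e: e[0])
        acct.append((now, amount))
        if sum(a for _, a in acct) > r.max_amount_per_account * r.peak_multiplier:
            flags.append("account_amount_velocity")
        return flags

    def record_login(self, now, ip):
        """Record one login attempt from an IP; logins are not scaled by peaks."""
        win = self._login_by_ip[ip]
        self._evict(win, now, HOUR)
        win.append(now)
        return ["ip_login_velocity"] if len(win) > self.rules.max_logins_per_ip_1h else []


def run_demo(rules=None):
    """Replay constructed events; return {event_label: flags}."""
    checker = VelocityChecker(rules or VelocityRules())
    out = {}
    # Six small orders from one device inside 24h: the sixth trips the device rule.
    for i in range(6):
        out[f"tx_dev_{i}"] = checker.record_transaction(i * HOUR, "dev-A", f"acct-{i}", 50.0)
    # Two orders on one account an hour apart whose total exceeds the cap.
    out["big1"] = checker.record_transaction(30 * HOUR, "dev-B", "acct-X", 1500.0)
    out["big2"] = checker.record_transaction(31 * HOUR, "dev-C", "acct-X", 600.0)
    # Same account a day later: the earlier orders have aged out of the window.
    out["big3"] = checker.record_transaction(55 * HOUR, "dev-D", "acct-X", 1500.0)
    # 21 logins from one IP within 20 minutes: the 21st trips the login rule.
    for i in range(21):
        out[f"login_{i}"] = checker.record_login(100 * HOUR + i * 60, "203.0.113.7")
    return out


if __name__ == "__main__":
    for label, flags in run_demo().items():
        if flags:
            print(label, flags)
```

Flags here mean "route to manual review", not "block"; the two should be separate thresholds in practice so a legitimate customer who hits a soft limit is delayed rather than refused.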

I have been cleaning up the fallout on Shopify and WooCommerce stores that I manage and it is really eye-opening. Your checkout is probably loading scripts that you have never properly checked. That is exactly how modern card skimmers, like Magecart-style attacks, are getting in.

I used to think that this was a Magento problem but I was wrong. Now I am dealing with the consequences on platforms where the core checkout is relatively locked down. Attackers are still succeeding through the browser layer.

 1. A malicious JavaScript snippet gets added via a compromised third-party app,

 2. An inherited Google Tag Manager container,

 3. A chat widget,

 4. Review tool,

 5. A/B testing script,

 6. Analytics tag,

 7. or even a sloppy edit from a developer.

Once it is on the checkout or login page it silently listens for card number, CVV, expiry and billing details as the customer types them. Then it sends everything in time to the attacker. The scary part is that the checkout still works perfectly. The payment is authorised. Your fraud tools and dashboards look completely normal. You often only find out weeks later when banks or card networks start flagging fraud patterns traced back to your Shopify store. Shopify stores are absolutely in the crosshairs because while the platforms control the core flow they cannot control every third-party script that you or your apps load on checkout. Server-side protections, WAFs and tokenisation do not stop this because the attack happens client-side in the customer's browser.

Common entry points that I am seeing include:

* Outdated or compromised apps or plugins

* Abused Google Tag Manager containers

* Chat widgets

* Review systems

* Analytics and tracking scripts

* A/B testing tools

If you cannot list every script that is running on your checkout page and verify where it is sending data then you are exposed. Do not wait for a bank to call you with chargeback spikes or a data breach notification. Check your checkout scripts today. Is anyone dealing with this lately?

What tools or processes are you using to monitor third-party scripts on checkout for your Shopify store?

reddit.com
u/Worth_Geologist4643 — 9 days ago
▲ 1 · r/FraudPrevention · +1 crossposts
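A first answer to "can you list every script running on your checkout page": a static inventory of a checkout HTML page that flags scripts from origins the store has not approved, approved scripts served without Subresource Integrity, and inline scripts whose hash is not in a reviewed list. This is an added example, not code from the poster, Shopify, or any app; the allowlist, the sample HTML, the `integrity` value, and the inline snippets are constructed.

```python
"""Static script inventory for a checkout page.
Added example; allowlist, sample page and hashes are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: origins the store has deliberately approved on /checkout.
ALLOWED_ORIGINS = {"cdn.shopify.com", "js.stripe.com"}


def inline_hash(body: str) -> str:
    """SHA-256 of an inline script body, whitespace-trimmed."""
    return hashlib.sha256(body.strip().encode()).hexdigest()


# Constructed: hashes of the inline snippets the store's own developers reviewed.
KNOWN_INLINE_HASHES = {inline_hash("window.dataLayer = window.dataLayer || [];")}


class ScriptInventory(HTMLParser):
    """Collect every <script> tag: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
        self.scripts.append(self._current)

    def handle_data(self, data):
        if self._current is not None:  # HTMLParser hands script text through here
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._current = None


def audit(html, allowed_origins=ALLOWED_ORIGINS, known_inline=KNOWN_INLINE_HASHES):
    """Return (finding_kind, detail) tuples in page order."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlsplit(s["src"]).hostname  # None for relative, first-party paths
            if host is not None and host not in allowed_origins:
                findings.append(("unlisted_origin", s["src"]))
            elif not s["integrity"]:
                findings.append(("no_sri", s["src"]))
        else:
            digest = inline_hash(s["body"])
            if digest not in known_inline:
                findings.append(("unknown_inline", digest[:12]))
    return findings


# Constructed sample checkout page; the integrity value is a placeholder.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://cdn.shopify.com/s/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="//cdn.example-chat-widget.test/loader.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>!function(){/* unreviewed inline snippet, constructed placeholder */}();</script>
</head><body><form id="checkout"></form></body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CHECKOUT_HTML):
        print(f"{kind:16} {detail}")
```

A static pass only sees what the server sent; scripts that tag managers or widgets inject later are invisible to it, so re-run the inventory against the rendered DOM from a headless browser as well, and treat any change in the list between runs as something to review. SRI only works for files whose content is fixed per version, which is why loaders that change on every request show up as `no_sri` and need a different control.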

I am actively dealing with this across some of the Shopify stores I manage. Your checkout is probably loading scripts you have never audited, and I am seeing firsthand that this is exactly how card skimmers get in.

My worst nightmare is one of my clients becoming the source of a customer data leak. The reputational damage and the risk of hefty fines can tank a business. I used to think Magecart attacks were an ancient Magento problem. I was wrong. I am dealing with the fallout of what happens when a checkout or login page loads even just a single script we do not fully control.

A few lines of JavaScript can steal card data and PII for weeks, undetected, while my dashboards show everything is business as usual. Even with a robust server, WAF, or data tokenisation in place, these Magecart attacks bypass all of it by exploiting the least defended layer: the browser.

A malicious JavaScript snippet gets injected onto the checkout page. In the cases I am untangling, it usually comes through a compromised third-party app, a tag in a Google Tag Manager container I inherited, a chat widget, or a review tool. Once it is there, it sits quietly. It reads card numbers, CVV codes, expiry dates, and billing details the exact moment the customer types them. It then sends all of that, in real time, to a server the attacker controls.

The scariest part for a store manager? The checkout still completes. The payment still goes through. Shopify's fraud score still looks completely normal to me. We only find out three to six weeks later when a US bank or a card scheme flags a pattern of fraud traced back to the store.

In 2024 alone, Recorded Future documented over 11,000 e-commerce domains infected with active skimmers. I am seeing Shopify stores get reached right through their third-party script ecosystem. Shopify controls the core checkout flow, but it cannot control what scripts my clients or their apps load on top of it. Every pixel, widget, and tag that runs on /checkout is my responsibility.

Outdated plugins, sloppy CMS edits from previous devs, weak admin accounts, abused GTM containers, chat widgets, A/B testing tools, and analytics tags are all potential vulnerabilities. If a third-party script can run on your checkout, it can skim your checkout.

The checkout still worked. Payments were still authorised. Transactions still looked normal. Our WAF and SIEM saw nothing because the user's browser never tells them what is leaking. Fraud only shows a few weeks later when banks start calling it out. By then, the attackers have already harvested weeks of cardholder data.

Do you know every script running on your checkout? Do you know where they are sending data? If the answer is no, you are wide open for e-skimming attacks. Do not wait for the bank to call you. Fix it today.

reddit.com
u/Worth_Geologist4643 — 14 days ago
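The post above notes that the WAF and SIEM saw nothing because the browser never reports what is leaking. A Content-Security-Policy with a reporting endpoint is the standard way to make the browser report exactly that: a script load from an origin not on the checkout allowlist, or an outbound request to a host the page should never contact. The example below, added here and not the poster's or Shopify's code, builds such a policy from a constructed allowlist and triages constructed violation reports into alerts a SIEM could ingest. Host names, paths and the `/csp-report` endpoint are assumptions.

```python
"""Build a checkout CSP and triage the violation reports browsers send back.
Added example; allowlists, endpoint and sample reports are constructed."""
import json
from urllib.parse import urlsplit

# Constructed: origins allowed to run script / receive requests on /checkout.
ALLOWED_SCRIPT_ORIGINS = {"cdn.shopify.com", "js.stripe.com"}
ALLOWED_CONNECT_ORIGINS = {"api.stripe.com"}

# How much a violation of each directive should worry a checkout owner.
SEVERITY = {
    "script-src": "high",        # an unapproved script tried to run
    "script-src-elem": "high",
    "connect-src": "critical",   # page tried to send data somewhere unexpected
    "form-action": "critical",   # form posting to a foreign host
    "img-src": "medium",         # classic low-tech exfil channel via image URLs
}
EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension")


def build_checkout_csp(report_endpoint="/csp-report"):
    """Return the header value; deploy as Report-Only first, then enforce."""
    script = " ".join(["'self'"] + sorted(f"https://{o}" for o in ALLOWED_SCRIPT_ORIGINS))
    connect = " ".join(["'self'"] + sorted(f"https://{o}" for o in ALLOWED_CONNECT_ORIGINS))
    return (f"default-src 'self'; script-src {script}; connect-src {connect}; "
            f"img-src 'self' data:; form-action 'self'; report-uri {report_endpoint}")


def triage(report_lines):
    """Turn raw report-uri JSON lines into alerts, dropping browser-extension noise."""
    alerts = []
    for line in report_lines:
        r = json.loads(line).get("csp-report", {})
        directive = r.get("effective-directive") or r.get("violated-directive", "").split(" ")[0]
        blocked = r.get("blocked-uri", "")
        if blocked.startswith(EXTENSION_SCHEMES):
            continue  # user's own extensions, not something the store shipped
        severity = SEVERITY.get(directive)
        if severity is None:
            continue
        alerts.append({
            "severity": severity,
            "directive": directive,
            "host": urlsplit(blocked).hostname or blocked,  # "inline"/"eval" stay as-is
            "page": urlsplit(r.get("document-uri", "")).path,
        })
    return alerts


# Constructed reports in the shape browsers POST to a report-uri endpoint.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example.test/checkout",
        "effective-directive": "script-src-elem",
        "blocked-uri": "https://cdn.example-chat-widget.test/loader.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example.test/checkout",
        "effective-directive": "connect-src",
        "blocked-uri": "https://collect.example-bad.test/c"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example.test/checkout",
        "effective-directive": "img-src",
        "blocked-uri": "chrome-extension"}}),
]

if __name__ == "__main__":
    print(build_checkout_csp())
    for alert in triage(SAMPLE_REPORTS):
        print(alert)
```

Run the policy in `Content-Security-Policy-Report-Only` for a few weeks first: every legitimate widget, pixel and tag the store relies on will show up as a report, which is the script inventory the thread is asking for, and only then switch to the enforcing header so that an unapproved script is blocked rather than merely reported. `report-uri` is being superseded by `report-to`, but it remains the widely supported option and the report shape above is the one it produces.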