  1. #1
    Join Date
    Feb 2012
    Posts
    19

    Exclamation Security problem / hacking attempts

    PayPal has reported to us that our shopping cart is being abused, apparently by hackers attempting to test fraudulent credit cards. What we are seeing is that a user creates a phony account -- the account has full information with billing & shipping address in the US or Canada -- but access logs show that the source IP is in Indonesia. The user then selects items in a shopping cart and attempts to use the Quick Checkout utility, hundreds of times, with access logs showing hits 10-15 seconds apart.

    In addition to this causing consternation to PayPal (which in turn sends us "action needed" emails), it's also likely impacting server load & bandwidth.

    I don't know if these people are trying to test out stolen credit cards or just engaged in some sort of DOS attempt -- but in any case it would be nice if there was some sort of setting or script modification that could limit the number of times a user could resubmit an order.

    PayPal suggests one of the following measures:

    • Velocity Checks

    Velocity refers to the number or speed of payments made within a certain period of time – ten payments sent from the same customer within seconds or minutes of each other, for instance. Monitoring this activity is important. Even with donation sites, it may be unusual for a user to make low dollar payments in rapid-fire succession. Payment velocity can be monitored by dollar amount, user IP, billing address, BIN, or device.

    • Shopping Cart Session Velocity

    This refers to the number of times that one buyer can attempt to complete an order in one shopping cart session. By putting a limit on the attempts in one checkout session, it will allow for the visibility of shopping cart declines, which may assist in identifying a possible carding situation.

    These Velocity checks sound like things that really should be built into the cart already for security reasons.

    Any way to achieve this sort of protection? Legitimate users make mistakes in credit card entry and sometimes have to resubmit, or try a different card if one is declined -- but I would think that a limit of 8 or 10 attempts total would be more than enough for any legitimate customer.

    It would be nice if the system also logged credit card declines somewhere, both to prevent fraud and abuse, and also to help debug with legitimate customers who sometimes report difficulty with credit card authorization.
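The two controls PayPal describes in the post above (payment velocity per IP and per card BIN, and attempts per checkout session) plus the decline log the poster asks for, written out as an added example in Python. This is not SunShop or PayPal code and nothing here comes from the vendor; the limits (8 per session, 20 per IP, 12 per BIN, 15-minute window), the session ids, the 203.0.113.x / 198.51.100.x addresses, the BIN values and the gateway code are all constructed for the illustration. The session limit follows the poster's own "8 or 10 attempts" suggestion. The second scenario goes slightly beyond the post: it shows why the per-IP counter matters when a bot opens a fresh cart session and tries a different card each time, which the per-session limit alone cannot see.

```python
"""Velocity checks for a shopping-cart checkout endpoint (added example).

Not SunShop or PayPal code. Implements the two controls quoted in the post:
  * payment velocity per source IP and per card BIN over a sliding window
  * shopping-cart session velocity (attempts per checkout session)
and keeps a decline log for later fraud review and customer support.
"""
from collections import defaultdict, deque

# Limits are assumptions; the session limit follows the thread's "8 or 10" suggestion.
SESSION_LIMIT = 8           # checkout submissions allowed in one cart session
IP_LIMIT = 20               # submissions from one source IP inside the window
BIN_LIMIT = 12              # submissions sharing one card BIN inside the window
WINDOW_SECONDS = 15 * 60    # sliding window for the counters


class VelocityGuard:
    """Counts checkout submissions per (dimension, value) and blocks when a limit is hit."""

    def __init__(self, limits, window=WINDOW_SECONDS):
        self.limits = limits                 # e.g. {"session": 8, "ip": 20, "bin": 12}
        self.window = window
        self._events = defaultdict(deque)    # (dimension, value) -> submission timestamps
        self.decline_log = []

    def _prune(self, key, now):
        # drop timestamps that have fallen out of the sliding window, return the deque
        q = self._events[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def check(self, now, session_id, ip, bin6):
        """Record one submission and return (allowed, reason).

        Blocked attempts are recorded too, so a bot that keeps hammering the
        endpoint does not free up its own quota while it is being refused.
        """
        dims = {"session": session_id, "ip": ip, "bin": bin6}
        for dim, value in dims.items():
            self._prune((dim, value), now).append(now)
        for dim, value in dims.items():
            if len(self._events[(dim, value)]) > self.limits[dim]:
                return False, f"{dim} velocity limit exceeded"
        return True, "ok"

    def record_decline(self, now, session_id, ip, bin6, gateway_code):
        # The post asks for declines to be logged; keep enough to trace both carding
        # patterns and a legitimate customer's authorization trouble.
        self.decline_log.append({"t": now, "session": session_id, "ip": ip,
                                 "bin": bin6, "code": gateway_code})


def new_guard():
    return VelocityGuard({"session": SESSION_LIMIT, "ip": IP_LIMIT, "bin": BIN_LIMIT})


def simulate_single_session_burst(attempts=30, spacing=12):
    """Constructed scenario from the post: one account/session, one source IP,
    the same card resubmitted every 12 s. Returns (allowed, blocked, declines_logged)."""
    guard = new_guard()
    allowed = blocked = 0
    for i in range(attempts):
        now = i * spacing
        ok, _ = guard.check(now, "sess-A1", "203.0.113.7", "411111")   # constructed values
        if ok:
            # the gateway refuses the test card; log it as the poster requested
            guard.record_decline(now, "sess-A1", "203.0.113.7", "411111", "DO_NOT_HONOR")
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked, len(guard.decline_log)


def simulate_session_rotation(attempts=30, spacing=12):
    """Constructed scenario: a fresh cart session and a different card on every
    attempt from the same IP, so only the per-IP counter can catch it."""
    guard = new_guard()
    allowed = blocked = 0
    for i in range(attempts):
        ok, _ = guard.check(i * spacing, f"sess-{i}", "203.0.113.7", f"41{i:04d}")
        allowed += ok
        blocked += not ok
    return allowed, blocked


def simulate_legitimate_retry():
    """A real customer mistyping twice before paying stays well under every limit."""
    guard = new_guard()
    results = [guard.check(t, "sess-L9", "198.51.100.4", "542418")[0] for t in (0, 40, 95)]
    return all(results)


if __name__ == "__main__":
    print(simulate_single_session_burst())   # (8, 22, 8)
    print(simulate_session_rotation())       # (20, 10)
    print(simulate_legitimate_retry())       # True
```

Because blocked attempts are still counted, a script that keeps resubmitting every 12 seconds never sees its quota reset; the window only starts to drain once the traffic actually stops. The decline log holds the session, IP, BIN and gateway code together so the same records serve both a fraud review and a support ticket from a customer whose card keeps failing.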

  2. #2
    Join Date
    Aug 2006
    Location
    San Diego, CA
    Posts
    4,333
    We ask that you please open a ticket for this issue. One thing to consider would be a captcha at the final step of checkout which would eliminate this issue completely.

    We have an updated version of the captcha plugin that supports this.
    Chris Talavera
    Turnkey Web Tools, Inc.
    chris{at}twt-inc.com
    1-800-673-4898

  3. #3
    Join Date
    Feb 2012
    Posts
    19
    I am glad to know that the updated CAPTCHA has this feature, but unfortunately I am uncomfortable about using the CAPTCHA plugin. Our business markets educational products for dyslexia, and the particular CAPTCHA plugin that comes with SunShop is also extremely difficult for anyone with dyslexia to manage, as it relies on retyping obscured letters. So we'd be erecting a barrier in front of our primary market to implement that plugin.

    Given that using CAPTCHA is a problem for us, should I still open a ticket?

    I'd add that even though the abusers are obviously using a bot for repeat submission, there clearly is also a human agent involved to create the user account and fill in other form information - so although CAPTCHA would slow them down, I don't think it would necessarily prevent repeat submissions.
    Last edited by AbigailRM; 11-28-2016 at 10:55 PM.

  4. #4
    Join Date
    Aug 2006
    Location
    San Diego, CA
    Posts
    4,333
    Yes, please open a ticket so we can review the issue and possibly provide an alternate solution.
    Chris Talavera
    Turnkey Web Tools, Inc.
    chris{at}twt-inc.com
    1-800-673-4898
