thirty bees forum

Question

Posted

34 fake accounts registered today. ALL of them card testing. 6 of them got fake orders through. 
Never had this issue with any other cart service. 

Is there some recaptcha service/mod that ACTUALLY works. I don't want to pay for another mod if it's just going to be the same crap. 
I'm legit fed up and have my site turned off right now because I'm tired of it. I should just go back to Miva if this keeps up. Fucking annoying as shit! 
Wouldn't be as bad if I could block registering via VPNs. 

9 answers to this question


  • 0
Posted

Probably best to stick with one thread. How do you know it is the recaptcha that is not working? Are you using v2 or v3? How do you know it is not a bank of people really creating the accounts to test?

Have you checked the IP’s are they all one country? Can you block that country

Stick to one thread then it is easier to piece it all together

  • 0
Posted (edited)

Totally agree, tb needs an outstanding solution for this and it should definitely be in the pipeline to include it in one of the next updates! Maybe there can be a simple solution that works; I think the problem is not new and has already been discussed here.

Edited by DRMasterChief
  • 0
Posted

I've mentioned this before, yes. But nothing ever comes of it - so "fresh eyes" maybe? 
Google gives you three options of Recaptcha. You can't do the third (newest) version, so I'm stuck with V2. 

Blocking IP addys is a temp solution. Clearly my site is on a list out there for card testers. 

The email addys they use are usually gmail, or fake (@shsksj.com). I've checked the IPs, and most are overseas. The odd time, they're VPNs.


  • 0
Posted (edited)

What good is a Recaptcha if bots are just going to plow through it?

8 more, by the way.

I honestly can't believe there isn't a better security set up for this?!

Edited by bhtoys
  • 0
Posted

34 fake accounts is not much, so I'm not really convinced this is a bot. I would need to see the logs to be more sure, but this could very easily be real people. If that's the case, there's not much you can do.

How does this card testing work? Do you use some embedded card form? If so, I would suggest getting rid of it. There's no real reason to have it, anyway. Customers are pretty accustomed to being redirected to the payment gateway to complete the transaction. In fact, there are some customers (myself included) that would abandon the transaction if the store collects (or pretends to collect) the card information directly.

If you already redirect your customers to the payment gateway, and they are not able to stop it -- you should consider using a different payment provider with better security radars.

  • 0
Posted (edited)
5 hours ago, datakick said:

34 fake accounts is not much, so I'm not really convinced this is a bot. I would need to see the logs to be more sure, but this could very easily be real people. If that's the case, there's not much you can do.

How does this card testing work? Do you use some embedded card form? If so, I would suggest getting rid of it. There's no real reason to have it, anyway. Customers are pretty accustomed to being redirected to the payment gateway to complete the transaction. In fact, there are some customers (myself included) that would abandon the transaction if the store collects (or pretends to collect) the card information directly.

If you already redirect your customers to the payment gateway, and they are not able to stop it -- you should consider using a different payment provider with better security radars.

Over 400 "visitors" to my site in the last 30 minutes, over 100 users adding items to carts that are less than $10 for card testing. 
The fact that two or three of those get through the recaptcha shows me that this is not a single user. 

Here's how card testing works.
- Credit card lists are stolen / sold.
- A bot then seeks out websites to attempt to place a small order (Usually under $10) to not look suspicious. 
- A bot then rolls those numbers on the site at checkout to see if any are legit, or if it can guess the three digit code that should be on the back of the card. 
- When it gets just one successful card, it immediately attempts a new order all over again. 
- Since they were successful on the site, the bots return to the site to do this all over again. 

You could probably google it for more specifics, but that's the basic routine. RARELY is it ever a single user behind all of the transactions. 

And my site doesn't collect any information about you other than what you ordered, and where it's going. All transactions are done via Moneris. They're the most popular and best processing company in Canada. 

They are able to stop it, should I upgrade my service with them, costing me MUCH more per month to do so. 

This doesn't stop fake accounts being made on my site however. And that's the main thing I'd like to stop. If a bot can't make an account on my site, then it clearly can't make a fraudulent order, or perform card testing on it. 

Hope that explains things better. 



While I'm at it, does anyone have any experience with this?
https://www.prestatoolbox.com/security/423-anti-spam-mathematical-captcha.html


Edited by bhtoys
  • 0
Posted

No system is perfect and that includes Google reCAPTCHA. It is not necessarily the module or the programming or shop system, but that people have many ways to circumvent the system (including, yes, human farms. I am sure I can speak for datakick when he and I suggest people we did not mean one person doing it all, but large groups being paid to target).

https://www.perimeterx.com/resources/blog/2020/captchas-hard-for-humans-easy-for-bots/

So, any module is only part of the armoury.

Have you installed the bad bots module?

Have you scanned all the files on the server for issues?

Have you utilised Cloudflare like the suggestions on the other threads?

  • 0
Posted (edited)
9 hours ago, haylau said:

Have you installed the bad bots module?

Have you scanned all the files on the server for issues?

Have you utilised Cloudflare like the suggestions on the other threads?

Cloudflare I haven't looked into.
I've checked the files on the server. Nothing wrong there. 

I've never heard of the Bad Bots module, but I just finished installing. 
I trust Datakick and anything he's made. So hopefully this will help somewhat. 

Edited by bhtoys
  • 0
Posted

There are other things you can do to make it harder for bots. For example, you can try to change the friendly URLs for the cart and order pages, or change the HTML id and class of the submit button. Depending on the bot logic this could help (or not).

You could also measure the time it took to create the cookie <--> add a product to the cart <--> initiate checkout. If this all took only a few seconds then it's a good indication that it's a bot. This should be fairly easy to implement, using overrides for Cookie.php, Cart.php, and OrderController.php
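Added example, not code from thirty bees or from anyone in this thread: the two detection rules discussed above (datakick's cookie-to-checkout timing check, and the many-small-orders-per-IP pattern bhtoys describes) run offline over a constructed event log. The log format, field names, thresholds and IPs are assumptions; a live version would collect the same events from the Cookie/Cart/OrderController overrides mentioned and feed them to these functions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real store data): time ip session event amount
LOG = """\
2023-05-01T10:00:00 203.0.113.5 s1 cookie_created 0
2023-05-01T10:00:02 203.0.113.5 s1 add_to_cart 4.99
2023-05-01T10:00:04 203.0.113.5 s1 checkout 4.99
2023-05-01T10:00:06 203.0.113.5 s2 cookie_created 0
2023-05-01T10:00:08 203.0.113.5 s2 add_to_cart 3.49
2023-05-01T10:00:09 203.0.113.5 s2 checkout 3.49
2023-05-01T10:00:12 203.0.113.5 s3 cookie_created 0
2023-05-01T10:00:13 203.0.113.5 s3 add_to_cart 2.99
2023-05-01T10:00:15 203.0.113.5 s3 checkout 2.99
2023-05-01T10:05:00 198.51.100.7 s4 cookie_created 0
2023-05-01T10:09:30 198.51.100.7 s4 add_to_cart 59.00
2023-05-01T10:14:10 198.51.100.7 s4 checkout 59.00
"""

def parse_log(text):
    """Turn the whitespace-separated log into dicts with real timestamps."""
    rows = []
    for line in text.splitlines():
        ts, ip, session, event, amount = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                     "session": session, "event": event, "amount": float(amount)})
    return rows

def fast_sessions(rows, max_seconds=30):
    """Sessions that went cookie -> cart -> checkout in under max_seconds (timing rule)."""
    first_seen, checkout_at = {}, {}
    for r in rows:
        if r["event"] == "cookie_created":
            first_seen[r["session"]] = r["ts"]
        elif r["event"] == "checkout":
            checkout_at[r["session"]] = r["ts"]
    return sorted(s for s in checkout_at if s in first_seen
                  and (checkout_at[s] - first_seen[s]).total_seconds() < max_seconds)

def card_testing_ips(rows, window=timedelta(minutes=30), min_checkouts=3, max_amount=10.0):
    """IPs with >= min_checkouts low-value checkouts inside one window (card-testing rule)."""
    per_ip = defaultdict(list)
    for r in rows:
        if r["event"] == "checkout" and r["amount"] < max_amount:
            per_ip[r["ip"]].append(r["ts"])
    flagged = []
    for ip, times in per_ip.items():
        times.sort()  # slide a window of min_checkouts consecutive checkouts
        for i in range(len(times) - min_checkouts + 1):
            if times[i + min_checkouts - 1] - times[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged)
```

The human-paced session s4 and the $59 order are not flagged by either rule; only the three seconds-long sessions and their shared IP are.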
