Jump to content

Welcome, Guest!

By registering with us, you'll be able to discuss, share and private message with other members of our community.

Question

34 fake accounts registered today. ALL of them card testing. 6 of them got fake orders through. 
Never had this issue with any other cart service. 

Is there some recaptcha service/mod that ACTUALLY works. I don't want to pay for another mod if it's just going to be the same crap. 
I'm legit fed up and have my site turned off right now because I'm tired of it. I should just go back to Miva if this keeps up. Fucking annoying as shit! 
Wouldn't be as bad if I could block registering via VPNs. 

Share this post


Link to post
Share on other sites

9 answers to this question

Recommended Posts

  • 0

Probably best to stick with one thread. How do you know it is the recaptcha that is not working? Are you using v2 or v3? How do you know it is not a bank of people really creating the accounts to test?

Have you checked the IP’s are they all one country? Can you block that country

Stick to one thread then it is easier to piece it all together

Share this post


Link to post
Share on other sites
  • 0
Posted (edited)

Totally agree,  tb needs an outstanding solution for this  and it should be definitely in the pipeline to include it in one of the next update !  Maybe there can be a simple solution that works,  i think the problem is not new and already discussed here.

Edited by DRMasterChief

Share this post


Link to post
Share on other sites
  • 0

I've mentioned this before, yes. But nothing ever comes of it - so "fresh eyes" maybe? 
Google gives you three options of Recaptcha. You can't do the third (newest) version, so I'm stuck with V2. 

Blocking IP addys is a temp solution. Clearly my site is on a list out there for card testers. 

The email addys they use are usually gmail, or fake (@shsksj.com). I've check the IPs, and most are overseas. The odd time, they're VPNs.

 

Share this post


Link to post
Share on other sites
  • 0
Posted (edited)

What good is a Recaptcha if bots are just going to plow through it?

8 more, by the way.

I honestly can't believe there isn't a better security set up for this?!

Edited by bhtoys

Share this post


Link to post
Share on other sites
  • 0

34 fake accounts is not much, so I'm not really convinced this is a bot. I would need to see the logs to be more sure, but this could very easily be real people. If that's the case, there's not much you can do.

How is this card testing works? Do you use some embedded cart form? If so, I would suggest to get rid of it. There's no real reason to have it, anyway. Customers are pretty accustomed with being redirected to payment gateway to complete the transaction. In fact, there are some customers (myself included) that would abandon transaction if store collects (or pretend to collect) the card information directly. 

If you already redirect your customer to payment gateway, and they are not able to stop it -- you should consider using different payment provider with better security radars.

Share this post


Link to post
Share on other sites
  • 0
Posted (edited)
5 hours ago, datakick said:

34 fake accounts is not much, so I'm not really convinced this is a bot. I would need to see the logs to be more sure, but this could very easily be real people. If that's the case, there's not much you can do.

How is this card testing works? Do you use some embedded cart form? If so, I would suggest to get rid of it. There's no real reason to have it, anyway. Customers are pretty accustomed with being redirected to payment gateway to complete the transaction. In fact, there are some customers (myself included) that would abandon transaction if store collects (or pretend to collect) the card information directly. 

If you already redirect your customer to payment gateway, and they are not able to stop it -- you should consider using different payment provider with better security radars.

Over 400 "visitors" to my site in the last 30 minutes, over 100 users adding items to carts that are less than $10 for card testing. 
The fact that two or three of those get through the recaptcha shows me that this is not a single user. 

Here's how card testing works.
- Credit card lists are stolen / sold.
- A bot then seeks out websites to attempt to place a small order (Usually under $10) to not look suspicious. 
- a bot then rolls those numbers on the site at checkout to see if any are legit, or if it can guess the three digit code that should be on the back of the card. 
- When it gets just one successful card, it immediately attempts a new order all over again. 
- Since they were successful on the site, the bots return to the site to do this all over again. 

You could probably google it for more specifics, but that's the basic routine. RARELY is it ever a single user behind all of the transactions. 

and my site doesn't collect any information about you other than what you ordered, and where it's going. All transactions are done via Moneris. They're the most popular and best processing company in Canada. 

They are able to stop it, should I upgrade my service with them, costing me MUCH more per month to do so. 

This doesn't stop fake accounts being made on my site however. And that's the main thing I'd like to stop. If a bot can't make an account on my site, then it clearly can't make a fraudulent order, or perform card testing on it. 

Hope that explains things better. 



While I'm at it, does anyone have any experience with this?
https://www.prestatoolbox.com/security/423-anti-spam-mathematical-captcha.html


  

Edited by bhtoys

Share this post


Link to post
Share on other sites
  • 0

No system is perfect and that includes google re-captcha . It is not the necessarily the module or the programming or shop system, but that people have many ways to circumvent the system (including, yes, human farms. I am sure I can speak for datakick when he and I suggest people we did not mean one person doing it all, but lareg groupd being paid to target)

https://www.perimeterx.com/resources/blog/2020/captchas-hard-for-humans-easy-for-bots/

So, the any module is only part of the armoury.

Have you installed the bad bots module?

Have you scanned all the files on the server for issues?

Have you utilised cloudflare like suggetions on the other threads?

Share this post


Link to post
Share on other sites
  • 0
Posted (edited)
9 hours ago, haylau said:

Have you installed the bad bots module?

Have you scanned all the files on the server for issues?

Have you utilised cloudflare like suggetions on the other threads?

Cloudflare I haven't looked into.
I've checked the files on the server. Nothing wrong there. 

I've never heard of the Bad Bots module, but I just finished installing. 
I trust Datakick and anything he's made. So hopefully this will help somewhat. 

Edited by bhtoys

Share this post


Link to post
Share on other sites
  • 0

There are other things you can do to make it harder for bots. For example, you can try to change friendly urls for cart and order page, or change html id and class of submit button. Depending on the bot logic this could help (or not).

You could also measure time it took to create cookie <--> add product to cart <--> and initiate checkout. If this all took only a few seconds then it's a good indication that it's a bot. This should be fairly easy to implement, using overrides for Cookie.php, Cart.php, and OrderController.php

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...