Theme: Default
Additional extensions (name | author | version | status | date):
Disable Add To Cart When Out Of Stock | opencarttools@gmail.com | 2.X - 3.X | Enabled | 20/02/2021
Inventory report menu | Alin | 3.0.0 | Enabled | 11/03/2021
MailChimp Integration | Clear Thinking, LLC | v303.4 | Enabled | 22/02/2021
Out of Stock | Rupak Nepali | 1.1 | Enabled | 29/03/2021
Powered by Remover | bnit.it | 1.0.10 | Enabled | 05/02/2021
Sanekdev Payment Icons | sanekdev | 2.0.2 | Enabled | 10/02/2021
TMD Every Where Captcha | TMD (opencartextensions.in) | 1.1.x | Enabled | 27/07/2023
I have been the victim of many card stuffing attacks where the attacker is submitting multiple CC charges per second via API to my CC processor.
I have tried to use Cloudflare to stop the attacks with no success, and have installed an invisible captcha at checkout, also without any impact on the attacks.
I am wondering if there is a way to set rate limiting somehow within OC? Obviously this is not possible in the admin section but is there code I could modify that would make checkout speed take 2-3 seconds instead of a fraction of a second?
The best way to rate limit this would be to modify the payment extension code. You could set something where all payments are denied after X number of payments. That's what I do in all of my own payment extensions, and it seems to work well. You could further extend it to automatically ban the IP address when it happened a certain number of times, so the fraudster couldn't switch customer accounts.
If your payment method is a commercial extension, contact the author and see if they can implement a function like that. If you're using a free extension or the developer is unwilling, then you'd need to hire someone to modify the payment extension code for you. If you need to find a developer, you can post a request in the OpenCart "Commercial Support" forum, which is checked by a number of OpenCart developers. You can also try checking out the OpenCart "Partners" area.
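The counter Johnathan describes, as an added example for this thread (it is not code from the thread, from OpenCart or from the CardConnect extension): every attempt is recorded whether the processor approves or declines, the charge is refused once an account or an address exceeds a threshold inside a window, and an offender is then locked out for a longer period. SQLite through PDO is used only so the file runs on its own; in an OpenCart 3 controller you would use `$this->db` against a table in the store database and pass in `$this->customer->getId()` and `$this->request->server['REMOTE_ADDR']` from the action that submits the card to the processor. The thresholds are illustrative.

```php
<?php
// Added example, not from the thread, from OpenCart or from the CardConnect extension.
// A per-account and per-address attempt counter that a payment extension's charge action
// can consult before it calls the processor. SQLite via PDO keeps the file runnable
// stand-alone; inside OpenCart you would use $this->db and the store's own table prefix.

final class PaymentAttemptLimiter
{
    public function __construct(
        private PDO $db,
        private int $maxPerAccount = 5,      // illustrative thresholds, tune to your order volume
        private int $maxPerIp = 10,
        private int $windowSeconds = 3600,   // attempts are counted over the last hour
        private int $blockSeconds = 86400    // how long an offender stays locked out
    ) {
        $db->exec('CREATE TABLE IF NOT EXISTS payment_attempt (
            customer_id INTEGER NOT NULL, ip TEXT NOT NULL, attempted_at INTEGER NOT NULL)');
        $db->exec('CREATE TABLE IF NOT EXISTS payment_block (
            subject TEXT PRIMARY KEY, blocked_until INTEGER NOT NULL)');
    }

    /** Returns null when the charge may proceed, otherwise the reason it must be refused. */
    public function check(int $customerId, string $ip, int $now): ?string
    {
        $until = $this->blockedUntil("customer:$customerId", $now) ?? $this->blockedUntil("ip:$ip", $now);
        if ($until !== null) {
            return 'locked out until ' . gmdate('c', $until);
        }
        $since = $now - $this->windowSeconds;
        if ($this->countSince('customer_id', $customerId, $since) >= $this->maxPerAccount) {
            // A per-account lock is what defeats address rotation: the account cannot be reused.
            $this->block("customer:$customerId", $now);
            return 'too many payment attempts for this account';
        }
        if ($this->countSince('ip', $ip, $since) >= $this->maxPerIp) {
            $this->block("ip:$ip", $now);
            return 'too many payment attempts from this address';
        }
        return null;
    }

    /** Record every attempt, approved or declined: a card tester produces mostly declines. */
    public function record(int $customerId, string $ip, int $now): void
    {
        $this->db->prepare('INSERT INTO payment_attempt VALUES (?, ?, ?)')
                 ->execute([$customerId, $ip, $now]);
    }

    private function countSince(string $column, int|string $value, int $since): int
    {
        // $column is one of two literals chosen inside this class, never request input.
        $stmt = $this->db->prepare("SELECT COUNT(*) FROM payment_attempt WHERE $column = ? AND attempted_at > ?");
        $stmt->execute([$value, $since]);
        return (int) $stmt->fetchColumn();
    }

    private function blockedUntil(string $subject, int $now): ?int
    {
        $stmt = $this->db->prepare('SELECT blocked_until FROM payment_block WHERE subject = ? AND blocked_until > ?');
        $stmt->execute([$subject, $now]);
        $until = $stmt->fetchColumn();
        return $until === false ? null : (int) $until;
    }

    private function block(string $subject, int $now): void
    {
        // INSERT OR REPLACE is SQLite syntax; on MySQL use REPLACE INTO or ON DUPLICATE KEY UPDATE.
        $this->db->prepare('INSERT OR REPLACE INTO payment_block VALUES (?, ?)')
                 ->execute([$subject, $now + $this->blockSeconds]);
    }
}

// Constructed traffic: one freshly registered account (id 42) submitting a card every second
// from a different address each time, which is the pattern described in the thread.
$limiter = new PaymentAttemptLimiter(new PDO('sqlite::memory:'));
$start = 1695300000;                               // arbitrary epoch timestamp
for ($i = 0; $i < 8; $i++) {
    $ip = '203.0.113.' . (10 + $i);                // documentation address range
    $reason = $limiter->check(42, $ip, $start + $i);
    if ($reason !== null) {
        echo "attempt $i refused: $reason\n";
        continue;
    }
    $limiter->record(42, $ip, $start + $i);
    echo "attempt $i forwarded to the processor\n";
}
```

The check runs before the processor is contacted, so refused attempts never incur a transaction fee, and the attempt is recorded after the call regardless of the result, because declines are exactly what a card tester generates. Counting by account as well as by address is what separates this from an IP-based control: an attacker who rotates addresses still has to reuse or re-register an account, and the registration captcha mentioned later in the thread raises the cost of the latter.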
Johnathan wrote: Thu Sep 21, 2023 9:51 pm
Slowing down the checkout page probably wouldn't do anything. I'm guessing the fraudster is accessing the payment method function directly, so it can run a card check. They may not even be accessing the checkout at all.
Interesting. So you believe they are just using the API key to run the charges without going through the checkout? I'm not sure this is the case because I removed guest checkout after the first attack and so the attacker started creating accounts to mount the attack from. If it's as you suggest, would simply changing the API key shore up this hole?
One of my failed solutions was Cloudflare bot management, which tracks by IP (if I understand correctly), but since the attacker is changing the IP with each submission this is not an effective way to capture their activity.
I'm using the CardConnect extension that came with the OC download. CardConnect are washing their hands of this, saying it's on my side of the road. They have unplugged my account totally, crippling my business, until I can provide them proof that I have rate limited my checkout page, but won't tell me how on earth to accomplish it.
I'm happy to pay for the right solution; it's just not clear to me which solution is right for me. Do I modify code? Would biting the bullet and doing an upgrade to the current version of OC mitigate the attacks? Am I using Cloudflare wrong? Trying to answer these questions on my own before paying someone what little money I have left to deploy a fix.
Huge thanks for your response.
edit: I should mention the only mod I saw for this in the marketplace does not extend to my version. Currently reading up on and considering code modification to temporarily remove the register links from all areas of the site though I understand this does not remove the ability to register just the path to it.
1. Upgrading OpenCart will not fix this. 4.0 doesn't even have a free Card Connect extension, so I wouldn't recommend it for you.
2. I'm not a Cloudflare expert, so I don't know if there's some configuration you could use to block this. If they're not automatically detecting it, though, there may not be a lot you can do in Cloudflare.
3. It's very unlikely someone is doing this manually, so they're using programs to run URL calls to your store to set up the necessary data. If you're seeing account registrations, they are more likely programmatically calling the account registration URLs, creating the account, then calling the credit card URL that processes the card.
If they're doing that, then you may be able to stop them by adding a captcha to the account registration. OpenCart 3.0 has that built-in, so you'd set it up in Extensions > Extensions > Captchas, then choose it in System > Settings (Option tab, at the very bottom).
However, someone would still be able to register 1 account manually and then run the credit card URL calls, so it may not be foolproof. You really want to have the payment method code modified. The most foolproof solution would be to add a captcha to the payment method itself, so the customer has to fill in a captcha when they submit their payment. A bot cannot work around that, and while a human could, I highly doubt someone is manually entering the cards on your site.
4. If you can't get it working, you could consider switching to Stripe (stripe.com). I use them; they are very quick and easy to sign up for. I also have OpenCart extensions for them:
• Stripe Payment Gateway
• Stripe Payment Gateway Pro
My extensions have the code built in to stop carding attacks like these, and if for some reason that didn't work, I could build a captcha into them as well. If you're on a tight budget, I'm also working on a "basic" version of the extension that is just for credit/debit card processing, so let me know if you're interested in that.
The only thing to note about that is that Stripe does restrict certain businesses, so you'll want to make sure you aren't in one of those areas of business:
https://stripe.com/legal/restricted-businesses
If you want to discuss that option with me you can contact me at www.getclearthinking.com/contact
Slow Me Down Baby wrote: Fri Sep 22, 2023 1:11 am
Side question: Is there a "simple" way to temporarily suspend new account registration? Seems this could be a good half-measure just so I could get some revenues coming back in and be better funded for larger fixes.
A simple way to limit account registrations is by setting Approve New Customers to Yes in your customer groups. Then every new customer would need to be approved in Customer Approvals.
Payment Processor Consideration: Exploring other payment processors like Stripe, as you mentioned, is a valid option. Stripe offers advanced security features and has OpenCart integrations available. Be sure to check if Stripe aligns with your business needs and complies with your specific industry regulations.
Cloudflare Review: While Cloudflare can be powerful in mitigating attacks, it may require fine-tuning to address your specific situation. Consider working with a Cloudflare expert or support to optimize your security settings, especially around IP-based rate limiting.
Rate limiting should be done by the payment gateway, not the merchant.
Choose a different payment gateway.
Web Development for service businesses serious about online growth
Slow Me Down Baby wrote: Sat Sep 23, 2023 1:02 am
Thank you both for your kind attention. These answers give me something to chew on. Although I am leaning towards switching to Stripe, I need to think this through a bit before making such a major change. My business is selling physical media (CDs, Records, Tapes) so not restricted by Stripe's TOS.
Looking at catalog/controller/extension/payment/cardconnect.php, it's clear that the CardConnect extension takes the card details on your site. One advantage of using a hosted payment page is that the card details go straight to the processor and not to your site. This also reduces your PCI scope. Even CardConnect now offers a hosted solution, sadly without an OpenCart extension.
If you were to add protection to your existing payment extension, you would need to work out how the attack is being carried out: what route they use to test a card, how often the IP changes, how accounts are created, orders are created, etc. You may find something as simple as blocking some browser user agents will temporarily stop it, or, as Johnathan suggested, a simple count on the number of payments attempted.
https://nintechnet.com/ninjafirewall/pro-edition
Cidram is also worth considering as it blocks traffic from known bad sources.
https://github.com/CIDRAM/CIDRAM
Not a perfect solution but useful layers of protection.
Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk
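Working out "how the attack is being carried out" usually starts with the web server's access log. The following is an added example for this thread, not code from the thread or from OpenCart: it parses Apache combined-format lines and summarises the hits on one route (volume, peak rate inside a sliding window, how many distinct addresses, which user agents), which answers the questions the post above raises. The log lines are constructed, and the payment route name `extension/payment/EXAMPLE/send` is a placeholder, not necessarily the route the CardConnect extension exposes; substitute the route you see in your own log.

```php
<?php
// Added example, not from the thread or from any OpenCart code: profile a card-testing burst
// from the web server's access log. Log lines below are constructed and the payment route
// name is a placeholder.

const COMBINED_LOG = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';

/** Parse one Apache combined-format line into its fields, or null if it does not match. */
function parseLine(string $line): ?array
{
    if (!preg_match(COMBINED_LOG, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return $ts === false ? null : [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => $m[4],           // includes the query string, so the OpenCart route is visible
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

/** Summarise hits on one route: volume, peak rate, address churn and user agents. */
function profileRoute(array $lines, string $routeNeedle, int $windowSeconds = 60): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = parseLine($line);
        if ($r !== null && str_contains($r['path'], $routeNeedle)) {
            $hits[] = $r;
        }
    }
    usort($hits, fn(array $a, array $b) => $a['time'] <=> $b['time']);

    // Largest number of hits inside any sliding window of $windowSeconds.
    $peak = 0;
    $left = 0;
    foreach ($hits as $right => $hit) {
        while ($hit['time'] - $hits[$left]['time'] >= $windowSeconds) {
            $left++;
        }
        $peak = max($peak, $right - $left + 1);
    }

    return [
        'hits'            => count($hits),
        'peak_per_window' => $peak,
        'distinct_ips'    => count(array_unique(array_column($hits, 'ip'))),
        'user_agents'     => array_count_values(array_column($hits, 'ua')),
    ];
}

// Constructed sample: a scripted client registering once and then submitting cards at one
// request a second from a new address each time, plus one ordinary shopper at a human pace.
$sample = [
    '203.0.113.10 - - [21/Sep/2023:14:00:01 +0000] "POST /index.php?route=account/register HTTP/1.1" 302 0 "-" "python-requests/2.31.0"',
    '203.0.113.10 - - [21/Sep/2023:14:00:02 +0000] "POST /index.php?route=extension/payment/EXAMPLE/send HTTP/1.1" 200 87 "-" "python-requests/2.31.0"',
    '203.0.113.11 - - [21/Sep/2023:14:00:03 +0000] "POST /index.php?route=extension/payment/EXAMPLE/send HTTP/1.1" 200 87 "-" "python-requests/2.31.0"',
    '203.0.113.12 - - [21/Sep/2023:14:00:04 +0000] "POST /index.php?route=extension/payment/EXAMPLE/send HTTP/1.1" 200 87 "-" "python-requests/2.31.0"',
    '203.0.113.13 - - [21/Sep/2023:14:00:05 +0000] "POST /index.php?route=extension/payment/EXAMPLE/send HTTP/1.1" 200 87 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [21/Sep/2023:14:05:40 +0000] "GET /index.php?route=checkout/checkout HTTP/1.1" 200 15324 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/117.0"',
    '198.51.100.7 - - [21/Sep/2023:14:07:12 +0000] "POST /index.php?route=extension/payment/EXAMPLE/send HTTP/1.1" 200 87 "https://shop.example/index.php?route=checkout/checkout" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/117.0"',
];

echo json_encode([
    'payment'      => profileRoute($sample, 'payment/EXAMPLE/send'),
    'registration' => profileRoute($sample, 'account/register'),
], JSON_PRETTY_PRINT), "\n";
```

Run it against a real log with `file('/path/to/access.log', FILE_IGNORE_NEW_LINES)` in place of `$sample`. The peak-per-window figure tells you how far a per-account or per-address limit can be set below the attacker's rate without touching real shoppers, the distinct-address count shows whether IP-based controls such as Cloudflare's can work at all, and the user-agent breakdown shows whether the temporary user-agent block suggested above would bite. An empty referer on a POST to the payment route, as in the constructed lines, is another sign that the checkout page was never loaded.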
I have deployed the less than ideal situation of manually approving new customers. Lots of problems with that solution but allows the site to be up, and some revenues to come in, which I need in order to address the problem and... pay rent in a week.
I very likely do need to change my card processor. I'm in the process of finalizing a Stripe account, though I would say I'm still not 100% on that route... but leaning enough in that direction to start the work.
Ninja Firewall looks interesting; going to read up on that now.
Slow Me Down Baby wrote: Tue Sep 26, 2023 12:31 am
Ninja Firewall looks interesting; going to read up on that now.
You'll need the paid-for version to get the rate limiting feature. Personally I think it's money well spent. I put Ninja on all my OC sites.
I didn't even know this was possible, but the risk dept at Card Connect denied my claim for a refund on the swipe fees for the brute force attacks. What does that mean for me? It means they keep my 7k they had taken. Wow.
So if anyone is reading this and considering Card Connect, RUN, don't walk. Totally lame company.
This seals my transition to Stripe, I guess, which hopefully will solve my rate limiting problem as well, though I still need to probably pay a consultant to tune up Cloudflare or else switch to Ninja.
Thanks all for your contributions to this thread.
@Johnathan I'll be purchasing your Stripe module in the next day or so. Appreciate you.
Slow Me Down Baby wrote: Fri Sep 29, 2023 11:12 am
Hello friends.
You can get Ninja up and running in 15 mins easy enough. Maybe try the free version and get the paid-for version when you have the funds.
Slow Me Down Baby wrote: Fri Sep 29, 2023 11:12 am
I didn't even know this was possible, but the risk dept at Card Connect denied my claim for a refund on the swipe fees for the brute force attacks. What does that mean for me? It means they keep my 7k they had taken. Wow.
Sorry to hear that -- I'm not sure if there's anything you can do about that legally, since it's probably in the contract you signed. It's still a huge bummer when a giant corporation passes these kinds of fees onto a small business owner, though.
Slow Me Down Baby wrote:
@Johnathan I'll be purchasing your Stripe module in the next day or so. Appreciate you.
Sounds good, let me know if you have any questions about it before or after purchase:
www.getclearthinking.com/contact
v3.0.3.9 php 8.1
I'm here for a reason, if your response is contact a/the developer, just don't reply.