Post by Slow Me Down Baby » Thu Sep 21, 2023 8:39 am

Version 3.0.3.6
Theme: Default X
Addl Extensions:
Disable Add To Cart When Out Of Stock opencarttools@gmail.com 2.X - 3.X Enabled 20/02/2021
Inventory report menu Alin 3.0.0 Enabled 11/03/2021
MailChimp Integration Clear Thinking, LLC v303.4 Enabled 22/02/2021
Out of Stock Rupak Nepali 1.1 Enabled 29/03/2021
Powered by Remover bnit.it 1.0.10 Enabled 05/02/2021
Sanekdev Payment Icons sanekdev 2.0.2 Enabled 10/02/2021
TMD Every Where Captcha TMD(opencartextensions.in) 1.1.x Enabled 27/07/2023

I have been the victim of many card stuffing attacks where the attacker is submitting multiple CC charges per second via API to my CC processor.

I have tried to use cloudflare to stop the attacks with no success, and have installed an invisible captcha at checkout also without any impact on the attacks.

I am wondering if there is a way to set rate limiting somehow within OC? Obviously this is not possible in the admin section but is there code I could modify that would make checkout speed take 2-3 seconds instead of a fraction of a second?



Joined
Thu Sep 21, 2023 8:31 am

Post by Johnathan » Thu Sep 21, 2023 9:51 pm

Slowing down the checkout page probably wouldn't do anything. I'm guessing the fraudster is accessing the payment method function directly, so it can run a card check. They may not even be accessing the checkout at all.

The best way to rate limit this would be to modify the payment extension code. You could set something where all payments are denied after X number of payments. That's what I do in all of my own payment extensions, and it seems to work well. You could further extend it to automatically ban the IP address when it happened a certain number of times, so the fraudster couldn't switch customer accounts.

If your payment method is a commercial extension, contact the author and see if they can implement a function like that. If you're using a free extension or the developer is unwilling, then you'd need to hire someone to modify the payment extension code for you. If you need to find a developer, you can post a request in the OpenCart "Commercial Support" forum, which is checked by a number of OpenCart developers. You can also try checking out the OpenCart "Partners" area.

Administrator

Joined
Fri Dec 18, 2009 3:08 am
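Johnathan's suggestion above (refuse all payments after X attempts, then ban the IP when it keeps happening) as an added PHP example. This is not code from the thread, from OpenCart or from the CardConnect extension: it uses PDO with SQLite and its own table names so the file runs stand-alone, and the IP, customer id and timestamps in the demonstration are constructed. In an OpenCart 3 controller the same SQL would go through `$this->db->query()`, with the IP taken from `$this->request->server['REMOTE_ADDR']` and the customer from `$this->customer->getId()`.

```php
<?php
// Added example, not code from the thread, from OpenCart or from CardConnect.
// A velocity check to run in a payment extension's charge action, before the
// card is sent to the processor: refuse the charge when the calling IP or the
// logged-in customer has made more than N attempts inside a sliding window,
// and ban an IP outright once it has been refused several times. PDO+SQLite
// is used so the file runs stand-alone; table names are this example's own.

class PaymentAttemptLimiter
{
    private PDO $db;
    private int $maxAttempts;    // attempts allowed per IP or customer in one window
    private int $windowSeconds;  // sliding window length
    private int $banAfter;       // refusals before the IP is banned outright

    public function __construct(PDO $db, int $maxAttempts = 5, int $windowSeconds = 600, int $banAfter = 3)
    {
        $this->db = $db;
        $this->maxAttempts = $maxAttempts;
        $this->windowSeconds = $windowSeconds;
        $this->banAfter = $banAfter;
        $db->exec('CREATE TABLE IF NOT EXISTS payment_attempt (
            ip TEXT NOT NULL, customer_id INTEGER NOT NULL, created INTEGER NOT NULL)');
        $db->exec('CREATE TABLE IF NOT EXISTS payment_ban (
            ip TEXT PRIMARY KEY, strikes INTEGER NOT NULL, banned INTEGER NOT NULL)');
    }

    // Returns true if the charge may be sent to the gateway, false if it must be
    // refused locally (so the processor never sees it and no fee is incurred).
    public function allow(string $ip, int $customerId, int $now): bool
    {
        $stmt = $this->db->prepare('SELECT banned FROM payment_ban WHERE ip = ?');
        $stmt->execute([$ip]);
        $ban = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($ban !== false && (int)$ban['banned'] === 1) {
            return false;
        }

        // Count by IP and by customer together: rotating IPs does not help an
        // attacker who reuses one account, and rotating accounts does not help
        // one who reuses an IP. Guests (customer_id 0) are counted by IP only.
        $stmt = $this->db->prepare(
            'SELECT COUNT(*) FROM payment_attempt
              WHERE created > ? AND (ip = ? OR (customer_id > 0 AND customer_id = ?))'
        );
        $stmt->execute([$now - $this->windowSeconds, $ip, $customerId]);
        if ((int)$stmt->fetchColumn() >= $this->maxAttempts) {
            $this->strike($ip);
            return false;
        }

        // Record the attempt before contacting the gateway, so a request that
        // dies mid-flight still counts against the limit.
        $stmt = $this->db->prepare('INSERT INTO payment_attempt (ip, customer_id, created) VALUES (?, ?, ?)');
        $stmt->execute([$ip, $customerId, $now]);
        return true;
    }

    // One refusal is one strike; at $banAfter strikes the IP is banned until an
    // admin clears the row, so it cannot simply wait out the window.
    private function strike(string $ip): void
    {
        $stmt = $this->db->prepare('SELECT strikes FROM payment_ban WHERE ip = ?');
        $stmt->execute([$ip]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        $strikes = ($row !== false ? (int)$row['strikes'] : 0) + 1;
        $stmt = $this->db->prepare('INSERT OR REPLACE INTO payment_ban (ip, strikes, banned) VALUES (?, ?, ?)');
        $stmt->execute([$ip, $strikes, $strikes >= $this->banAfter ? 1 : 0]);
    }
}

// Constructed demonstration: one account fires nine charges from one IP in a
// few seconds, then tries again half an hour later.
$limiter = new PaymentAttemptLimiter(new PDO('sqlite::memory:'), 5, 600, 3);
$base = 1695284400; // constructed timestamp
for ($i = 0; $i < 9; $i++) {
    $ok = $limiter->allow('203.0.113.7', 42, $base + $i);
    printf("attempt %d at +%ds: %s\n", $i + 1, $i, $ok ? 'sent to gateway' : 'refused locally');
}
// The window has expired, but the IP collected three strikes and stays banned.
$ok = $limiter->allow('203.0.113.7', 42, $base + 1800);
printf("attempt after 30 min: %s\n", $ok ? 'sent to gateway' : 'refused locally');
```

The check deliberately runs before the gateway call, because the processor charges a fee per authorisation attempt whether the card is good or not; refusing locally is what stops the bill growing. Counting by customer id as well as IP matters for the pattern described in this thread, where the IP changes with every submission but the attacker has to reuse the accounts they register.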


Post by Slow Me Down Baby » Fri Sep 22, 2023 1:09 am

Johnathan wrote:
Thu Sep 21, 2023 9:51 pm
Slowing down the checkout page probably wouldn't do anything. I'm guessing the fraudster is accessing the payment method function directly, so it can run a card check. They may not even be accessing the checkout at all.

The best way to rate limit this would be to modify the payment extension code. You could set something where all payments are denied after X number of payments. That's what I do in all of my own payment extensions, and it seems to work well. You could further extend it to automatically ban the IP address when it happened a certain number of times, so the fraudster couldn't switch customer accounts.

If your payment method is a commercial extension, contact the author and see if they can implement a function like that. If you're using a free extension or the developer is unwilling, then you'd need to hire someone to modify the payment extension code for you. If you need to find a developer, you can post a request in the OpenCart "Commercial Support" forum, which is checked by a number of OpenCart developers. You can also try checking out the OpenCart "Partners" area.
Interesting. So you believe they are just using the API key to run the charges without going through the checkout? I'm not sure this is the case because I removed guest checkout after the first attack and so the attacker started creating accts to mount the attack from. If it's as you suggest, would simply changing the API key shore up this hole?

One of my failed solutions was Cloudflare bot management which tracks by IP (if I understand correctly) but since the attacker is changing the IP w/ each submission this is not an effective way to capture their activity.

I'm using the cardconnect extension that came with the OC download. Cardconnect are washing their hands of this saying it's on my side of the road. They have unplugged my account totally, crippling my business, until I can provide them proof that I have rate limited my checkout page but won't tell me how on earth to accomplish it.

I'm happy to pay for the right solution; it's just not clear to me which solution is right for me. Do I modify code? Would biting the bullet and doing an upgrade to the current version of OC mitigate the attacks? Am I using cloudflare wrong? Trying to answer these questions on my own before paying someone what little money I have left to deploy a fix.

Huge thanks for your response.



Joined
Thu Sep 21, 2023 8:31 am

Post by Slow Me Down Baby » Fri Sep 22, 2023 1:11 am

Side question: Is there a "simple" way to temporarily suspend new account registration? Seems this could be a good half-measure just so I could get some revenues coming back in and be better funded for larger fixes.

edit: I should mention the only mod I saw for this in the marketplace does not extend to my version. Currently reading up on and considering code modification to temporarily remove the register links from all areas of the site though I understand this does not remove the ability to register just the path to it.



Joined
Thu Sep 21, 2023 8:31 am

Post by Johnathan » Fri Sep 22, 2023 3:22 am

A few points:

1. Upgrading OpenCart will not fix this. 4.0 doesn't even have a free Card Connect extension, so I wouldn't recommend it for you.

2. I'm not a Cloudflare expert, so I don't know if there's some configuration you could use to block this. If they're not automatically detecting it, though, there may not be a lot you can do in Cloudflare.

3. It's very unlikely someone is doing this manually, so they're using programs to run URL calls to your store to set up the necessary data. If you're seeing account registrations, they are more likely programmatically calling the account registration URLs, creating the account, then calling the credit card URL that processes the card.

If they're doing that, then you may be able to stop them by adding a captcha to the account registration. OpenCart 3.0 has that built-in, so you'd set it up in Extensions > Extensions > Captchas, then choose it in System > Settings (Option tab, at the very bottom).

However, someone would still be able to register 1 account manually and then run the credit card URL calls, so it may not be foolproof. You really want to have the payment method code modified. The most foolproof solution would be to add a captcha to the payment method itself, so the customer has to fill in a captcha when they submit their payment. A bot cannot work around that, and while a human could, I highly doubt someone is manually entering the cards on your site.

4. If you can't get it working, you could consider switching to Stripe (stripe.com). I use them; they are very quick & easy to sign up for. I also have OpenCart extensions for them:

• Stripe Payment Gateway
• Stripe Payment Gateway Pro

My extensions have the code built in to stop carding attacks like these, and if for some reason that didn't work, I could build a captcha into them as well. If you're on a tight budget, I'm also working on a "basic" version of the extension that is just for credit/debit card processing, so let me know if you're interested in that.

The only thing to note about that is that Stripe does restrict certain businesses, so you'll want to make sure you aren't in one of those areas of business:

https://stripe.com/legal/restricted-businesses

If you want to discuss that option with me you can contact me at www.getclearthinking.com/contact

Administrator

Joined
Fri Dec 18, 2009 3:08 am


Post by ADD Creative » Fri Sep 22, 2023 7:42 am

Slow Me Down Baby wrote:
Fri Sep 22, 2023 1:11 am
Side question: Is there a "simple" way to temporarily suspend new account registration? Seems this could be a good half-measure just so I could get some revenues coming back in and be better funded for larger fixes.

edit: I should mention the only mod I saw for this in the marketplace does not extend to my version. Currently reading up on and considering code modification to temporarily remove the register links from all areas of the site though I understand this does not remove the ability to register just the path to it.
A simple way to limit account registrations is by setting Approve New Customers to Yes in your customer groups. Then every new customer would need to be approved in Customer Approvals.

www.add-creative.co.uk


Expert Member


Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by Slow Me Down Baby » Sat Sep 23, 2023 1:02 am

Thank you both for your kind attention. These answers give me something to chew on. Although I am leaning towards switching to Stripe, I need to think this through a bit before making such a major change. My business is selling physical media (CDs, Records, Tapes) so not restricted by Stripe's TOS.



Joined
Thu Sep 21, 2023 8:31 am

Post by merchantta » Sat Sep 23, 2023 7:32 pm

It's definitely a challenging situation you're facing, and I understand how important it is to protect your business from these card stuffing attacks. Based on the information provided, here are a few suggestions and insights:

Payment Processor Consideration: Exploring other payment processors like Stripe, as you mentioned, is a valid option. Stripe offers advanced security features and has OpenCart integrations available. Be sure to check if Stripe aligns with your business needs and complies with your specific industry regulations.

Cloudflare Review: While Cloudflare can be powerful in mitigating attacks, it may require fine-tuning to address your specific situation. Consider working with a Cloudflare expert or support to optimize your security settings, especially around IP-based rate limiting.

Merchantta is here to help you. We offer ready-to-use Payment Gateways with verified documents along with Ad Account Renting, Account Suspension Removal Services, & Tax Exemption Services at the best market price.


Newbie

Joined
Sat Aug 26, 2023 6:28 pm
Location - 1216 Flatbush Ave, Brooklyn, NY 11226, USA

Post by SohBH » Sun Sep 24, 2023 12:35 am

Hi, it is CardConnect's responsibility to safeguard customers and their system from carding.
Rate limiting should be done by the payment gateway, not the merchant.
Choose a different payment gateway.

Web Development | Content Creation | Analytics and Reporting | SEO
https://www.klwebdesign.com.my/


Active Member

Joined
Mon Nov 02, 2020 12:01 am
Location - Malaysia

Post by ADD Creative » Mon Sep 25, 2023 4:59 pm

Slow Me Down Baby wrote:
Sat Sep 23, 2023 1:02 am
Thank you both for your kind attention. These answers give me something to chew on. Although I am leaning towards switching to Stripe, I need to think this through a bit before making such a major change. My business is selling physical media (CDs, Records, Tapes) so not restricted from stripes TOS.
Looking at catalog/controller/extension/payment/cardconnect.php, it's clear the CardConnect extension takes the card details on your site. One advantage of using a hosted payment page is the card details go straight to the processor and not on your site. This also reduces your PCI scope. Even CardConnect now offer a hosted solution, sadly without an OpenCart extension.

If you were to add protection to your existing payment extension, you would need to work out how the attack is being carried out: what route they use to test a card, how often the IP changes, how accounts are created, how orders are created, etc. You may find something as simple as blocking some browser user agents will temporarily stop it, or, as Johnathan suggested, a simple count on the number of payments attempted.

www.add-creative.co.uk


Expert Member


Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom
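ADD Creative's advice to first work out which route the attack uses, how often the IP changes and what the traffic looks like, as an added PHP example that is not code from the thread or from OpenCart. It parses combined-format access-log lines (constructed here) and summarises POST traffic per OpenCart route, which is the `route=` query parameter. The route `extension/payment/example/send` in the sample is a placeholder standing in for whatever your extension's charge action actually is; `account/register` is OpenCart's registration route.

```php
<?php
// Added example, not code from the thread or from OpenCart. Summarises POST
// traffic in an Apache/nginx combined-format access log per OpenCart route so
// you can see which action a card-testing bot calls, how fast, and how many
// IPs and user agents it rotates through. OpenCart puts the controller in the
// `route=` query parameter, so that is the grouping key when present.

const LOG_LINE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';

function parseLine(string $line): ?array
{
    if (!preg_match(LOG_LINE, $line, $m)) {
        return null; // not a combined-format line
    }
    $url = parse_url($m[4]);
    $query = [];
    if (isset($url['query'])) {
        parse_str($url['query'], $query);
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return [
        'ip'     => $m[1],
        'minute' => $ts ? $ts->format('Y-m-d H:i') : 'unknown',
        'method' => $m[3],
        'route'  => $query['route'] ?? ($url['path'] ?? '/'),
        'status' => (int)$m[5],
        'ua'     => $m[6],
    ];
}

// Per route: request count, distinct IPs, distinct user agents and the busiest
// minute. A route with a high peak, many IPs and one non-browser UA is being
// called directly by a script rather than reached through the checkout pages.
function summarise(array $lines): array
{
    $byRoute = [];
    foreach ($lines as $line) {
        $r = parseLine($line);
        if ($r === null || $r['method'] !== 'POST') {
            continue; // only POSTs register an account or submit a card
        }
        if (!isset($byRoute[$r['route']])) {
            $byRoute[$r['route']] = ['requests' => 0, 'ips' => [], 'uas' => [], 'per_minute' => []];
        }
        $s = &$byRoute[$r['route']];
        $s['requests']++;
        $s['ips'][$r['ip']] = true;
        $s['uas'][$r['ua']] = true;
        $s['per_minute'][$r['minute']] = ($s['per_minute'][$r['minute']] ?? 0) + 1;
        unset($s);
    }
    $out = [];
    foreach ($byRoute as $route => $s) {
        $out[$route] = [
            'requests'        => $s['requests'],
            'distinct_ips'    => count($s['ips']),
            'distinct_uas'    => count($s['uas']),
            'peak_per_minute' => max($s['per_minute']),
        ];
    }
    uasort($out, fn($a, $b) => $b['requests'] <=> $a['requests']);
    return $out;
}

// Constructed sample: a script rotating IPs hits the (placeholder) charge
// route and the registration route; one human browses a product page.
$bot = '"-" "python-requests/2.31"';
$sample = [
    '203.0.113.7 - - [21/Sep/2023:08:30:01 +0000] "POST /index.php?route=account/register HTTP/1.1" 302 0 ' . $bot,
    '203.0.113.7 - - [21/Sep/2023:08:30:02 +0000] "POST /index.php?route=extension/payment/example/send HTTP/1.1" 200 61 ' . $bot,
    '203.0.113.8 - - [21/Sep/2023:08:30:02 +0000] "POST /index.php?route=extension/payment/example/send HTTP/1.1" 200 61 ' . $bot,
    '203.0.113.9 - - [21/Sep/2023:08:30:03 +0000] "POST /index.php?route=extension/payment/example/send HTTP/1.1" 200 61 ' . $bot,
    '203.0.113.10 - - [21/Sep/2023:08:30:03 +0000] "POST /index.php?route=extension/payment/example/send HTTP/1.1" 200 61 ' . $bot,
    '203.0.113.10 - - [21/Sep/2023:08:30:04 +0000] "POST /index.php?route=account/register HTTP/1.1" 302 0 ' . $bot,
    '203.0.113.11 - - [21/Sep/2023:08:31:00 +0000] "POST /index.php?route=extension/payment/example/send HTTP/1.1" 200 61 ' . $bot,
    '198.51.100.2 - - [21/Sep/2023:08:31:10 +0000] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 15324 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/117.0"',
];

foreach (summarise($sample) as $route => $s) {
    printf("%-36s requests=%d ips=%d uas=%d peak/min=%d\n",
        $route, $s['requests'], $s['distinct_ips'], $s['distinct_uas'], $s['peak_per_minute']);
}
```

Run against a real log (one line per array entry, or read the file with `file()`), the summary tells you which of the suggestions in this thread will bite: a registration route with the same churn as the charge route means the captcha on registration Johnathan mentioned is worth turning on; one user agent across many IPs means the user-agent block ADD Creative mentioned buys time; and a charge route with many requests per minute is the one to put the attempt counter in front of.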

Post by johnp » Mon Sep 25, 2023 5:17 pm

You could try using Ninja Firewall. That has a rate limiting feature.

https://nintechnet.com/ninjafirewall/pro-edition

Cidram is also worth considering as it blocks traffic from known bad sources.

https://github.com/CIDRAM/CIDRAM

Not a perfect solution but useful layers of protection.

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk


Active Member

Joined
Fri Mar 25, 2011 10:25 am
Location - Surrey, UK

Post by Slow Me Down Baby » Tue Sep 26, 2023 12:31 am

Thanks to each and every one of you for your generous input.

I have deployed the less than ideal situation of manually approving new customers. Lots of problems with that solution but allows the site to be up, and some revenues to come in, which I need in order to address the problem and... pay rent in a week.

I very likely do need to change my card processor. I'm in the process of finalizing a stripe acct though I would say I'm still not 100% on that route... but leaning enough in that direction to start the work.

Ninja Firewall looks interesting going to read up on that now.



Joined
Thu Sep 21, 2023 8:31 am

Post by johnp » Tue Sep 26, 2023 1:02 am

Slow Me Down Baby wrote:
Tue Sep 26, 2023 12:31 am
Ninja Firewall looks interesting going to read up on that now.
You'll need the paid for version to get the rate limiting feature. Personally I think it's money well spent. I put Ninja on all my OC sites. :)

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk


Active Member

Joined
Fri Mar 25, 2011 10:25 am
Location - Surrey, UK

Post by Slow Me Down Baby » Fri Sep 29, 2023 11:12 am

Hello friends.

I didn't even know this was possible, but the risk dept at Card Connect denied my claim for a refund on the swipe fees for the brute force attacks. What does that mean for me? It means they keep my 7k they had taken. Wow.

So if anyone is reading this and considering Card Connect, RUN, don't walk. Totally lame company.

This seals my transition to Stripe I guess which hopefully will solve my rate limiting problem as well, though I still need to probably pay a consultant to tune up cloudflare or else switch to Ninja.

Thanks all for your contributions to this thread.

@Johnathan I'll be purchasing your Stripe module in the next day or so. Appreciate you.



Joined
Thu Sep 21, 2023 8:31 am

Post by johnp » Fri Sep 29, 2023 4:35 pm

Slow Me Down Baby wrote:
Fri Sep 29, 2023 11:12 am
Hello friends.

I didn't even know this was possible, but the risk dept at Card Connect denied my claim for a refund on the swipe fees for the brute force attacks. What does that mean for me? It means they keep my 7k they had taken. Wow.

So if anyone is reading this and considering Card Connect, RUN, don't walk. Totally lame company.

This seals my transition to Stripe I guess which hopefully will solve my rate limiting problem as well, though I still need to probably pay a consultant to tune up cloudflare or else switch to Ninja.

Thanks all for your contributions to this thread.

@Johnathan I'll be purchasing your Stripe module in the next day or so. Appreciate you.
You can get Ninja up and running in 15 mins easy enough. Maybe try the free version and get the paid for version when you have the funds. :)

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk


Active Member

Joined
Fri Mar 25, 2011 10:25 am
Location - Surrey, UK

Post by Johnathan » Fri Sep 29, 2023 10:00 pm

Slow Me Down Baby wrote:
Fri Sep 29, 2023 11:12 am
I didn't even know this was possible, but the risk dept at Card Connect denied my claim for a refund on the swipe fees for the brute force attacks. What does that mean for me? It means they keep my 7k they had taken. Wow.

So if anyone is reading this and considering Card Connect, RUN, don't walk. Totally lame company.
Sorry to hear that -- I'm not sure if there's anything you can do about that legally, since it's probably in the contract you signed. It's still a huge bummer when a giant corporation passes these kinds of fees onto a small business owner, though.

@Johnathan I'll be purchasing your Stripe module in the next day or so. Appreciate you.
Sounds good, let me know if you have any questions about it before or after purchase:

www.getclearthinking.com/contact

Administrator

Joined
Fri Dec 18, 2009 3:08 am


Post by Joe1234 » Mon Oct 02, 2023 12:49 am

Question for my knowledge since the OP solved his issue. Instead of turning on approval by admin for new accounts, would implementing a simple mod to auto delay approval for 30sec to two min resolve an issue like this (this assuming the attacker doesn't recognize and recode his system to delay the time it inputs the credit card info)? I just see problems doing the admin approval thing while people are trying to purchase.

v3.0.3.8
I'm here for a reason, if your response is contact a/the developer, just don't reply.


Active Member


Joined
Sat Jan 01, 2022 5:47 am