VP-ASP Shopping Cart Customer Forum

 Multiple fake orders
rory
Starting Member

18 Posts

Posted - July 07 2007 :  13:18:21
We receive dozens of fake orders every week. All of them fail credit card authorization, but still clutter up our New Orders page. Some are obvious - names like "sfdsdsf". But some go to the trouble of making up fake names and addresses, so we have to look at all of them and try to figure out which ones are real.

We just recently got shut down by Authorize.net because of the volume of fake transactions. So now this is getting to be more than an inconvenience, if real customers are getting shut out.

Can anyone suggest why hackers go to all the trouble of entering all that fake data on the checkout pages? Seems like a lot of work just to see if they can get an error. Is there something else they're trying to achieve here?

And more importantly, is there any way I can prevent this?

apswater
VP-ASP Super User

317 Posts

Posted - July 08 2007 :  18:10:50
I don't get many fake orders. We do map the IPs on all orders and pick up a stolen credit card every now and again. Most of the people are very stupid. I had one last week with a USA ship to and bill to address but a Portugal IP#, needless to say we stopped the transaction. We are also very wary of people with gmail and yahoo e-mail addresses and we back track those. We also hide the cart and checkout buttons until they actually have something in their cart.

The system also sends us e-mails on all failed credit cards and good cards and we track each IP with a log program that shows the exact path that IP goes to on our site. If the path doesn't make sense, we look at the transaction closely. Doing this, I have never had a chargeback. When you find them, immediately credit the transaction back so you don't lose your merchant account.

support
Administrator

4266 Posts

Posted - July 08 2007 :  20:27:14
One of the things we can do for you with the new VPASP Fraud Alert is have orders that appear suspicious bypass your gateway and instead go through the standard shopcheckout.asp page so you can manually verify them before they hit your gateway.

Once you have verified whether they are legitimate or not you can either process them through your AuthorizeNet admin or just delete them from your admin.

The beauty of this is the fraudster thinks the order has been successful even if it hasn't been, so they generally stop hitting.

Another reason hackers make multiple orders is they are checking whether a credit card will work or not. This is annoying and using the Fraud Alert will block a lot of these from hitting your gateway.

http://www.vpasp.com/virtprog/fraudcheck.htm

Thanks
Cam

VP-ASP Support

rory
Starting Member

18 Posts

Posted - July 09 2007 :  11:55:39
Chargebacks are not the problem here. What's happening is the fake orders fail Authorize.net. So we know not to ship anything. But this is becoming more serious - 3 times over the weekend Authorize.net suspended our gateway because of the sheer number of fake orders. Each time they switch us back on again after 30 minutes or 1 hour, but that means we're effectively shut down to legitimate customers for those periods.

I did look at VP-ASP Fraud Alert, but in this case this wouldn't help us - if the transaction fails authorization then we already know it's fake. The problem is stopping them pushing these fake orders through our gateway in the first place.

Peter
VP-ASP New User

125 Posts

Posted - July 09 2007 :  17:05:29
quote:
Originally posted by rory
...we already know it's fake. The problem is stopping them pushing these fake orders through our gateway in the first place.



If Fraud Alert picks up an order with a 'Portugal IP', wouldn't this solve the problem?

quote:
Originally posted by support

One of the things we can do for you with the new VPASP Fraud Alert is have orders that appear suspicious bypass your gateway and instead go through the standard shopcheckout.asp page so you can manually verify them before they hit your gateway.


support
Administrator

4266 Posts

Posted - July 09 2007 :  19:24:36
Hi Rory,

Peter is correct. Using the Fraud Alert we can tweak it so that it checks the likelihood of an order being fraudulent before it hits your gateway.

If it goes above a certain level we can have the customer bypass your Auth Net gateway and instead just see the standard shopcheckout.asp page.

The customer inserts their details as they cannot tell they have been redirected and the order goes through.

The merchant can then view the order in the admin and using Fraud Alert again check the order this time with card details to gain a more accurate test result and if it looks ok manually process it through AuthNet.

If not they can simply delete it from the admin.

The bypass feature is not default functionality however it is quite simple to implement with the Fraud Alert module.

Thanks
Cam

VP-ASP Support

lynch
VP-ASP New User

USA
74 Posts

Posted - July 10 2007 :  13:14:03
quote:
Originally posted by rory

Chargebacks are not the problem here. What's happening is the fake orders fail Authorize.net.

This used to happen with my store, so I know what they're doing.

Imagine a hacker has a list of credit card numbers and he wants to know which numbers are valid. He can run bogus transactions with these numbers and tell which ones are valid from the error messages he gets.

Address verification happens after the card is verified and validated. So, if the hacker runs a bogus transaction and fails due to an AVS mismatch, he knows he has a good card number. If the transaction is simply declined, he knows he has a bad card number.

I changed the error message in my anaimshoppayment.asp file so it displays the same text for all kinds of errors. After I did that, my store became useless for this purpose, and those guys went away within a week or two.
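
The two defences described in this thread, as an added sketch that is not code from VP-ASP or from any poster: one customer-facing message for every gateway failure (lynch's change), and holding suspicious orders for manual review instead of sending them to the gateway (support's bypass). It is written in Python rather than the store's ASP; the class, result labels, thresholds and the failure-count signal are assumptions made for illustration.

```python
import logging
from collections import defaultdict, deque

log = logging.getLogger("checkout")

# Hypothetical gateway result labels for this sketch (not Authorize.net's real codes).
APPROVED, DECLINED, AVS_MISMATCH = "approved", "declined", "avs_mismatch"

# One failure text for every reason, so the page cannot be used to sort card numbers.
GENERIC_FAILURE = "We could not process your order. Please contact us."
ORDER_RECEIVED = "Thank you, your order has been received."

WINDOW_SECONDS = 3600  # look-back window for failed attempts per IP (assumed value)
MAX_FAILURES = 3       # failures allowed before orders are held (assumed value)


class Checkout:
    def __init__(self, gateway):
        self.gateway = gateway              # callable(order) -> result label
        self.failures = defaultdict(deque)  # ip -> timestamps of failed authorizations
        self.held_for_review = []           # orders that never reached the gateway

    def _recent_failures(self, ip, now):
        attempts = self.failures[ip]
        while attempts and now - attempts[0] > WINDOW_SECONDS:
            attempts.popleft()              # forget failures older than the window
        return len(attempts)

    def submit(self, order, ip, ip_country, now):
        """Process one checkout and return the text shown to the customer."""
        suspicious = (
            self._recent_failures(ip, now) >= MAX_FAILURES
            or ip_country != order["bill_country"]  # e.g. US billing, Portugal IP
        )
        if suspicious:
            # Bypass the gateway: keep the order for manual verification in the admin.
            self.held_for_review.append(order)
            return ORDER_RECEIVED           # same text as a real success
        result = self.gateway(order)
        if result == APPROVED:
            return ORDER_RECEIVED
        # The real reason goes to the merchant's log only, never to the browser.
        self.failures[ip].append(now)
        log.warning("authorization failed ip=%s reason=%s", ip, result)
        return GENERIC_FAILURE
```
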

apswater
VP-ASP Super User

317 Posts

Posted - July 11 2007 :  01:54:37
Here is something I started doing. It isn't perfect but it works a lot.

In my shopdb I added a redirect if the referer page contains "allinurl". What I do is set a session variable when I see the allinurl referer, that way they can't get to any pages once they started with the allinurl. I want to pass them a cookie or add them to a block IP list, I haven't got that far yet, for now, they get passed to an FBI cybercrime site. Legitimate customers will never find you using allinurl. Out of 75,000 users, I had 188 sessions of people looking specifically for vp-asp carts that way. I am sure they are all hack attempts. I have a log that shows the page and they are all looking to SQL inject.

Maybe you can add something like that in future versions Cam.

Edited by - apswater on July 13 2007 12:13:34

dwight
VP-ASP New User

USA
143 Posts

Posted - August 07 2007 :  14:21:47
Lynch,
I also use authorize.net and was wondering if you could tell me where you changed your error message.

Thanks
Dwight

quote:
Originally posted by lynch

quote:
Originally posted by rory

Chargebacks are not the problem here. What's happening is the fake orders fail Authorize.net.

This used to happen with my store, so I know what they're doing.

Imagine a hacker has a list of credit card numbers and he wants to know which numbers are valid. He can run bogus transactions with these numbers and tell which ones are valid from the error messages he gets.

Address verification happens after the card is verified and validated. So, if the hacker runs a bogus transaction and fails due to an AVS mismatch, he knows he has a good card number. If the transaction is simply declined, he knows he has a bad card number.

I changed the error message in my anaimshoppayment.asp file so it displays the same text for all kinds of errors. After I did that, my store became useless for this purpose, and those guys went away within a week or two.


lynch
VP-ASP New User

USA
74 Posts

Posted - March 07 2008 :  13:37:47
quote:
Originally posted by dwight
I also use authorize.net and was wondering if you could tell me where you changed your error message.


I'm apparently not subscribed to this thread, so I missed this question from months ago.

I'm using VP-ASP 5.0 on that site, and my change is around line 335 in my anaimshoppayment.asp file. Look for the text "Your credit card transaction failed" and write your own message.