Block individuals (human) from shopping

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

The problem is the following: a client of mine has a shop (an OsCommerce installation). However, the shop is hit by repeated attempts at fraudulent transactions, i.e. fraudulent credit card numbers. The only loss is the time to filter out these numbers & ban the account. Apparently, it is one user in particular who is using an anonymizer to cloak his real IP - hence IP-banning or IP-range banning is ineffective.

I've suggested implementing CAPTCHA - email-verification (i.e. send out to user) is already in place. However, CAPTCHA only closes the door to machines, not humans.
The only other solution I can think of off the top of my head is implementing 3D-secure, however that has the downside of adding another layer of complexity to the shopping experience and turns away real customers.

Are there other, better solutions to this problem?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I am a little confused about these "fraudulent credit card numbers"? Do you first check that the number is in the form of a valid number? And then do you check that the card is valid by using a payment processor, either during the actual checkout or sometime later before shipping? I am not sure how the fraud is occurring?
(#10850)
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

arborint wrote:
> I am a little confused about these "fraudulent credit card numbers"? Do you first check that the number is in the form of a valid number? And then do you check that the card is valid by using a payment processor, either during the actual checkout or sometime later before shipping? I am not sure how the fraud is occurring?

Stolen credit card numbers. Valid information, invalid user.

As for a solution: http://www.maxmind.com/

Learn it.
Love it.
Use it.
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

jason wrote:
> arborint wrote:
> > I am a little confused about these "fraudulent credit card numbers"? Do you first check that the number is in the form of a valid number? And then do you check that the card is valid by using a payment processor, either during the actual checkout or sometime later before shipping? I am not sure how the fraud is occurring?
>
> Stolen credit card numbers. Valid information, invalid user.
>
> As for a solution: http://www.maxmind.com/
>
> Learn it.
> Love it.
> Use it.

Either that or one of those credit card number generators. Excellent link, thanks Jason :)
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I mostly use Verisign or Authorize.net and just haven't seen those problems. I know the generated numbers don't work because I have tried them. I think maybe I've dealt with one stolen credit card. Maybe it is the types of businesses.
(#10850)
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

It's not fraudulent transactions, it's simply that someone signs up with some email, tries different fraudulent credit cards - no transaction is made - so no actual harm done. The problem is, the way my client's organisation is run, these fraudulent ones have to be filtered out by the person in the department responsible - a far cry from efficient, but they've come a long way...
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Ahh ... that's the difference. I usually write custom code and don't use a package. And I don't create an order entry until the credit card transaction is completed successfully.

I do get work writing custom checkout and order processing systems for former osCommerce users though. ;)
(#10850)
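
The checkout order discussed in this thread (format check, then processor authorization, then order creation), as an added example that is not code posted by any participant or taken from osCommerce. The function names, the `$authorize` callable standing in for the payment processor, and the in-memory `$orders` array are assumptions for illustration; the card numbers are constructed test values.

```php
<?php
// Added example; luhnValid, checkout, $authorize and $orders are hypothetical names.

/** Luhn checksum: rejects malformed numbers before any processor call. */
function luhnValid(string $pan): bool
{
    $digits = preg_replace('/[\s-]/', '', $pan);
    if (!preg_match('/^\d{12,19}$/', $digits)) {
        return false;
    }
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) { $d -= 9; }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/**
 * $authorize stands in for the payment processor call; it returns true on approval.
 * $orders stands in for the order table; a row is appended only after approval.
 */
function checkout(array $cart, string $pan, callable $authorize, array &$orders): string
{
    if (!luhnValid($pan)) {
        return 'invalid_number';   // never reaches the processor
    }
    if (!$authorize($pan, $cart['total'])) {
        return 'declined';         // no order row, nothing for staff to filter out
    }
    $orders[] = ['items' => $cart['items'], 'total' => $cart['total'],
                 'card_last4' => substr(preg_replace('/\D/', '', $pan), -4)];
    return 'order_created';
}

// Constructed sample data: test numbers and a stub processor that approves one card.
$orders = [];
$cart = ['items' => ['sku-1'], 'total' => 1999];
$stub = fn(string $pan, int $amount): bool => $pan === '4111111111111111';
foreach (['4111111111111112', '5555555555554444', '4111111111111111'] as $pan) {
    echo $pan, ' => ', checkout($cart, $pan, $stub, $orders), PHP_EOL;
}
echo count($orders), ' order row(s) stored', PHP_EOL;
```

Only the approved attempt produces an order row; the malformed and the declined numbers leave nothing in the order list.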