6/22/2007
Zencart Hack - Logout Customer Automatically After X Failed Payment Attempts
Credit card slamming is the practice of trying hundreds or thousands of card number and security code combinations against a store's checkout to find the few in the batch that will actually work. I have discussed credit card slamming here and over at the ZenCart forums several times in the past.
The code snippet below can be used in modules/checkout_process.php to automatically log a customer out after a set number (6 in the snippet below) of payment attempts in one session.
// count every pass through checkout_process.php for this session
if (!isset($_SESSION['payment_attempt'])) $_SESSION['payment_attempt'] = 0;
$_SESSION['payment_attempt']++;
if ($_SESSION['payment_attempt'] > 6) { // change 6 to change how many attempts to allow before logout
// log the attempt or email a report; the following session data is useful:
// $report = "Host:\t\t" . $_SESSION['customers_host_address'] .
//           "\nCustomer:\t" . $_SESSION['customer_id'] .
//           "\nTotal:\t\t" . $_SESSION['cart']->total;
// destroy the session to log the customer out (this also resets the counter)
zen_session_destroy();
// redirect to the timeout page, or create a new page to redirect to
zen_redirect(zen_href_link(FILENAME_TIME_OUT, '', 'SSL'));
}
Place it between the two blocks of this code near the top of the file, where the INSERT marker is:
if (!$_SESSION['customer_id']) {
zen_redirect(zen_href_link(FILENAME_TIME_OUT));
}
INSERT AUTO LOGOUT FUNCTIONALITY HERE
// load selected payment module
require(DIR_WS_CLASSES . 'payment.php');
$payment_modules = new payment($_SESSION['payment']);
// load the selected shipping module
require(DIR_WS_CLASSES . 'shipping.php');
I found six attempts to work well on the sites I implemented it on. You do not want to adversely impact normal users, but you do want to make it harder on abusers so that they just go away.
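One caveat worth checking before settling on a limit: because the counter lives in the session and zen_session_destroy() wipes that session, a logged-out abuser who simply logs back in starts again from zero. The example below is an added illustration, not code from this post or from ZenCart. It is a stand-alone script that keeps the session counter from the snippet above and adds a second counter in a persistent store (a plain array here, standing in for a database table) keyed on the same customers_host_address and customer_id fields the snippet already logs, so the limit survives a fresh session. The function names, the $store array and the sample session values are all constructed for the example.

```php
<?php
// Added example, not ZenCart code. Simulates checkout_process.php attempt
// limiting with a counter that survives session destruction.

const MAX_PAYMENT_ATTEMPTS = 6;   // same limit as the original snippet

// Builds the persistent-store key from the session fields the snippet logs.
function attempt_key(array $session): string
{
    $customer = $session['customer_id'] ?? 'anon';
    $host     = $session['customers_host_address'] ?? 'unknown';
    return $customer . '|' . $host;
}

// Records one pass through checkout processing. Returns true when the
// customer should be logged out. $session stands in for $_SESSION;
// $store stands in for a database table of (key, count) rows.
function record_payment_attempt(array &$session, array &$store, int $max = MAX_PAYMENT_ATTEMPTS): bool
{
    // 1. Session-scoped counter, exactly as in the original snippet.
    if (!isset($session['payment_attempt'])) {
        $session['payment_attempt'] = 0;
    }
    $session['payment_attempt']++;

    // 2. Persistent counter keyed on customer id and host address, so that
    //    destroying the session does not hand the abuser a fresh budget.
    $key = attempt_key($session);
    $store[$key] = ($store[$key] ?? 0) + 1;

    return $session['payment_attempt'] > $max || $store[$key] > $max;
}

// Call after a successful order so a legitimate repeat buyer is not
// penalised on the next purchase.
function clear_payment_attempts(array &$session, array &$store): void
{
    unset($store[attempt_key($session)]);
    $session['payment_attempt'] = 0;
}

// Stands in for zen_session_destroy(): the session array is emptied.
function fake_session_destroy(array &$session): void
{
    $session = [];
}

// --- simulation with constructed values -------------------------------
$store   = [];
$session = ['customer_id' => 42, 'customers_host_address' => '203.0.113.10'];

for ($i = 1; $i <= 7; $i++) {
    $logout = record_payment_attempt($session, $store);
    printf("attempt %d: %s\n", $i, $logout ? 'LOGOUT' : 'allowed');
    if ($logout) {
        // equivalent of the logged report in the original snippet
        printf("Host:\t\t%s\nCustomer:\t%s\n", '203.0.113.10', '42');
        fake_session_destroy($session);
    }
}

// The abuser logs straight back in: the session counter is gone,
// but the persistent counter is still at 7, so the 8th attempt is refused.
$session = ['customer_id' => 42, 'customers_host_address' => '203.0.113.10'];
$logout  = record_payment_attempt($session, $store);
printf("fresh session attempt: %s\n", $logout ? 'LOGOUT' : 'allowed');

// A genuine customer whose order went through gets a clean slate.
clear_payment_attempts($session, $store);
$logout = record_payment_attempt($session, $store);
printf("after successful order: %s\n", $logout ? 'LOGOUT' : 'allowed');
```

In a real store the $store array would be a small table with a timestamp column so old rows can be expired, and the host-address component should be treated as a hint rather than an identity, since several legitimate customers can share one address. Whatever the limit, the backup and full test the warning below asks for apply to this version too.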
BE WARNED
Improper use of this code could prevent anyone from checking out. The two things that will save you when trying this out are:
- MAKE A BACKUP
- FULLY TEST BEFORE CALLING IT COMPLETE