CartMetrix - Do you know yours?

6/22/2007

Zencart Hack - Logout Customer Automatically After X Failed Payment Attempts

Credit card slamming is the practice of trying hundreds or thousands of card numbers and security code combinations to find the few in the batch that will actually work. I have discussed credit card slamming here and over at the ZenCart forums several times in the past.

The code snippet below can be used in modules/checkout_process.php to automatically log a customer out after a set number of payment attempts (6 in the snippet below). The counter lives in the session and is incremented on every pass through checkout_process.php.

// damonp add auto logoff after 6 attempts
if (!isset($_SESSION['payment_attempt'])) $_SESSION['payment_attempt'] = 0;
$_SESSION['payment_attempt']++;

if ($_SESSION['payment_attempt'] > 6) { // change 6 to change how many attempts to allow before logout
    // log attempt or email report
    // the following information is useful:
    // "Host:\t\t".$_SESSION['customers_host_address'].
    // "\nCustomer:\t".$_SESSION['customer_id'].
    // "\nTotal:\t\t".$_SESSION['cart']->total
    // destroy session to log customer out
    zen_session_destroy();
    // redirect to timeout page or create new page to redirect to
    zen_redirect(zen_href_link(FILENAME_TIME_OUT, '', 'SSL'));
}

Insert it between the two blocks shown below, near the top of the file, at the INSERT marker:

// if the customer is not logged on, redirect them to the time out page
if (!$_SESSION['customer_id']) {
    zen_redirect(zen_href_link(FILENAME_TIME_OUT));
}

INSERT AUTO LOGOUT FUNCTIONALITY HERE

// load selected payment module
require(DIR_WS_CLASSES . 'payment.php');
$payment_modules = new payment($_SESSION['payment']);
// load the selected shipping module
require(DIR_WS_CLASSES . 'shipping.php');

I found six attempts to work well on the sites I implemented it on. You do not want to adversely impact normal users, but you do want to make it harder on abusers so that they just go away.
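The snippet above counts every pass through checkout_process.php, so a legitimate customer who fixes a typo is counted alongside an attacker. The PHP below is an added example, not code from the post or from Zen Cart: it counts only declined attempts, clears the count on an approval, and adds the time-limited per-IP block from the fraud post's option list. The $store array stands in for $_SESSION and a small blocklist table, and every field and function name here is an assumption.

```php
<?php
// Added example (not from the original post or Zen Cart). $store stands in
// for $_SESSION plus a blocklist table; field and function names are assumed.
const MAX_FAILED_ATTEMPTS = 6;     // the threshold the post found workable
const IP_BLOCK_SECONDS    = 3600;  // per-IP cooldown once the limit is exceeded

// Record one payment attempt. Returns true when this failure pushed the
// customer past the limit and the caller should destroy the session.
function record_payment_attempt(array &$store, string $ip, bool $approved, int $now): bool
{
    if ($approved) {
        $store['payment_failures'] = 0;   // a good payment clears the count
        return false;
    }
    $store['payment_failures'] = ($store['payment_failures'] ?? 0) + 1;
    if ($store['payment_failures'] > MAX_FAILED_ATTEMPTS) {
        $store['blocked_ips'][$ip] = $now + IP_BLOCK_SECONDS;  // time-limited IP block
        $store['payment_failures'] = 0;   // fresh count for the next session
        return true;                      // caller logs the customer out
    }
    return false;
}

// Check early in checkout whether this address is still inside its cooldown.
function ip_is_blocked(array &$store, string $ip, int $now): bool
{
    if (!isset($store['blocked_ips'][$ip])) return false;
    if ($store['blocked_ips'][$ip] <= $now) {
        unset($store['blocked_ips'][$ip]);   // cooldown expired, forget it
        return false;
    }
    return true;
}

// The report the post suggests logging or e-mailing when the limit is hit.
function attempt_report(string $host, int $customerId, float $total): string
{
    return "Host:\t\t$host\nCustomer:\t$customerId\nTotal:\t\t" . number_format($total, 2);
}

// Constructed demo: seven declines from one address, then a look after the cooldown.
$store = [];
$now   = 1700000000;
for ($i = 1; $i <= 7; $i++) {
    if (record_payment_attempt($store, '198.51.100.7', false, $now)) {
        echo attempt_report('198.51.100.7', 42, 129.95), "\n";
    }
}
var_dump(ip_is_blocked($store, '198.51.100.7', $now + 60));
var_dump(ip_is_blocked($store, '198.51.100.7', $now + IP_BLOCK_SECONDS));
```

Because checkout_process.php runs before the gateway answers, the failure count has to be updated wherever the decline is actually known (the payment module or the redirect back to checkout_payment); keeping the logic in plain functions makes that move easy.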

BE WARNED

Improper use of this code could prevent anyone from checking out. The two things that will save you when trying this out are:

  1. MAKE A BACKUP
  2. FULLY TEST BEFORE CALLING IT COMPLETE


3/18/2007

Zencart Inventory Report Update v0.9.2

Feedback from users prompted me to add an extra column to the report display… the master category. The master_category_id is listed in the products table and is generally the category the product was originally created in (unless changed later). The report won’t show every category a product is listed in if the product has been linked to multiple categories.

Download ZenCart Inventory Report

Thanks to Ron for the donation to help out with these feature additions.


3/15/2007

Combating Card Fraud (or at Least Slowing It Down)

I have a major client whose Authorize.net gateway account gets hit sometimes hundreds of times a day with charge attempts. Most are posted by an automated script from IPs coming out of Indonesia or Eastern Europe in an attempt to find a valid credit card number and security code. Fortunately, it hasn’t cost the client any money directly yet. Out of the thousands of attempts in the last few months only a couple of charges actually captured funds from the stolen card information. All of these were promptly cancelled after review.

In discussions with this client, we came up with the following options. They are listed in order of ease of implementation and least impact on legitimate customers.

  1. Require only a billing address and plainly state that all orders ship only to the billing address
  2. Require the card billing address and shipping address to be in the same country, or deny the order before it goes to authorization
  3. Require all international orders to use PayPal so the whole process can't be automated (or perhaps allow orders from countries with a low fraud percentage to use a credit card directly and require PayPal for all others)
  4. Automatically log the user out after X failed attempts
  5. Automatically block the IP address after X failed attempts for a period between a few hours and a day or two
  6. Match the customer's IP address to the billing / shipping country before going to authorization

My thinking is that the better methods would include ways of slowing down the requests so that automated script kiddie tools would constantly fail while legitimate users who are just having problems would not be completely prevented from checking out. I also think a more robust system would utilize several layers of protection (just as a multi-layered approach to server security is better in the long run than putting all of your eggs in the single proverbial basket).

Over the course of the next few weeks I will implement some of these options and dream up more if necessary. Stay tuned for updates.

Should your site be experiencing similar issues, contact me to discuss options.

Note

MaxMind supplies a free IP-to-country database in CSV format alongside their commercial IP database products.
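Option 6 above needs a country lookup before the order goes to the gateway. The PHP below is an added example rather than anything from the post or from MaxMind: it loads a MaxMind-style country CSV into ranges sorted by start address, resolves a visitor's address by binary search, and flags a mismatch against the billing country. The column order and the sample rows (TEST-NET addresses with made-up country assignments) are assumptions; check them against the file you download.

```php
<?php
// Added example, not from the post. Assumed CSV layout: start IP, end IP,
// start number, end number, country code, country name. Rows are constructed
// from TEST-NET ranges with made-up country assignments.
const SAMPLE_CSV = <<<CSV
"192.0.2.0","192.0.2.255","3221225984","3221226239","US","United States"
"198.51.100.0","198.51.100.255","3325256704","3325256959","DE","Germany"
"203.0.113.0","203.0.113.255","3405803776","3405804031","ID","Indonesia"
CSV;
// Dotted quad to the unsigned integer used in the numeric CSV columns.
function ip_to_int(string $ip): int
{
    $n = ip2long($ip);
    if ($n === false) throw new InvalidArgumentException("not an IPv4 address: $ip");
    return (int) sprintf('%u', $n);   // stays positive on 32-bit builds
}
// Parse the CSV into ranges sorted by start address for binary search.
function load_ranges(string $csv): array
{
    $ranges = [];
    foreach (explode("\n", trim($csv)) as $line) {
        $cols = str_getcsv($line);
        if (count($cols) < 5) continue;   // blank or malformed row
        $ranges[] = ['start' => (int) $cols[2], 'end' => (int) $cols[3], 'cc' => $cols[4]];
    }
    usort($ranges, fn($a, $b) => $a['start'] <=> $b['start']);
    return $ranges;
}
// Country code for an address, or null when no range covers it.
function country_for_ip(array $ranges, string $ip): ?string
{
    $n = ip_to_int($ip);
    $lo = 0; $hi = count($ranges) - 1;
    while ($lo <= $hi) {
        $mid = intdiv($lo + $hi, 2);
        if ($n < $ranges[$mid]['start'])   { $hi = $mid - 1; }
        elseif ($n > $ranges[$mid]['end']) { $lo = $mid + 1; }
        else { return $ranges[$mid]['cc']; }
    }
    return null;
}
// Option 6: true when the visitor's country is known and differs from the billing
// country. Unknown addresses return false so they go to review, not auto-decline.
function country_mismatch(array $ranges, string $ip, string $billingCc): bool
{
    $cc = country_for_ip($ranges, $ip);
    return $cc !== null && strcasecmp($cc, $billingCc) !== 0;
}
$ranges = load_ranges(SAMPLE_CSV);
var_dump(country_mismatch($ranges, '203.0.113.9', 'US'));   // constructed: ID vs US
var_dump(country_mismatch($ranges, '10.0.0.1', 'US'));      // no range: not flagged
```

Treat a mismatch as a signal for review or a PayPal-only path rather than a hard decline; travellers, proxies and carrier NAT put legitimate customers in the wrong country too.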


3/10/2007

ZenCart Inventory Report - Updated

Thanks to Ron for posting a bug report on the Zencart forums about my Zencart Inventory Report.

Fixed… download… enjoy.


1/12/2007

ZenCart Manufacturers System Errors

In ZenCart versions immediately prior to 1.3.6, using many of the public-side manufacturers functions may produce this error:

Warning: constant(): Couldn't find constant in  .../includes/init_includes/init_add_crumbs.php on line 45

The error is caused by a missing database column that was added in the official 1.3.6 release. If upgrading is not immediately possible, the following SQL snippet will correct the problem in most cases:

ALTER TABLE get_terms_to_filter ADD get_term_table varchar(64) NOT NULL;

ALTER TABLE get_terms_to_filter ADD get_term_name_field varchar(64) NOT NULL;

UPDATE get_terms_to_filter SET get_term_table = 'TABLE_MANUFACTURERS', get_term_name_field = 'manufacturers_name' WHERE get_term_name = 'manufacturers_id';

UPDATE get_terms_to_filter SET get_term_table = 'TABLE_MUSIC_GENRE', get_term_name_field = 'music_genre_name' WHERE get_term_name = 'music_genre_id';

UPDATE get_terms_to_filter SET get_term_table = 'TABLE_RECORD_COMPANY', get_term_name_field = 'record_company_name' WHERE get_term_name = 'record_company_id';

If you are using other product types, some additional UPDATE statements will be required for your new product types.

I found this solution after some searching on the ZenCart forums.


1/9/2007

Interesting Ecommerce Comparison

The “killingest” assumptions businesses make revolve around how their customers buy. Suppose you and 99 other people go into an electronics store and purchase the exact same item. That’s 100 sales. But you can probably guess those 100 sales didn’t unfold in the exact same way. No properly-trained sales person would ever use the exact same language or structure the sale the exact same way for every single customer. And yet, ecommerce sites routinely assume one product page is going to meet the needs of all customers interested in that product. Talk about your huge assumptions!

Source: GrokDotCom

How flexible are your sales processes?



copyright © 2002-2008 damonparker.org. all rights reserved.
