Checkout attack vector we haven't seen.

  • Posts: 141
  • Thank you received: 3
  • Hikashop Business
1 year 11 months ago #340701

-- HikaShop version -- : 4.5.0
-- Joomla version -- : 3.10.8
-- PHP version -- : 7.4.28

We're seeing a repeated automated 'attack' on our customer's HikaShop checkout mechanism. (Three attempts so far.)

The pattern is that they register during checkout (the welcome message to their email bounces), and attempt an order which fails due to an invalid credit card. Within the next few hours, an automated system logs in using that new Joomla Account, and makes approximately 100 to 300 attempts which use different credit card numbers, but still use the fake name of the user. No orders succeeded in any of the three attacks, but an order a minute was attempted for between two and three hours each, in the middle of the night. Each of the three attacks came from a different IP address, which was captured when they registered.

I assume that a live person registered because they could successfully get past the Captcha, but as far as I know, there is no captcha presented on a checkout for a logged in user. The multiple orders happened so regularly, I assume that this second part was automated. To all appearances, they aren't looking to actually collect any goods from our customer, they're just trying to find a credit card which gets past the CC validation. So far, none have.

After each attack, I have blocked each IP address, and removed those newly registered Joomla accounts. Requiring the customer to activate their Joomla account in the middle of a normal order process is a point of friction we'd really prefer to avoid - in the past, this has demonstrably deterred elderly customers.

Is there a strategy to prevent this method of. attack? Possibly a way to implement a captcha during checkout?

The best suggestion I (and a wise friend) have come up with is to build a HikaShop plugin that counts each CC failure, which then blocks any order from that user once their credit card attempts have failed X number of times until they have logged out and logged in again - or passed another captcha test.

Ideas?

Last edit: 1 year 11 months ago by icomex.

Please Log in or Create an account to join the conversation.

  • Posts: 81378
  • Thank you received: 13037
  • MODERATOR
1 year 11 months ago #340707

Hi,

In recent years solving captchas for attackers has become easier and easier. So it's possible that the captcha solving is also automated. In that case, adding a captcha for each checkout won't help, and will just burden your users.

I think your (and your wise friend) idea of blocking the orders when there were X failed attempts is a good solution.
I think it would be best to just block the user account (or prevent the order creation) when you find a user matching the criteria, with a message telling them to contact you directly if they have a problem with their payment. That way, even if legit users have a problem with their payment, you'll be able to check what's going on with them, and attackers will just be blocked.

The following user(s) said Thank You: icomex

Please Log in or Create an account to join the conversation.

  • Posts: 141
  • Thank you received: 3
  • Hikashop Business
1 year 11 months ago #340725

I'm moving ahead with the failure limit routine. Thank you for your advice.

In a slightly related issue, Is there a way for a HikaShop administrator to view a customer's existing cart before an order is created? When an order fails, our customer's online customer often calls by phone and wishes to complete it directly - which usually means repeating the order verbally by phone. It would be handy for our customer to be able to identify the user's account over the phone and view their existing online cart firsthand.

Thank you for all your help.

Please Log in or Create an account to join the conversation.

  • Posts: 81378
  • Thank you received: 13037
  • MODERATOR
1 year 11 months ago #340726

Hi,

Well, it depends where they got blocked:
- if it's before login, there is only the IP address of the user and its session id linked to the cart. So it will be hard to find it if you search in the menu Customers>Carts of the HikaShop backend, especially since most users won't know their own IP address (there are online tools like monip.org/ to easily get your own IP address, but I'm afraid it might complexify things more for them than make it easy).
- if it's after login and before finishing the checkout, then the cart should be easy to find in the menu Customers>Carts with the email address of the user or his username.
- if it's after finishing the checkout and before the payment, then it's not a cart anymore but an order and thus it can be found in the menu Orders of the HikaShop backend.

Please Log in or Create an account to join the conversation.

  • Posts: 141
  • Thank you received: 3
  • Hikashop Business
1 year 11 months ago #340734

I have never even noticed the cart list before. Thank you!

Many of their customers are registered from previous orders (hometown business with lot of repeat customers), so the ones most likely to call them will be buying under their usernames. They are also most likely to call immediately when their order fails, so sorting by date could make it easier.

The validation routine takes place in the onBeforeOrderCreate method, so no order should have been created yet.

I'll think through other options, such as adding a password-protected AJAX function to return the cart ID to the user, or to send the cart contents to our customer, while they're on the phone. Possibly even finding a way to use the wishlist methods, somehow. Hmmmm...

Please Log in or Create an account to join the conversation.

  • Posts: 81378
  • Thank you received: 13037
  • MODERATOR
1 year 11 months ago #340741

Hi,

This extension might be interesting for your need:
www.web357.com/product/login-as-user-joomla-component
This would allow the operator to log on the frontend with the user account of the user from the order he found in the backend, and then he could see the cart of the user and proceed to the checkout with the information provided by the customer over the phone.

Please Log in or Create an account to join the conversation.

  • Posts: 141
  • Thank you received: 3
  • Hikashop Business
1 year 11 months ago #340746

That's very interesting. Thank you!

Please Log in or Create an account to join the conversation.

Time to create page: 0.065 seconds
Powered by Kunena Forum