There's of course always CFFormProtect (http://cfformprotect.riaforge.com/) - has worked for me for years and years. Great to stop bots, works 99.99% of the time. And it is unobtrusive for the end user.

Sebastiaan

On 08/23/2012 04:10 PM, Patti, Michael wrote:
> I run several non-profit association websites, and about 2 years ago we got
> hit with a similar blitz on our donation forms. We were able to minimize the
> number of fraudulent donations by doing the following:
>
> 1) Put into place the CV2 field, and make it required.
> 2) Put in Captcha.
> 3) Make sure your forms function within the context of a user session, and
> when the order is submitted to the payment gateway (PayPal/Authorize.net),
> set the authorization code as a session variable. Then, check for the
> existence of that session variable. If it exists, do not allow the user to
> re-submit their order. This, more than anything else, helped to cut down the
> number of incidences we were seeing.
> 4) Consider putting into place a minimum donation of a higher amount (say,
> $5). It's a pretty common occurrence for donation forms to be used as a
> testing ground for stolen cards, because a small charge of $1 is less likely
> to be noticed than a larger charge. Once a fraudster figures out which stolen
> cards still work, they can then move on to eCommerce sites and use the good
> cards to make larger purchases.
> 5) Banning a specific IP address won't do much to stop someone from using
> your site as a test-bed. They'll just set up another server at a different
> IP address, or use a proxy to mask their true location. If you know that
> you're not likely to receive legitimate donations from certain countries
> (like Vietnam), you can ban the range of IP addresses associated with that
> country, but people will still be able to find ways around those bans.
>
> It sucks that charity sites would be targeted as a test bed for checking
> stolen cards, but they often represent low-hanging fruit to a fraudster. If
> your organization is working towards PCI compliance (as we did), this type of
> activity can really put a ding in your efforts, but it's not too difficult to
> remedy the problem.
>
> It would also be a courtesy to get a report of the people whose cards were
> stolen (you can get that info from your payment gateway), and either ask your
> gateway to inform them, or let them know yourself. Much better to do that
> than wait for the flood of calls that will happen once people see those $1
> charges from your organization on their statements, which are immediately
> followed by a $1000 charge to Best Buy. They might wrongly suspect that your
> organization was somehow responsible for the card being stolen, and you
> definitely don't want that.
>
> Hope that helps,
> Michael
>
> -----Original Message-----
> From: Russ Michaels [mailto:[email protected]]
> Sent: Thursday, August 23, 2012 8:46 AM
> To: cf-talk
> Subject: Re: credit card fraud
>
> You can also enable 3D Secure, which adds an extra level of security.
> Even if someone has gotten someone's credit card and CV2 number, it is unlikely
> they also have their 3D Secure login as well, unless they garnered the card
> from a hacked PC with a keylogger trojan.
> You could also use something like http://www.maxmind.com/
>
> On Thu, Aug 23, 2012 at 2:25 PM, Al Musella, DPM <[email protected]> wrote:
>
>> I run a charity website and am getting a blitz of donation attempts.
>> It looks like they were trying a list of names and credit card
>> numbers that they had - but they must have been old because only 1 out
>> of hundreds succeeded. They tried to donate $1 with different names
>> and credit card numbers on each attempt, but all from the IP address
>> 113.161.94.67 which appears to be from Vietnam.
>> I permanently banned that IP address from all of my websites.
>> I am also going to limit bad attempts and increase the minimum
>> donation to $2.
>> Is there anything else I should do?
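The server-side part of what Michael and Al describe (a session-bound one-time submission, a minimum amount, and a cap on bad attempts per source address) as an added example. It is not code from the thread, from CFFormProtect, or from any gateway, and it is written in Python rather than CFML so it can be run as-is; the `Session` class stands in for the CF session scope, `fake_gateway` for PayPal/Authorize.net, and the thresholds, the test PAN, and the IP addresses are constructed for the demonstration.

```python
"""Added example: donation-form guards against card-testing bots.

Not from the cf-talk thread. Session, gateway, thresholds, PANs and IPs are
hypothetical stand-ins so the whole thing runs offline.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import secrets

MIN_AMOUNT = 5.00         # Michael's point 4: make $1 probe charges pointless
MAX_FAILED_PER_IP = 3     # declines one address may accumulate inside WINDOW
MAX_CARDS_PER_IP = 5      # distinct cards one address may try inside WINDOW
WINDOW = 3600.0           # seconds


def card_fingerprint(pan: str) -> str:
    """Hash the PAN so distinct cards can be counted without storing card numbers."""
    return hashlib.sha256(pan.encode()).hexdigest()[:16]


@dataclass
class Session:
    """Stand-in for the CF session scope. auth_code is Michael's point 3: the
    gateway authorization code stored after a successful submit."""
    form_token: str = field(default_factory=lambda: secrets.token_hex(16))
    auth_code: Optional[str] = None


class DonationGuard:
    def __init__(self) -> None:
        self.failures = defaultdict(deque)   # ip -> timestamps of gateway declines
        self.cards = defaultdict(dict)       # ip -> {fingerprint: last_seen}

    def _prune(self, ip: str, now: float) -> None:
        while self.failures[ip] and now - self.failures[ip][0] > WINDOW:
            self.failures[ip].popleft()
        self.cards[ip] = {f: t for f, t in self.cards[ip].items() if now - t <= WINDOW}

    def check(self, session: Session, posted_token: str, ip: str,
              amount: float, pan: str, now: float):
        """Run before contacting the gateway. Returns (allowed, reason)."""
        if session.auth_code is not None:           # already paid in this session
            return False, "already_submitted"
        if not secrets.compare_digest(posted_token, session.form_token):
            return False, "bad_form_token"          # post not tied to a live session
        if amount < MIN_AMOUNT:
            return False, "below_minimum"
        self._prune(ip, now)
        if len(self.failures[ip]) >= MAX_FAILED_PER_IP:
            return False, "too_many_declines"
        fp = card_fingerprint(pan)
        if fp not in self.cards[ip] and len(self.cards[ip]) >= MAX_CARDS_PER_IP:
            return False, "too_many_cards"
        self.cards[ip][fp] = now
        return True, "ok"

    def record(self, session: Session, ip: str, approved: bool,
               auth_code: Optional[str], now: float) -> None:
        """Run after the gateway answers: remember success in the session, declines per IP."""
        if approved:
            session.auth_code = auth_code
        else:
            self.failures[ip].append(now)


def fake_gateway(pan: str, amount: float):
    """Constructed stand-in for PayPal/Authorize.net: one test PAN approves, all else declines."""
    if pan == "4111111111111111":
        return True, "AUTH" + secrets.token_hex(3).upper()
    return False, None


def simulate_card_testing(amount: float, n: int = 300, ip: str = "113.161.94.67") -> dict:
    """Al's scenario: n attempts, a different constructed PAN each time, one source IP."""
    guard = DonationGuard()
    reasons = defaultdict(int)
    for i in range(n):
        s = Session()                       # bot fetches a fresh form every time
        pan = str(5000000000000000 + i)     # constructed PAN, not a real card
        allowed, reason = guard.check(s, s.form_token, ip, amount, pan, now=float(i))
        reasons[reason] += 1
        if allowed:
            approved, code = fake_gateway(pan, amount)
            guard.record(s, ip, approved, code, now=float(i))
    return dict(reasons)


def simulate_legit_donor(ip: str = "198.51.100.7"):
    """One real donor, then a refresh/double-click that must not charge twice."""
    guard = DonationGuard()
    s = Session()
    first = guard.check(s, s.form_token, ip, 25.00, "4111111111111111", now=0.0)
    approved, code = fake_gateway("4111111111111111", 25.00)
    guard.record(s, ip, approved, code, now=0.0)
    second = guard.check(s, s.form_token, ip, 25.00, "4111111111111111", now=1.0)
    return first[1], second[1], s.auth_code is not None


if __name__ == "__main__":
    print(simulate_card_testing(1.00))   # every probe stopped by the minimum
    print(simulate_card_testing(5.00))   # only the first 3 reach the gateway
    print(simulate_legit_donor())
```

With the $1 probes nothing reaches the gateway at all; when the bot raises its amount to clear the minimum, three declines from the same address trip the per-IP cap and the remaining attempts are refused before any card is tried. Note that the per-IP counters are only a speed bump (Michael's point 5: the attacker can move to another address or a proxy), which is why the session-bound token and the stored authorization code do the real work against replays, and why the counters live in memory here but would need a shared store behind more than one server.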
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352285

