Thanks for all of the tips. I deal with brain cancer patients... adding in a captcha would make it too difficult. We had this in place since 1996 and never had a problem until today. I am looking through the cfform protect documents and will probably implement that.

Banning that IP address worked - when I ban an IP, they get a message that the website has an internal error and to try again later. No bad attempts were made in the hours since I banned that one.

At 10:10 AM 8/23/2012, you wrote:
> I run several non-profit association websites, and about 2 years ago
> we got hit with a similar blitz on our donation forms. We were able
> to minimize the number of fraudulent donations by doing the following:
>
> 1) Put into place the CV2 field, and make it required.
> 2) Put in Captcha
> 3) Make sure your forms function within the context of a user
> session, and when the order is submitted to the payment gateway
> (PayPal/Authorize.net), set the authorization code as a session
> variable. Then, check for the existence of that session
> variable. If it exists, do not allow the user to re-submit their
> order. This, more than anything else, helped to cut down the number
> of incidences we were seeing.
> 4) Consider putting into place a minimum donation of a higher amount
> (say, $5). It's a pretty common occurrence for donation forms to be
> used as a testing ground for stolen cards, because a small charge of
> $1 is less likely to be noticed than a larger card. Once a
> fraudster figures out which stolen cards still work, they can then
> move on to eCommerce sites and use the good cards to make larger purchases.
> 5) Banning a specific IP address won't do much to stop someone from
> using your site as a test-bed. They'll just set up another server
> at a different IP address, or use a proxy to mask their true
> location. If you know that you're not likely to receive legitimate
> donations from certain countries (like Vietnam), you can ban the
> range of IP addresses associated with that country, but people will
> still be able to find ways around those bans.
>
> It sucks that charity sites would be targeted as a test bed for
> checking stolen cards, but they often represent low-hanging fruit to
> a fraudster. If your organization is working towards PCI compliance
> (as we did), this type of activity can really put a ding in your
> efforts, but it's not too difficult to remedy the problem.
>
> It would also be a courtesy to get a report of the people whose
> cards were stolen (you can get that info from your payment gateway),
> and either ask your gateway to inform them, or let them know
> yourself. Much better to do that than wait for the flood of calls
> that will happen once people see those $1 charges from your
> organization on their statements, which are immediately followed by
> a $1000 charge to Best Buy. They might wrongly suspect that your
> organization was somehow responsible for the card being stolen, and
> you definitely don't want that.
>
> Hope that helps,
> Michael
>
> -----Original Message-----
> From: Russ Michaels [mailto:[email protected]]
> Sent: Thursday, August 23, 2012 8:46 AM
> To: cf-talk
> Subject: Re: credit card fraud
>
> You can also enable 3D Secure, which adds an extra level of security.
> Even if someone has gotten someone's credit card and CV2 number, it is
> unlikely they also have their 3D Secure login as well, unless they
> garnered the card from a hacked PC with a keylogger trojan.
> You could also use something like http://www.maxmind.com/
>
> On Thu, Aug 23, 2012 at 2:25 PM, Al Musella, DPM
> <[email protected]> wrote:
>
> > I run a charity website and am getting a blitz of donation attempts.
> > It looks like they were trying a list of names and credit card
> > numbers that they had - but they must have been old because only 1 out
> > of hundreds succeeded. They tried to donate $1 with different names
> > and credit card numbers on each attempt, but all from the IP address
> > 113.161.94.67 which appears to be from Vietnam.
> > I permanently banned that IP address from all of my websites.
> > I am also going to limit bad attempts and increase the minimum
> > donation to $2..
> > Is there anything else I should do?
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352297
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
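The card-testing pattern the thread describes (a burst of $1 attempts from one IP, a different name and card number each time, nearly all declined) can be picked out of payment-gateway logs automatically, and the "limit bad attempts" rule can be applied per IP. The following is an added example, not code from the cf-talk thread or from cfformprotect; the log format, the IP addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed gateway log lines: "timestamp ip amount card_last4 result".
# 203.0.113.7 mimics the blitz described in the thread; the other two
# entries are ordinary donations (documentation-range IPs, not real ones).
SAMPLE_LOG = """\
2012-08-23T09:01:02 203.0.113.7 1.00 4242 DECLINED
2012-08-23T09:01:05 203.0.113.7 1.00 1881 DECLINED
2012-08-23T09:01:09 203.0.113.7 1.00 0005 DECLINED
2012-08-23T09:01:12 203.0.113.7 1.00 9424 APPROVED
2012-08-23T09:01:15 203.0.113.7 1.00 3333 DECLINED
2012-08-23T09:01:18 203.0.113.7 1.00 7777 DECLINED
2012-08-23T09:30:00 198.51.100.4 50.00 4242 APPROVED
2012-08-23T09:35:00 198.51.100.9 25.00 5100 DECLINED
"""

def parse_gateway_log(text):
    """Parse the constructed log format into a list of attempt records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, amount, last4, result = line.split()
        records.append({"ts": ts, "ip": ip, "amount": float(amount),
                        "last4": last4, "approved": result == "APPROVED"})
    return records

def card_testing_ips(records, min_attempts=5, max_amount=2.0,
                     min_distinct_cards=4, min_decline_ratio=0.5):
    """Return {ip: stats} for IPs whose traffic looks like card testing:
    many attempts, all at trivial amounts, across many distinct cards,
    mostly declined (a stolen list is largely dead cards)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, rs in by_ip.items():
        declines = sum(1 for r in rs if not r["approved"])
        distinct_cards = {r["last4"] for r in rs}
        all_small = all(r["amount"] <= max_amount for r in rs)
        if (len(rs) >= min_attempts and all_small
                and len(distinct_cards) >= min_distinct_cards
                and declines / len(rs) >= min_decline_ratio):
            flagged[ip] = {"attempts": len(rs), "declines": declines,
                           "cards": len(distinct_cards)}
    return flagged

def exceeds_decline_limit(records, ip, max_declines=3):
    """The 'limit bad attempts' rule: block once an IP has more than
    max_declines declined attempts, regardless of amount."""
    return sum(1 for r in records
               if r["ip"] == ip and not r["approved"]) > max_declines
```

Running `card_testing_ips(parse_gateway_log(SAMPLE_LOG))` flags only the blitz IP; the two single-attempt donors, including the one genuine decline, are left alone by both checks.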

