News
If your site was attacked by fraudsters, what would you do?
Well, as it just happened to four of our sites, we have first-hand experience
Don't let it happen to you...
Instead, let us take you through this nightmare and explain the 3 steps you should take:
3 Important Steps to Take to Secure Your Site
- Upgrade to reCAPTCHA 2
- Set up and switch to Subscription Form Generator forms
- Enable ReCaptcha "site-wide"
(Contact Us if you have
Background
Over the past four weekends, first one site, then another... then another, and then a fourth site were attacked by credit card fraudsters
We think they waited until the weekend, in the expectation that there would be no support for the site owner
...could be a thirteen-year-old geek, a couple of high school graduates... or a gang of hardened criminals - who knows?
Working out of a bedroom or basement... a back-street garage... a coffee shop...or a hotel lobby? - there's no way to tell for sure
What we do know now is that they have coded a bot to fill out the forms rapidly, queued up a bunch of stolen card numbers and let it rip through the site joining form
After trying a thousand or so numbers in the space of a few minutes, they got 6 transactions to work
That's 6 "golden tickets" of working credit cards they can then exploit elsewhere
Now, our sites started getting hundreds of failed transaction messages and so the licensees got in touch with us
We jumped on the case as soon as we were alerted and deployed some code to back-trace the attacks and applied some restrictions
In the meantime, I asked the site owners to remove the subscription form and redirect their pages to the Contact Us page
This way, any new subscribers could get in touch, but the fraudsters would no longer have a form they could post data to
This allowed some respite and we were able to put some barriers in place, while the Licensees got in touch with their Payment Gateway support to ask for help
They were advised to tighten up certain permissions
With that breathing space, we were able to update our integration of reCaptcha to create a site-wide enabler feature
While the site owners followed the instructions to upgrade from Captcha to reCAPTCHA 2
And switch old '
Now ALL their subscription forms and cart orders are automatically secured with 'reCAPTCHA' with one click
This stopped the fraudsters - as it takes the automation out of the card processing and discouraged them enough to go elsewhere
What you should do:
1. Upgrade to reCaptcha 2
Follow this guide to setting up reCaptcha on your site.
We recommend the old 'hard coded' forms are retired.
Use the Subscription Form Generator for all your subscription forms
2. Custom Code? - Contact Us to request the updated reCAPTCHA module
We have already updated sites to use the improved reCaptcha
However some sites have custom coding, and this integration affects all forms, so we need to check before uploading
Contact Us if you have custom code to get the updated module
3. Deploy and enable site-wide
From the right side of your Control Panel under 'API Service Settings' choose 'reCAPTCHA Settings'
- In the field 'Add ReCaptcha to all forms' choose 'Yes' from the drop down box
- Click the Save reCAPTCHA Settings button
3. Retire & Replace subscription forms
- Clear all instances of old html subscription forms
- Set up and switch to Subscription Form Generator forms
4. Tighten Your Payment Gateway Settings
You should work with your Payment Gateway to check that your fraud detection settings are tightened up
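The pattern described in the Background (a burst of attempts from one source, a different card each time, almost all of them declined) is what a velocity check looks for. The Python below is an added example, not code from this platform or from any payment gateway; the event fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

def find_card_testing(events, window=timedelta(minutes=5), min_attempts=10,
                      min_cards=5, min_decline_ratio=0.8):
    """Return {source_ip: time_of_first_alert} for sources whose attempts inside a
    sliding window look like card testing: many attempts, many distinct cards,
    mostly declines. Each event is (timestamp, ip, card_ref, approved), where
    card_ref is a token or the last four digits, never the full card number."""
    recent = {}   # ip -> deque of (timestamp, card_ref, approved) inside the window
    alerts = {}
    for ts, ip, card, approved in sorted(events):
        q = recent.setdefault(ip, deque())
        q.append((ts, card, approved))
        while ts - q[0][0] > window:      # drop attempts older than the window
            q.popleft()
        if ip in alerts or len(q) < min_attempts:
            continue
        distinct_cards = {c for _, c, _ in q}
        declines = sum(1 for _, _, ok in q if not ok)
        if len(distinct_cards) >= min_cards and declines / len(q) >= min_decline_ratio:
            alerts[ip] = ts
    return alerts

# Constructed sample data (documentation IP ranges, made-up card references).
T0 = datetime(2024, 1, 6, 2, 0, 0)

def sample_events():
    events = []
    # Bot: 15 attempts two seconds apart, a different card each time, one approval.
    for i in range(15):
        events.append((T0 + timedelta(seconds=2 * i), "203.0.113.9", str(4000 + i), i == 7))
    # Genuine subscriber: one mistyped attempt, then success with the same card.
    events.append((T0 + timedelta(seconds=5), "198.51.100.4", "1111", False))
    events.append((T0 + timedelta(seconds=65), "198.51.100.4", "1111", True))
    return events

if __name__ == "__main__":
    for ip, when in find_card_testing(sample_events()).items():
        print(f"possible card testing from {ip}, first flagged at {when}")
```

Keying on the source IP alone misses a bot that spreads its attempts across many addresses, so the same counters are worth keeping per form or per site as well.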