News

Why you should add reCAPTCHA to your subscription forms to stop fraudsters

If your site was attacked by fraudsters, what would you do?

Well, as it just happened to four of our sites, we have first-hand experience.
Don't let it happen to you...
Instead, let us take you through this nightmare and explain the 3 steps you should take:

 

3 Important Steps to Take to Secure Your Site

  1. Upgrade to reCAPTCHA 2
  2. Set up and switch to Subscription Form Generator forms
  3. Enable reCAPTCHA "site-wide"

(Contact Us if you have custom code)

Background 

Over the past four weekends, first one site, then another, then another, and then a fourth site was attacked by credit card fraudsters.
We think they waited until the weekend, in the expectation that there would be no support for the site owner.
...could be a thirteen-year-old geek, a couple of high school graduates... or a gang of hardened criminals - who knows?
Working out of a bedroom or basement... a back-street garage... a coffee shop... or a hotel lobby? - there's no way to tell for sure.

What we do know now is that they have coded a bot to fill out the forms rapidly, queued up a bunch of stolen card numbers and let it rip through the site joining form.
After trying a thousand or so numbers in the space of a few minutes, they got 6 transactions to work.
That's 6 "golden tickets" of working credit cards they can then exploit elsewhere.

Now, our sites started getting hundreds of failed transaction messages, and so the licensees got in touch with us.
We jumped on the case as soon as we were alerted, deployed some code to back-trace the attacks and applied some restrictions.

In the meantime, I asked the site owners to remove the subscription form and redirect their pages to the Contact Us page.
This way, any new subscribers could get in touch, but the fraudsters would no longer have a form they could post data to.
This allowed some respite and we were able to put some barriers in place, while the licensees got in touch with their payment gateway support to ask for help.
They were advised to tighten up certain permissions.

With that breathing space, we were able to update our integration of reCAPTCHA to create a site-wide enabler feature, while the site owners followed the instructions to upgrade from Captcha to reCAPTCHA 2 and switched their old 'hard coded forms' over to forms built using the Subscription Form Generator.

Now ALL their subscription forms and cart orders are automatically secured with reCAPTCHA with one click.

This stopped the fraudsters, as it takes the automation out of the card processing and discouraged them enough to go elsewhere.

What you should do:

 

1. Upgrade to reCAPTCHA 2

Follow this guide to setting up reCAPTCHA on your site.

We recommend that the old 'hard coded' forms are retired.

Use the Subscription Form Generator for all your subscription forms.

 

2. Custom Code? - Contact Us to request the updated reCAPTCHA module

We have already updated sites to use the improved reCAPTCHA.
However, some sites have custom coding, and this integration affects all forms, so we need to check before uploading.
Contact Us if you have custom code to get the updated module.

3. Deploy and enable site-wide

From the right side of your Control Panel, under 'API Service Settings', choose 'reCAPTCHA Settings'.

  1. In the field 'Add ReCaptcha to all forms' choose 'Yes' from the drop down box
  2. Click the Save reCAPTCHA Settings button

 


 

3. Retire & Replace subscription forms

4. Tighten Your Payment Gateway Settings

You should work with your payment gateway to check that your fraud detection settings are tightened up.
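
A velocity check of the kind a fraud-detection setting applies, as an added example (not code from this platform or from any payment gateway): it flags a form that receives many different cards, almost all declined, within a few minutes, which is the pattern described in the Background. The log format, form paths, card identifiers and thresholds are assumptions constructed for the illustration.

```python
from collections import deque
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed sample, one line per attempt: '<ISO time> <form> <card id> <result>'.
    The card id stands for a gateway token or hash, never the full card number."""
    day = datetime(2024, 1, 6)
    rows = [(day + timedelta(hours=1), "/renew", "cardA", "approved"),
            (day + timedelta(hours=1, minutes=10), "/join", "cardB", "approved"),
            (day + timedelta(hours=1, minutes=20), "/renew", "cardC", "declined"),
            (day + timedelta(hours=1, minutes=40), "/renew", "cardD", "approved")]
    # Burst on the joining form: 40 different cards, 2 seconds apart, one approval.
    for i in range(40):
        result = "approved" if i == 25 else "declined"
        rows.append((day + timedelta(hours=2, seconds=2 * i), "/join", f"test{i:04d}", result))
    return [f"{t.isoformat()} {form} {card} {res}" for t, form, card, res in sorted(rows)]

def detect_card_testing(lines, window=timedelta(minutes=5),
                        min_attempts=20, min_cards=15, max_approval_rate=0.05):
    """Return {form: details} for forms showing many distinct cards, mostly declined,
    inside one sliding window. Thresholds are illustrative assumptions."""
    recent = {}   # form -> deque of (time, card, approved) still inside the window
    alerts = {}   # form -> details at the moment the form was first flagged
    for line in lines:
        ts, form, card, result = line.split()
        now = datetime.fromisoformat(ts)
        q = recent.setdefault(form, deque())
        q.append((now, card, result == "approved"))
        while now - q[0][0] > window:      # drop attempts older than the window
            q.popleft()
        attempts = len(q)
        cards = len({c for _, c, _ in q})
        approved = sum(ok for _, _, ok in q)
        if (form not in alerts and attempts >= min_attempts and cards >= min_cards
                and approved / attempts <= max_approval_rate):
            alerts[form] = {"flagged_at": now, "attempts": attempts,
                            "distinct_cards": cards, "approved": approved}
    return alerts

if __name__ == "__main__":
    for form, info in detect_card_testing(make_sample_log()).items():
        print(form, info)
```

Keying the window on the form rather than the client address means the check still fires if the bot rotates addresses between attempts.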