NOTE: This post was created on 2024-01-04 on the Kryptronic eCommerce Community Facebook page, which has been replaced with this forum. All Facebook support content was migrated into this forum in April 2024.
Graham:
I'm getting hassle from Worldpay, who are my card processing gateway, because someone is doing "card testing", i.e. spamming lots of credit card transactions in the hope that they find one that's valid.
Worldpay have said that I should add a Captcha to the checkout (even though the transactions don't seem to be coming through my shopping cart) and the latest release mentions that this can be done, but I can't find where to add it and the online K9 manual doesn't mention it either.
Please can someone tell me where I can set this up.
Kryptronic:
You can turn on a captcha in checkout by accessing Store / Commerce / Checkout Form Fields and adding a Captcha-type field to checkout. Make it required.
Graham:
Is that under Custom Fields?
There doesn't seem to be anything I can see that says Captcha.
Kryptronic:
We're working with you on this via our ticket system at this point. For everyone else, when you choose to add/update a checkout field, and you choose the form field type, CAPTCHA is a form field type you can select.
Rob:
Something similar happened to us a while back - as an additional precaution we set up World Pay to only send payment request responses to our domain - e.g. yordomain.com/utilities/ecomrelay.php - this prevents anyone card testing on your account from anywhere other than your site where the Captcha should add too much friction. Too long ago to remember where in World Pay this is, but was not hard to find.
Graham:
Thanks for your suggestion.
As you'll see from my other post, I've fixed this now by changing to a 28 character alphanumeric ID which is going to be a lot harder for the scammers to guess!
Rob:
Hi Graham - ****2EE0E4B53B2B25C267E****
Not going to say how for obvious reasons - took me two attempts with publicly available info - but I could now test as many cards as I wanted.
Definitely suggest tightening up where World Pay will accept requests from and where it will send responses to. 😃
Graham:
But can you get the contents of the "Transaction Key/ Password" field too...? 😉
Rob:
To test a card I only need a Worldpay instId which I can get. But sounds like you are super happy with how things are. 😃
Graham:
Well, the daily number of Card Test transactions has been zero for the past, so it seems to be working ok 🙂
Graham:
An update to this:
As mentioned, after I contacted Worldpay I tried setting up a Captcha, but it didn't solve the problem, because the scammers were going directly to the payment Gateway, not through my site.
So I called WP again and actually got to speak to someone who knew what he was doing.
The issue is that the basic Worldpay ID is only 7 numbers, so scammers just keep trying until they find one that works, then send through their dodgy transactions trying to find valid cards.
What he suggested instead is that I change from the 7 figure Method User/Store ID to an alternative one that's 28 alphanumeric characters and, since then, all the scam transactions have stopped!
Kryptronic:
Thanks for the update on this. One would think that WorldPay would just issue those 28 character ids to everyone with the 7 digit ids to solve this.
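The thread reports that the card-testing transactions reached the gateway without passing through the shopping cart. One way to spot that pattern is to reconcile gateway notifications against the orders the cart actually created. This is an added example, not code from the thread, Kryptronic or Worldpay; the record fields, order references and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: order references the cart issued at checkout, with totals.
CART_ORDERS = {"K9-1001": 24.99, "K9-1002": 105.00}

# Constructed gateway notifications. Field names are hypothetical, not Worldpay's.
NOTIFICATIONS = [
    {"time": "2024-01-04T10:00:05", "order_ref": "K9-1001", "amount": 24.99, "status": "authorised"},
    {"time": "2024-01-04T10:01:10", "order_ref": "x81", "amount": 1.00, "status": "declined"},
    {"time": "2024-01-04T10:01:40", "order_ref": "x82", "amount": 1.00, "status": "declined"},
    {"time": "2024-01-04T10:02:15", "order_ref": "x83", "amount": 1.00, "status": "authorised"},
    {"time": "2024-01-04T10:30:00", "order_ref": "K9-1002", "amount": 1.00, "status": "authorised"},
    {"time": "2024-01-04T11:15:00", "order_ref": "K9-1002", "amount": 105.00, "status": "authorised"},
]


def unmatched(notifications, cart_orders):
    """Return notifications that do not correspond to an order the cart created.

    A notification is unmatched when its reference is unknown to the cart or
    when its amount differs from the order total the cart recorded.
    """
    result = []
    for note in notifications:
        expected = cart_orders.get(note["order_ref"])
        if expected is None or abs(expected - note["amount"]) > 0.005:
            result.append(note)
    return result


def bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return the start times of sliding windows holding >= threshold events."""
    times = sorted(datetime.fromisoformat(e["time"]) for e in events)
    hits = set()
    start = 0
    for end, current in enumerate(times):
        # Shrink the window from the left until it spans at most `window`.
        while current - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            hits.add(times[start])
    return sorted(hits)


if __name__ == "__main__":
    suspicious = unmatched(NOTIFICATIONS, CART_ORDERS)
    for note in suspicious:
        print("no matching cart order:", note)
    for started in bursts(suspicious):
        print("burst of unmatched transactions starting", started.isoformat())
```

Unmatched notifications are the ones worth raising with the payment provider, since a checkout Captcha never sees them.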