• Resolved wordmax

    (@wordmax)


    Regarding the fraudulent user security risk, even with reCAPTCHA enabled, those bad users trying to test cards are coming from the Asia region.

    We can see that those bad users are using search engines to locate sites that have code showing an association with the plugin. The user was referred to the site by a Yahoo search, and then we immediately see that user attempting credit card tests multiple times, triggering Stripe errors: 15+ card verification errors in one minute.

    So maybe the plugin developer should minimize the risk of bad users finding sites that use the plugin. reCAPTCHA is fine, but why not make it not so easy to find sites using the plugin in the first place?

    Why not have a setting where the admin can limit the number of times the form can be submitted per minute, and an admin setting so that if the submission limit is exceeded the user is blocked for X (an amount of time set by the admin)? This would solve the problem of bad bots hammering the form with card testing.

    Looks like this plugin is definitely on the list as a common target for these malicious fraud types.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support mbrsolution

    (@mbrsolution)

    Thank you for reaching out to us. I have submitted a message to the developers to investigate your request further.

    Kind regards.

    Plugin Author mra13

    (@mra13)

    Hi, Thank you for the suggestions.

    Blocking/hiding pages from search engines is something that should be done using an SEO plugin. Otherwise, there can be unintended consequences that can have a far more negative outcome. It’s not a good idea to try to re-do the functionality that an SEO plugin offers inside this payment processing plugin. SEO plugins allow you to exclude some pages and posts from search engines.

    There are already checks in place for the other item you talked about (limiting submissions). Please note that there are many different categories of bots. The really advanced and smart bots are the ones creating the issue. Those advanced bots post data remotely to the site (they don’t interact with the button).

    It’s easy to think that it is only an issue within the plugin. Let me give you the following data pointer so you can understand that it is a fundamental issue with the particular Stripe API. Otherwise, why would Stripe have the following page on their site explaining the issue and suggesting the usage of captcha?

    https://stripe.com/docs/disputes/prevention/card-testing

    We have been adding checks like the one you suggested in the plugin and we will add even more in the future (as we observe what the bots are doing and adjust things accordingly). But at the same time I want to give you context to understand that this open Stripe API does need a captcha solution for better protection. Otherwise Stripe wouldn’t mention it on their site.

    If you are seeing card testing attempts happening on your site, please enable the debug logging feature in the plugin and then contact us to provide the log file. It will be very helpful to analyze the log file, as we will be able to detect what it is trying to do and add even more checks in place to block it appropriately.
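The submission limit wordmax proposes (N submissions per window, then a block for an admin-chosen time), replayed over a debug log of the kind mra13 asks for. This is an added example and not the plugin's own code; the log format (`timestamp client_ip outcome`), the IP-keyed client identity, the thresholds and the sample addresses are all assumptions constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class CardTestingLimiter:
    """More than max_attempts submissions from one client inside any `window`
    seconds blocks that client for `block_for` seconds. The check runs server
    side on every request, so it applies to bots that post data remotely."""
    def __init__(self, max_attempts=5, window=60, block_for=900):
        self.max_attempts, self.window, self.block_for = max_attempts, window, block_for
        self.attempts = defaultdict(deque)  # ip -> times of recent submissions
        self.blocked_until = {}             # ip -> when its block expires

    def allow(self, ip, now):
        """Return True if this submission may reach Stripe, False to reject it."""
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False
            del self.blocked_until[ip]      # block has lapsed
        recent = self.attempts[ip]
        recent.append(now)
        while (now - recent[0]).total_seconds() > self.window:
            recent.popleft()                # forget attempts outside the window
        if len(recent) > self.max_attempts:
            self.blocked_until[ip] = now + timedelta(seconds=self.block_for)
            recent.clear()
            return False
        return True

# Constructed sample of a hypothetical "timestamp client_ip outcome" debug log:
# one client hammers the form eight times in 42 seconds; one legitimate buyer.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{s:02d} 203.0.113.7 card_declined" for s in range(0, 48, 6)]
    + ["2024-05-01T10:02:10 198.51.100.4 succeeded",
       "2024-05-01T10:10:00 203.0.113.7 card_declined",  # still inside the block
       "2024-05-01T10:20:00 203.0.113.7 card_declined",  # block has expired
       "2024-05-01T10:25:00 198.51.100.4 succeeded"])

def replay(log_text, limiter):
    """Feed each log line through the limiter; return {ip: rejected submissions}."""
    rejected = defaultdict(int)
    for line in log_text.splitlines():
        ts, ip, _outcome = line.split()
        if not limiter.allow(ip, datetime.fromisoformat(ts)):
            rejected[ip] += 1
    return dict(rejected)

if __name__ == "__main__":
    print(replay(SAMPLE_LOG, CardTestingLimiter()))  # {'203.0.113.7': 4}
```

Keying on the client IP is the weak spot: a bot rotating addresses needs a second signal (session, fingerprint or the captcha mra13 describes) before the limiter alone stops it.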

  • The topic ‘Malicious users can find sites using this plugin via search engines…’ is closed to new replies.