chipx

    (@chipx)


    The plugin doesn’t include reCAPTCHA on the checkout form. This means the form is open to attack by fraudulent credit card bots. Our site was attacked by one in January and after over 9900 failed attempts Braintree suspended our account, which we were grateful for. They wouldn’t reactivate our merchant account until we added reCAPTCHA to the form ourselves. Once I figured out how to do this, they approved our account for trading again.

    Today I discovered that Braintree charges for all transactions, including failed ones. I discovered this when I found a ~NZ$4,500 deduction from our bank account by Braintree. To say I’m livid and deeply disappointed is an understatement.

    I recommend everyone use Stripe instead because they don’t charge fees for any transactions unless they are successful. DPS Payment Express also don’t charge fees for failed transactions. Braintree are effectively profiteering from fraudulent activity and we are massively out of pocket as a result.

    • This topic was modified 5 years ago by chipx. Reason: Unfair title
Viewing 7 replies - 1 through 7 (of 7 total)
    Plugin Author Payment Plugins

    (@mrclayton)

    Hi @chipx,

    There’s some incorrect information in this review that I am going to clear up. Braintree doesn’t charge for all transactions except in very specific scenarios. When your partner bank is NAB you are liable for all transaction fees incurred, which Braintree is pretty open about. Here’s a publicly accessible article about NAB.

    NAB Banking Partner

    With regard to our plugin not supporting reCAPTCHA, there are tons of reCAPTCHA plugins out there, a simple search shows that and they are very simple to setup.

    As part of any secure site, you should also have advanced fraud enabled, CVV validations enabled, and make sure you are protecting your private key. Your increase in failed transactions could have easily been due to a compromised private key. I recommend you review some of these fraudulent transaction IDs to see if they contain actual order data that is specific to your checkout form.

    Lastly, that big “Support” icon on every page of the plugin exists for a reason, so merchants can reach out with questions. Our average response time is around 5 minutes so there isn’t any excuse not to contact us if you have concerns.

    Kind Regards,

    Plugin Author Payment Plugins

    (@mrclayton)

    @chipx,

    To further add to my previous response. I personally spoke with Braintree’s support staff and they confirmed that if advanced fraud is enabled (like we recommend) the transaction data is first sent to Kount for validation and if it passes, it’s then sent on for transaction processing.

    I recommend you look at those transactions from January and see if you even had advanced fraud enabled and if not that’s a big part of the problem.

    The moral here is take ownership of your site. We build an awesome, secure plugin, but it’s up to merchants to use all the tools we provide.

    Kind Regards,

    benBrooklyn

    (@benbrooklyn)

    There are a lot of advanced fraud options in the plugin, we’re using some on our sites and it works well.

    This seems like a biased review tbh, what if Braintree didn’t charge @chipx for the fraudulent transactions?

    You can lead a horse to water, but you can’t make it drink.

    Thread Starter chipx

    (@chipx)

    I never questioned the quality of your support. It’s always been highly responsive and useful.

    Advanced Fraud Tools weren’t available when we first set up our merchant account with Braintree and installed your plugin. It looks like the relationship with Kount was announced after that, and the communication makes it look like an optional purchasable extra. All of the other suggested security measures were put in place as per the documentation available at the time. The initial email from Braintree telling us about the attacks, and the steps we had to take to reactivate our merchant account, also never mentioned the Advanced Fraud Tools. I found those myself and have since activated them. I can’t find any historical communication about those tools becoming available with a suggestion that they should be implemented. This is after it took them 24 hours to identify that fraudulent attempts were being made on their/your CC form (it’s not our form… that’s the whole point of using an SAQ A PCI compliant credit card form).

    It’s interesting that 7 days after this incident occurred Braintree sent out a bulk email notifying its users that it was applying a default set of fraud tool settings to everyone’s accounts… frankly, an admission that their base security settings weren’t adequate.

    The primary reason for this review is the lack of inclusion of reCAPTCHA. The addition of that to the form specifically was a firm requirement by Braintree. Your plugin presents itself as an official Braintree plugin from the Plugin Homepage link. In addition I have an email from Braintree stating they would be forwarding the request to add reCAPTCHA to the plugin’s form. I don’t see any reference in your documentation stating a 3rd party plugin should be used to protect your credit card form. Given that it’s apparently a requirement to have a Braintree merchant account, it’s surprising this isn’t mentioned in your plugin documentation nor in the Braintree Getting Started guide or Braintree onboarding process.

    I had already reviewed all the transactions and the raw access logs on our server. The bot was trawling through the site adding products to the cart, then proceeding to the checkout page and trying randomised card details repeatedly. The attack came from an IP address in Israel. I actually thought I had blocked payments from countries outside of Australia and New Zealand, but I’ve just blocked shipping. That setting is something that is available on a separate payment gateway on a website I’m involved in.

    As for the publicly available fee information regarding NAB, it’s buried in documentation and certainly not made clear during the signup phase or on the main Braintree website.

    In addition it’s really not that clear since this plugin was made free if it is part of Braintree or not. paymentplugins.com no longer loads and the official documentation page is branded as Braintree.

    Just an FYI, not that it affects you, this incident has been reported to CERT NZ and after their review they’ve forwarded it on to the Cybercrimes unit of the New Zealand Police. So hopefully NAB will step up to the plate. And hopefully this plugin’s documentation and that of Braintree’s can be improved to make these requirements more clear for others moving forward.

    @benbrooklyn thanks for your opinion…. every review on the planet, in their very nature is biased. You are clearly totally on top of your security on your website, well done, I hope you never get ripped off by some low life scum with nothing better to do in their lives than impart misery onto others.

    • This reply was modified 5 years ago by chipx.
    Plugin Author Payment Plugins

    (@mrclayton)

    Hi @chipx,

    I appreciate your detailed response and I agree it sucks what happened to you but it looks like you’re taking your frustration out on our plugin when it’s not our fault. The reason our plugin doesn’t mention reCAPTCHA is because by enabling fraud tools you don’t need it for 99.99% of scenarios which are caught by Kount. Plus reCAPTCHA causes friction on a checkout page and lowers conversion rate. Also newer versions of WC have added rate limiting which further adds to security.

    On the Advanced Settings page of the plugin, there is a direct link to Braintree’s best practices article regarding fraud tools. We provide that article so merchants can educate themselves on how to best configure the plugin.

    The excuse that fraud tools weren’t available when you installed this plugin doesn’t hold water. We’re all adults here and it’s up to the site owner to review changes to the plugin, especially a payment plugin where security is very important.

    Hopefully it works out for you regarding NAB.

    Kind Regards
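The access-log review @chipx describes (one IP adding products to the cart, hitting the checkout page and submitting randomised card details over and over) and the rate limiting mentioned in the reply above come down to the same check: how many checkout submissions a single client makes in a short window. The following is an added example for this thread, not code from the plugin, from Payment Plugins or from Braintree. It assumes the Apache/nginx combined log format, WooCommerce's `/?wc-ajax=checkout` endpoint as the path the checkout form posts to, a limit of 5 submissions per 10 minutes, and constructed log lines (the IPs are documentation addresses) that imitate the burst described.

```python
"""Flag card-testing bursts in a web server access log (added example).

Assumptions: Apache/nginx combined log format, WooCommerce checkout
submissions arriving as POST /?wc-ajax=checkout, and a velocity limit of
5 submissions per 10-minute window per IP. The log lines are constructed
to resemble the attack described in the thread; they are not real logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Checkout submission path (assumed WooCommerce AJAX endpoint).
CHECKOUT_PATHS = ("/?wc-ajax=checkout",)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


class CheckoutVelocity:
    """Sliding-window counter keyed by client IP.

    The same object works as a live rate limiter (call allow() on each
    checkout POST and reject when it returns False) and as an offline
    detector replayed over a log, which is what find_card_testers does.
    """

    def __init__(self, limit=5, window=timedelta(minutes=10)):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps of checkout POSTs

    def allow(self, ip, ts):
        q = self.hits[ip]
        while q and ts - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        q.append(ts)
        return len(q) <= self.limit


def find_card_testers(lines, limit=5, window_minutes=10):
    """Return {ip: number of checkout POSTs beyond the limit} for offending IPs.

    Only submissions count; the HTTP status is deliberately ignored because a
    declined card still typically comes back as 200 with a JSON failure body.
    """
    det = CheckoutVelocity(limit, timedelta(minutes=window_minutes))
    flagged = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(CHECKOUT_PATHS):
            continue
        if not det.allow(rec["ip"], rec["ts"]):
            flagged[rec["ip"]] += 1
    return dict(flagged)


def constructed_log():
    """Constructed sample: a bot cycling card numbers plus one real customer."""
    fmt = ('{ip} - - [14/Jan/2020:03:12:{sec:02d} +1300] "{m} {p} HTTP/1.1" '
           '200 233 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="203.0.113.7", sec=1, m="POST", p="/?wc-ajax=add_to_cart"),
             fmt.format(ip="203.0.113.7", sec=2, m="GET", p="/checkout/")]
    # Bot: 8 checkout submissions in 8 seconds, a different card each time.
    lines += [fmt.format(ip="203.0.113.7", sec=3 + i, m="POST", p="/?wc-ajax=checkout")
              for i in range(8)]
    # Legitimate customer: a single submission.
    lines.append(fmt.format(ip="198.51.100.20", sec=30, m="POST", p="/?wc-ajax=checkout"))
    return lines


if __name__ == "__main__":
    for ip, over in find_card_testers(constructed_log()).items():
        print(f"{ip}: {over} checkout submissions over the limit")
```

Two practical caveats: if the site sits behind a CDN or reverse proxy, key the counter on the client address the proxy forwards (and only trust that header from the proxy), otherwise every visitor shares one bucket; and a per-IP limit on its own is a floor, not a replacement for the gateway-side fraud tools discussed in this thread, since a distributed bot simply spreads the same attempts across many addresses.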

    Thread Starter chipx

    (@chipx)

    It’s not an excuse. It’s a statement of events. I have also seen the wording you refer to in your plugin settings when I reviewed all the security in January.

    I want to be clear. I’m not putting responsibility for this hack on you and your plugin. I know I have a part to play in this. So does Braintree, it’s negligent of them to have taken as long as they did to recognise the activity as fraudulent.

    And my point about reCAPTCHA is that Braintree has stated it’s a requirement in writing to me. I’m happy to forward that onto you, since apparently it’s a standard they haven’t documented publicly and a change in policy since January. Braintree told me the implementation of your/their plugin was insecure, and to secure it they stated it needed reCAPTCHA and nothing else would be appropriate… they didn’t even list the Advanced Fraud Tools as a requirement to stop this kind of attack, which is at odds with your information above. They should have made that a requirement based on your conversations with them, and they should be making you add reCAPTCHA based on their communication with me.

    Plugin Author Payment Plugins

    (@mrclayton)

    @chipx,

    Please feel free to send that email chain to me via our support email so I can take a look.

    I just got off the phone with Braintree’s Risk team and they stated they recommend reCAPTCHA for merchants that have been flagged like in your case. The fact that this plugin doesn’t offer reCAPTCHA does not make it insecure in any way.

    Kind Regards,

  • The topic ‘This plugin should include reCAPTCHA to help prevent credit card bot attacks.’ is closed to new replies.