[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Preventing Credit Card Form Abuse Captcha Solution

Posted on 2011-02-16
3
Medium Priority
?
439 Views
Last Modified: 2012-05-11
We have a donation form on our charity site. We would like to accept donations without requiring users to set up an account. We have PayPal set but we also have a form for entering credit card info. Previously we had a very difficult captcha. Later we changed this to human readable question, e.g. "is the sun hot or cold"  (answer, cold) We have about 15 questions that a called by random. But it is being hacked. Someone keeps using the form to test credit cards, charging $1 to $50.00 onthe same and different cards. Obviously he is testing and when one goes there he use it to purchase things  or whatever.  So we need to set up again, a strong defense for this abuse, but we are not sure the best method. Some new captcha methods are good, but so difficult that you have to be an artist or super visual brain to do them. We want a system that works, but will not  be so hard as to cause resistance to users to donate.
0
Comment
Question by:Sivakatirswami
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 12

Accepted Solution

by:
Amick earned 2000 total points
ID: 34915365
The simple captchas with very readable text obscured by a randomly spaced grid pattern seem to be useful  because they're easy enough for humans while difficult enough for computers.  Be certain that your captchas are randomly generated, not generated once and reused.  You should also avoid any tell-tale in the captcha object that would provide a hacker with a clue. Captchas do reduce response rates, sometimes very significantly, so perhaps a better method would be to capture the user's IP address and programatically insert a wait that increases with frequency of use. The first attempt from an IP within a chosen time frame would result in no wait, but the next attempt would insert a half-second,  subsequent attempts would double the wait time until some maximum has been reached. While you have the IP, you may also want to look up the point-of-origin. A local charity in Honolulu may be wary of connectons from the other side of the world. It would be good to be able to report the most frequently used IPs (this information is probably already in your server logs) and if you can tie them to incidences of fraud or abuse, you may want to blacklist those addresses.  

If you make it difficult or time-consuming for a dishonest user to abuse your site, they will go somewhere where it is easier to get the result they're after.  Unfortunately, if you make it difficult and time-consuming for a good donor to use your site, they too may go elsewhere.

Good luck.
0
 

Author Comment

by:Sivakatirswami
ID: 34918084
@amick Thanks for the very clear advice. I asked the accounting team (who see the charges being made) the time between charges. sometimes it was a few minutes. So, I have heard of the IP wait, but we don't think it will help. Either he was running dictionary attacks on the form (to get words that would answer our human readable questions)  which would take some time (until he had the answers and logged those and then he could reduce his dictionary to the answers that worked before)  OR he was manually sitting there madly filling in the form and entering CC numbers by hand. Hard to know... We took down the form, but forgot to disable the CGI, so he already had a copy of our form and continuing POSTing directly to the CGI without going thru our form, we finally had to turn disable the CGI itself.

I found another system we are going to try: it generates a random set of colored digits that are relatively easy to read along with a MD5 hash string in a hidden field that must be submitted back along with the form.

So this will a) be relatively easy for users to see and enter but b) impossible to attack programatically. (we think)

So, this will leave him no choice but to manually fill in the form. Hopefully this will reach critical mass for "difficult and time-consuming..."

we will see

0
 
LVL 12

Expert Comment

by:Amick
ID: 34918580
It sounds as if you've got a good plan for the challenge.

If this were my site, I would keep an eye on the "top IP" reports from my web server, and archive the server logs.  Also, don't hesitate to get the authorities involved - In the US wire fraud is a Federal offense, but the penalties range from a fine and probation to several years in prison depending upon the severity of the crime and the history of the offender.  There is a website that accepts reports of Internet crime, http://www.ic3.gov, and there may already be a wealth of information available from the FBI to help you prevent further attacks.

It is good that you are taking the problem seriously, and with a combination of luck and skill you'll have this problem controlled very soon.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brand new malware strain was recently discovered by security researchers at Palo Alto Networks dubbed “AceDeceiver.” This new strain of iOS malware can successfully infect non-jailbroken devices and jailbroken devices alike.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question