Spamming credit cards, I want to limit number of declines

Posted: October 2, 2024 at 7:23 am


channingstrom

October 2, 2024 at 7:23 am

How can I limit the number of declines allowed on one registration?
We have a spammer that has set up an automation on one or sometimes several registrations that keeps trying credit card numbers. They are getting declined but using up resources, and declines cost me $0.03 each from Chase.


channingstrom

October 2, 2024 at 8:19 am

What they’re doing is creating a registration or ten by hand, then setting up an automation for trying credit cards on each of the registrations. I can’t trash the registrations because there are “transactions” associated with them.
Can I limit the number of declines to, say, three before the registration is cancelled (or disabled in some way)?


Garth

  • Support Staff

October 2, 2024 at 8:38 am

Hi there. I hate when someone does wrong things like this.

Event Espresso does not have a setting to limit the number of failed transactions, per se. It’s not irregular for people to regularly attempt 2-3 times per transaction, and maybe up to 10 attempts with different cards. And this bot/hacker is abusing that situation that merchants have to allow people to try several times.

However, here are a couple of suggestions:

1 – Use reCaptcha to require them to prove they are human, which makes it difficult for bots. Navigate to Event Espresso > Registration Form > Registration form Settings tab. There you can activate/control and enter your keys.

2 – You can control how quickly people have to complete their purchase by changing the session lifespan. Also on the Registration Forms Settings tab, you can set the checkout process time down (default is 1 hour) to maybe 15 minutes. If they do not successfully check out within 15 minutes they will have to start over again.

3 – Block the offending IP address from the server (ask your host the process to do this). This can be a revolving door because people can change their IPs, but it can make it difficult enough for them that they’ll go somewhere else. This will block them instantly, but not permanently. It might be worth looking at the access logs to see which IPs are hitting the checkout pages */registration-checkout/* more than necessary or repeatedly.

4 – Block the offending user agent. Similar to blocking the IP (check with your host about how to do this). This can also make it difficult for them and hopefully they move on.

Note, each successful transaction and registration does log the IP and user agent (in order to process correctly). That can be found in viewing the Transaction or Registration Details panel, click the “View additional session details” link (screenshot: https://www.screencast.com/t/bPpMwmMQfoi).

I hope that helps. We will talk internally about logging the IP and user agent for failed transactions too.
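
The access-log check suggested in point 3, as an added example (not part of the original reply and not Event Espresso code): it counts requests to */registration-checkout/* per IP and per user agent in a sliding window, so a client that rotates addresses but keeps one user agent still stands out. It assumes the web server writes the "combined" access log format; the log lines, addresses, the `ExampleBot/1.0` user agent and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
CHECKOUT = "/registration-checkout/"  # checkout path named in the reply above

def parse_line(line):
    """Return (ip, timestamp, path, user_agent), or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], m["ua"]

def flag_checkout_abuse(lines, max_hits=5, window=timedelta(minutes=10)):
    """Map ("ip"|"ua", value) -> peak checkout hits seen inside any one window,
    keeping only keys whose peak exceeds max_hits (assumed threshold)."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or CHECKOUT not in rec[2]:
            continue
        ip, ts, _, ua = rec
        seen[("ip", ip)].append(ts)
        seen[("ua", ua)].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            flagged[key] = peak
    return flagged

def _entry(ip, hhmmss, ua, method="POST"):
    return (f'{ip} - - [02/Oct/2024:{hhmmss} +0000] "{method} {CHECKOUT} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

# Constructed sample: one client rotating four IPs, one fixed IP, one ordinary customer.
SAMPLE_LOG = (
    [_entry(f"203.0.113.{10 + i % 4}", f"07:00:{i * 5:02d}", "ExampleBot/1.0") for i in range(8)]
    + [_entry("198.51.100.7", f"07:01:{i * 10:02d}", "ExampleBot/1.0") for i in range(6)]
    + [_entry("192.0.2.55", "07:02:00", "Mozilla/5.0", "GET"),
       _entry("192.0.2.55", "07:03:10", "Mozilla/5.0")])

if __name__ == "__main__":
    for (kind, value), hits in flag_checkout_abuse(SAMPLE_LOG).items():
        print(f"{kind:>2} {value:<20} peak {hits} checkout hits in 10 min")
```

On the sample, the four rotating addresses stay under the per-IP threshold while the shared user agent is flagged, which is the case where IP blocking alone falls short.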


channingstrom

October 2, 2024 at 8:56 am

We use your reCaptcha – I freshened the site and secret codes to be sure. Didn’t help. They are getting past the two places EE offers to put reCAPTCHA. They create the registration by hand then automate the card tries. 1600 times in the last 8 hours. My email processor has reached its daily limit for sending out declined emails. When they push the button, it goes every couple of seconds. This isn’t a case for limiting the time. Have put the IP to our host to try to block but… as you said, a bit of whack-a-mole. Must limit number of declines. Three tries is waaay reasonable. Even call it five. Please. I’ve got nothing else. Does my token help work this?


channingstrom

October 2, 2024 at 2:50 pm

Any progress in discussion about limiting declined cards? They’re going to start looking for other Event Espresso sites to attempt to clear their card numbers. At least that’s what I would do.


channingstrom

October 2, 2024 at 2:58 pm

I’ve deleted the one registration and while their bot is still in it they can keep trying. It just keeps declining, sending emails and I have no control.
Can you include the transaction in the reCAPTCHA coverage?


Garth

  • Support Staff

October 2, 2024 at 11:33 pm

I can understand your frustration, this has happened to us using the shopping cart we use for managing subscriptions. Keep working with your host or security plugins to continue to identify the IPs and/or User Agents and continue to block them.


channingstrom

October 3, 2024 at 7:00 am

Thanks, blocking IPs is not working. They’re spoofing IPs that are local to my customers. This is an EE vulnerability. I’ve turned off declined card emails – so at least not clogging that system. The solutions I see are enabling reCAPTCHA for each card try or limiting the number of card tries. Limiting the time to checkout is not working either. Now set at 15 min, their declined cards go into 30 and 40 minutes, about 5 per minute for each registration they have open at a time. This is costing money and time for us that EE is meant to limit. Is there enough vision into this thing that a token would put somebody on one of my ideas?


channingstrom

October 3, 2024 at 8:35 am

I guess I don’t understand “user agents”. We don’t have customers log in to WP for our system. Is that what this means? Many of these registrations don’t seem to have either IPs or user names. Or do they get stripped off when I decline the registration?


Garth

  • Support Staff

October 3, 2024 at 9:46 am

Hi Again,

“blocking IPs is not working. They’re spoofing IPs that are local to my customers.”

I’m curious about why blocking IPs isn’t working. What happens when you block the IP? Can you explain how they might be spoofing your local customer IPs? It seems very unlikely that they would have access to your Access Logs to know your customers’ IPs.

Also, just a quick note: User Agents identify the browser and operating system accessing your server. Your host should be able to assist you in blocking the user agent from those same IPs as well.
