Security technical flaw in CC5 and Authorize.net


SimChris


Hi, folks

Ran into a minor issue today, whereby somebody placing a fake order from Germany (.de), with a stolen card with billing address of American Samoa, was able to bypass the CC gateway setting by simply putting American Samoa as the state, and then U.S. as the country, and it pushed through to Authorize.net 2x before I caught it.

Adding an IP check to CC is going to be a mandatory addition to CC6 for us to keep using it as sadly it's too easy for people with stolen cards to use CC to "test" whether cards validate or not; a huge issue with all the hacked sites the past year.

Right now there is basically no way to stop somebody from testing cards, by tricking the country setting to bypass the "don't allow from countries" setting in CC, and Authorize.net doesn't check "country" for AVS, only address, zip, security code, and card number.

Basically ecom systems need to be more and more "locked down" with controls to block and/or blacklist IPs to stop abuse of the system.

Yes, we can manually block IPs at server level, but it doesn't stop somebody from running a series of cards as happened to us on Nov 30th or so, when Ukraine hackers were running 50+ cards against our store, using stolen American/US cards, when we're closed at night or weekends (when evil doers in other time zones are awake and we're sleeping).

PLEASE consider IP blocking option/blacklist, and possible "lock out" option for more than 5 order attempts.


True, CubeCart can be used to test a credit card. But so can Walmart (personal experience). Detection of fraudulent card use is not the industry I am in, so I do not know of all the myriad ways and means of "testing" a card. I can say there is no "cheap" way of detecting which transaction may be fraudulent.

 

Authorize.net does have some fraud detection measures in place. Other than AVS, these measures may be at added cost.

 

"Authorize.net doesn't check "country" for AVS."

 

AVS only checks (street number) address, zip (and +5 if selected) of the card's billing address, and only if provided by the card's issuer (which is mostly USA and Canada - maybe GB). Other checks include, security code, expiration date and card number (a parity check). You can have a transaction rejected if the card's issuer does not participate in AVS. But you should know this.

 

What the AVS check will NOT do is tell you what those values should have been. So, processing a card from a customer using a computer with an IP located in Germany will happen if the AVS, expiration date, and CVV2 code is approved by the card issuer. No merchant has the wherewithal to make any assumptions or conclusions about whether the card is stolen. Only the card's issuer can make that determination.

 

You can make a prophylactic attempt to deny sales to a delivery address that is not the billing address, and delivery addresses in the list of countries you will not ship to. I do like your idea of a "brute force" lockout - similar to CC's lockout after failing five times within five minutes to login.

 

There is an entirely different world conversation about how to improve the technology of the credit card so that fraudulent use is abated.


Well... the issue was with CubeCart specifically, where if I have American Samoa blocked in the CC5 panel for denied countries, the cart will still pass an order for ANY country over to Authorize.net regardless of the actual country the billing address happens to be, if USA is put in the country box on checkout - making the allowed/disallowed countries option meaningless for blocking unwanted customer groups as apparently intended. This happens prior to pushing to Authorize.net, and basically bypasses the behavior of not showing payment gateway option -- ANY country can post to authorize.net as long as United States is put in country box in CC checkout. So, blocking/allowed options in CC admin rendered meaningless. This was the point I was making.

And yes, bsmither, as a company who was building ecom systems for clients as of Jan 1996, including Oprah Winfrey/Civitas, the No Fear clothing company (remember them?), etc. (pardon name dropping), and in business 31+ years we are very aware of how cards work and how ecommerce works. Our old cart system prior to 2010 allowed us to block IP ranges in the cart system to disallow those customers creating accounts by doing IP lookup, which CC doesn't support; nor does it allow for any velocity checks, such as one customer trying 20 different order attempts over and over for THE SAME ORDER; which is not normal.

We don't use delivery addresses other than as required by the cart -- we only sell services, so shipping and tax related stuff generally not relevant to our use case. So checking for delivery address is meaningless in our context since ANY address could be entered when fraudster checking for working cards.

While we can use the advanced fraud detection suite as a paid option, it's not inexpensive, and being able to do basic IP check/deny for account creation and velocity check would be great addition to CC.

e.g.,

1) IP range for Ukraine blocked; on account creation check originating IP and if blacklisted, deny account creation or any purchase attempt before going to payment gateway(s).

2) order velocity check ... 5 or more failed order attempts with any mix of credit cards, all returning decline; stop order process and move order from pending to failed fraud review, etc.

I would think these kinds of options would be important for anybody wanting to sell downloadable content, but in our case completed checkout allows client to move on into our project submission system, which somebody who was a bad hat could take down by overloading the form handler for that, disallowing good customers from turning in work. So, we need to do as much as possible to pre-screen and block the bad hats. Which we do before any work is performed, obviously.

The issue has come up through

1) customer used 45+ cards on ONE pending order in CC5, until one worked, and got order confirmation, passed through to our project platform. Not good. Country on blocked list, but not relevant due to the stolen cards being U.S. based for billing/delivery addresses. No IP check capability to block origination of hacker/fraudster using system at all. We have now blocked Ukraine entirely from our server.

2) fraudster from another country (.de) using stolen card, with blocked country billing/delivery address, bypassed the block list for countries in CC for authorize.net by cleverly just changing country to United States vs American Samoa. CC5 let that go through, got 2 declines, and then I happened to see it purely by chance checking on a good customer payment.

Since we're in the news business, and main site has been online 15+ years, we have very high visibility in search, and so we do end up being targets for various things.

For 2015 I am evaluating other carts and security solutions because of this kind of security issue.

I am only bringing all of this to your attention for possible future solutions in CC6, possible plugin developers who may want to extend CC5/6 with some kind of security black list and velocity check, etc.

Example of some of the options folks are coming up with for other carts like the Woo folk:

http://aelia.co/shop/blacklister-for-woocommerce/

Key Features of Blacklister plugin

• Allows to blacklist email addresses, using exact matches or regular expressions.

• Allows to blacklist IP addresses, using exact matches or IP ranges.

• Customisable error messages to notify the user why their checkout process was halted.

Also for Woo

http://www.woothemes.com/products/woocommerce-anti-fraud/

These are just some of the examples of solutions for open source stuff, but the big commercial store systems are also building stuff like this in to fight the kinds of abuse which are only going to increase more and more.

Love you guys at CC ... almost 5 years now. However, the above kind of stuff needs to be "baked in" for our needs in the future.

Peace out, and happy holidays to all! :-)

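The two controls asked for in the post above (a country check that cannot be sidestepped by relabelling a territory address as "US" plus a state, and an order velocity check that moves an order to fraud review after five declines) can be implemented as a small server-side gate that runs before anything is sent to the payment gateway. The following is an added, self-contained Python illustration written for this thread; it is not CubeCart code and not part of any plugin mentioned here. The territory mapping, the `OrderGate` class, the one-hour window and all sample values are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed mapping (an assumption about address conventions, not CubeCart data):
# USPS state codes for US territories that also carry their own ISO country code.
# "AS" is American Samoa in both schemes, which is the case described in the thread.
US_TERRITORY_STATE_TO_COUNTRY = {
    "AS": "AS",  # American Samoa
    "GU": "GU",  # Guam
    "MP": "MP",  # Northern Mariana Islands
    "PR": "PR",  # Puerto Rico
    "VI": "VI",  # U.S. Virgin Islands
}

US_ALIASES = {"US", "USA", "UNITED STATES"}


def effective_billing_country(country: str, state: str) -> str:
    """Country the denied-country list is checked against.

    A billing address entered as country=US with a territory code in the
    state field is treated as that territory, so re-labelling the country
    box does not take the address off the denied list.
    """
    country = country.strip().upper()
    state = state.strip().upper()
    if country in US_ALIASES and state in US_TERRITORY_STATE_TO_COUNTRY:
        return US_TERRITORY_STATE_TO_COUNTRY[state]
    return country


@dataclass
class OrderGate:
    """Server-side checks run before an order is handed to the payment gateway."""
    denied_countries: set
    max_declines: int = 5          # the "5 or more failed attempts" threshold
    window_seconds: int = 3600     # sliding window the declines are counted in
    _declines: dict = field(default_factory=lambda: defaultdict(deque))
    _held: set = field(default_factory=set)

    def allow_payment_attempt(self, order_id, ip, country, state):
        """Return (allowed, reason) for one attempt to charge this order."""
        if ("order", order_id) in self._held or ("ip", ip) in self._held:
            return False, "held for fraud review"
        if effective_billing_country(country, state) in self.denied_countries:
            return False, "billing country not allowed for this gateway"
        return True, "ok"

    def record_decline(self, order_id, ip, now):
        """Record a gateway decline at time `now` (seconds).

        Declines are counted per order and per source IP. When either counter
        reaches the threshold inside the window, both the order and the IP are
        held and later attempts are refused without reaching the gateway.
        Returns the order status after recording.
        """
        for key in (("order", order_id), ("ip", ip)):
            q = self._declines[key]
            q.append(now)
            while q and now - q[0] > self.window_seconds:
                q.popleft()
            if len(q) >= self.max_declines:
                self._held.update({("order", order_id), ("ip", ip)})
        return "fraud_review" if ("order", order_id) in self._held else "pending"


if __name__ == "__main__":
    gate = OrderGate(denied_countries={"AS"})
    # Constructed sample: a "US" address with American Samoa in the state field.
    print(gate.allow_payment_attempt("order-1", "203.0.113.9", "US", "AS"))
    # Constructed sample: five declines on one order inside the window.
    for t in range(5):
        status = gate.record_decline("order-2", "203.0.113.9", t)
    print(status, gate.allow_payment_attempt("order-2", "203.0.113.9", "US", "NY"))
```

The gate is keyed on both the order and the source address, so a run of cards against one pending order and a run of new orders from one address both trip it; the held state is what an operator would release manually, as the thread describes for FraudLabs.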

Thanks for the very detailed post. I can see that this is rather a significant deal for you. I want to investigate this and see if we can build something with a monthly subscription if enough demand is there.

Seeing as live IP verification etc is needed it can't be a free service as there are costs involved.

By the way PayPal pro has ALL these features as standard! You can set payments to either be rejected outright or for manual review if you meet any criteria set by you.

E.G. Free email, country, velocity, order total, etc..


The issue was with CubeCart specifically, where if I have American Samoa blocked in the CC5 panel for denied countries, the cart will still pass an order for ANY country over to Authorize.net regardless of the actual country the billing address happens to be

This was never intended to be a security feature.


Hi

There are quite a few things that merchants can already do to protect themselves against fraudulent orders / transactions being converted and against chargebacks if any do slip through.

1) There is a FREE CubeCart plugin provided by FraudLabs which has all / most of these features that you have requested http://www.fraudlabspro.com/features. We use this ourselves in our hosting business (not using CubeCart) and it has the ability to set a threshold score (1 to 100) and any orders placed with a value above your set level are set to a status of Fraud and held, where they have to be manually released back to Pending ! There is a FREE plan for up to 500 orders per month which would cover a lot of people's stores on here and various paid plans above this - if anyone wants help implementing this, let me know as we are a reseller for this.

2) Due to the nature of our business, we have our threshold level set slightly higher than many people running CubeCart stores would need to and so a few times a year fraudulent orders do get through. However, because the payment provider that we use (SagePay) has 3d Secure validation (Verified by Visa and Mastercard Securecard) which we make mandatory for all transactions, we have never had a chargeback against us ! In the UK and increasingly across Europe, many card issuers enforce this (you have to enter an additional password or some letters from a password which should only be known to the card holder rather than simply entering the CVV code from the back of the card which anyone that has seen the card will know) although there are still a few that don't. The USA seems to have been very slow adopting this, which, along with the massive number of card data breaches over the last few years, means that almost all fraudulent attempts are using stolen USA card details. If you have 3d secure verification enabled but the card issuer doesn't yet implement it, they will not be able to issue a chargeback for any fraudulent transactions that get through.

Thanks

Ian


Yes exactly ! A true plugin that is obviously easy to install and is FREE as I said. We have several customers with it installed and it works well once it is configured correctly. FraudLabs provide many integrations for different software packages for free hence there also being one for the software that we use for our hosting business

Ian


Additional costs -- it's not free.

What did they quote you for the monthly fee?

Hi

There are quite a few things that merchants can already do to protect themselves against fraudulent orders / transactions being converted and against chargebacks if any do slip through.

1) There is a FREE CubeCart plugin provided by FraudLabs which has all / most of these features that you have requested http://www.fraudlabspro.com/features. We use this ourselves in our hosting business (not using CubeCart) and it has the ability to set a threshold score (1 to 100) and any orders placed with a value above your set level are set to a status of Fraud and held, where they have to be manually released back to Pending ! There is a FREE plan for up to 500 orders per month which would cover a lot of people's stores on here and various paid plans above this - if anyone wants help implementing this, let me know as we are a reseller for this.

Hi, Ian

thanks for sharing. I'd never heard of that plugin, and I did look around for one (guess they need to do some advertising!). I will look into that since we generally do less than 200 orders a month.

The issue was with CubeCart specifically, where if I have American Samoa blocked in the CC5 panel for denied countries, the cart will still pass an order for ANY country over to Authorize.net regardless of the actual country the billing address happens to be

This was never intended to be a security feature.

Um, then what is the point of having a feature to allow or disallow countries for each gateway, exactly?


As I said we're leaning to another system altogether for next year, which either had these types of features built-in, or one time fee vs ongoing added costs (E.g., Authorize.net's system is good, but not very cost effective for our small number of orders, albeit some with big ticket dollar value).

Just bringing this up that the built-in tools were not useful in blocking the issue we were having. It might not impact others, although I can see it being huge issue for those with downloadable content without "operator approval" for downloads (e.g., "instant download").

In any case for those of us in the USA, this might be some food for thought for additional CC6 features as selling point for the increasingly security conscious.

Thanks again for all the feedback :-)


As I said we're leaning to another system altogether for next year, which either had these types of features built-in, or one time fee vs ongoing added costs

I would be concerned about anyone claiming to offer this type of service for free or for a one-time cost unless at a very low level (like FraudLabs do with their free plan) as the data gathering requirements are huge and constantly changing


Um, then what is the point of having a feature to allow or disallow countries for each gateway, exactly? 

 

I would expect in the US this isn't of much use but in Europe certain countries have certain payment methods others don't. For this reason it was designed to allow the merchant to show payment options for specific countries. As a quick example in the UK paying with a bank transfer is common or maybe even a cheque. Buyers in the Netherlands don't tend to have credit cards.. etc... etc..

 

It was never supposed to work with the country drop down on "seamless" credit card forms like in AIM. 

 

 

 

I would be concerned about anyone claiming to offer this type of service for free or for a one-time cost unless at a very low level

Completely agree with Ian. I'm sure it can be free if no real time data lookup is needed though. e.g. Free email account and velocity is easy to monitor.


Chris out of interest are you using AIM? If this store has such a low order turnover surely the expensive PCI scanning services make this payment method the wrong choice entirely?

 

Why not alleviate PCI responsibility and use a hosted payment form from a payment company that has built in fraud tools at no extra cost?! That seems like a no brainer to me but of course I don't know your requirements and contracts etc so it's easy for me to assume. :)


  • 3 weeks later...

Hi, Al

thanks for all the feedback. Always know my feedback has always ever been intended to better the product, vs being one of the whiny complaining folk you sometimes run into around such forums. :-)

We are using AIM. We have no expensive cost for the PCI-DSS compliance as it's included in our merchant services contract now, and First Data covers that cost for us now. Since we've been in business, have a merchant account for 20 years, have our own servers, etc., why pay to host a payment system elsewhere which we cannot control security on. Prefer to do it in house. Our ecom systems have not been hacked EVER, although numerous attempts since 1996 ;-) Paranoia mode = on!

For CubeCart ...

My main "wish list" for security would be the ability to always capture IP (yes, we know it can be forged) on any account setup, and be able to query that against an internal blacklist, to stop some folks from creating further fake accounts to test the system, either as spam account, to see how far they can get without using credit cards, see what kind of email replies they get to assess mail and php replies, etc.

So,

fake customer sets up dummy account; IP 1.2.3.4

fake customer sets up dummy account; IP 1.2.3.5

fake customer tries fraud; IP 2.3.4.5

blacklist 1.2.3.4, 1.2.3.5

blacklist 2.3.4.5

fake customer tries setup; IP = blacklist ; warning message not allowed due to system abuse - goodbye! Account NOT written to dbase and deleted, NO email sent to FAKE client, but logged as bad IP attempt.

We have something similar for those who try to login to our WordPress sites, by guessing username/passwords. After 3 attempts, the IP is blocked for 4 hours; further attempts from same IP, blocked for 2,000 hours (!).

Same idea. Nothing too horribly complex, just a "check new customer setup IP against internal black list" step. This assumes no guest checkout.

Thanks for all the great work. Has it really been 5 years ?

Happy holidays!

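The "check new customer setup IP against internal black list" step sketched in the post above, together with the exact-match / IP-range / email-regex entries the Blacklister plugin lists earlier in the thread, is a few dozen lines once a library that understands CIDR notation does the range matching. This is an added Python illustration written for this thread, not CubeCart code and not the Blacklister or FraudLabs plugin; the `Blacklist` class, `create_account`, the in-memory `accounts` dict standing in for the customer table, and every sample address and domain are constructed for the example. It uses the addresses from the post (1.2.3.4, 1.2.3.5, 2.3.4.5) and behaves as the post asks: a refused signup writes nothing to the customer table, sends no email, and leaves only a log entry.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Blacklist:
    """Internal blacklist: IPs and CIDR ranges, exact emails and email regexes."""
    networks: list = field(default_factory=list)        # ip_network objects (/32 for single IPs)
    emails: set = field(default_factory=set)            # lower-cased exact addresses
    email_patterns: list = field(default_factory=list)  # compiled regular expressions
    attempts: list = field(default_factory=list)        # log of refused signups

    def add_ip(self, entry: str) -> None:
        # strict=False accepts both host addresses ("1.2.3.4") and ranges ("2.3.4.0/24").
        self.networks.append(ipaddress.ip_network(entry, strict=False))

    def add_email(self, entry: str, regex: bool = False) -> None:
        if regex:
            self.email_patterns.append(re.compile(entry, re.IGNORECASE))
        else:
            self.emails.add(entry.strip().lower())

    def ip_is_listed(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return True  # a malformed client address is refused rather than guessed at
        return any(addr in net for net in self.networks)

    def email_is_listed(self, email: str) -> bool:
        email = email.strip().lower()
        return email in self.emails or any(p.search(email) for p in self.email_patterns)

    def check_signup(self, ip: str, email: str):
        """Return (allowed, message). A refused signup is logged and nothing else."""
        matched = []
        if self.ip_is_listed(ip):
            matched.append("ip")
        if self.email_is_listed(email):
            matched.append("email")
        if matched:
            self.attempts.append({"ip": ip, "email": email, "matched": matched})
            return False, "Account creation not allowed due to system abuse."
        return True, "ok"


def create_account(blacklist: Blacklist, accounts: dict, ip: str, email: str):
    """Signup handler: the blacklist check runs before any row is written or
    any confirmation mail is queued, so a listed visitor leaves no account."""
    allowed, message = blacklist.check_signup(ip, email)
    if allowed:
        accounts[email.strip().lower()] = {"signup_ip": ip}  # constructed stand-in for the customer table
    return allowed, message


if __name__ == "__main__":
    bl = Blacklist()
    for entry in ("1.2.3.4", "1.2.3.5", "2.3.4.0/24"):   # addresses from the post, one as a range
        bl.add_ip(entry)
    bl.add_email("known.bad@example.com")
    bl.add_email(r"@throwaway\.example$", regex=True)    # constructed disposable-mail domain
    accounts = {}
    print(create_account(bl, accounts, "1.2.3.4", "new@example.net"), accounts)
    print(create_account(bl, accounts, "198.51.100.7", "new@example.net"), accounts)
    print(bl.attempts)
```

Keeping the blacklist as parsed `ip_network` objects means an exact IP and a whole range are matched by the same `in` test, and the escalating lockout the post describes for WordPress logins could be driven from the `attempts` log by the same velocity logic used for declined orders.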
