Payment DECLINED repeated attempts - Security Flaw - How to prevent?

On July 19 of this month we became a victim of someone using a script (or some other utility) to make repeated attempts to validate credit card numbers through our cs-cart store. The only way we were able to stop them was to contact our host (WiredTree.com) and have them block the attacker's IP address. We now feel very vulnerable with cs-cart.

Earlier today we submitted a request to the cs-cart custom development specialist for a cost estimate for code to be added to our cart so we could manually set a limit on how many times a person could re-submit a DECLINED credit card order. However, after considerable thought, since that attacker was using some type of script I think adding the declined transaction submission limiting feature to the cart would not prevent such an attack in the future, because they were using some type of script, circumnavigating the page form. This is definitely a BIG security weakness in cs-cart that we strongly believe needs to be remedied fast. Luckily I was sitting at our computer and saw the multiple ORDER DECLINED emails coming in. In less than 10 minutes 49 DECLINED transactions were processed from the same IP address. We had to contact WiredTree.com and have them immediately put a block on the attacker's IP address. Each submission cost us $0.05, no big deal, BUT if I was not at the computer THOUSANDS of submissions could have been made. Authorize.net refuses to reverse any of the charges. They told me the canned statement that, unfortunately, at the present time they have no way of preventing the problem I encountered. WHAT? That's ludicrous. Any suggestions anyone?

Bill Galkowski, manager/developer
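The post above asks for a limit on repeated DECLINED submissions and then worries that a script posting straight to the checkout would bypass it. The example below is added here and is not code from the original poster, from CS-Cart or from Authorize.net; it shows why the limit works when it is enforced at the point where the gateway is called rather than in the page form. The class and function names (`DeclineThrottle`, `process_checkout`), the `gateway` callable and the IP addresses are all constructed for the example. It counts declines per source IP in a sliding window and also keeps a store-wide count, so a burst like the 49-in-ten-minutes one described above is cut off after a handful of billable gateway calls, and rotating source addresses still runs into the global ceiling.

```python
"""Server-side throttle for repeated DECLINED card authorizations.

Added example (not CS-Cart or Authorize.net code). The check sits in front of
the gateway call, so it applies to a browser form and to a script that posts
directly to the checkout URL alike: a throttled request never reaches the
gateway and therefore never incurs a per-transaction fee.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class DeclineThrottle:
    def __init__(self, per_ip_limit=5, global_limit=30,
                 window=timedelta(minutes=10)):
        self.per_ip_limit = per_ip_limit    # declines allowed per IP per window
        self.global_limit = global_limit    # declines allowed store-wide per window
        self.window = window
        self._per_ip = defaultdict(deque)   # ip -> timestamps of its declines
        self._global = deque()              # timestamps of all declines

    def _prune(self, q, now):
        """Drop timestamps that have aged out of the sliding window."""
        cutoff = now - self.window
        while q and q[0] < cutoff:
            q.popleft()

    def allow(self, ip, now):
        """True if a gateway call from `ip` may be made at time `now`."""
        self._prune(self._per_ip[ip], now)
        self._prune(self._global, now)
        if len(self._per_ip[ip]) >= self.per_ip_limit:
            return False
        return len(self._global) < self.global_limit

    def record_decline(self, ip, now):
        self._per_ip[ip].append(now)
        self._global.append(now)


def process_checkout(throttle, ip, now, gateway):
    """Wrap the (hypothetical) gateway call; returns 'approved', 'declined'
    or 'throttled'. Only the first two correspond to a billed gateway call."""
    if not throttle.allow(ip, now):
        return 'throttled'
    if gateway():               # gateway() returns True when the card is approved
        return 'approved'
    throttle.record_decline(ip, now)
    return 'declined'


def simulate_burst(n=49, ip='203.0.113.7', per_ip_limit=5):
    """Constructed replay of the thread's scenario: `n` declined submissions from
    one IP, ten seconds apart. Returns the per-request outcomes."""
    throttle = DeclineThrottle(per_ip_limit=per_ip_limit)
    start = datetime(2011, 7, 19, 14, 0, 0)       # constructed timestamp
    outcomes = []
    for i in range(n):
        now = start + timedelta(seconds=10 * i)
        outcomes.append(process_checkout(throttle, ip, now, lambda: False))
    return outcomes


def window_expiry_demo():
    """Show that a blocked IP is allowed again once its declines age out.
    Returns (allowed_inside_window, allowed_after_window)."""
    t = DeclineThrottle(per_ip_limit=2, window=timedelta(minutes=10))
    t0 = datetime(2011, 7, 19, 14, 0, 0)          # constructed timestamp
    t.record_decline('198.51.100.9', t0)
    t.record_decline('198.51.100.9', t0 + timedelta(seconds=1))
    inside = t.allow('198.51.100.9', t0 + timedelta(seconds=2))
    after = t.allow('198.51.100.9', t0 + timedelta(minutes=11))
    return inside, after


def ip_rotation_demo():
    """Show that the store-wide limit still applies when every decline comes
    from a different address. Returns whether a fresh IP is allowed."""
    t = DeclineThrottle(per_ip_limit=5, global_limit=30)
    t0 = datetime(2011, 7, 19, 14, 0, 0)          # constructed timestamp
    for i in range(30):
        t.record_decline(f'198.51.100.{i}', t0)   # 30 distinct constructed IPs
    return t.allow('198.51.100.250', t0)


if __name__ == '__main__':
    r = simulate_burst()
    print(r.count('declined'), 'billed gateway calls,', r.count('throttled'), 'blocked')
```

The limits here are illustrative; the point of the global ceiling is that a merchant's legitimate decline rate is usually small and fairly steady, so a store-wide spike within a few minutes is itself a useful alarm to log and alert on even before any per-IP rule fires.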

Didn’t you respond on the same issue in another thread?

[quote name='tbirnseth' timestamp='1311487761' post='118111']

Didn't you respond on the same issue in another thread?

Order Declined - Hints & Modifications - CS-Cart Community Forums

[/quote]

Hello tbirnseth.



You are correct, I did. The reason I added it here is so the issue receives more exposure. The unrestricted repeated “order-declined” submission (in our opinion) is a serious issue that needs attention and remedy quickly. It is very unsettling to me why a method to limit repeated “ORDER DECLINED” submissions is not a standard feature in cs-cart. If it happened to us it can happen to other folks as well. As I indicated in the other post, had I not been at the computer to stop the culprit we could have easily had over $10,000 in transaction charges by Authorize.net, as happened to another company. Authorize.net charged them $0.10 for each (declined) transaction, totaling over $10,000, putting the company $6,000 in the red.



I did try the remedy you presented in that other post but unfortunately it did not work, as I had hoped it would. Thanks for your attention tbirnseth, I DO appreciate it. I am now waiting for the custom development team to get a price quote to us to have coding added that will allow us to set such a limit.

Bill G.

[quote name='Bill G.' timestamp='1311517838' post='118124']

Hello tbirnseth.



You are correct, I did. The reason I added it here is so the issue receives more exposure. The unrestricted repeated “order-declined” submission (in our opinion) is a serious issue that needs attention and remedy quickly. It is very unsettling to me why a method to limit repeated “ORDER DECLINED” submissions is not a standard feature in cs-cart. If it happened to us it can happen to other folks as well. As I indicated in the other post, had I not been at the computer to stop the culprit we could have easily had over $10,000 in transaction charges by Authorize.net, as happened to another company. Authorize.net charged them $0.10 for each (declined) transaction, totaling over $10,000, putting the company $6,000 in the red.



I did try the remedy you presented in that other post but unfortunately it did not work, as I had hoped it would. Thanks for your attention tbirnseth, I DO appreciate it. I am now waiting for the custom development team to get a price quote to us to have coding added that will allow us to set such a limit.

Bill G.

[/quote]



You mean to say that you received code from a third-party developer, free of charge, for a problem that affects your store. Then you continue to take up his time (and mine) by re-posting this issue on the forum, when there was already a dedicated thread available to discuss it in.



Not only did you waste our time, but you've also made it difficult for other users/members who MAY have your issue in the future.



Consequently, I highly suggest that you

  1. don't repost this issue
  2. use the 'Ideas' hyperlink at the top of this page
  3. contact CS-Cart directly
  4. Speak to your merchant to see if there are limitations available (fraud protection)



In relevance to this statement:

[quote]It is very unsettling to me why a method to limit repeated “ORDER DECLINED” submissions is not a standard feature in cs-cart.[/quote] What you WANT and WHAT you GET are COMPLETELY different. I manage 50 CS-Cart installations, I get this quotation daily - pay for it, problem solved.

[quote name='JesseLeeStringer' timestamp='1311524529' post='118125']

You mean to say that you received code from a third-party developer, free of charge, for a problem that affects your store. Then you continue to take up his time (and mine) by re-posting this issue on the forum, when there was already a dedicated thread available to discuss it in.



Not only did you waste our time, but you've also made it difficult for other users/members who MAY have your issue in the future.



Consequently, I highly suggest that you

  1. don't repost this issue
  2. use the 'Ideas' hyperlink at the top of this page
  3. contact CS-Cart directly
  4. Speak to your merchant to see if there are limitations available (fraud protection)



In relevance to this statement:

What you WANT and WHAT you GET are COMPLETELY different. I manage 50 CS-Cart installations, I get this quotation daily - pay for it, problem solved.

[/quote]

Hello JesseLeeStringer.

You (sarcastically) said: “You mean to say that you received code from a third-party developer, free of charge, for a problem that affects your store”. And my response to that incorrect assumption is, at no time whatsoever in my prior posts did I indicate in any manner whatsoever that we installed code from [any] “third party”. As a matter of fact, we have NO third-party modifications whatsoever in our cs-cart. Moreover, I DID speak to an Authorize.net representative and that representative stated that they have no method to prevent someone from continually submitting declined orders. If you want, contact Authorize.net yourself if you don't believe me.

Contrary to your [incorrect] assumption, we DID contact CS-Cart directly. We are waiting for the price quote from the CS-Cart custom development dept for the code request that I previously wrote about. Furthermore, my prior posts were written very succinctly (clearly), so why you wrote your sarcastic response I have no idea.

I think Jesse is referring to the code I gave you in the other post for “free of charge from 3rd party developer”…



If everyone double posted when they thought their particular issue was of the utmost importance, the forum would become unusable (same goes for those annoying users who bump posts because they don't get an answer in the time frame they think they should. Sometimes no one has an answer or solution and other times, people just don't see the problem in the same light as the poster.).



I would assume that your problem is not pervasive. I.e., I haven't seen any other posts related to this problem, and you can be sure that if merchants here were getting charged $2.00 more than they think they should, you would hear about it here.



I do see where it could be a problem if someone is using an automated tool to shove CC numbers through your checkout process waiting to find one that “hits”.

[quote name='tbirnseth' timestamp='1311563256' post='118148']

I think Jesse is referring to the code I gave you in the other post for “free of charge from 3rd party developer”…



If everyone double posted when they thought their particular issue was of the utmost importance, the forum would become unusable (same goes for those annoying users who bump posts because they don't get an answer in the time frame they think they should. Sometimes no one has an answer or solution and other times, people just don't see the problem in the same light as the poster.).



I would assume that your problem is not pervasive. I.e., I haven't seen any other posts related to this problem, and you can be sure that if merchants here were getting charged $2.00 more than they think they should, you would hear about it here.



I do see where it could be a problem if someone is using an automated tool to shove CC numbers through your checkout process waiting to find one that “hits”.

[/quote]

Acknowledged tbirnseth, and thanks.

I will continue this under Hints & Modifications in the ORDER DECLINED thread.