Captcha in GOLD to Prevent Scripts

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.
calvis
Rear Admiral (RADM)
Posts: 710
Joined: Tue Jan 27, 2004 3:57 pm
Location: Redmond, WA

Captcha in GOLD to Prevent Scripts

Post by calvis » Tue Sep 12, 2017 2:26 pm

We recently underwent an attack in which 20 fraudulent orders (about 4,500 dollars' worth) were placed in a span of 2 days. They used the correct billing address and shipped them to random people across the US. They were placing orders via a script because of the speed that the accounts were created and the orders placed. The attacks continued even after captcha was turned on. The attacks used different IP addresses, and we found a pattern and were able to manually watch for that pattern, thus preventing any more orders being shipped. The attack has since stopped, but we are working on security measures to prevent it if it does happen.

Does anyone know how to make captcha stronger? Seems like reCAPTCHA is the way to go but I am sure how much time and trouble it would be to implement that. This attack was very vicious for the fact they had all the billing information correct on the card and we got lucky to notice it after day 2.

Any other suggestions would be welcomed. I've had this happen before, but not to this scale and which was done by a rogue affiliate, but I am unable to find any motive other than to make us accumulate as many chargebacks as possible.
Able Customer Since 1999 Currently Running on GOLD R12 SR1 and PCI Certified.

sfeher
Captain (CAPT)
Posts: 220
Joined: Fri Jun 04, 2004 1:58 pm
Location: Steubenville, Ohio

Re: Captcha in GOLD to Prevent Scripts

Post by sfeher » Thu Sep 14, 2017 3:18 am

We leverage our gateway account (Authorize.net) to ensure that the "Order Velocity" is in check. We run several stores where orders are consistent, but NOT typically that quick.
We usually leave our speed in the range that matches the rolling 12-month average..... Sure helps.
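A store-side version of the order-velocity check described in the reply above, combined with the new-account and ship-to-mismatch pattern from the first post, as an added example that is not part of the thread and is not Authorize.net's or AbleCommerce's code. The order records, the 12-month order count, the 3x multiplier and the 30-minute account-age cutoff are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample orders (not from the thread):
# (order id, placed, account created, billing ZIP, shipping ZIP)
SAMPLE_ORDERS = [
    ("A1", "2017-09-10 09:05", "2016-03-01 12:00", "98052", "98052"),
    ("A2", "2017-09-10 13:40", "2017-01-15 08:30", "43952", "43952"),
    ("B1", "2017-09-11 02:01", "2017-09-11 01:58", "10001", "73301"),
    ("B2", "2017-09-11 02:09", "2017-09-11 02:06", "60601", "85001"),
    ("B3", "2017-09-11 02:15", "2017-09-11 02:13", "30301", "97201"),
    ("B4", "2017-09-11 02:22", "2017-09-11 02:20", "94101", "33101"),
]

# Assumed history: 4,380 orders in the last 12 months = 0.5 orders/hour.
BASELINE_PER_HOUR = 4380 / (365 * 24)


def flag_orders(orders, baseline_per_hour, multiplier=3.0,
                window=timedelta(hours=1), new_account=timedelta(minutes=30)):
    """Return {order_id: [reasons]} for orders to hold for manual review.

    velocity: store-wide orders in the trailing window exceed
        baseline_per_hour * multiplier, scaled to the window length.
        The count is store-wide, so changing IP addresses does not reset it.
    new_account_ship_mismatch: the account was created shortly before the
        order and the shipping ZIP differs from the billing ZIP.
    """
    limit = baseline_per_hour * multiplier * (window / timedelta(hours=1))
    parsed = sorted(
        (datetime.strptime(p, FMT), datetime.strptime(c, FMT), oid, b, s)
        for oid, p, c, b, s in orders
    )
    recent, flagged = deque(), {}
    for placed, created, oid, bill_zip, ship_zip in parsed:
        recent.append(placed)
        while recent[0] <= placed - window:  # drop orders older than the window
            recent.popleft()
        reasons = []
        if len(recent) > limit:
            reasons.append("velocity")
        if placed - created <= new_account and bill_zip != ship_zip:
            reasons.append("new_account_ship_mismatch")
        if reasons:
            flagged[oid] = reasons
    return flagged
```

On the constructed data the two ordinary orders pass, the first order of the burst is held on the account-age and address rule alone, and the rest are held on both rules.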

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: Captcha in GOLD to Prevent Scripts

Post by Shopping Cart Admin » Thu Sep 14, 2017 1:34 pm

Hi Charles,

While scripts are easy to create to fill in forms, there isn't a benefit to creating one for twenty orders or twenty of any actions on the internet. It would be days of work. You'd need to add captcha to the user registration page to stop a script, whereby default it's only on the returning login of an existing user. Since I don't believe it was a script, the captcha wouldn't have accomplished anything in this case as they would have just typed it in. It's super easy to use proxy servers on the internet from a single location to have multiple IP addresses. You don't really sell gifts and I'm guessing you're liable to get a pretty high degree of fraud; I'd consider only shipping to the billing address.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com

calvis
Rear Admiral (RADM)
Posts: 710
Joined: Tue Jan 27, 2004 3:57 pm
Location: Redmond, WA

Re: Captcha in GOLD to Prevent Scripts

Post by calvis » Thu Oct 05, 2017 11:40 am

Some updates.

After careful review we determined it was not a script but rather a real human being. We were able to catch the orders, but it has started back up again with much more sophistication, which has made detection very difficult. In the meantime our fraud rate has skyrocketed. We are looking to ship orders only to the billing address, but I am not sure how to do that. In the older version of Able there was a setting to prevent shipping to a different address.

Where is the setting in GOLD?