A major new problem for ecommerce websites is called credit card slamming. Credit card slamming is the practice of foreign scammers hitting authorize.net multiple times with different credit cards in an attempt to find credit cards that are active. Why am I writing a post on credit card slamming? A friend of mine recently had his website hit with a credit card slamming scam that racked up tons of transaction charges and charged lots of credit card scam victims thousands of dollars. Most of that money will probably be refunded, but my friend is still stuck holding the bag for authorize.net transaction fees and the client who owned the website may leave him.
I run a website selling truck and car gauges that operates using zen-cart ecommerce software and uses authorize.net (as well as PayPal and Google Checkout) for payments. After I heard about what happened to my friend who got scammed by the credit card slammers, I decided to take proactive action. I use the most up-to-date version of zen-cart and am operating authorize.net with extra security measures. After doing some research I found additional methods for protecting your website from credit card slamming scams:
- Block all IP traffic from outside of your primary sales regions. You don't really want to be shipping goods to South America or Africa anyway, do you? This method helps protect you from criminals, but there are still ways for them to get around those blocks.
- Another method for protecting your zen-cart website from credit card slamming is to use this helpful piece of code from Damon Parker:
“The code snippet below can be used in modules/checkout_process.php to automatically log a user out after a set number (6 in the below snippet) of payment attempts.
// count payment attempts made during this session
if (!isset($_SESSION['payment_attempt'])) $_SESSION['payment_attempt'] = 0;
$_SESSION['payment_attempt']++;
if ($_SESSION['payment_attempt'] > 6) { // change 6 to change how many attempts to allow before logout
  // log attempt or email report
  // the following information is useful
  // "Host:\t\t".$_SESSION['customers_host_address'].
  // "\nCustomer:\t".$_SESSION['customer_id'].
  // "\nTotal:\t\t".$_SESSION['cart']->total,
  // destroy session to log customer out
  zen_session_destroy();
  // redirect to timeout page or create new page to redirect to
  zen_redirect(zen_href_link(FILENAME_TIME_OUT, '', 'SSL'));
}
Place in between this code near the top of the file:
if (!$_SESSION['customer_id']) {
  zen_redirect(zen_href_link(FILENAME_TIME_OUT));
}
// INSERT AUTO LOGOUT FUNCTIONALITY HERE
// load selected payment module
require(DIR_WS_CLASSES . 'payment.php');
$payment_modules = new payment($_SESSION['payment']);
// load the selected shipping module
require(DIR_WS_CLASSES . 'shipping.php');
I found six attempts to work well on the sites I implemented it on. You do not want to adversely impact normal users but you do want to make it harder on abusers so that they just go away.”
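The snippet above keeps its counter in `$_SESSION`, and `zen_session_destroy()` clears that counter along with the login, so the count starts again at zero in the next session. The code below is an added example (not Damon Parker's code and not part of Zen Cart; PHP 8+) that keeps the count outside the session, keyed on the host address and customer id the snippet already suggests logging. The class name, the JSON store file, the one-hour window and all sample values are assumptions.

```php
<?php
// Added example, not Zen Cart code. Counts payment attempts per key in a
// sliding time window, in a store that outlives any single session.
final class PaymentAttemptLimiter
{
    public function __construct(
        private string $storeFile,         // hypothetical JSON store; a DB table suits production better
        private int $maxAttempts = 6,      // same threshold as the snippet above
        private int $windowSeconds = 3600  // assumed window length
    ) {}

    /** Record one attempt under every key; true if any key is now over the limit. */
    public function hit(array $keys, int $now): bool
    {
        $fh = fopen($this->storeFile, 'c+');
        if ($fh === false) {
            return true; // fail closed: refuse the attempt if the store is unusable
        }
        flock($fh, LOCK_EX); // serialize concurrent checkout requests
        $data = json_decode(stream_get_contents($fh) ?: '{}', true) ?: [];
        $blocked = false;
        foreach ($keys as $key) {
            // keep only timestamps still inside the window, then add this attempt
            $recent = array_filter($data[$key] ?? [], fn($t) => $t > $now - $this->windowSeconds);
            $recent[] = $now;
            $data[$key] = array_values($recent);
            $blocked = $blocked || count($recent) > $this->maxAttempts;
        }
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, json_encode($data));
        flock($fh, LOCK_UN);
        fclose($fh);
        return $blocked;
    }
}

// Constructed demo: eight attempts from one host, each arriving in a fresh session.
$limiter = new PaymentAttemptLimiter(tempnam(sys_get_temp_dir(), 'pay'));
$start = 1700000000; // constructed timestamp
for ($i = 1; $i <= 8; $i++) {
    $_SESSION = []; // a session-based counter would read zero here every time
    // In checkout_process.php the keys would come from $_SESSION['customers_host_address']
    // and $_SESSION['customer_id']; the values below are constructed.
    $over = $limiter->hit(['host:203.0.113.7', 'customer:42'], $start + $i * 30);
    echo "attempt $i: ", $over ? 'refused' : 'allowed', "\n";
}
```

When `hit()` returns true, the same log-and-redirect steps from the snippet above apply.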
Credit card slamming appears to be a pretty annoying new scam. I would like to hear if anyone else in the zen-cart or authorize.net communities has found a solution for credit card slamming… any ideas?
Interesting-
Does authorize.net simply require a credit card number to authorize transactions? Can an ecommerce site require a Vcode or similar physical, backup verification number? And if so, why don't they?
Yes, they do require a verification code from the back of a credit card, but hackers can still hammer servers enough to get even these. I require it on digital-auto-gauges.com.