  1. #1

    Too many logins - was using my site for card slamming

    Any way to get a report of who has logged in numerous times?

    We noticed attempted fraud when the actual card holders started calling in asking about identical dollar amounts charged and credited to their accounts. After generating a report from our merchant on declined orders and searching Abandoned carts with no dollar amount matches, as they were using the same dollar amount, and trying to look at the times on the report to estimate their time zone and search Super Tracker with no luck, I finally set up PayPal to let orders come through so I could capture their IP address and block it in my cPanel. I then looked up his account and found out he had logged in 120 times, when all my others average from 1 to 4 times. This account stood out. I did not delete it, as they will simply create a new account; rather, I altered his login email so if he is using an automated system it would just fail logging in, plus they simply mask their IP. They ran about $200 worth of transaction fees on my merchant account. Why my bank did not call and ask how I did more in one day than I do all month is a different story.

    Looking for some helpful input. I have MaxMind, and even set Guest Checkout to force logoff; they must have a script that runs the card numbers from a database on my cart, and by keeping their session active they never time out. Our report from the merchant verified the terminal ID and it was our e-commerce account.

  2. #2

    Re: Too many logins - was using my site for card slamming

    Zen Cart already does card-slamming protection by logging the customer out and killing their session after 3 failed payment attempts.

    If you want to add custom code to do more than just kill the session and require them to log in again before slamming some more, you can write a custom observer class to hook the NOTIFY_CHECKOUT_SLAMMING_LOCKOUT notifier point and take whatever additional action you believe will outsmart your visitor just before it logs them out. It could involve sending yourself an email, or maybe something highly sophisticated like triggering IP blocking, although IP blocking is pretty drastic, especially if the customer legitimately needs a 4th attempt.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
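
    An observer of the kind described in the post above, as an added example that is not code from this thread or from Zen Cart itself: it hooks NOTIFY_CHECKOUT_SLAMMING_LOCKOUT, records the account id, its logon count and the source IP, and emails the store owner. The class name, file name and auto-loader entries are hypothetical; the code assumes Zen Cart's `$zco_notifier`, `$db`, `zen_mail()` and `TABLE_CUSTOMERS_INFO` are loaded, as they are on a normal storefront page.

```php
<?php
// Added example, not Zen Cart core code.
// Assumed location: includes/classes/observers/class.slamming_alert.php
// Assumed auto-loader entries (in a new includes/auto_loaders/config.*.php file):
//   $autoLoadConfig[90][] = array('autoType' => 'class',
//                                 'loadFile' => 'observers/class.slamming_alert.php');
//   $autoLoadConfig[90][] = array('autoType' => 'classInstantiate',
//                                 'className' => 'slammingAlertObserver',
//                                 'objectName' => 'slammingAlertObserver');
class slammingAlertObserver extends base
{
    function __construct()
    {
        global $zco_notifier;
        // Notifier named in the post: fired just before the customer is logged out.
        $zco_notifier->attach($this, array('NOTIFY_CHECKOUT_SLAMMING_LOCKOUT'));
    }

    function update(&$class, $eventID, $paramsArray = array())
    {
        global $db;
        // The session may already be partly torn down, so default every field.
        $customerId = isset($_SESSION['customer_id']) ? (int)$_SESSION['customer_id'] : 0;
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

        // Per-account logon counter kept in the customers_info table; an account
        // far above the store's usual 1 to 4 logons is worth a manual look.
        $logons = 'n/a';
        if ($customerId > 0) {
            $row = $db->Execute(
                "SELECT customers_info_number_of_logons AS n FROM " . TABLE_CUSTOMERS_INFO .
                " WHERE customers_info_id = " . $customerId
            );
            if (!$row->EOF) {
                $logons = (int)$row->fields['n'];
            }
        }

        $line = sprintf(
            'Slamming lockout: customer_id=%d logons=%s ip=%s time=%s',
            $customerId, $logons, $ip, date('Y-m-d H:i:s')
        );
        error_log($line); // goes to the PHP error log for later correlation
        zen_mail(STORE_NAME, STORE_OWNER_EMAIL_ADDRESS,
                 'Card-slamming lockout triggered', $line, STORE_NAME, EMAIL_FROM);
    }
}
```

    The alert only reports; any blocking decision stays with the store owner, which avoids locking out a customer who legitimately needs another attempt.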

  3. #3

    Re: Too many logins - was using my site for card slamming

    Thanks, I am version 1.3.9, is the feature you spoke of in mine?

    The merchant mentioned that when a card gets declined they loop the customer back (using the MES payment module) so they have to key in their info all over again. It may upset some customers, but they said it is one of many procedures they have to help stop these attacks, much like your comment on what if a customer needs a fourth try. I was also told by my merchant that the check box for Terms & Conditions is another step that is basically required by some merchants and helps thwart automated hackers.

  4. #4

    Re: Too many logins - was using my site for card slamming

    Quote (originally posted by seanscully):
    Thanks, I am version 1.3.9, is the feature you spoke of in mine?

    Yes.

  5. #5

    Re: Too many logins - was using my site for card slamming

    Thanks for your help

 

 
