Paypal says we are being "carded"

We appreciate your feedback - please let us know how we can improve AllProWebTools.
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Paypal says we are being "carded"

Post by Andy1735 »

We got this from Paypal this afternoon:

"We received word that your site is being carded. From 07/10/2017 through 07/11/2017 there have been 900 payments declined by CC processors compared to 1 successful transaction. Is this anything you or your team has noticed over the last few days?"

Have you noticed anything?
Dave
Support Team
Posts: 1221
Joined: Wed May 11, 2011 10:30 am
Website: www.allprowebtools.com

Re: Paypal says we are being "carded"

Post by Dave »

When a hacker obtains a long list of credit card numbers, it is common that they will enter those credit cards into a website to attempt to purchase a low-price item to verify which card numbers still work. Then they can go on and use them for larger purchases.

I believe that this activity is what is being referred to here.

AllProWebTools has built-in security that protects you from known attackers and other malicious activity. But there are currently no defense measures in place for repeated failed credit card charge attempts. The reason for this is that potential security measures could easily be circumvented by changing IP addresses between each charge attempt.

Your next step would be to ask Paypal for their recommendation.
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Re: Paypal says we are being "carded"

Post by Andy1735 »

Is there any way to tell if this activity is coming from secretcompassonline.com ?

I am not seeing any abnormal abandoned carts or anything weird.
Dave
Support Team
Posts: 1221
Joined: Wed May 11, 2011 10:30 am
Website: www.allprowebtools.com

Re: Paypal says we are being "carded"

Post by Dave »

It seems like you would see a high number of abandoned carts or a high number of orders that result in chargebacks. It is possible that the attack is a hack of your PayPal checkout button that is completely unrelated to your AllProWebTools website - and therefore out of our scope and ability to assist you with.

I would advise working with PayPal on this issue as their fraud department will have much more experience with these sorts of issues. Feel free to contact us if there is anything PayPal recommends that we can assist you with.
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Re: Paypal says we are being "carded"

Post by Andy1735 »

They sent us a small list of things to do, mainly stuff that is already in place. I will review that again and get in touch with them, and let you know if we need to do anything different.

The fact that these are all being declined is great. The system is working.
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Re: Paypal says we are being "carded"

Post by Andy1735 »

Dave, Paypal says this is still happening and they want it resolved. This is what they said: "On 7/16, the merchant experienced an increase in payment declines with 487 attempts. This activity continued into the early morning of 7/16. I recommend reaching out to the merchant and having them add CAPTCHA to the website. The merchant currently does not have this feature in their checkout."

Is CAPTCHA available?
Dave
Support Team
Posts: 1221
Joined: Wed May 11, 2011 10:30 am
Website: www.allprowebtools.com

Re: Paypal says we are being "carded"

Post by Dave »

We are very interested in tracking down this issue for you.

CAPTCHA is available under the following settings. Bear in mind that repeatedly submitting credit cards does not necessarily trigger as "threatening" behavior. Your account is currently set at "Medium" - I do not think that setting it to "High" will help you.

The Security Level you choose will determine which visitors will be presented with a challenge page. We recommend starting out at Medium.
  • Essentially off: Challenges only the most grievous offenders
  • Low: Challenges only the most threatening visitors
  • Medium: Challenges both moderate threat visitors and the most threatening visitors
  • High: Challenges all visitors that have exhibited threatening behavior within the last 14 days

I have extended your server logs to save over the next few days. Your website gets such a high volume of traffic that your server logs were purging every 12 hours - therefore, I am not able to access data from 7/16.

We do not have enough information to assist you in tracing this issue. Here are some items that would help:
  • If PayPal can provide the IP address that is initiating these failed transactions
  • The exact time and Date (with Timezone) of the occurrences so that we can track them in the logs
  • The name and address that was submitted with the failed transactions (This will help us to identify if the same account is being used repeatedly)
  • The dollar amounts of the failed transactions
  • Are these transactions being submitted via PayPal Standard or PayPal Pro?
  • Is there a record of these attempts in your PayPal log?
  • The HTTP REFERER variable that PayPal received with the transaction attempts.
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Re: Paypal says we are being "carded"

Post by Andy1735 »

Thanks Dave, I am forwarding to Paypal and will see what they say.
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Re: Paypal says we are being "carded"

Post by Andy1735 »

Paypal is still bugging us about CAPTCHA. Is there a way to require it on all checkouts?

I see "recaptcha configuration" on my administrator page but it is not turned on.
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Re: Paypal says we are being "carded"

Post by Andy1735 »

Here is Paypal's response:

1. If PayPal can provide the IP address that is initiating these failed transactions
   We do not provide the IP address
2. The exact time and Date (with Timezone) of the occurrences so that we can track them in the logs
   Jul 16, 2017 21:13:04 CDT - Jul 17, 2017 00:05:08 CDT
3. The name and address that was submitted with the failed transactions (This will help us to identify if the same account is being used repeatedly)
   Vava Heslen, I did not find an address
4. The dollar amounts of the failed transactions
   $500.00
5. Are these transactions being submitted via PayPal Standard or PayPal Pro?
   PRO
6. Is there a record of these attempts in your PayPal log?
   Yes, we can see them in our backend
7. The HTTP REFERER variable that PayPal received with the transaction attempts.
   I am not sure about this one
Dave
Support Team
Posts: 1221
Joined: Wed May 11, 2011 10:30 am
Website: www.allprowebtools.com

Re: Paypal says we are being "carded"

Post by Dave »

This information was helpful.

From the information provided, it sounds like this issue was isolated to a single user account on your website. I used the information "Vava Heslen" to look up this user in your account and found that the phone number and email address on this account were both bogus. The account also shows the billing address as "Oregon" but the IP address that was used to create the account appears to have originated in London (https://dig.whois.com.au/ip/198.134.108.78).

The information that you provided also suggests that this has not occurred again since Jul 17, 2017 00:05:08 CDT.

I suggest that you close this "user account" on your website to prevent them from logging in again in the future. You can do this by looking up the account in your console and then you will see a button in the top right that says "introduce". There is a dropdown arrow next to this button. If you click the dropdown arrow, you will find an option to "reset password" - if you do this, they will not know the new password and can no longer log in.

If you wish to delete this account altogether, you should do it AFTER you have reset the password.
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Re: Paypal says we are being "carded"

Post by Andy1735 »

Alright, I found a couple more accounts apparently created by this person and also reset the password on those. I will keep an eye out for future accounts that appear to be from this person.

Is there any way to block the IP address?

How is this person able to push through so many attempts with the Paypal PRO system? 900 attempts on 7/10 and 500 on 7/16. That can't be someone manually entering all those card numbers in.
Dave
Support Team
Posts: 1221
Joined: Wed May 11, 2011 10:30 am
Website: www.allprowebtools.com

Re: Paypal says we are being "carded"

Post by Dave »

Please provide the other accounts that you have found so that we can continue looking into this issue. This will allow us to see if they are using the same IP address each time. It is most likely that they are using a different IP each time, which makes blocking a single IP ineffective.

The more information that you can provide, the more helpful it will be to our investigation into this matter.
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Re: Paypal says we are being "carded"

Post by Andy1735 »

Ids 15411, 15415, 15472, 15497, 15499. I have done the password reset on all of them as they seem to be using fake emails. The last two are recent, only noticed this morning.
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Re: Paypal says we are being "carded"

Post by Andy1735 »

Also, 15500 seems to have just been created.
Dave
Support Team
Posts: 1221
Joined: Wed May 11, 2011 10:30 am
Website: www.allprowebtools.com

Re: Paypal says we are being "carded"

Post by Dave »

Thanks for the additional information. We were able to determine that these accounts seem to be created manually, but from IP addresses all over the world including New York, London, Indonesia, and Utah. An IP block will not help.

We are currently working on a solution for you and we will post additional information here.
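
Added example, not part of the thread and not AllProWebTools code: a sliding-window count of declined charges over a constructed checkout log, keyed once by account and once by source IP, showing why a per-IP limit misses the pattern described in this thread while a per-account limit catches it. The record layout, account names, window and threshold are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_attempts():
    """Constructed checkout log: (time, account, source IP, outcome).
    Account names and IPs (documentation ranges) are made up for this example."""
    t0 = datetime(2017, 7, 16, 21, 13, 4)
    rows = [  # one account, a different IP on every attempt, every charge declined
        (t0 + timedelta(seconds=15 * i), "acct-A", f"203.0.113.{i + 1}", "declined")
        for i in range(40)
    ]
    # an ordinary customer: one mistyped card, then a successful payment
    rows.append((t0 + timedelta(minutes=2), "acct-B", "198.51.100.7", "declined"))
    rows.append((t0 + timedelta(minutes=3), "acct-B", "198.51.100.7", "approved"))
    return sorted(rows)

def flag_by(attempts, field, window=timedelta(minutes=10), max_declines=5):
    """Return every value of `field` (1 = account, 2 = IP) that collects more
    than max_declines declined charges inside one sliding time window."""
    recent = defaultdict(deque)   # key -> timestamps of declines still in window
    flagged = set()
    for row in attempts:          # attempts must be in time order
        when, outcome, key = row[0], row[3], row[field]
        if outcome != "declined":
            continue
        times = recent[key]
        times.append(when)
        while when - times[0] > window:   # drop declines older than the window
            times.popleft()
        if len(times) > max_declines:
            flagged.add(key)
    return flagged

def flagged_accounts(attempts):
    return flag_by(attempts, 1)

def flagged_ips(attempts):
    return flag_by(attempts, 2)

if __name__ == "__main__":
    log = sample_attempts()
    print("accounts over threshold:", sorted(flagged_accounts(log)))
    print("IPs over threshold:     ", sorted(flagged_ips(log)))
```

A per-account limit only holds while new accounts are costly to create, which is where a challenge on the checkout page fits in.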
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Re: Paypal says we are being "carded"

Post by Andy1735 »

Sounds good. Thank you!
Dave
Support Team
Posts: 1221
Joined: Wed May 11, 2011 10:30 am
Website: www.allprowebtools.com

Re: Paypal says we are being "carded"

Post by Dave »

We are currently testing the new solution. We will notify you when it is ready to be implemented.
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Re: Paypal says we are being "carded"

Post by Andy1735 »

Hey Dave, paypal is pissed. From them: "From 7/23/17 through 7/24/17 there have been 1,127 transactions declined by CC processors" and they really want to see a captcha on the checkout submit page for all orders. Any way to turn that on for everyone?
JohnB
Support Team
Posts: 1022
Joined: Wed Nov 04, 2015 3:57 pm
Website: www.allprowebtools.com

Re: Paypal says we are being "carded"

Post by JohnB »

Hello,

We have just rolled out the ability for you to add a Recaptcha to the checkout page of your site.

Just head to Settings->Administrator, and under the "Recaptcha Configuration" panel, you can click on the link Get Key to set up a Recaptcha Key and Secret through your Google account. Once you've set that up, saved the information in AllProWebTools, and turned Recaptcha on with the switch at the top of the panel, you can click on the Recaptcha Location button in that same "Recaptcha Configuration" panel, and make sure the "Checkout Page" is set to "Show" to enable Recaptcha on your checkout page.

This video may be helpful in setting up your Recaptcha Site Key and Secret if you need help:


Please let me know if you need any more assistance in getting this turned on for your site!
Andy1735
Posts: 537
Joined: Tue Sep 08, 2015 2:57 pm
Website: www.secretcompassonline.com

Re: Paypal says we are being "carded"

Post by Andy1735 »

Awesome! I have it set up. Thanks!