Shopping Cart Software Forum for Ecommerce Templates
 
 Make reCaptcha Mandatory

Steve@envisionit.com.au
Advanced Member

Australia
250 Posts


Posted - 04/11/2021 :  22:20:47  
How do I make reCaptcha Mandatory? My payment gateway provider has come back with this advice:

Our team has reviewed the URL you shared https://sellcad.com.au/cart.asp and can confirm that the Captcha is a mandatory field for creating a new account.
However, we have placed a test order through the checkout without the requirement of creating a new account. The Captcha on the checkout page is not a compulsory field.
This means that fraudsters may be able to simply checkout as a 'guest' and bypass the Captcha. We recommend reviewing this with your website developer.

Once the Captcha is a mandatory field on the checkout page, please notify our team so that we can add this information to your fee review request.


Steve Bungay
Envision IT Pty Ltd
Suite 4, Level 2, 255 Blackburn Road
MOUNT WAVERLEY VIC 3149
Tel: +61 3 9886 7240
Fax: + 61 3 9886 7377

Vince
Administrator

42466 Posts

Posted - 04/12/2021 :  01:20:50  
Hi Steve
If you want to force customers to checkout with an account then add this parameter to the includes.asp file...
forceclientlogin=TRUE

Vince


Steve@envisionit.com.au
Advanced Member

Australia
250 Posts


Posted - 04/22/2021 :  17:09:30  
Thanks. I did that and it worked.
The eWAY team however has come back with this observation yesterday. How do we comply with this:
We can confirm that it is not possible to access the checkout without completing the reCAPTCHA, however on your actual checkout page, we were able to submit card details without completing the second captcha. This means that an attacker could manually complete the captcha to create an account, then set up an automated script on the checkout page itself that will submit transactions without needing to complete a captcha. Once you have updated your checkout to require the captcha to be completed, please let us know and we will review your request further.

Steve Bungay

Vince
Administrator

42466 Posts

Posted - 04/23/2021 :  10:18:35  
Hi Steve
If you go to the ECT Admin Main Settings page and go down to the reCAPTCHA section, then set reCAPTCHA on for "Card Entry". Is that maybe what you are looking for?

Vince


Steve@envisionit.com.au
Advanced Member

Australia
250 Posts


Posted - 04/26/2021 :  20:55:11  
Hi Vince

Both the Card Entry and forceclientlogin=TRUE are there. I assume I have entered it in the correct file, i.e. includes.asp in the vsadmin folder.

I am not sure what this means - without completing the second captcha - in eWAY email.

Is it that there should be one more captcha? I am not sure how to replicate this.

Regards


Steve Bungay

dbdave
ECT Moderator

USA
10276 Posts

Posted - 04/26/2021 :  21:45:13  
Hi Steve, based on your original post, you stated they wrote
quote:
This means that fraudsters may be able to simply checkout as a 'guest' and bypass the Captcha


Captcha does not stop "fraudsters". It's designed to stop automated bots.
If your payment provider is worried about "fraudsters" then I don't see how captcha helps.

I suppose maybe you are selling a super high risk item(s) and maybe that's why they are asking for this, but I can tell you that a fast way to push customers away is to force them through multiple captcha(s).

Personally, I would not use it on checkout unless for some reason, you absolutely must.
But really if the client is required to fill out a captcha to get an account, and customers must log in to an account to checkout, shouldn't that be enough to satisfy this request?

David

Vince
Administrator

42466 Posts

Posted - 04/27/2021 :  04:48:34  
I have to say that also, trying CAPTCHA with eWay this morning it doesn't actually work and probably shouldn't be used with eWay. The reason is that eWay is going to POST the card number to the eWay site, so the CAPTCHA result can't be checked.

Vince


Steve@envisionit.com.au
Advanced Member

Australia
250 Posts


Posted - 04/27/2021 :  17:59:43  
Hi Vince

What can I reply to eWAY on this? Do you mean that we do not use ECT if we have to use eWAY?

On the observation of dbdave, we are not selling anything high risk. We are not actually selling anything that involves a delivery to an unknown buyer. The issue has arisen because someone played with the payment gateway and performed about 400 transactions in an hour. So, eWAY is wary of it.

For us, it is a manageable risk but it would be very high risk for merchants whose living depends on shopping cart.


Steve Bungay

Vince
Administrator

42466 Posts

Posted - 04/29/2021 :  02:28:05  
Hi Steve
What I'm saying is that to put CAPTCHA at the point of card entry would mean that I have to POST the CAPTCHA result back to the server before POSTing the card number to eWay. This means that the whole idea of "my server never sees the credit card number as it's posted over a secure connection directly to eWay" goes right out of the window.
But there is another thread about duplicate transactions using the same eWay access code and I really don't think eWay should be allowing that, and if 400 transactions were posted in an hour I think what has been done is someone went through the process, got an access code and used that to hit the server. eWay should maybe think about making those access codes one time use, or at least make that a possibility / option.

Vince
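
Added example, not part of the thread and not ECT or eWAY code: a Python simulation of the flow discussed above, where the merchant server can only check a CAPTCHA before it hands out an access code, and the card is then posted straight to the gateway. It compares reusable and single-use access codes under 400 submissions; `ToyGateway`, `MerchantCheckout`, the `"solved"` token and the per-session limit are all hypothetical.

```python
import secrets

class ToyGateway:
    """Stand-in for a hosted payment gateway (hypothetical, not eWAY's API)."""
    def __init__(self, single_use):
        self.single_use = single_use
        self.codes = set()

    def create_access_code(self):
        code = secrets.token_urlsafe(16)
        self.codes.add(code)
        return code

    def submit_card(self, code):
        # The browser posts card data here directly; the merchant never sees it,
        # so no merchant-side CAPTCHA check can run at this step.
        if code not in self.codes:
            return False
        if self.single_use:
            self.codes.discard(code)  # a replayed code is now unknown
        return True

class MerchantCheckout:
    """Merchant server: the only place a CAPTCHA result can be verified."""
    def __init__(self, gateway, verify_captcha, max_codes_per_session=3):
        self.gateway = gateway
        self.verify_captcha = verify_captcha  # callable(token) -> bool (assumed)
        self.max_codes = max_codes_per_session
        self.issued = {}                      # session id -> codes issued

    def start_payment(self, session_id, captcha_token):
        if not self.verify_captcha(captcha_token):
            return None                       # no CAPTCHA, no access code
        if self.issued.get(session_id, 0) >= self.max_codes:
            return None                       # cap codes issued per session
        self.issued[session_id] = self.issued.get(session_id, 0) + 1
        return self.gateway.create_access_code()

def replay(single_use, attempts=400):
    """One solved CAPTCHA, one access code, then `attempts` card submissions."""
    gateway = ToyGateway(single_use)
    # Constructed stub: a real check would be a server-side CAPTCHA verification.
    shop = MerchantCheckout(gateway, verify_captcha=lambda t: t == "solved")
    code = shop.start_payment("session-1", "solved")
    return sum(gateway.submit_card(code) for _ in range(attempts))

if __name__ == "__main__":
    print("accepted with reusable codes:  ", replay(single_use=False))
    print("accepted with single-use codes:", replay(single_use=True))
```
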

Shopping Cart Software Forum for Ecommerce Templates © 2002-2022 ecommercetemplates.com