    #76
    Bruce, is it possible, and is there a market, to create a module that helps others create their own simple modules, for individuals who don't know how to create simple modules, like an online Miva Merchant module builder?
    Possibly, and it's something we (a couple of module developers) have been working on/experimenting with for the last year... but it's probably a 3 to 6 month investment (schedule time, not calendar), and not being able to know what exactly Miva 10 will bring probably means nothing released till after 10.
    Bruce Golub
    Phosphor Media - "Your Success is our Business"

    Improve Your Customer Service | Get MORE Customers | Edit CSS/Javascript/HTML Easily | Make Your Site Faster | Get Indexed by Google | Free Modules | Follow Us on Facebook
    phosphormedia.com



      #77
      Originally posted by Bruce - PhosphorMedia

      Possibly, and it's something we (a couple of module developers) have been working on/experimenting with for the last year... but it's probably a 3 to 6 month investment (schedule time, not calendar), and not being able to know what exactly Miva 10 will bring probably means nothing released till after 10.
      Providing Miva 10 and all the stars align just right, would such a module permit even novices like myself to create a simple module, or would one still need Miva Script knowledge? Just curious.
      Thank you, Bill Davis



        #78
        It will still require MivaScript and, more importantly, a decent level of understanding of the entire Miva system and API, so, no. But the main idea is to make simple modules EASIER for developers to build and distribute, instead of having to try to write and explain complex SMT code.

        For example, the last go-round of showing products that belong to sub-categories of a category. That would be a relatively simple modulette.

        That being said, from a performance perspective, I'd use something like that tool to just assign the products to the top-level category and then have that tool run daily or something.
        Bruce Golub
        Phosphor Media - "Your Success is our Business"

        Improve Your Customer Service | Get MORE Customers | Edit CSS/Javascript/HTML Easily | Make Your Site Faster | Get Indexed by Google | Free Modules | Follow Us on Facebook
        phosphormedia.com



          #79
          Originally posted by lesliekirk

          Thanks for the module! I'm still trying to wrap my head around version 3. So no checkbox displays? It just sends the form to never-never land if it's a bot?

          I have another question (since this just came up) - will this work on the popup Password Lookup: modal? There is one on the LOGN screen, so would I put LOGN in the Watched Action List?

          Miva Support has told the store owner to add reCaptcha to all the "forms" on her store. I'm thinking if this is the case, should Miva be providing some how-to's for this?

          Leslie Kirk
          Miva Certified Developer
          Miva Merchant Specialist since 1997
          Previously of Webs Your Way
          (aka Leslie Nord leslienord)

          Email me: [email protected]
          www.lesliekirk.com

          Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr



            #80
            Hi lesliekirk - yep, it should work fine; correct, you would put LOGN in the watched list. Adding Google's ReCaptcha code (HTML, JavaScript etc.) to the popup is done separately. I haven't tested it for LOGN but I expect it would work fine - let me know if you hit a snag though. My own plan is to eventually add it throughout sites I work on as well.

            About how-to's, at first I was confused by ReCaptcha v3, but after working through it I do understand it better, so I think Google's help pages are ok as far as that goes. But it did take me a couple of reads for whatever reason.

            Since there's no built-in way to validate a recaptcha token on a Miva-handled action (like ICST), a how-to from Miva would be a problem. They could explain everything as far as adding the JavaScript etc., but once it gets to the point of validating the token, we're stuck. The how-to would have to do one (or more) of these:
            • tell users to write a Miva module
            • tell users to contact a 3rd party developer to write the module for them
            • tell users to contact Miva's Professional Services dept (to write the module for them)
            Or I suppose you could tell them to use my free module lol

            Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.



              #81
              Thanks Mike521w. I'm stuck at "be sure to use 'GoogleReCaptchaResponse' as the name of the form field for the ReCaptcha token" in the instructions for your module.
              Leslie Kirk
              Miva Certified Developer
              Miva Merchant Specialist since 1997
              Previously of Webs Your Way
              (aka Leslie Nord leslienord)

              Email me: [email protected]
              www.lesliekirk.com

              Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr



                #82
                lesliekirk Google's docs for this suggest a few ways to verify the token, one of which is to place the token in a form field. From there it will be passed to the backend system when the form is submitted. Their documentation (https://developers.google.com/recaptcha/docs/verify) suggests naming the field "g-recaptcha-response".

                So when you submit the form, the backend system (in our case, the Miva module) looks for that field by name. But for some reason I had a problem with that when writing the module. I think it was the dashes, if I remember right - having a field name with dashes was a problem. So the module is coded to look for a field named "GoogleReCaptchaResponse" instead.

                So the front end code might look something like this:

                Code:
                <form method="post" action="https://example.com/mm5/merchant.mvc">
                    <!-- hidden field the module reads; the name must be exactly GoogleReCaptchaResponse -->
                    <input type="hidden" name="GoogleReCaptchaResponse" value="">
                    <!-- ... other form stuff here -->
                </form>
                <!-- _reCAPTCHA_site_key_ is a placeholder for your v3 site key; use the same key in both places -->
                <script src="https://www.google.com/recaptcha/api.js?render=_reCAPTCHA_site_key_"></script>
                <script>
                    grecaptcha.ready(function() {
                        grecaptcha.execute('_reCAPTCHA_site_key_', {action: 'homepage'}).then(function(token) {
                            // copy Google's token into the hidden field so it is posted with the form
                            jQuery("input[name='GoogleReCaptchaResponse']").val(token);
                        });
                    });
                </script>

                Now when the page loads, google creates a token, and sets that token as the value for the "GoogleReCaptchaResponse" field. That gets passed to Miva when the form is submitted, and the module reads it and sends it to Google for validation / score retrieval.

                Hope that makes sense, let me know
                Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.



                  #83
                  Following up on this - I had to disable the module because when someone was trying to log into their account they were greeted with a blank screen. I obviously had it misconfigured. Before I even had a chance to disable the module the store owner had opened a support ticket (understandably so). In the email conversation with support I was asked why I was trying to implement reCaptcha on these submit forms and was given this recommendation:

                  there is a Customer CSRF Setting that you could try checking for to see if it is enabled in the admin under Menu > Customers > Settings tab: Require CSRF Token for Customer Actions. Once enabled, Miva will require this hidden input for all custom account changes (change password, update address, etc). It is recommended the CSRF_Token be added to customer account pages and enabled in the admin for added security. The template changes needed for this feature can be found here: https://www.miva.com/mm9.7_template_changes.html

                  Has anyone tried this?
                  Leslie Kirk
                  Miva Certified Developer
                  Miva Merchant Specialist since 1997
                  Previously of Webs Your Way
                  (aka Leslie Nord leslienord)

                  Email me: [email protected]
                  www.lesliekirk.com

                  Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr



                    #84
                    Hi lesliekirk sorry for the slow response,

                    I just tested the Recaptcha module on the LOGN page of one of the sites I manage and it worked with no problem. Can you show some code and/or screenshots of your setup? Just be sure to block out the site key and secret key if you screenshot the admin setup.

                    For me the setup was:
                    1. Add Google's script (asdfasdf = my ReCaptcha v3 site key):
                      Code:
                      <script src="https://www.google.com/recaptcha/api.js?render=asdfasdf"></script>
                      <script type="text/javascript">
                          grecaptcha.ready(function() {
                              grecaptcha.execute("asdfasdf", {action: 'AccountLogin'}).then(function(token) {
                                  // put the token in the hidden field inside the form with id LoginForm
                                  jQuery("#LoginForm input[name='GoogleReCaptchaResponse']").val(token);
                              });
                          });
                      </script>
                    2. Add the form field to the form with id LoginForm:
                      HTML Code:
                      <input type="hidden" name="GoogleReCaptchaResponse" value="">
                    3. In the module admin, my new settings were:
                      Watched Action List: ICST,LOGN
                      Tolerance Levels: 0.3,0.3
                    Since the watched action list and tolerance levels are comma separated, basically this means that I'm watching ICST and I want a value of 0.3, and I'm watching LOGN and I also want a value of 0.3.

                    I was able to log in before and after adding ReCaptcha. For argument's sake I then changed the Tolerance Level setting to 0.3,5 - which means for LOGN I want Google's score to be 5, and that basically makes it impossible to validate since Google only returns a value between 0 - 1. As expected, on my next login attempt I got a 403 error.

                    This was the first time I tested it with multiple actions being watched, so it looks good to me. Anyway, let me know what your setup was and I'll see if anything stands out to me.

                    About the CSRF token, I think Miva support mentioned the same thing to me when I was discussing ReCaptcha with them on the ticket I opened when I was trying to stop the fake account creation. I don't know much about CSRF, but the response from ILoveHostasaurus on this thread doesn't seem to indicate that it has much to do with validating human vs bot. In my situation it did nothing to stop the fake accounts from being created on the site I was working on at the time. To be honest, I thought at the time that the Miva support reps were just kind of hoping that the CSRF token would do something that (from what I can tell) it's not intended to do.
                    Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.

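The server side of the flow Mike521w describes in #82 (the module reads the GoogleReCaptchaResponse field, posts the token to Google's siteverify endpoint and checks the score) together with the per-action settings in #84 (Watched Action List and Tolerance Levels, comma separated, 403 when Google's score is below the tolerance), as an added worked example in JavaScript. This is not the module's MivaScript and not code from the thread: the function names, the settings object and the constructed siteverify responses are assumptions for illustration, and the check that Google's reported action matches the one the page requested comes from Google's verify documentation rather than from the thread.

```javascript
// Added example (not the module's own code). Assumed names: parseTolerances,
// evaluateSiteverify, buildSiteverifyBody, fetchSiteverify. Settings strings
// mirror the admin fields in the thread: "ICST,LOGN" and "0.3,0.3".

// Parse the two comma-separated admin settings into { action: minimumScore }.
// A count mismatch is a configuration error, so fail loudly instead of guessing.
function parseTolerances(watchedActionList, toleranceLevels) {
  const actions = watchedActionList.split(',').map(s => s.trim()).filter(Boolean);
  const levels = toleranceLevels.split(',').map(s => s.trim()).filter(Boolean);
  if (actions.length !== levels.length) {
    throw new Error('Watched Action List and Tolerance Levels must have the same number of entries');
  }
  const tolerances = {};
  actions.forEach((action, i) => {
    const level = Number(levels[i]);
    if (Number.isNaN(level)) throw new Error(`Tolerance for ${action} is not a number`);
    tolerances[action] = level;
  });
  return tolerances;
}

// Decide whether a submission may proceed. `mivaAction` is the Action= value
// being handled (ICST, LOGN, ...); `expectedAction` is the name passed to
// grecaptcha.execute on the page; `siteverify` is Google's parsed JSON reply
// (success, score, action, hostname, "error-codes"). Unwatched actions pass
// through untouched; everything else needs success, a matching action and a
// score at or above the configured tolerance. reCAPTCHA v3 scores are 0..1, so
// a tolerance such as 5 (the #84 experiment) can never be met and yields 403.
function evaluateSiteverify(tolerances, mivaAction, expectedAction, siteverify) {
  if (!Object.prototype.hasOwnProperty.call(tolerances, mivaAction)) {
    return { allow: true, reason: 'action not watched' };
  }
  const threshold = tolerances[mivaAction];
  if (!siteverify || siteverify.success !== true) {
    const codes = (siteverify && siteverify['error-codes']) || [];
    return { allow: false, status: 403, reason: 'token rejected: ' + codes.join(',') };
  }
  if (siteverify.action !== expectedAction) {
    return { allow: false, status: 403, reason: 'action mismatch: ' + siteverify.action };
  }
  if (typeof siteverify.score !== 'number' || siteverify.score < threshold) {
    return { allow: false, status: 403, reason: `score ${siteverify.score} below tolerance ${threshold}` };
  }
  return { allow: true, reason: 'ok' };
}

// Build the x-www-form-urlencoded body for Google's siteverify endpoint.
// "secret", "response" and "remoteip" are the documented parameter names;
// the token comes from the form field the module expects, GoogleReCaptchaResponse.
function buildSiteverifyBody(secret, formFields, remoteip) {
  const params = new URLSearchParams();
  params.set('secret', secret);
  params.set('response', formFields.GoogleReCaptchaResponse || '');
  if (remoteip) params.set('remoteip', remoteip);
  return params.toString();
}

// Network call (needs Node 18+ global fetch). Not exercised offline; the
// evaluation functions above take its parsed JSON as input.
async function fetchSiteverify(secret, formFields, remoteip) {
  const res = await fetch('https://www.google.com/recaptcha/api/siteverify', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildSiteverifyBody(secret, formFields, remoteip),
  });
  return res.json();
}

// Constructed sample replies in the shape Google documents (not real responses).
const SAMPLE_SITEVERIFY_OK = { success: true, score: 0.9, action: 'AccountLogin', hostname: 'example.com' };
const SAMPLE_SITEVERIFY_BAD = { success: false, 'error-codes': ['invalid-input-response'] };

// Walk through the thread's two configurations for a LOGN submission.
function demo() {
  const normal = parseTolerances('ICST,LOGN', '0.3,0.3');
  const impossible = parseTolerances('ICST,LOGN', '0.3,5');
  return {
    normalLogin: evaluateSiteverify(normal, 'LOGN', 'AccountLogin', SAMPLE_SITEVERIFY_OK),
    impossibleLogin: evaluateSiteverify(impossible, 'LOGN', 'AccountLogin', SAMPLE_SITEVERIFY_OK),
    badToken: evaluateSiteverify(normal, 'ICST', 'AccountCreate', SAMPLE_SITEVERIFY_BAD),
    unwatched: evaluateSiteverify(normal, 'SFNT', 'AccountLogin', null),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

A practical point the numbers in #84 make: the tolerance is a floor on Google's 0..1 score, so raising it is a trade between blocking more bots and rejecting more real shoppers; the action check is what stops a token minted for one page (say the home page) from being replayed against the login action.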


                      #85
                      Just want to thank Mike521w for sharing his module code and answering all the questions. I haven't installed the module but I did appreciate reading the code and learning from it.

                      CSRF tokens are an extra bit of validation that prevents cross site scripts from forging first party cookies. Yet, a sophisticated bot can penetrate CSRF. GoogleReCaptcha works but as you know needs to be validated on the server. Your module is the only and best solution.

                      I know that you have invested a lot of time in this thread and it is sometimes a thankless job -- but THANK YOU!
                      http://www.alphabetsigns.com/



                        #86
                        alphabet no problem, I'm glad it's helpful so far! : )
                        Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.



                          #87
                          Just an additional thought for the thread. Cloudflare, even the $20/mo plan, allows you to create custom web application firewall rules and apply them to specific URIs. A very useful first step for sites that are being attacked with credential testing is the ability to place a JavaScript challenge in front of the customer login page alone; legit customers who click on it will see a 'testing your browser' screen for a few seconds, then the login page will appear like normal. Most bots cannot make it past that because they don't behave like real browsers, and then real shoppers don't have to deal with the captcha hassle. You can also dial up captcha as an option, without code changes on the site side.
                          David Hubbard
                          CIO
                          Miva
                          [email protected]
                          http://www.miva.com



                            #88
                            Also have the Shadow theme and discovered hundreds of weird customer accounts tonight. The names look like parts of encryption. No address. Is the new Miva 10 able to do something about this?



                              #89
                              It would be possible to add a recaptcha to that screen; this is not a built-in feature of the account login screen, so it would require adding some code to the page rather than ticking a checkbox. Personally I'm not a big fan of that option because it could inconvenience some shoppers. The Cloudflare option, where you could apply the few-second JavaScript-based browser check to your account registration URL, would be preferable because there's no "click here to confirm you're a human" or "check which boxes contain traffic lights".
                              David Hubbard
                              CIO
                              Miva
                              [email protected]
                              http://www.miva.com



                                #90
                                Where are we at with this? We're getting slammed with fake registrations. Is there some convenient, effective solution to stop this?
