Announcement

Collapse
No announcement yet.

Someone is creating new fake customers accounts

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Mike521w
    replied
    Hi @sidFeyDesigns, sorry for the delayed response, it's been a while since I logged in.

    Your setup sounds good to me. I agree, if your customer looks at the product page for a while before adding to cart, then the token will expire. The solution would be to run the `grecaptcha.execute()` on form submit.

    This should still work even if you're using ajax to submit the form, and the customer might re-submit the same form later. For example maybe something like:

    Code:
    [script]
    let handleButtonClick = event => {
        event.preventDefault();
        grecaptcha.execute('our_site_key', {action: 'Add2Cart'}).then(function(token) {
            jQuery("#js-purchase-product input[name='GoogleReCaptchaResponse']").val(token);
    
            //proceed with add to cart ajax here, maybe something like:
            jQuery.ajax( jQuery("#js-purchase-product").attr("action"), jQuery("#js-purchase-product").serialize(), response=>{
                //do something with the response
            });
        });
    };
    [/script]
    <button type="submit" onClick="handleButtonClick">Submit</button>
    I just wrote this off the top of my head, syntax etc may be wrong and I'm not sure about the setup for jQuery.ajax, I could have things reversed. But anyway that's a general idea

    Leave a comment:


  • SidFeyDesigns
    replied
    Mike521w I just stumbled upon this thread and was thinking I could try to use your module to help protect our cart from protecting our site fraudulent bot "carding" by trying to prevent them from even adding something to the cart.

    Already have reCaptcha v3 set up and installed your module using ADPR in the action list and 0.3 as the tolerance level.

    On the PROD page I added this inside the add to cart form:

    Code:
    <input type="hidden" name="GoogleReCaptchaResponse" value="">
    And this directly after the form element:

    Code:
    [script src="https://www.google.com/recaptcha/api.js?render=our_site_key"][/script]
    [script]
    grecaptcha.ready(function() {
    grecaptcha.execute('our_site_key', {action: 'Add2Cart'}).then(function(token) {
    jQuery("#js-purchase-product input[name='GoogleReCaptchaResponse']").val(token);
    });
    });
    [/script]
    It works great as long as the customer adds a product to the cart before the token expires which I believe is 2 minutes.

    I would assume a fix for that would be to run the recaptcha function with on submit or on click.

    But it gets tricky (for me at least). Since this form uses an ajax add to cart function I also need it to run the recaptcha function again so a new token is given on the next attempt to add the same product to the cart again.

    I can send the ajax code privately since it will not let me post here.

    Any help would be greatly appreciated.

    Not opposed to hiring someone to help with this either.

    Leave a comment:


  • mvasquez
    replied
    We are seeing a massive spike in fake accounts on account creation page, and a salesforce form handler.. but only on one of our 9 miva stores. Very odd!

    Leave a comment:


  • Bruce - PhosphorMedia
    replied
    Well, yea...if you have that going on you'll need an Account Creation link, but that's rare.

    Leave a comment:


  • William Davis
    replied
    Originally posted by Bruce - PhosphorMedia View Post
    Interesting call. And yes. Basically there is little value (IMO) to offer creating an account for people who are not ordering something. So, having a method (several themes have this built in) that asks to create a account during or after ordering makes sense.
    I've appreciate your honesty to that you have always accustom us all to.

    The only reason I can think of for creating an account without a purchase is for signed-in customer price groups related scenarios, or I'm I missing something something else?

    Leave a comment:


  • Bruce - PhosphorMedia
    replied
    Originally posted by William Davis View Post
    Being that I now have a very similar problem, countless of fake affiliate accounts ...it's only a matter of time before they create fake customers accounts on our site, wouldn't a solution like "Phosphor Media Easy Account" address the issue?

    Essentially speaking, they would have to buy something before they can create the account.

    For a affiliate accounts one one have to come up with something different.
    Interesting call. And yes. Basically there is little value (IMO) to offer creating an account for people who are not ordering something. So, having a method (several themes have this built in) that asks to create a account during or after ordering makes sense.

    Leave a comment:


  • William Davis
    replied
    Being that I now have a very similar problem, countless of fake affiliate accounts ...it's only a matter of time before they create fake customers accounts on our site, wouldn't a solution like "Phosphor Media Easy Account" address the issue?

    Essentially speaking, they would have to buy something before they can create the account.

    For a affiliate accounts one one have to come up with something different.

    Leave a comment:


  • Mike521w
    replied
    Hi William Davis - the module I wrote should be able to stop these from being created. The download links / details / instructions are all on this thread, let me know if you have trouble

    Leave a comment:


  • William Davis
    replied
    Fake affiliate accounts started in 11/04/2019, averaging 3 accounts a day for months. Then is slowly increase to an average of 6 accounts a day for months, then 9, etc... Its now averaging 40 accounts a day -consuming bandwidth $.

    No unusual Authorization Failures found during this period.

    Leave a comment:


  • William Davis
    replied
    We just discovered someone is creating fake Affiliate accounts on our website, over 1,700!
    1. Why, what do they gain?
    2. Is there a way to determine IP address for those accounts?
    We are already already taken the following measures for now:
    1. Disable affiliate program option in Admin.
    2. Disabled affiliate log-in page from ReadyTheme navigation set.
    3. Disabled affiliate AFCL page. However, page is still being displayed. How would I stop from that page being displayed?
    Any other suggestions?

    Leave a comment:


  • aimcmc
    replied
    Mike521w Thank you. I understand. When I find some time I think I'll give it a whirl. Appreciate your time.

    Leave a comment:


  • Mike521w
    replied
    aimcmc sorry for such a late response, I was having trouble posting a response to you a while back and finally gave up, and today I remembered to give it another shot.

    Anyway, I understand the trouble! As far as finding developers, I think there's a Help Wanted section on this forum where you can make a post and people will respond if they can help you.

    About where to put the Google javascript, basically you'd put that anywhere on the page that you're checking. So for example if you're checking the ICST page, you'd find the ICST page template in the User Interface section of your Miva admin, and add the code there, somewhere before the closing body tag.

    Leave a comment:


  • aimcmc
    replied
    Thank you Mike521w Yes I did see that. I have been through it. Your instructions are understandable and reasonable. Where I fail is this ...

    "add Google ReCaptcha javascript to your site"

    I understand the google part, not the site (miva) part (where and how to put it on miva). I've searched for examples, instructions, don't see it.

    Where can I find more instruction how to do that?

    Finally, where and how to find a developer if necessary? Personally I've been a developer for over 49 years... from fortran, cobal, c, pascal, php, you name it, so I can still understand some things, but i'm now old and slow and don't have the energy ... so i need handholding in anything new, but i can comprehend when i can see it. That said, of course I value developers but our budget is stretched, so i need to do what i can if i can.

    Leave a comment:


  • Mike521w
    replied
    Hi aimcmc, not sure if you saw it but I have step-by-step instructions on the github page: https://github.com/MWScripts/Miva_GoogleReCaptcha

    It might still be easier for a developer to follow along

    Leave a comment:


  • aimcmc
    replied
    Mike521w so, so happy to hear from you. I've been trying to make sense of this thread and how to fix this problem but wasn't sure what's what and where exactly where to go. I'll dig back and search for your messages. I appreciate your help. Will message again if I can't grab the concept. Thanks again. -Ron

    Followup....

    I looked back. Found your discussion, but honestly, not being a miva developer, rather just a longtime user, it doesn't make a lot of sense to me. I wonder - 1) could someone provide a step-by-step instruction, text or video. I'd need from step one to the finished product. 2) if I'm eventually able to accomplish this, will future miva upgrades break it and we'll have redo any changes? 3) if this is an ongoing and horrid problem for all miva users, why doesn't miva corp make this fix for us? This, to me, seems to be a "must" fix, asap. Am I missing something? Is not this a fairly serious problem?

    I'll keep trying to figure out how to fix this, but more importantly we need to continue making sales rather than wasting time fixing problems that should not be our concern as a user. Miva?

    Followup 2...

    Looked again, a couple of times, wasting too much productive time -- I'm LOST, and don't have the time to figure this out. If Miva doesn't feel this is a problem, I guess we just let the fake users be created and ignore them.
    Last edited by aimcmc; 07-03-20, 02:12 PM. Reason: further followup

    Leave a comment:

Working...
X