    Hi,

    I am sorry to hear that.

    As a first step, I’d recommend implementing a 3D secure verification on your site, so that when adding a card the customer will need to go through the verification. This will add an extra security layer on your site. More information is below:

    Let us know if you need further assistance.

    Thread Starter Jason

    (@galapogos01)

    Why does this plugin allow infinite payment attempts with no rate limiting at all?

    3DS is not a solution, and this plugin shouldn’t require another plugin to avoid security and performance issues.

    Cheers,

    Jason

    Plugin Support wpnomad a11n

    (@wpnomad)

    Hi @galapogos01,

    Why does this plugin allow infinite payment attempts with no rate limiting at all?

    There isn’t rate limiting added by default, as that may affect high-traffic stores (where all those payment attempts would be valid).

    We have more guidance on preventing card testing here, although those require additional plugins as well.

    Thread Starter Jason

    (@galapogos01)

    Sorry, your logic makes no sense.

    I had 25,000 payment attempts against a single order from a single IP. This has nothing to do with high volume sites.

    Your customers and Braintree themselves would appreciate a proper solution to this very real issue.

    Jason

    Hi,

    I understand your concern.

    To set up rules to prevent payment retries after a specific number of attempts, you can use this free plugin:

    Please note it is a plugin not supported directly by us, feel free to reach their support in case of interest from your side. This will add a second security layer to your business.

    Also, you can turn on Fraud Protection Advanced by logging in to your Braintree account, then navigating to Settings > Fraud Management and making sure Fraud Protection Advanced is enabled. More information is below:

    https://woocommerce.com/document/woocommerce-gateway-paypal-powered-by-braintree/#fraud-and-verification-tools

    Let us know if there are any questions.

    Thread Starter Jason

    (@galapogos01)

    I already have fraud prevention turned on.

    I don’t understand why you think it’s okay to use a third party plugin to solve problems with your own. Your customers are asking you to solve this issue in your plugin. Can you please listen to our request and add this to your development backlog as a high priority?

    Jason

    Hi @galapogos01

    We hear you!

    We truly understand the importance of this feature to you and we assure you that we are continuously working on enhancing the functionality and compatibility of our plugin.

    However, we appreciate your interest and feedback, and we invite you to submit a feature request for this option. Rest assured that we take our users’ feedback seriously and we always strive to improve our products.

    Please let us know if you have any further questions or concerns, and we’ll be happy to assist you.

    Thread Starter Jason

    (@galapogos01)

    Hi @galapogos01

    Thanks for raising your concern as a feature request. Our developers look up to these requests for the next enhancements to be added to the next release.

    Meanwhile, I will be marking this thread as resolved. Should you have further inquiries, kindly create a new topic here.

    Thanks!

    Hi Jason. Welcome to “WC core security gaps victim support group”.

    You should first join #security channel on WooCommerce Slack, here’s an invite link https://join.slack.com/t/woocommercecommunity/shared_invite/zt-1uetvimgj-MsoAFa5HbsyFxjcG2Dnjtg

    I drove creation of this channel after my WC site went through the same attack you’re experiencing.

    WC core currently ships zero protection for this abuse in core. There’s no security team that I know of, even, so it’s not surprising. This attack is gateway-agnostic, my experience with Stripe plugin is described at https://github.com/woocommerce/woocommerce-gateway-stripe/issues/918#issuecomment-1335918154

    We need to join efforts to get this situation improved.

    • This reply was modified 1 year, 3 months ago by lkraav.
    Thread Starter Jason

    (@galapogos01)

    Thanks for letting me know. I guess WC Core should be the ones fixing this.

    dloxton

    (@dloxton)

    We have just experienced this exact same issue; we are using Stripe for payments. Not sure what to do about it at the moment other than to block the IP and hope they are not smart enough to change IPs!

    lkraav

    (@lkraav)

    AFAICT core developers have done nothing to protect from this attack over past months. It needs more drive and demand.

    #security channel did get started on WooCommerce Slack.

    Your primary defense still is to have a captcha on checkout screen, do not accept orders without passing it.

    • This reply was modified 11 months ago by lkraav.
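    The per-IP limit on checkout attempts that this thread asks for, as an added illustration: it is not code from WooCommerce, the Braintree gateway or any poster here. It assumes it runs as an mu-plugin on a site where transients are shared by all web nodes, and the limit and window values are constructed placeholders to tune per store.

```php
<?php
/**
 * Plugin Name: Checkout Attempt Limiter (illustrative example, not part of WooCommerce)
 *
 * Assumptions: loaded as an mu-plugin; transients are visible to every
 * request (single node or shared object cache); limits below are constructed.
 */

add_action( 'woocommerce_after_checkout_validation', 'cal_limit_checkout_attempts', 10, 2 );

function cal_limit_checkout_attempts( $data, $errors ) {
    $max_attempts = 10;                      // attempts allowed per window (constructed value)
    $window       = 15 * MINUTE_IN_SECONDS;  // window restarts on each attempt (constructed value)

    // Key the counter on the client IP as WooCommerce resolves it.
    $ip  = WC_Geolocation::get_ip_address();
    $key = 'cal_checkout_' . md5( $ip );

    $attempts = (int) get_transient( $key );

    if ( $attempts >= $max_attempts ) {
        // Adding an error here fails validation before the gateway is called,
        // so no further card data is sent to the processor from this IP.
        $errors->add(
            'rate_limited',
            __( 'Too many checkout attempts. Please wait a few minutes and try again.', 'cal' )
        );
        // Leave a trace for detection: bursts of this line from one IP are the signal.
        error_log( sprintf( 'cal: checkout rate limit hit for %s (%d attempts)', $ip, $attempts ) );
        return;
    }

    // Count every validation pass, including ones that fail for other reasons,
    // since card-testing attempts typically fail validation repeatedly.
    set_transient( $key, $attempts + 1, $window );
}
```

    Because the counter lives in a transient, a host without a persistent object cache stores it in the options table, which is fine for low volume but worth checking under load.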
    Thread Starter Jason

    (@galapogos01)

    How can we escalate this with the core security team?

    Plugin Support wpnomad a11n

    (@wpnomad)

    Hi @galapogos01,

    How can we escalate this with the core security team?

    I’d recommend opening an issue on WooCommerce GitHub to start a discussion with the development team.

  • The topic ‘Thousands of posts to /?wc-ajax=checkout’ is closed to new replies.