Brute force attack to get credit card numbers.
About crackers using brute force to validate credit card numbers.
Date: Jan-2009
We were recently contacted by a Comersus user reporting an attack
with some unusual characteristics.
The attacker had not found a security breach in his store or
stolen data from his database; he simply tried to make payments
over and over again.
Even a superficial analysis showed that the attacker was not
trying to obtain merchandise, since he made no effort to go
unnoticed: he created hundreds of user accounts with the same
data, placed orders with quantities that would have drawn
attention in any kind of store, and did not even bother to use
a name that looked real.
What was the purpose of this attack?
The attacker had certainly obtained partial credit card data
from another store and was trying to fill in the gaps in that
information in order to make fraudulent purchases. He probably
did not have the CVV2 or the ZIP code of the billing address.
In any case, the store owner was extremely upset: his database
was being flooded with spurious information, store performance
had degraded because of the number of transactions generated by
the attacker's bot script, and, last but not least, his payment
gateway kept charging him for every transaction, even the
rejected ones.
What to do in a similar case?
This is not necessarily a failure of the shopping cart, since
the cart is simply allowing orders and payments to be posted.
The main action an admin should take is to enable the Comersus
functions that block these attacks. It is possible to block the
attacker's IP address, block the keywords he uses in his name or
e-mail address, and block orders above a certain amount (attackers
typically place orders for high amounts, which also lets them
determine the credit available on the card).
This helps prevent some attacks, but others keep taking place
since attackers change IPs and keywords and, in some cases,
even attack the payment script directly.
In these cases we advise you to:
1. Install a custom patch for the payment script so that it verifies
the request belongs to a valid session, to an active, logged-in
customer, and to an order with a pending payment.
2. Install a captcha verification on the payment script, so that
the customer has to enter a verification code before making a
payment.
3. Change payment gateways and use one that does not charge
for rejected transactions.
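The indicators named above (the attacker's IP, reused name/e-mail data across many accounts, unusually high order amounts, repeated declines) can be pulled out of a store's payment log before deciding which blocks or patches to apply. The following is an added example written for this page, not Comersus code; it assumes a constructed pipe-delimited log format and thresholds chosen for illustration.

```python
"""Flag the card-testing pattern described above in a payment-attempt log.

Added example (not part of Comersus). The log format below is constructed:
timestamp|client_ip|customer_email|billing_name|amount|gateway_result
"""
from collections import defaultdict

# Constructed sample: one IP cycling card data through fresh accounts that
# share the same billing name, plus two ordinary customers.
SAMPLE_LOG = """\
2009-01-12T10:00:01|203.0.113.5|test1@example.com|aaaa bbbb|4999.00|DECLINED
2009-01-12T10:00:03|203.0.113.5|test2@example.com|aaaa bbbb|4999.00|DECLINED
2009-01-12T10:00:05|203.0.113.5|test3@example.com|aaaa bbbb|4999.00|DECLINED
2009-01-12T10:00:07|203.0.113.5|test4@example.com|aaaa bbbb|4999.00|APPROVED
2009-01-12T10:01:00|198.51.100.7|jane@example.org|Jane Doe|49.90|APPROVED
2009-01-12T10:02:00|198.51.100.9|bob@example.net|Bob Smith|120.00|DECLINED
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, name, amount, result = line.split("|")
        rows.append({"ts": ts, "ip": ip, "email": email,
                     "name": name.strip().lower(),
                     "amount": float(amount), "result": result})
    return rows


def detect_card_testing(rows, max_declines=3, amount_limit=1000.0,
                        min_accounts_per_name=3):
    """Return the IPs, reused billing names and high-amount orders an admin
    would review; thresholds are illustrative assumptions."""
    declines_by_ip = defaultdict(int)      # repeated rejections per source IP
    accounts_by_name = defaultdict(set)    # distinct accounts sharing a name
    high_amount = set()                    # orders above the amount limit
    for r in rows:
        if r["result"] == "DECLINED":
            declines_by_ip[r["ip"]] += 1
        accounts_by_name[r["name"]].add(r["email"])
        if r["amount"] > amount_limit:
            high_amount.add(r["email"])
    return {
        "ips_to_block": sorted(ip for ip, n in declines_by_ip.items()
                               if n >= max_declines),
        "names_reused_across_accounts": sorted(
            n for n, s in accounts_by_name.items()
            if len(s) >= min_accounts_per_name),
        "high_amount_orders": sorted(high_amount),
    }
```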
If you need assistance with these tasks, Comersus customization
services are available.
Lastly, please take into account the following basic security
recommendations before putting your shopping cart into production.
A. If you use an Access database: rename the database folder, rename
the .mdb file, and ask your hosting provider's tech support
to prevent that file from being downloaded through the web.
B. Use strong passwords for your FTP, control panel, database
and BackOffice: combinations of letters and numbers, avoiding
common words.
C. Rename the backoffice folder.
D. Keep only the strictly necessary scripts on your website. If
you are not using BackOffice Lite, delete its folder. If
you don't use off-line credit cards, delete the comersus_offLinePaymentForm.asp
script; if you don't use PayPal, delete the comersus_gatewayPayPal.asp
script; and so on.
E. Never leave your store in "automatic" mode. Log in to your
BackOffice frequently and check that the payment, e-mail address
and admin settings are still as you set them.
F. Update to the latest release of Comersus Cart.