
Faked Orders

This is a discussion on Faked Orders within the Paypal forums, part of the Payment Modules category; Recently we have been experiencing a huge surge in faked orders on our shop sites. I know how they do ...

  1. #1
    New Member
    Join Date
    Aug 2007
    Posts
    6


    Default Faked Orders

    Recently we have been experiencing a huge surge in faked orders on our shop sites. I know how they do it, but I'm a little hesitant to post the exact details here as I don't wish to encourage more of this to happen. It is very very easy to do, and instructions are widespread on the web.

    We have 1 site on Oscommerce and the other on Oscmax. I have developed solutions on the Osc site, with specific workaround code for each processor we use there. But on Oscmax, we only have one susceptible processor (Paypal), and I haven't been able to find a way to beat it. I've tried all I can, using both regular and IPN versions of the PP modules. No good.

    Can anyone advise if this issue is known, and if so, is there a solution? The word out there is that the more advanced Paypal modules for oscommerce are not susceptible (though I haven't tried it as we don't accept Paypal at our Oscommerce store).

    Thanks.

  2. #2
    osCMax Developer
    michael_s
    Join Date
    Jul 2002
    Location
    Phoenix, AZ
    Posts
    19,907


    Default Re: Faked Orders

    PM me the details of the problem.
    Michael Sasek
    osCMax Developer



  3. #3
    New Member
    Join Date
    Aug 2007
    Posts
    6


    Default Re: Faked Orders

    Quote Originally Posted by michael_s View Post
    PM me the details of the problem.
    Hi - I must be missing something - I don't see a way to send Private Messages in this forum. I see "visitor messages" but those appear to be public - so I have sent a request to your Yahoo ID to add me as a contact. I'll send one to MSN too in a moment.

    Thanks,
    Kevin

  4. #4
    Active Member MindTwist
    Join Date
    Jun 2007
    Location
    Barcelona, Spain
    Posts
    409


    Default Re: Faked Orders

    Just click on his forum name (michael_s), a menu will pop up with an option to send a private message to him amongst others.

  5. #5
    New Member
    Join Date
    Aug 2007
    Posts
    6


    Default Re: Faked Orders

    Thanks - but I found out that the reason I could not PM was I don't have enough posts in the forum to have that privilege. I got in touch over an IM client instead so no problem.

  6. #6
    New Member
    Join Date
    Aug 2007
    Posts
    6


    Default Re: Faked Orders

    michael_s, I don't suppose you ever found that solution you said you were going to dig up for this issue?

    (Hoping)

    Thanks

  7. #7
    jpf
    osCMax Testing Team
    Join Date
    Sep 2003
    Location
    Manitoba, Canada
    Posts
    2,699


    Default Re: Faked Orders

    Suggestions - setup a "random" question/answer or captcha...

    Something like
    "Complete the following sentence: Roses are red, violets are....."
    "Enter answer: __________________"

    Or look at:
    Anti Robot Registration Validation 1.0 + images


    Though it will not stop them - at least slow them down.
    JPF - osCMax Forum Moderator - To contact, post on the forum or click here
    Try out our osCMax at: Live Catalog Demo
    Limited access Admin: Live Admin Demo
    Feel free to add products the way you want and then purchase them -=+=- Sorry nothing will be billed or shipped!

  8. #8
    New Member
    Join Date
    Aug 2007
    Posts
    6


    Default Re: Faked Orders

    Thanks, but unfortunately that won't help I think.

    The issue here is that the evildoers can totally bypass the payment stage of the order process due to a flaw in the design of OsCMax and OsCommerce.

    They already happily enter fictional information in the customer registration form and are clearly doing that by hand, so CAPTCHA etc won't bother them at all.

  9. #9
    jpf
    osCMax Testing Team
    Join Date
    Sep 2003
    Location
    Manitoba, Canada
    Posts
    2,699


    Default Re: Faked Orders

    From what I could find.... Please verify the following:

    1. This only applies if you are using a payment processing module (like the default Pay Pal module) which has no "call back" to the website.

    2. Other payment modules, such as World Pay, Paypal WPP, Express Checkout, Payflow users seem unaffected by this.

    3. Are they using this for Downloadable products? - I have a solution.

    To prevent download stealing a small mod to /catalog/download.php is required

    On approx line 23---Replace
    PHP Code:
    $downloads_query = tep_db_query("select date_format(o.date_purchased, '%Y-%m-%d') as date_purchased_day, opd.download_maxdays, opd.download_count, opd.download_maxdays, opd.orders_products_filename from " . TABLE_ORDERS . " o, " . TABLE_ORDERS_PRODUCTS . " op, " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " opd, " . TABLE_ORDERS_STATUS . " os where o.customers_id = '" . $customer_id . "' and o.orders_id = '" . (int)$HTTP_GET_VARS['order'] . "' and o.orders_id = op.orders_id and op.orders_products_id = opd.orders_products_id and opd.orders_products_download_id = '" . (int)$HTTP_GET_VARS['id'] . "' and opd.orders_products_filename != '' and o.orders_status = os.orders_status_id and os.downloads_flag = '1' and os.language_id = '" . (int)$languages_id . "'");
    with
    PHP Code:
    // mod to prevent download stealing - added "o.orders_status = '3' and "
    // (3 is the default "Delivered"/paid status; use whatever status id your store sets once payment is received)
    $downloads_query = tep_db_query("select date_format(o.date_purchased, '%Y-%m-%d') as date_purchased_day, opd.download_maxdays, opd.download_count, opd.download_maxdays, opd.orders_products_filename from " . TABLE_ORDERS . " o, " . TABLE_ORDERS_PRODUCTS . " op, " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " opd, " . TABLE_ORDERS_STATUS . " os where o.customers_id = '" . $customer_id . "' and o.orders_id = '" . (int)$HTTP_GET_VARS['order'] . "' and o.orders_status = '3' and o.orders_id = op.orders_id and op.orders_products_id = opd.orders_products_id and opd.orders_products_download_id = '" . (int)$HTTP_GET_VARS['id'] . "' and opd.orders_products_filename != '' and o.orders_status = os.orders_status_id and os.downloads_flag = '1' and os.language_id = '" . (int)$languages_id . "'");
    This does an additional check that order status is 3 (or whatever you have set for payment received). If it does not match then the 'buyer' just sees a blank screen instead of getting access to the download. Instead of
    and o.orders_status = '3'
    I guess you could use >= '3' or use an or statement.


    Other solutions - but I have not looked into them much....


    Also look at: suggestions on my site - W3Schools Forum


    OR

    Try this in the confirmation form:

    echo tep_draw_hidden_field('confirm',1);

    and this in checkout_process:

    // only proceed when the hidden 'confirm' field from checkout_confirmation was posted
    if (!$_POST['confirm']) {
      tep_redirect(tep_href_link(FILENAME_CHECKOUT_CONFIRMATION, '', 'SSL'));
    }

    but that is purely for internal so that process is only executed via the confirm button and not url creative editing, when the form goes external that field will not work anymore.


    Or

    Locate the following lines of code:
    PHP Code:
    // load selected payment module
    require(DIR_WS_CLASSES . 'payment.php');
    $payment_modules = new payment($payment);
    // load the selected shipping module
    require(DIR_WS_CLASSES . 'shipping.php');
    $shipping_modules = new shipping($shipping);
    require(DIR_WS_CLASSES . 'order.php');
    $order = new order;
    and insert the following straight after:
    PHP Code:
    // Stop direct access to this file
    if (!$HTTP_SERVER_VARS['HTTP_REFERER']) {
      // Send an email as a safe-guard against failure
      $email_message = 'This order failed at the final stage, maybe a checkout hack attempt. The customer\'s name is ' . $order->customer['firstname'] . ' ' . $order->customer['lastname'] . '. Their telephone number is ' . $order->customer['telephone'] . ' and email address is ' . $order->customer['email_address'];
      // tep_mail($to_name, $to_email, $subject, $text, $from_name, $from_email)
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, 'Order Rejection', $email_message, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
      // Redirect the user to the checkout payment page with an error
      $error = 'A problem has occurred whilst processing your payment, the store owner has been notified and should be in contact soon';
      tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'error_message=' . urlencode($error), 'SSL'));
      exit;
    }

    Now when a customer tries to go directly to the checkout_process.php file they will be immediately thrown back to the checkout payments page and you will be notified of their details.


    Good Luck
    Last edited by jpf; 09-07-2008 at 12:57 AM. Reason: Added more info...
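The Referer and hidden-field mods above both rely on something the browser sends, and HTTP_REFERER in particular is often blank for legitimate customers (privacy settings, HTTPS-to-HTTP transitions). The following is an added example, not jpf's code or osCmax's own, of the session-based variant mentioned later in the thread: checkout_confirmation.php issues a random single-use token held server-side, and checkout_process.php refuses to write the order unless that exact token comes back. It assumes PHP 7+ (random_bytes, hash_equals), a PHP session already started by the osCommerce session handling, and the stock helpers tep_draw_hidden_field(), tep_redirect() and tep_href_link().

```php
<?php
// Added example (not from the thread or the osCmax code base).
// Assumes: PHP 7+, session already started, osCommerce helpers available.

// --- checkout_confirmation.php: issue the token and embed it in the confirm form ---
function checkout_issue_token() {
    $token = bin2hex(random_bytes(16));          // 128-bit CSPRNG value, server-held
    $_SESSION['checkout_token'] = $token;
    $_SESSION['checkout_token_time'] = time();
    return $token;
}
// inside the confirmation form, next to the existing hidden fields:
//   echo tep_draw_hidden_field('checkout_token', checkout_issue_token());

// --- checkout_process.php: verify BEFORE the order is inserted ---
function checkout_token_valid($posted, $max_age_seconds = 1800) {
    if (empty($_SESSION['checkout_token']) || !is_string($posted)) {
        return false;                            // nothing issued, or nothing posted
    }
    $fresh = (time() - (int)$_SESSION['checkout_token_time']) <= $max_age_seconds;
    $match = hash_equals($_SESSION['checkout_token'], $posted);
    // single use: clear it whatever the outcome, so a re-POST of the same request fails
    unset($_SESSION['checkout_token'], $_SESSION['checkout_token_time']);
    return $fresh && $match;
}

if (!checkout_token_valid(isset($_POST['checkout_token']) ? $_POST['checkout_token'] : null)) {
    // optionally notify the store owner here, as the Referer mod does with tep_mail()
    $error = 'Your checkout session could not be verified. Please start the payment step again.';
    tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'error_message=' . urlencode($error), 'SSL'));
    exit;
}
```

This proves only that the confirmation page was visited in this session, not that money changed hands; for an off-site processor the order should still be stored in an unpaid status until the processor's callback (IPN) updates it, which is exactly what the orders_status check in the download.php mod depends on.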

  10. #10
    New Member
    Join Date
    Aug 2007
    Posts
    6


    Default Re: Faked Orders

    Fortunately, downloads are not an issue as we don't do that. Really it is a matter of inconvenience of the fake orders coming through and having to be manually removed from the accounting records etc.

    The if (!$_SERVER['HTTP_REFERER']) approach was one I tried myself and it works fine but only for payment methods where the customer doesn't leave the site, such as COD.

    The sessions suggestion at suggestions on my site - W3Schools Forum seems to hold some promise to me - I had not tried that as sessions is an area I have not really dabbled at all before.

    Thanks for your input.
