• Resolved noknokcody

    (@noknokcody)


    Hi there,

    I’ve recently been back and forth with E-way regarding security around bin attack prevention and Woocommerce EWAY Gateway and I have some general concerns relating to security that both E-Way and I seem to agree on. I’m posting this thread to start a conversation around security, recommend some of my own ideas on how I think security can be improved, and request some more info that can help us all craft some better solutions to improving security as a whole.

    Firstly some context. We were recently contacted by EWay because they detected a range of bin attacks coming from one of the websites we manage. We already had Recaptcha v3 installed on our checkout and had some other server-level software in place to help mitigate these kinds of attacks but somehow they still got through. We decided to switch to a manual captcha and add 2 additional honeypot implementations yet somehow, bin attacks still seem to get through.

    What I can tell is that I believe the checkout form itself is secure from bots, but once a checkout session is created, the URL for the credit card form can be passed freely between different sessions and IPs. You can reproduce this behavior by going to an EWAY Gateway enabled Woocommerce site, entering particulars to get to the credit card form, and copying the URL. This URL can be passed to different browsers, different IPs, even different countries, and the user can still complete the credit card purchase on behalf of someone else.

    This means that a secure checkout could be completed by a real user and the credit card form could be passed to a bot to conduct the bin attack on a user’s behalf.

    Now I understand that this plugin isn’t designed with checkout security in mind and that Recaptcha and Honey Pots aren’t really part of the package, so you can’t guarantee compatibility. BUT I do know that EWay is telling the customers who are victims of these attacks to install Recaptcha and Honeypots on their checkout forms, so I feel that adding some additional security checks here could serve a huge benefit to the plugin and its users.

    Another idea is implementing Recaptcha or Honey Pots on the credit card form itself. I tried to investigate whether this idea is possible but I’m not sure. Correct me if I’m wrong but the credit card form connects directly to Eway using their “Eway Rapid” implementation so if the server is not handling these requests, I assume there’s no way to add additional validation to this form.

    In summary, I’m looking for:
    – Tighter security on the credit card form so that it can’t be transferred between different IPs or sessions.
    – An answer to the question “Can Recaptcha or honeypots be installed on the credit card form via validation hooks?”

    Cheers and keep up the good work!

Viewing 3 replies - 1 through 3 (of 3 total)
  • AW a11n

    (@slash1andy)

    Automattic Happiness Engineer

    Hey there!

    This is really in-depth, which is appreciated.

    – Tighter security on the credit card form so that it can’t be transferred between different IPs or sessions.

    I think that doing this will require a not-insignificant amount of revamping the plugin, and how the form works, etc. This kind of request/suggestion is best suited for the Ideas Board (https://ideas.woocommerce.com/forums/133476-woocommerce), which is where developers go to look for future plugin features and improvements.

    – An answer to the question “Can Recaptcha or honeypots be installed on the credit card form via validation hooks?”

    I don’t believe that it can be. Essentially, the page was anticipated to be accessed after the customer went through the checkout flow, which could include things like captchas, etc.

    One thing that I thought of off the top of my head would be to look at loading a captcha in like a lightbox on page load of the card form page, so not allowing access to the page at all until that’s sorted. Since it can’t be validated directly by eWay because of the integration, you could do validation on the page load perhaps.

    Thread Starter noknokcody

    (@noknokcody)

    Hi there,

    Thanks for the quick response!

    An answer to the question “Can Recaptcha or honeypots be installed on the credit card form via validation hooks?”

    I don’t believe that it can be. Essentially, the page was anticipated to be accessed after the customer went through the checkout flow, which could include things like captchas, etc.

    Sadly I figured that may be the case. It’s a shame, but I can understand why this implementation may be difficult to pull off for the sake of security for existing real customers.

    I’ll go post this over on the ideas board as requested.

    Much appreciated!

    Plugin Support Tseten a11n

    (@tibetanitech)

    I’m glad my colleague was able to assist you with your support request. I’m going to mark this as resolved – if you have any further questions, you can start a new thread.

  • The topic ‘General security improvements and concerns regarding bin attack prevention.’ is closed to new replies.