reCAPTCHA v3 to protect against Botnet attacks

  • Resolved kw11

    (@kw11)


    4 years ago

    It’s clear that your plugin is big enough now that there are sophisticated botnets specifically targeting it for cardscanning operations. Since the attacks are distributed, it can be difficult to control this short of removing payment gateways.

    I’ve read other posts saying you didn’t like Captcha’s. But these WP Give botnets are effectively DDoS’ing sites like mine even if every single payment fails because of incorrect CVV and Zip. Many payments are attempting to be processed per second.

    It used to be these card scanners were using the Stripe Checkout for their operations, so I had to disable this feature. But now it appears they are going directly to sites to use the Credit Card form.

    Stop the Donor Spam is not effective for this security problem and firewalls aren’t generally effective at stopping the payment attempts. This is the third botnet attack. Over time I’ve tightened security, radar rules, firewall rules, made zip code requirements, raised the minimum donation, disabled Stripe Checkout, etc, but it’s not enough. These bots are getting more sophisticated.

    Is it possible for you to integrate reCAPTCHA v3? This shouldn’t hurt donations (other than potential false positives) as the user doesn’t have to do anything.

    I suspect the issue will get worse with time (it already has) and I figure at some point you’ll be forced to implement this feature since it’s a major security risk.

    Thank you,
    Kyle

    • This topic was modified 4 years ago by kw11.
    • This topic was modified 4 years ago by kw11.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter kw11

    (@kw11)

    Since this post, I found there is now a link to GitHub with code for implmenting reCAPTCHA v2. I also realized that for my purposes, v2 makes the most sense since the way v3 detects bots is similar to Askimet.

    This is a good solution, but for security of your plugin, I think it makes sense that the plugin should offer reCAPTCHA protection for web and payment security.

    Perhaps by default, reCAPTCHA v2 should come with the free www.ads-software.com version of the plugin and v3 could be a paid add-on (I’ve seen other plugins do this). I know we aren’t supposed to talk about commercialization at www.ads-software.com, but my point is that reCAPTCHA should be offered by default to your free plugin to everyone to increase the security of the web. Adding such a feature can be beneficial for commercial endeavors too, if that’s what you want. There are also different implementations of v2 (checkbox and invisible).

    The code at GitHub works with the Legacy forms, but doesn’t work with the new multi-step forms. And the fact that one has to edit PHP makes it a big security problem for those who are less technically-inclined and don’t know anything about programming.

    • This reply was modified 4 years ago by kw11.
    • This reply was modified 4 years ago by kw11.
    Plugin Support Matheus Martins

    (@matheusfd)

    Hi @kw11,

    Happy to clarify here.

    The decision of not adding reCAPTCHA to our plugin was based on the discussion internally between the team and externally with our users. We don’t generally recommend the reCAPTCHA option because it slows down the donation experience and looks unsightly. It can harm your donations sometimes more than benefit them because you add one more step in the donation process.

    However, sometimes it’s really your last line of defense. So if you really want to implement it, you can use the code that you found in your library, that you can check here https://github.com/impress-org/givewp-snippet-library/blob/master/form-customizations/implement-recaptcha.php.

    I’ve also passed your feedback about adding reCAPTCHA in our plugin, so the product development team can discuss the feasibility of this feature. You can follow up on the discussion here https://feedback.givewp.com/feature-requests/p/add-recaptcha-to-donation-forms.

    Have a great day!

    Thread Starter kw11

    (@kw11)

    Thank you. I would like to mention that I modified this code so it’s compatible with both V2 and V3 reCAPTCHA API keys. Right now, I’m using V2 captchas because there are still some technical bugs in my site/code that I have to iron out.

    It’s worth noting that V3 reCAPTCHAs are almost invisible to the user and require no user input. There is just a small unobtrusive reCAPTCHA logo in the corner of the screen. If you weren’t looking for it, you probably wouldn’t notice.

    I can understand not liking V2 as it requires more user input, but V3 creates additional security with no real downsides.

    -Kyle

    I second the need for a V3 implementation; I think it should come as an option with at least the paid version. But it would really be something if it was across all GiveWP offerings by default.

    Plugin Support Matheus Martins

    (@matheusfd)

    Hi @oxygensmith and @kw11,

    Thank you for your insights! I’ve added both your comments internally here https://feedback.givewp.com/feature-requests/p/add-recaptcha-to-donation-forms, so our product development team can discuss the viability and feasibility of this feature.

    We are always happy to improve our product in the way that most benefits our users, so rest assured that this is on our discussion table.

    Have a great day! ??

    @kw11 Could you share your code? It would be a great help to me … thanks

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘reCAPTCHA v3 to protect against Botnet attacks’ is closed to new replies.