
August 28, 2015

Declined Card Transaction Management

Recently our client saw a surge in suspicious activity where a user would seemingly log in, place an item in their cart, and then proceed to attempt to use fraudulent cards repeatedly. We were able to determine that either this was an absolutely amazing robot processing the orders or a very determined group of individuals. We suspect it may have been a live person, because all of the IDS web sniffers detected that it was an authenticated browser user.

The robot would have had to submit calls via AJAX, go back several steps to replace information, and then retry the order again. That is not impossible, as we have built some fairly sophisticated crawlers that could do this, but the level of skill needed to actually attempt to charge the card was not really there. The individuals were trying to ship products to Indonesia, even though they had fairly westernized names.

The other issue that forced our decision to build the system was that the credit card processor would call a “timeout” for the ENTIRE web server and lock it out for 30 minutes, so no credit card orders could be placed during that period.

Regardless, this was a difficult issue to solve, as our client did NOT want to implement CAPTCHAs on the system, for fear it would turn off real customers.

The architecture we came up with is dubbed “Fail Jail”.

Essentially, we wrote a simple module that overrides the OnePage checkout controller and intercepts any failed payment transaction. Each user’s failed attempt is recorded in a separate table. After a predetermined number of failed attempts, the user is essentially “jailed” from the system, and a notification is sent to the store owners.

The controller then redirects the bad buyer to a special CMS page letting them know they need to contact the store by phone in order to complete the order. If the bad guy tries to check out again, they are instantly redirected back to the same page.

The “jailed” users are then released by another script after a certain “cooling off” period, during which, hopefully, the bad guy will just give up.

The module is extremely simple and can easily be turned off by adjusting the module config file.
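To make the Fail Jail flow above concrete, here is an added example of the same logic written in plain Python. It is not the Magento module itself and is not the client's code: the in-memory dictionary stands in for the module's failure table, the threshold of 3 failures, the 30-minute cooling-off period, the `/contact-us-to-complete-order` CMS page path, and the rule that a successful charge clears a user's record are all assumptions chosen for the example. The one point the example is careful about, because it is the whole reason the module exists, is that a jailed user is redirected before the payment processor is ever called, so the processor's server-wide timeout cannot be triggered by someone who is already in jail.

```python
"""Fail Jail: per-user failed-payment counter with jail, notification and release.

Added example, not the Fail Jail module's own code. The table, threshold,
cooling-off period and CMS page path are placeholders for the module's
database table and config file.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed CMS page the jailed buyer is redirected to (not from the original post).
CONTACT_PAGE = "/contact-us-to-complete-order"


@dataclass
class FailRecord:
    """One row of the (assumed) fail table: when each failure happened and when the user was jailed."""
    failure_times: List[float] = field(default_factory=list)
    jailed_at: Optional[float] = None


class FailJail:
    def __init__(self, max_failures: int = 3, cooling_off_seconds: int = 30 * 60,
                 enabled: bool = True,
                 notify: Optional[Callable[[str, int], None]] = None) -> None:
        self.max_failures = max_failures              # assumed threshold
        self.cooling_off_seconds = cooling_off_seconds  # assumed cooling-off period
        self.enabled = enabled                        # the config-file on/off switch
        self.notify = notify or (lambda user_id, count: None)  # store-owner notification hook
        self.table: Dict[str, FailRecord] = {}        # stands in for the separate DB table

    def is_jailed(self, user_id: str) -> bool:
        """Jail persists until the release script clears it, as in the post."""
        rec = self.table.get(user_id)
        return self.enabled and rec is not None and rec.jailed_at is not None

    def record_failure(self, user_id: str, now: float) -> bool:
        """Record one failed payment; return True if this failure put the user in jail."""
        if not self.enabled:
            return False
        rec = self.table.setdefault(user_id, FailRecord())
        rec.failure_times.append(now)
        if rec.jailed_at is None and len(rec.failure_times) >= self.max_failures:
            rec.jailed_at = now
            self.notify(user_id, len(rec.failure_times))
            return True
        return False

    def checkout(self, user_id: str, now: float,
                 charge: Callable[[], bool]) -> Tuple[str, Optional[str]]:
        """The intercepting controller: decide what happens when a user submits payment.

        `charge` is the call to the card processor; it is only made when the user
        is NOT jailed, so a jailed user can never trigger the processor's lockout.
        """
        if self.is_jailed(user_id):
            return ("redirect", CONTACT_PAGE)
        if charge():
            self.table.pop(user_id, None)  # assumption: a successful charge clears the record
            return ("ok", None)
        if self.record_failure(user_id, now):
            return ("redirect", CONTACT_PAGE)  # this failure crossed the threshold
        return ("retry", None)  # ordinary declined card: let the customer try again

    def release_expired(self, now: float) -> List[str]:
        """The cooling-off release script: free everyone whose jail time is up."""
        released = [uid for uid, rec in self.table.items()
                    if rec.jailed_at is not None
                    and now - rec.jailed_at >= self.cooling_off_seconds]
        for uid in released:
            del self.table[uid]
        return released


if __name__ == "__main__":
    # Constructed walk-through: three declines in a row, then a blocked retry, then release.
    jail = FailJail(notify=lambda u, c: print(f"notify store owner: {u} jailed after {c} failures"))
    for t in (0, 10, 20, 30):
        print(t, jail.checkout("buyer-1", t, lambda: False))
    print("released:", jail.release_expired(20 + 30 * 60))
```

In the real module the `charge` callback is the existing payment step of the OnePage controller and `release_expired` would run from a scheduled job; the example keeps both as plain function calls so the threshold, redirect and release behaviour can be exercised without a store.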

If you would like us to implement the system on your Magento platform, please do not hesitate to Contact Us today!