Q: SHOPPING CART FRAUD ( Answered,   0 Comments )
Question  
Subject: SHOPPING CART FRAUD
Category: Business and Money > eCommerce
Asked by: ricki56-ga
List Price: $50.00
Posted: 25 May 2004 08:27 PDT
Expires: 24 Jun 2004 08:27 PDT
Question ID: 351664
Help! In the past week our e-commerce site has been swarmed by credit
card hackers. They are running 100-200 cards per hour thru our
shopping cart. They use bogus names & addresses, like "fffggg."

I've installed AuthorizeNet Fraud Detection Suite, and while these
transactions are being denied, it hasn't slowed them down at all. I'm
receiving hundreds of denied orders every day.

The hackers are accessing our cart from outside our site or using
dynamic addresses, so I cannot block the incoming IP address.

Even though the orders are being denied, here's what I think is motivating them - 

Our site is hosted by Galaxymall which provided the cgi shopping cart.
The cart returns an error message when the transaction is denied, like
"invalid credit card number." The message changes depending on the
status of the card. This is probably the information the hackers are
using.

I do not have FTP access to change the shopping cart messages, and
Galaxymall has been unable to offer a solution. AuthorizeNet has no
other solutions either, other than to go to AIM processing which
Galaxymall doesn't provide.

Since our real customers are typically one-time shoppers, I feel it
would slow sales to require a customer ID or log-in password to
place an order.

No doubt I need to switch to another webhost and/or shopping cart to
stop these hackers, and I'm seeking recommendations or advice.

This is the second site they've attacked. We had the identical problem
with another Galaxymall HTML programmed store six months ago, and
ended up shutting down the site.

This is a HUGE problem which has cost time and $$$. Immediate
assistance will be greatly appreciated!
Answer  
Subject: Re: SHOPPING CART FRAUD
Answered By: larre-ga on 25 May 2004 16:22 PDT
 
Thanks for asking.

Have you asked Galaxymall to further customize your shopping cart's
order validation? I notice Galaxymall services include custom CGI
programming. I would think that this could include programming of
server-side form validation to eliminate the problem of "test" entries
being submitted automatically. Each form field would be "measured"
against set conditions, and invalid entries would require conformance
to whatever standards you choose. A name or address like "fffggg"
would not pass muster. I've even seen very strict validation that
checks for valid U.S. addresses via postal service zip code guides.

There are two types of commonly implemented form validation, client
side, and server side. I'm recommending use of server-side validation
in this case, due to your unique circumstances. If your spammers are
submitting these orders outside your normal order channel, then
typical client side JavaScript form validation would have little
effect. Server side validation, however, should be able to catch and
reject the entries before they're actually accepted by the shopping
cart.

Alternatively, the cart could be customized to -only- accept orders
when browser JavaScript is on, thereby allowing JavaScripted
client-side form validation. The cart could also be configured to
-only- accept orders from a specified URL (i.e. your order URL) in
order to eliminate the problem of orders being submitted via
undesirable channels.


In the same general range as your current provider, the following
e-commerce storefronts offer a greater degree of control over
transactions.

Monster Commerce - Small Business
http://www.monstercommerce.com/ecommerce_small_business.asp

Yahoo Stores
http://store.yahoo.com/

BeanBasket E-Commerce Service
http://www.beanbasket.com/


Further Information: CGI Form Validation
----------------------------------------------------------------------

Avoid Bad Form Code
http://builder.com.com/5100-6371-1044591.html

Validating WebForms with Perl
http://mark.stosberg.com/dfv/

ASP Server Side Form Validation Code
http://www.4guysfromrolla.com/webtech/020799-1.shtml



Search Strategy
----------------------------------------------------------------------

Google Directory Search Terms:

ecommerce
storefront
shopping carts


Should you have any questions about the information or links provided,
please, feel free to ask for clarification.

---larre
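
The server-side validation recommended in the answer, combined with a single decline message that does not change with card status (the behaviour the question suspects is being abused), as an added example that is not part of the original answer or of Galaxymall's cart code. It is written in Python for illustration; `validate_order`, `handle_order`, the `charge` callback and its status strings are hypothetical names, and the field rules are assumptions a merchant would tune.

```python
import re

# One message for every failure, so the response never reveals card status.
GENERIC_DECLINE = "We could not process this order. Please check your details."

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'\-]{1,49}$")
ADDRESS_RE = re.compile(r"^\d+\s+\S.{3,}$")   # street number, then street name
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")      # U.S. ZIP or ZIP+4


def looks_like_keyboard_mash(text):
    """Heuristic for values like 'fffggg': no vowels, or 3+ repeated letters."""
    letters = re.sub(r"[^a-z]", "", text.lower())
    if not letters:
        return True
    if len(letters) >= 4 and not re.search(r"[aeiouy]", letters):
        return True
    return re.search(r"(.)\1\1", letters) is not None


def validate_order(form):
    """Return the names of fields that fail server-side checks."""
    errors = []
    name = form.get("name", "").strip()
    if not NAME_RE.match(name) or looks_like_keyboard_mash(name):
        errors.append("name")
    address = form.get("address", "").strip()
    if not ADDRESS_RE.match(address) or looks_like_keyboard_mash(address):
        errors.append("address")
    if not ZIP_RE.match(form.get("zip", "").strip()):
        errors.append("zip")
    return errors


def handle_order(form, charge):
    """Return (accepted, message_for_customer, detail_for_merchant_log)."""
    errors = validate_order(form)
    if errors:
        # Rejected before the gateway is called: nothing is learned about a card.
        return False, GENERIC_DECLINE, "validation:" + ",".join(errors)
    status = charge(form)  # hypothetical gateway callback returning a status string
    if status == "approved":
        return True, "Thank you, your order has been placed.", status
    # The specific reason goes to the merchant log only, never to the response.
    return False, GENERIC_DECLINE, "gateway:" + status
```

The keyboard-mash check is a heuristic and will reject some unusual real names, so rejected orders should be logged and reviewed rather than silently dropped.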
Comments  
There are no comments at this time.
