Limiting the impact of credit card processing scripts/bots
I'm involved in building a donation form for non-profits. We recently got hit by a fast round of low dollar submissions. Many were invalid cards, but a few went through. Obviously someone wrote a script to check a bunch of card numbers for validity, possibly so they can sell them later.
Any ideas on how to prevent or limit the impact of this in the future?
We have control over all aspects of the system (code, webserver, etc). Yes the form runs over https.
Comments (4)
When a flood of invalid transactions from a single IP address or small range of addresses is detected, block that address / network.
If a botnet is in use, this will not help. You can still detect floods of low dollar amount submissions and so deduce when you are under attack; during these times, stall low dollar amount submissions to make them take longer; introduce CAPTCHAs for low dollar amount donations; consult your bank's fraud prevention department in case they can make use of your server logs to catch the perpetrators.
Force donors to create accounts in order to make donations; protect account creation with a CAPTCHA, and rate limit donations from any one account.
Raise the minimum permissible donation to a point where it no longer makes financial sense for the scammers to use you in this way.
Instead of CAPTCHAs, which will annoy users, you might want to take advantage of the fact that most people have javascript enabled while bots don't. Simply create a small piece of javascript that when run inserts a particular value in a hidden field.
For those that have Javascript disabled you can show the CAPTCHA (use the <noscript> tag), and you can then accept a submission only if either of these measures check out.
For maximum annoyance to evildoers you could make the difference between the succeed message and the failure message computationally hard to distinguish (say everything is the same, except for one picture that displays the message) but easy to understand for humans.
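The server-side half of the hidden-field idea from this answer, as an added example that is not code from the original answer: the page that serves the form embeds a short script which copies a per-form token into a hidden input, browsers without JavaScript get the CAPTCHA through <noscript>, and the server accepts the submission when either the token or the CAPTCHA answer checks out. It goes slightly beyond the answer by making the hidden value an HMAC tied to the session and issue time, so that a fabricated or replayed value is rejected and a submission that arrives faster than a human could fill the form is refused. The secret key, field name, and timing constants are constructed assumptions.

```python
"""Validate the JavaScript-filled hidden field on the server side.

Added example, not the original answer's code. The browser-side script that
copies the token into the hidden input is not shown; only the issuing and
checking logic that runs on the donation server is.
"""
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret kept on the server
TOKEN_TTL = 30 * 60                    # assumption: a form token is valid for 30 minutes
MIN_FILL_SECONDS = 5                   # assumption: a human needs at least a few seconds

def _mac(session_id, issued):
    """HMAC over the session id and issue time, so the value is unique per form load."""
    msg = f"{session_id}:{issued}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(session_id, now):
    """Return 'issued_at:mac'; the page's script writes this into the hidden field."""
    issued = int(now)
    return f"{issued}:{_mac(session_id, issued)}"

def token_is_valid(session_id, token, now):
    """True only if the MAC matches this session and the form was not submitted
    too fast (no JavaScript ran, or a script posted instantly) or too late."""
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False
    if not hmac.compare_digest(mac, _mac(session_id, issued)):
        return False
    age = now - issued
    return MIN_FILL_SECONDS <= age <= TOKEN_TTL

def accept_submission(session_id, form, captcha_solved, now):
    """Accept when either the hidden-field token or the <noscript> CAPTCHA checks out."""
    if token_is_valid(session_id, form.get("js_token", ""), now):
        return True
    return bool(captcha_solved)

if __name__ == "__main__":
    # Constructed walk-through: token issued at t=1000, posted 10 s later.
    tok = issue_token("sess-1", 1000)
    print(accept_submission("sess-1", {"js_token": tok}, False, 1010))   # True
    print(accept_submission("sess-1", {"js_token": tok}, False, 1002))   # False: too fast
    print(accept_submission("sess-1", {}, True, 1010))                   # True: CAPTCHA path
```

A script that does execute JavaScript will still obtain a valid token, so this check only filters out the simplest submitters; the minimum fill time and the per-IP throttling discussed in the other answers are what raise the cost for the rest.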
Limit submissions from the same IP address to one per minute, or whatever reasonable period of time it would take for a real person to fill out the form.
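The throttling in this answer and the flood detection in the first answer (block an IP after a run of declined transactions; notice a site-wide burst of low-dollar submissions even when a botnet spreads them across addresses, and challenge or delay low-dollar donations while it lasts) can be modelled together. The following is an added example and not code from either answer; the thresholds, window sizes, and the replayed events are constructed assumptions.

```python
"""Throttle per IP, block IPs that keep getting declined, and detect a
site-wide card-testing flood. Added example; all numbers are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass

LOW_DOLLAR = 5.00             # amounts below this are "card-test sized"
IP_MIN_INTERVAL = 60          # one submission per IP per minute
IP_DECLINE_LIMIT = 5          # declines from one IP inside WINDOW before blocking
GLOBAL_LOW_DOLLAR_LIMIT = 20  # low-dollar submissions site-wide inside WINDOW => attack mode
WINDOW = 300                  # seconds

@dataclass
class Decision:
    action: str   # "accept", "throttle", "block" or "challenge"
    reason: str

class CardTestingDetector:
    def __init__(self):
        self.last_seen = {}                   # ip -> time of last accepted submission
        self.declines = defaultdict(deque)    # ip -> times of declined attempts
        self.blocked = set()
        self.low_dollar = deque()             # times of accepted low-dollar submissions, all ips

    @staticmethod
    def _prune(dq, now):
        while dq and now - dq[0] > WINDOW:
            dq.popleft()

    def under_attack(self, now):
        """Botnet case: many low-dollar submissions regardless of source address."""
        self._prune(self.low_dollar, now)
        return len(self.low_dollar) >= GLOBAL_LOW_DOLLAR_LIMIT

    def check(self, ip, amount, now, captcha_ok=False):
        """Run before the card is sent to the processor."""
        if ip in self.blocked:
            return Decision("block", "ip blocked after a flood of declines")
        last = self.last_seen.get(ip)
        if last is not None and now - last < IP_MIN_INTERVAL:
            return Decision("throttle", "more than one submission per minute from ip")
        if amount < LOW_DOLLAR and self.under_attack(now) and not captcha_ok:
            return Decision("challenge", "site-wide flood of low-dollar submissions")
        self.last_seen[ip] = now
        if amount < LOW_DOLLAR:
            self.low_dollar.append(now)
        return Decision("accept", "ok")

    def record_result(self, ip, approved, now):
        """Run with the processor's answer; an ip that keeps failing gets blocked."""
        if approved:
            return
        dq = self.declines[ip]
        dq.append(now)
        self._prune(dq, now)
        if len(dq) >= IP_DECLINE_LIMIT:
            self.blocked.add(ip)

def replay(events):
    """Replay (time, ip, amount, approved) events; return the detector and the
    action taken for each event."""
    det = CardTestingDetector()
    actions = []
    for ts, ip, amount, approved in events:
        decision = det.check(ip, amount, ts)
        actions.append(decision.action)
        if decision.action == "accept":
            det.record_result(ip, approved, ts)
    return det, actions

# Constructed sample traffic (documentation-range addresses):
SAMPLE = (
    [(t, "203.0.113.7", 1.00, False) for t in (0, 2, 4)]                 # one script, far too fast
    + [(10 + i, f"198.51.100.{i}", 1.00, False) for i in range(1, 26)]  # 25 botnet hosts, $1 each
    + [(40, "192.0.2.10", 50.00, True)]                                  # a legitimate donor
    + [(100 + 60 * k, "203.0.113.9", 10.00, False) for k in range(6)]   # slow, but always declined
)

if __name__ == "__main__":
    det, actions = replay(SAMPLE)
    for name in ("accept", "throttle", "challenge", "block"):
        print(name, actions.count(name))
    print("blocked:", sorted(det.blocked))
```

Replaying the sample, the scripted host gets one attempt through and is then throttled, the botnet trips the site-wide threshold after the twentieth low-dollar submission so the remaining hosts are challenged, the $50 donor is unaffected, and the slow-but-always-declined host is blocked on its fifth decline.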
This. How many legitimate donations do you get for under 5 bucks, anyway?