CiviCRM Community Forums (archive)

Hello everyone.

I've just recently come across a situation in which one of our client's CiviContribute pages has been used to pass through fraudulent credit card transactions.  While this scenario has been discussed before and implementing reCAPTCHA would be one of the obvious solutions, the client is very much opposed to putting in a CAPTCHA form on the website since the target audience of the site is older individuals who find CAPTCHA very hard to decipher.  Additionally, the client does not want to make the CVV code on the credit card mandatory as this too may cause too much confusion with the users.

Therefore, my question is twofold:  first, is it possible to customize or simplify the appearance of reCAPTCHA to make it easier for older users to decipher.

Second, the client has suggested that we implement a limit on how many times a user may make a donation through the contribution page within a 24 hour period.  Given that the client opposes the use of CAPTCHA and the CVV code to help mitigate the risk of automated form submissions, this would seem to be a possible solution.  However, from what I can determine, there is nothing in place currently that facilitates this functionality.

What would it take to build a function into the CiviContribute module which adds the ability to strictly limit how much a user may donate in a given period?

This is not the best solution, obviously.  But, it is the best solution we can devise under the circumstances.

Just looking for some feedback or ideas in response to this.

Thanks in advance.

The second suggestion holds some possibility.  I'll need to perform some kind of additional filtering though, since the potential pitfall with using it is that the attack on the site made use of a bot which kept entering random number and expiration date combinations until it hit a valid combination.  Since there was a valid combination entered, it would show up as a "valid" contribution.  The credit card processing company reports to us that over 19,000 transactions occurred, of which only around 20 - 30 were actually authorized.  It is further complicated by the fact that the processing company we're using makes use of a hosted payment solution, so the 19,000+ transactions didn't occur on our server.  Still, we need to try to keep the invalid users from getting that far.

Truth be told, I'm not sure that placing a hard limit on donations in a fixed time period (i.e. 24, 48, 72 hours) is a viable scenario, but we need to explore the option given that the client really wishes to avoid using CAPTCHA.  Apparently, 4 seperate users were unable to enter the correct text comb to proceed to the next screen.  Obviously, we're not trying to make it impossible to make a donation, but we need to do something to mitigate "bot" attacks such as this.

We'd like any solution we do implement to integrate with Drupal/CiviCRM rather than be a hack (which will lock us into the current versions of the software or run the risk of being overwritten the next time an update comes out).

The colour of the sky is blue - i guess the color of the sky is ble