-- HikaShop version -- : 4.5.0
-- Joomla version -- : 3.10.8
-- PHP version -- : 7.4.28
We're seeing a repeated automated 'attack' on our customer's HikaShop checkout mechanism. (Three attempts so far.)
The pattern is that they register during checkout (the welcome message to their email bounces), and attempt an order which fails due to an invalid credit card. Within the next few hours, an automated system logs in using that new Joomla Account, and makes approximately 100 to 300 attempts which use different credit card numbers, but still use the fake name of the user. No orders succeeded in any of the three attacks, but an order a minute was attempted for between two and three hours each, in the middle of the night. Each of the three attacks came from a different IP address, which was captured when they registered.
I assume that a live person registered because they could successfully get past the Captcha, but as far as I know, there is no captcha presented on a checkout for a logged in user. The multiple orders happened so regularly, I assume that this second part was automated. To all appearances, they aren't looking to actually collect any goods from our customer, they're just trying to find a credit card which gets past the CC validation. So far, none have.
After each attack, I have blocked each IP address, and removed those newly registered Joomla accounts. Requiring the customer to activate their Joomla account in the middle of a normal order process is a point of friction we'd really prefer to avoid - in the past, this has demonstrably deterred elderly customers.
Is there a strategy to prevent this method of attack? Possibly a way to implement a captcha during checkout?
The best suggestion I (and a wise friend) have come up with is to build a HikaShop plugin that counts each CC failure, which then blocks any order from that user once their credit card attempts have failed X number of times until they have logged out and logged in again - or passed another captcha test.
Ideas?
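The per-account failure counter proposed above, worked through as an added example (my code, not HikaShop's or Joomla's: the account and session identifiers and the attempt trace are constructed, and the hook through which a real HikaShop payment plugin would receive the gateway's decline is not modelled here). It counts declined cards per login session, refuses further checkout attempts once the count reaches a threshold, and resets only when the account reappears under a new session or clears a captcha, which is exactly the policy described in the post.

```python
"""Decline counter for checkout attempts, keyed by account and login session.

Constructed example: the identifiers and the replayed attempt trace below are
made up, and nothing here is HikaShop or Joomla API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class FailureState:
    """Per-account state, tied to the login session it was created in."""
    session_id: str
    failures: List[datetime] = field(default_factory=list)  # decline times
    blocked: bool = False


class CardFailureGuard:
    """Refuse checkout once an account has `max_failures` declined cards in
    the current login session; the block lasts until the account shows up
    under a new session (logout/login) or clear_after_captcha() is called."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.state: Dict[str, FailureState] = {}

    def _state_for(self, account: str, session_id: str) -> FailureState:
        st = self.state.get(account)
        if st is None or st.session_id != session_id:
            # new login session: start a fresh counter, as the post proposes
            st = FailureState(session_id)
            self.state[account] = st
        return st

    def may_attempt(self, account: str, session_id: str) -> bool:
        """Check before the card is even sent to the gateway."""
        return not self._state_for(account, session_id).blocked

    def record_result(self, account: str, session_id: str,
                      approved: bool, when: datetime) -> bool:
        """Record the gateway's answer; returns True if the account is now blocked."""
        st = self._state_for(account, session_id)
        if approved:
            st.failures.clear()          # a real payment ends the streak
            return st.blocked
        st.failures.append(when)
        if len(st.failures) >= self.max_failures:
            st.blocked = True
        return st.blocked

    def clear_after_captcha(self, account: str) -> None:
        """Lift the block once the user has passed a captcha challenge."""
        st = self.state.get(account)
        if st is not None:
            st.blocked = False
            st.failures.clear()


def replay(guard: CardFailureGuard,
           attempts: List[Tuple[str, str, bool, datetime]]) -> Tuple[int, int]:
    """Replay (account, session, approved, time) tuples through the guard.
    Returns (attempts sent to the gateway, attempts refused before the gateway)."""
    sent = refused = 0
    for account, session_id, approved, when in attempts:
        if not guard.may_attempt(account, session_id):
            refused += 1
            continue
        sent += 1
        guard.record_result(account, session_id, approved, when)
    return sent, refused


def build_attack_trace() -> List[Tuple[str, str, bool, datetime]]:
    """Constructed trace shaped like the post's description: one decline
    during registration, then 180 declines one minute apart from a fresh
    login session in the middle of the night."""
    day = datetime(2022, 5, 1)
    trace = [("mallory", "s-register", False, day.replace(hour=14))]
    night = day + timedelta(days=1, hours=2)
    trace += [("mallory", "s-bot", False, night + timedelta(minutes=i))
              for i in range(180)]
    return trace


def build_legit_trace() -> List[Tuple[str, str, bool, datetime]]:
    """Constructed trace of a real shopper: one mistyped card, then approval."""
    t = datetime(2022, 5, 1, 10, 0)
    return [("alice", "s-alice", False, t),
            ("alice", "s-alice", True, t + timedelta(minutes=2))]


if __name__ == "__main__":
    g = CardFailureGuard(max_failures=3)
    print("attack trace (sent, refused):", replay(g, build_attack_trace()))
    print("legit trace  (sent, refused):", replay(g, build_legit_trace()))
```

With the threshold at three declines, the bot's session reaches the gateway only three times and the remaining 177 attempts are refused locally, while the shopper who mistypes once is never touched. The session check is what makes the counter survive the attacker's first failed registration attempt without carrying over, which matches the post's observation that the automated run starts from a fresh login.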