Adding Burt's Math Capcha to checkout_payment

[otgrouch]

Hello all. 

I have successfully implemented the math capcha on my contact us and create account pages (2.3.4.1 CE) but would like to add it to the Checkout_payment page.  I've tried to no avail (it will require the content but does not recycle the page if you get the math wrong - always goes to the payment portal page upon hitting Continue).  Anyone ever done this?

[Jack_mcs]

19 hours ago, otgrouch said:

would like to add it to the Checkout_payment page. 

I don't have an answer for you. Have you tried asking on his site? If you are going to add it, it probably should go on the confirmation page. But I suggest you install Honey Pot instead. It is much more powerful and will stop more hackers compared to that addon.

[Heatherbell]

On 11/30/2023 at 7:15 PM, otgrouch said:

Hello all. 

I have successfully implemented the math capcha on my contact us and create account pages (2.3.4.1 CE) but would like to add it to the Checkout_payment page.  I've tried to no avail (it will require the content but does not recycle the page if you get the math wrong - always goes to the payment portal page upon hitting Continue).  Anyone ever done this?

All support for 2.3.4.1 CE now at https://phoenixcart.org/forum/index.php

[YePix]

The only question is, for what? Do you want to lose your customers? If a customer is already registered, he or she has already confirmed the security query for spam and this issue is therefore off the table. With freely accessible forms, such as the contact form, things are different.

[Jack_mcs]

7 hours ago, YePix said:

Do you want to lose your customers? If a customer is already registered, he or she has already confirmed the security query for spam and this issue is therefore off the table.

While I don't like captcha's, I doubt they will cause the loss of a customer. In older versions of oscommerce, it was possible to submit the confirmation page via the url so captcha might stop those. But, in Honey Pot, captcha can be turned off without losing the protection.

[otgrouch]

I had someone create an account and then use it to run around 1000 stolen cards to see if they were good.  My card provider made it a requirement that we put a captcha on the payment page to prevent bots from running multiple cards - I feel that a simple math problem isn't likely to run people off (unlike wavy letters and numbers or picking out traffic lights in pictures).   I put it on the account creation page instead and it seems to have satisfied them.

[Jack_mcs]

57 minutes ago, otgrouch said:

I had someone create an account and then use it to run around 1000 stolen cards to see if they were good. 

It is a fairly common problem in older shops. If you stop them from creating accounts in the first place, it can stop a lot of them. But you have to be sure to remove all previous accounts that the hacker created, which is usually quite a few. If the captcha is working for you then that might be all you need, though your are almost certainly getting hit by hackers. I suggest you download Honey Pot and just make the changes for admin. That will allow you to see fake accounts. It won't do anything other than show them so it is safe to do.

[YePix]

Am 10.12.2023 um 22:03 schrieb Jack_mcs:

While I don't like captcha's, I doubt they will cause the loss of a customer. In older versions of oscommerce, it was possible to submit the confirmation page via the url so captcha might stop those. But, in Honey Pot, captcha can be turned off without losing the protection.

Try this: Open a page with captcha, click somewhere around the code a few times, wait a few seconds and you're done. It's so easy to ignore Google. Furthermore, checkout_shipping, checkout_payment, checkout_confirmation and checkout_proccess kicked you out if you weren't logged in. How could you then complete an order via the browser entry as a customer who was not already registered and logged in?

[YePix]

vor 5 Stunden schrieb otgrouch:

I had someone create an account and then use it to run around 1000 stolen cards to see if they were good.  My card provider made it a requirement that we put a captcha on the payment page to prevent bots from running multiple cards - I feel that a simple math problem isn't likely to run people off (unlike wavy letters and numbers or picking out traffic lights in pictures).   I put it on the account creation page instead and it seems to have satisfied them.

That's what I meant too.

[Jack_mcs]

18 hours ago, YePix said:

Try this: Open a page with captcha, click somewhere around the code a few times, wait a few seconds and you're done. It's so easy to ignore Google. Furthermore, checkout_shipping, checkout_payment, checkout_confirmation and checkout_proccess kicked you out if you weren't logged in. How could you then complete an order via the browser entry as a customer who was not already registered and logged in?

You're talking about Googles recaptcha and I agree that it is not that secure. It uses javascript for the protection.  I'm talking about Honey Pot. It uses some javascript but mostly php. Hackers can get by Javascript in some cases but they can't get by php checks.