impress-org / givewp

GiveWP - The #1 Donation Plugin for WordPress. Easily accept donations and fundraise using your WordPress website.
https://givewp.com/
GNU General Public License v3.0
339 stars, 191 forks

GiveWP should rate limit donation attempts. #5258

Open dschaper opened 4 years ago

dschaper commented 4 years ago

Details

GiveWP happily processes 400 fraudulent donation attempts in less than 5 minutes from the same donor. And then a new donor is created and things go from there.

Expected Behavior

After the first 5 donation attempts are rejected by the payment gateway, block the IP and the donor. Or notice the 4 dozen cards associated with the accounts.

I thought Akismet would help with this kind of spam but it seems that's completely nonfunctional.

Visuals

[Screenshots, 2020-09-11: Stripe dashboard Search, Customers and Home views for pi-hole net]

Additional Context

Of course, those two dozen or so charges that made it through are being marked as fraud and cost $15USD each in fees.

System Information

Details

GiveWP Version: 2.8.0
GiveWP Cache: Enabled
Database Updates: All DB Updates Completed.
Database Tables (all at version 1.0): ✔ wp_give_donors, ✔ wp_give_donormeta, ✔ wp_give_comments, ✔ wp_give_commentmeta, ✔ wp_give_sessions, ✔ wp_give_logs, ✔ wp_give_logmeta, ✔ wp_give_formmeta, ✔ wp_give_sequential_ordering, ✔ wp_give_donationmeta
Email notifications: ✔ New Donation, ✔ Donation Receipt, ❌ New Offline Donation, ❌ Offline Donation Instructions, ✔ New User Registration, ✔ User Registration Information, ✔ Donation Note, ❌ Email Access, ✔ Daily Email Report, ✔ Weekly Email Report, ✔ Monthly Email Report
Upgraded From: 2.7.5
Test Mode: Disabled
Currency Code: USD
Currency Position: After
Decimal Separator: .
Thousands Separator: ,
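The "Expected Behavior" above (block after the first five gateway rejections, keyed on both the IP and the donor) is straightforward to express as a sliding-window counter. The following is an added example written for this thread; it is not GiveWP code and does not use any GiveWP API. It keeps rejection timestamps in a plain PHP array so it runs stand-alone; in a real plugin the same two operations would be backed by `get_transient()`/`set_transient()` or a dedicated table. The IP addresses, emails, timestamps and the 5-in-15-minutes threshold are constructed for the demo.

```php
<?php
// Added example (not GiveWP code): sliding-window limiter for donation attempts.
// Attempts are keyed by client IP *and* by donor email, so an attacker cannot
// dodge the limit by rotating only one of them (the report above shows new
// donors being created from the same source once one donor is spent).

final class DonationAttemptLimiter
{
    private int $maxRejections;
    private int $windowSeconds;
    /** @var array<string, int[]> rejection timestamps per key (in-memory store for the demo) */
    private array $store = [];

    public function __construct(int $maxRejections = 5, int $windowSeconds = 900)
    {
        $this->maxRejections = $maxRejections;
        $this->windowSeconds = $windowSeconds;
    }

    /** Record one payment-gateway rejection for this IP and donor at time $now. */
    public function recordRejection(string $ip, string $email, int $now): void
    {
        foreach ($this->keys($ip, $email) as $key) {
            $this->store[$key][] = $now;
            $this->store[$key] = $this->prune($this->store[$key], $now);
        }
    }

    /** True when either the IP or the donor has reached the limit inside the window. */
    public function isBlocked(string $ip, string $email, int $now): bool
    {
        foreach ($this->keys($ip, $email) as $key) {
            $recent = $this->prune($this->store[$key] ?? [], $now);
            if (count($recent) >= $this->maxRejections) {
                return true;
            }
        }
        return false;
    }

    /** @return string[] the two bucket keys; hashed so raw IPs/emails are not stored as keys. */
    private function keys(string $ip, string $email): array
    {
        // Normalise the email so "A@X.COM" and "a@x.com" land in the same bucket.
        $email = strtolower(trim($email));
        return [
            'ip:' . hash('sha256', $ip),
            'donor:' . hash('sha256', $email),
        ];
    }

    /** Drop timestamps that have fallen out of the sliding window. */
    private function prune(array $timestamps, int $now): array
    {
        $cutoff = $now - $this->windowSeconds;
        return array_values(array_filter($timestamps, fn(int $t) => $t > $cutoff));
    }
}

// Constructed demo: six rejections from one IP within a minute, each with a
// different donor email. A fresh donor from that IP is still blocked, a
// different IP is not, and the block lapses once the window has passed.
$limiter = new DonationAttemptLimiter(5, 900);
$t0 = 1_600_000_000;
for ($i = 0; $i < 6; $i++) {
    $limiter->recordRejection('203.0.113.5', "donor$i@example.com", $t0 + $i * 10);
}
var_dump($limiter->isBlocked('203.0.113.5', 'fresh@example.com', $t0 + 120));
var_dump($limiter->isBlocked('198.51.100.9', 'fresh@example.com', $t0 + 120));
var_dump($limiter->isBlocked('203.0.113.5', 'fresh@example.com', $t0 + 1000));
```

Two caveats a practitioner would want before wiring this into a form: the IP must come from a header you trust (behind a CDN or reverse proxy, `REMOTE_ADDR` is the proxy, and an unvalidated `X-Forwarded-For` lets the attacker pick their own bucket); and blocking purely on donor email hands an attacker a way to lock out a real donor by spamming that address, so the per-donor branch is better used to trigger a challenge (captcha or email verification) than a hard block. Counting gateway rejections rather than raw submissions is what stops the card-testing pattern in the screenshots while leaving legitimate donors untouched.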
dschaper commented 4 years ago

This really needs some kind of response. This behavior is going to get my account with Stripe disabled.

[Screenshots, 2020-09-12: Stripe dashboard Payments and Home views for pi-hole net]

JasonTheAdams commented 4 years ago

Hi @dschaper!

Thank you for taking the time to write up this issue and give us further details on the troubles you're running into. Fraudulent donations suck. It's something we're aware of and, while I can't say exactly what the next steps are just yet, I wanted to let you know this is on my radar and an issue we want to see resolved. Rate limiting is one tactic that can be taken; I'm also exploring other possibilities.

I will keep this Issue open and reference it once we begin to put some solutions into place.