Block / Blacklist customer registration by e-mail or name

[LuizSantos22]

Description (*)

That would be great if there was a way of blocking from registration / blacklist certain customers
I am facing a problem with a customer that is trying to use stolen credit cards and keep trying to make
purchases all the time. Blocking the IP is not an option because he is probably using an IP masking or VPN
so every purchase there's a new IP. This is stressing my credit card processor and I might have issues
with them.

Expected behavior (*)

By implementing this feature the admin could simply insert the customer e-mail in
a blacklist and prevent them from placing new orders

Benefits

I guess this would improve Magento/OpenMage a lot as I don't see this feature anywhere.

Additional information

This could be implemented by adding a new attribute that would be able to block
the customer from trying to make new registration and place new orders.

[addison74]

I did not face this situation but I think it can be approached without a dedicated module in OpenMage. The analysis of the webserver access log will provide you besides the IP address more information. How this attacker interacts with the website to determine if it is an automatic or manual action. A line in the access log also shows the USER AGENT used by this attacker that can be useful.

If blocking the IP is not a solution, blocking a name or email will not change anything. As long as the attacker has the data of a bank card he can use it in its processing. Whether it's a bot or a human action it should be ridiculous to try the same email address or name if it's blocked. Obviously the attacker will use any another combination and the possibilities are endless.

A registered user cannot register again because OpenMage displays an error. Blocking an already created account may be possible through an extension or editing the account information but the attacker can't be stopped to create another account. If he does not have a customer account and can go through all the steps of the sale then he cannot be prevented in any way except by the trace he leaves by accessing.

Any attempt at fraud must be reported to the authorities, not just blocked.

[luigifab]

We have developed an observer for that. If the customer try too many orders in 7 days (we are checking: number of different countries from shipping/billing/ip address, number of credit card used for the customer and for the ip address, number of orders for the customer and the ip address, number of different ip used for the customer, check if customer ip is in firehol lists, and when firstname = lastname), we are removing payment methods.

[LuizSantos22]

@luigifab That is what I am looking for... Is that a module or easy way to implement that in OpenMage?
Regards

[luigifab]

There are an Observer.php and a system.xml + some changes in templates or IPN controller. This is a made for us, not reusable as is. We are using HiPay, PayZen, and our custom module for PayPal, Tpay, and GoPay.

[LuizSantos22]

@luigifab Ok, well, I guess is better leaving this issue opened as a suggestion. It should be implemented by Magento as a default feature... Anyway... I hope someone could implement this...

[LuizSantos22]

@addison74
It is made manually by the attacker, I do understand that if a real person wants to keep trying to make purchases with different e-mails and names (using different IPs), he/she will keep doing it. I am double checking some suspects address on every credit card purchase, I know more or less the pattern, region and kind of product the fake customer tries to purchase, so if I see the purchase and pattern is suspect, I do a manual review.

The issue is, I might face a strike from the credit card processor due to several purchase attemps with the same name and address. They do understand that I am doing nothing to stop these attempts, like blocking this customer from the website, for instance.

I know that because I got my account suspended from another credit card processor due to the same reason.
It had stopped for a while, but now, knowing that they managed to pass through an automatic purchase check (I got them by manual review) they are trying to make new purchases.

What is the reason if they eventually get caught by manual review?
Stress the credit card processor and make the website lose its account with them if they cannot get what they want, at least they screw up the website owner.

So, the goal is not completely stop them from trying to make new purchases, but stop them from trying to do that with the same account.
which is far easier than getting a new customer data and create an account all over again.

The black list could be implemented by a blacklist attribute/module/function, like vat number or e-mail blacklist... Actually I guess using vat number blacklist would be more effective as even if the fake customer tries to create a new account with the same vat number with different e-mails, it would stop them from doing it.

Regards

[addison74]

There are two aspects you need to consider:

1. When someone pays with the card as long as the transaction is processed you are not able to decide if it is a fraud or not. The store is like a man in the middle. Only if a police action is initiated together with the banks involved then you are part of the investigation, but you cannot express our opinion because the decision belongs to the authorities. As long as there is no criminal action you cannot refuse the payment for an order only on the basis of an assumption.

2. We have a lot of elements that can be changed by the attacker like IP, email address, USER_AGENT, name but the card number and the holder remain the same. As commented above @luigifab only with an observer you can analyze this information in the pre-processing phase of bank data. That form should be checked by you before being sent to the card processor. Here are some things that can be illegal, such as storing card information made by the store.

[LuizSantos22]

@addison74
I took into consideration all that
In my country, a site owner if is not confident enough to ship an item, we might cancel or refuse the payment at any time.
As I said, I do know that if the fake customer really wants to keep the "party going", he/she can simply use another customer
data and try all over again. And yes, I do know the pattern and what sells and has a competitive price on the website and
what doesn't.
So if all of a sudden I start selling out like crazy some pretty expensive stuff that does not have competitve price I know
it is an attacker. I do a manual check out like google street or proof of address request and if the buyer fails to do that,
I can simply deny it.

Automatic risk check sometimes approve the purchase and they count that sometimes the automatic check just fails
so that is why I do a manual check and guess what? At 95% of the time, the manual check makes sense, so it is not just
an assumption out of nowhere.

Anyway, I will leave it as a suggestion if someone finds it interesting enough having this feature. Which a lot of other ecommerce platforms have it by default. It might not stop fake customers trying to use stolen credit cards but at least makes their life harder.

Regards
Luiz Santos

[kiatng]

Not sure if this extension helps: https://github.com/riconeitzel/PaymentFilter, you can create a black list customer group and then remove all its payment methods. The customer who is black listed would not be able to checkout.

[addison74]

This seems like a good solution in his case. Once the person is identified you no longer allow him to place the order going through the whole checkout process. Obviously the attacker will make another account, but if there are other added elements that will block him until new ideas he will give up quickly. Please note if you give a try to the extension mentioned by @kiatng check that there are open issues and PRs.

[LuizSantos22]

@kiatng and @addison74
Just to give the feedback. I am testing the module mentioned above and it looks like it is working.
I have created a customer group called "Blacklist" and then, I have used the filter on customer grid to associate that particular customer
to the blacklist group. So now only the payment methods allowed on that group works for that particular customer.

So if anyone wants to use the way I am using follow the steps below:
1 - Install the module mentioned above
2 - Go to Customer/Customer Groups
3 - Add new customer group
4 - Create a new customer group and call it "blacklist" or similar
5 - If you want to allow some payment methods (like bank transfer or online transfer)
you'll need to press control whilst clicking on the payment method you would like to leave enabled.
Hit the "Save" button and that's it.

Associate the customer you want to restric to the customer group with the restricted payment method you've just created

Go to
1 - Customers/Manage customers
2 - Select the blank box on the left aside to the customer name you wish to restrict
3 - On "actions" (on the right) hit the arrow down and you'll see "Assign a Customer group" select it
4 - It will show another option called "Group", hit the arrow down and you'll have all customers
groups available, inclusing the "Blacklist" you created before.
5 - Assign it to the "Blacklist" option and hit "Submit"

Reindex everything and that's it. That customer will only be able to pay by the payment methods enabled
on that group.

Hope that helps someone else

Thank you guys!