Addressing thousands of declines
Hello all,
We've had a couple days already this month with thousands of declines. Two records (both now deleted) are responsible for 17k+ declines--nearly all by IP. Thankfully, they are being caught and declined. That said, we get these types of attempts, but we're already at 60% of 2019's total declines. I'm just wondering what we can do to prevent these that doesn't also hamper the donor experience. CAPTCHA is available, but I'm not sure that's going to help our conversion (although maybe a worthwhile test).
Anyway, open to ideas beyond that. Thanks in advance!
Comments
Hi JD,
There's a few options here, the BC SPCA had a similar issue a while back- https://spca.bc.ca/donations/make-a-donation/ uses an LO integration for WordPress to deal with this (additional security layers that are unobtrusive to users but block bots/card running).
JD,
Have you contacted Support for help?
...additional security layers that are unobtrusive to users but block bots/card running...
I'm interested. Can you elaborate on what you added?
BPM
Brian Mucha:
...additional security layers that are unobtrusive to users but block bots/card running...
I'm interested. Can you elaborate on what you added?
BPM

Sure, no problem- I added a honeypot trap, timestamp detector, and a measurement of failures per IP address that can result in bans at the plugin level, and I integrated Google's invisible reCAPTCHA v3 (no challenges, just monitors your site behaviour to see if you're a real user and blocks with an error message if you are below a certain human threshold). There's a couple changes/new security things I'll be adding shortly to it as well (the security for the integration changes over time as we swap out old methods via security updates when they are no longer effective). I also encourage clients to install a decent application level firewall/bot list like WordFence security. Overall that cuts down on card running!
Edit: I actually gave a presentation of this at BBCon this year, I've uploaded a pdf if anyone wants to review it.
We also added a honeypot field (https://secure.nationalmssociety.org/site/Donation2?df_id=63293&63293.donation=form1&mfc_pref=T) and made the form two pages. If a bot populates the field, the "next" button doesn't go to the next page. This cut down on the card running as well as those bots creating bogus records in our system. We instituted the honeypot field on our event donation forms (example: https://secure.nationalmssociety.org/site/Donation2?62768.donation=form1&idb=1744579740&df_id=62768&FR_ID=30911&mfc_pref=T&PROXY_ID=9913980&PROXY_TYPE=20) as well but didn't make them two-page forms. We've not seen any decline / issues with completion rates since the switchover.
Hi all,
Thanks for the feedback and considerations. It wasn't quite a priority at the time, but we've started seeing even more declines, especially in the past week -- and even today. So, here I am again.
We don't use WordPress, so the plugin doesn't appear to be an option.
Sean Staggs - It seems your honeypot solution would be most relevant for our purposes. Would you mind sharing how you implemented that field?
Thanks again!
I am interested in this topic too and wanted to see if there is anything we could tap into, because we have also been seeing these carding attempts hitting our donation forms in bulk.
In my opinion, although the honeypot and the other stated solutions will help stem the issue of bots spamming through the front-facing form, they likely won't address those attackers that hit the endpoint without going through the front-facing form (i.e. a cURL POST or REST API submission done directly through tools like Postman).
The non-API Donation 2 forms have that CAPTCHA data element, which I believe is server-side and will likely address the above; however, this is currently not compatible with LO API forms, not to mention the 'intrusive' aspect of adding extra steps for the end user to donate.
Has anyone else experienced this type of carding attack where the hacker might not necessarily hit your actual front-facing form? Pretty sure there's that honeypot schema on the non-API (Donation 2) forms, yet we are still seeing attacks from time to time despite it.
Thanks in advance!
regards,
Daniel
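One endpoint-level control that does apply to direct cURL/Postman submissions is the per-IP failure measurement Sean mentioned earlier in the thread: count gateway declines by source address at the endpoint itself and stop processing further attempts from an address that exceeds a budget. The Node.js code below is an added illustration, not Luminate Online's or the plugin's implementation; the limit of 5 declines per 10 minutes, the 24-hour block, the in-memory store and the sample event stream (TEST-NET addresses) are all constructed assumptions.

```javascript
// Added example (not Luminate Online or plugin code): per-source-IP decline budget
// enforced at the donation endpoint, so it applies regardless of whether the request
// came through the browser form. Thresholds and sample data are assumptions.

const DECLINE_LIMIT = 5;                  // assumed: declines allowed per source per window
const WINDOW_MS = 10 * 60 * 1000;         // assumed: 10-minute sliding window
const BAN_MS = 24 * 60 * 60 * 1000;       // assumed: block length once the budget is spent

class DeclineTracker {
  constructor(limit = DECLINE_LIMIT, windowMs = WINDOW_MS, banMs = BAN_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.banMs = banMs;
    this.declines = new Map();  // ip -> timestamps of recent declines
    this.bans = new Map();      // ip -> time the block expires
  }

  // Ask before sending the card to the gateway. False means the source is blocked now.
  shouldProcess(ip, nowMs) {
    const until = this.bans.get(ip);
    if (until !== undefined && nowMs < until) return false;
    if (until !== undefined) this.bans.delete(ip);   // block has expired
    return true;
  }

  // Record the gateway's answer. Returns true when this decline tripped a block.
  recordResult(ip, declined, nowMs) {
    if (!declined) return false;
    const recent = (this.declines.get(ip) || []).filter(t => nowMs - t < this.windowMs);
    recent.push(nowMs);
    this.declines.set(ip, recent);
    if (recent.length >= this.limit) {
      this.bans.set(ip, nowMs + this.banMs);
      this.declines.delete(ip);
      return true;
    }
    return false;
  }
}

// Replay a stream of [ip, declined, timestampMs] events through a tracker and
// summarise how many attempts reached the gateway, how many were blocked before
// it, and which sources were banned.
function replay(events, tracker = new DeclineTracker()) {
  const summary = { processed: 0, blocked: 0, banned: [] };
  for (const [ip, declined, at] of events) {
    if (!tracker.shouldProcess(ip, at)) { summary.blocked++; continue; }
    summary.processed++;
    if (tracker.recordResult(ip, declined, at)) summary.banned.push(ip);
  }
  return summary;
}

// Constructed sample: one genuine donor who mistypes a card once and then succeeds,
// and one script cycling card numbers from a single address one second apart.
const SAMPLE_EVENTS = [
  ["198.51.100.7", true, 0],
  ["198.51.100.7", false, 30000],
  ...Array.from({ length: 8 }, (_, i) => ["203.0.113.9", true, i * 1000]),
];

module.exports = { DeclineTracker, replay, SAMPLE_EVENTS };
```

In production the counters live in a shared store rather than process memory, the client address is taken from the header your own load balancer sets (never a header the caller controls), and a blocked source should see the same generic error as a decline. Note from the sample that the legitimate donor's single decline never comes near the budget, which is what keeps the control invisible to real donors.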
Sean, is your honeypot solution still working successfully? Would be grateful to hear an update.
Thanks,
Jessica