Carding attack on website

Magento 2.3.0 has CSRF protection for Magento\Paypal\Controller\Transparent\RequestSecureToken out of the box. But CSRF token validation is not enough to completely solve this issue. So, to avoid such a vector of attack, the Magento team has decided to introduce Captcha validation for the Payflow Pro payment form, as it can't be completely solved on the Magento side.

You can use the Magento Captcha integration or the ReCaptcha extension. You can now require magento/module-paypal-captcha or magento/module-paypal-recaptcha via Composer (these packages are already published on repo.magento.com) and configure the appropriate Captcha mechanism. Google ReCaptcha is much more secure but requires additional credentials (https://docs.magento.com/m2/ce/user_guide/stores/security-google-recaptcha.html).

You can patch your 2.2.x Magento instance with the CSRF token validation fix (https://github.com/magento/magento2/blob/2.2-develop/app/code/Magento/Paypal/Controller/Transparent/RequestSecureToken.php#L99) but, again, it just mitigates the risks.

Official guide and contacts: https://support.magento.com/hc/en-us/articles/360025515991 (it doesn't contain Captcha installation details).

UPD: The official post was published https://support.magento.com/hc/en-us/articles/360025515991.


I don't have an official answer yet, but I wanted to put my notes here, and an answer seemed more appropriate.

Anyhow, many, including PayPal, have recommended a captcha on the checkout page, but I have yet to find a way to do this that works. I am currently testing one option and will probably post about it if it works, since there's nothing reliable I have found yet.

Another important detail is that I had disabled PayPal Payflow Pro and yet I was still getting hit with credit cards. I think these were automatically rejected due to it being turned off, but the controller remained active, and to me this is a security hole. In fact, the ability to manipulate this controller without going through checkout seems like a security hole to me. The malicious party somehow faked a quote.

I have blocked access to this URL using Cloudflare (the URL is created by Magento\Paypal\Controller\Transparent\RequestSecureToken and is accessible through /paypal/transparent/requestSecureToken/, by the way).

I'm hoping to do 3 things:
1) throttle or block inappropriate access to the aforementioned URL
2) add a captcha
3) look for an existing patch to this.

The only recent and related info I found on this is: https://github.com/magento/magento2/issues/21781

If you're using PayPal Payflow, chances are you are susceptible to this attack.

I am really behind on Magento though (2.2.4) so hopefully this was fixed already and I can blame myself for not updating.
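The throttling goal in the answer above needs a way to tell carding traffic apart from real checkouts. The following is an added example, not code from either answer or from Magento: it scans web server access logs (nginx/Apache combined format) for the /paypal/transparent/requestSecureToken/ endpoint named above and flags two patterns, an IP sending a burst of secure-token requests, and a secure-token request from an IP that never loaded a /checkout page beforehand (the "without going through checkout" behaviour the answer describes). The window and threshold values, the /checkout prefix and the sample log lines are all assumptions made for the example.

```python
"""Flag carding-style traffic against Magento's Payflow Pro secure-token endpoint.

Added example: reads access-log lines and applies two heuristics (burst of
token requests per IP; token request with no preceding checkout page load).
Thresholds and paths are assumptions, not Magento behaviour.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Endpoint served by Magento\Paypal\Controller\Transparent\RequestSecureToken,
# stored normalised (no trailing slash, lower case) so both URL spellings match.
TOKEN_PATH = "/paypal/transparent/requestsecuretoken"
# Assumed prefix of the checkout pages a genuine customer loads first.
CHECKOUT_PREFIX = "/checkout"

# Combined log format; only the fields the heuristics need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # Drop query string and trailing slash, lower-case, so variants compare equal.
        "path": m.group("path").split("?", 1)[0].rstrip("/").lower(),
        "status": int(m.group("status")),
    }


def find_carding(lines, window_seconds=60, burst_threshold=5):
    """Scan log lines in time order; return {ip: sorted list of reasons}.

    burst        more than burst_threshold token requests from one IP within
                 any window_seconds span
    no_checkout  a token request from an IP with no GET of a checkout page in
                 the preceding window_seconds
    """
    window = timedelta(seconds=window_seconds)
    token_hits = defaultdict(deque)  # ip -> timestamps of recent token requests
    last_checkout = {}               # ip -> timestamp of most recent checkout GET
    alerts = defaultdict(set)

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; skip rather than crash the scan
        ip, ts = ev["ip"], ev["ts"]

        if ev["method"] == "GET" and ev["path"].startswith(CHECKOUT_PREFIX):
            last_checkout[ip] = ts
            continue
        if ev["path"] != TOKEN_PATH:
            continue

        # Sliding window: keep only token requests inside the last window_seconds.
        hits = token_hits[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()
        if len(hits) > burst_threshold:
            alerts[ip].add("burst")

        seen = last_checkout.get(ip)
        if seen is None or ts - seen > window:
            alerts[ip].add("no_checkout")

    return {ip: sorted(reasons) for ip, reasons in alerts.items()}


# Constructed sample log (not real traffic): one genuine checkout, one carding
# burst with no checkout page load, one lone token request without checkout,
# and one line that does not parse.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Apr/2019:10:00:00 +0000] "GET /checkout/ HTTP/1.1" 200 5120',
    '203.0.113.10 - - [12/Apr/2019:10:00:25 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 210',
] + [
    f'198.51.100.7 - - [12/Apr/2019:10:01:{sec:02d} +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 210'
    for sec in range(0, 40, 5)
] + [
    '192.0.2.5 - - [12/Apr/2019:10:05:00 +0000] "POST /paypal/transparent/requestSecureToken/?x=1 HTTP/1.1" 200 210',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, reasons in find_carding(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

Run it against a real file by passing `open("access.log")` to `find_carding` instead of `SAMPLE_LOG`; the flagged IPs are candidates for a Cloudflare or nginx block at the edge, which is where the rate limit belongs, since the controller itself stays reachable even when the payment method is disabled.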