Order Validation via Automated Phone Call


pyounan

The module is located here:

 

http://www.oscommerce.com/community/contributions,3493

 

What It Does:

 

This mod will enable you to specify a dollar amount at which, and above, a customer will be contacted by Maxmind's automated telephone validation system. The customer will be instructed in the checkout_payment page that they must enter a phone number at which they will be contacted. The customer will be given a random, 4-digit code by the automated phone call. They will have to enter this random 4-digit code in the Order Confirmation page in order to complete the order.

 

The idea is that fraudsters will not be likely to include a telephone number which may increase their risk of being traced and caught. We have implemented this new system in our store and it works great for what we need to do.

 

NOTES:

 

(1) The customer, once having passed the specified dollar amount, will only have to validate themselves ONE time. All subsequent orders from the same customer id will not be required to validate by phone. This will save you money on wasted phone calls, and also save you from a frustrated customer. They've already validated themselves once, there's no need to do it again.

 

(2) The Validation phone number is stored in a new table column, apart from the regular phone number column. This is by design, and an intended security feature. The customer will not be able to change the phone number via their account page after the phone call has been placed.

 

(3) If you want to validate by phone regardless of order amount, simply set the appropriate value in your Admin screen to zero.

 

KNOWN LIMITATIONS:

 

(1) This contribution will not work with the "Purchase without an account" contribution, because the customer information is not added to the database when using that contribution.

 

(2) This contribution does not differentiate by payment type. If you accept Checks you may not care if the customer validates by phone. However, this initial version will require telephone validation on all orders regardless of payment type.

 

(3) The dollar amount threshold is calculated based on the total product price only. Shipping, handling and tax are not considered.

 

I will try to offer as much support at the forums as possible. If you have a problem with this contribution, please be sure to post your question here. This contribution is released under the GNU license.

 

-Paul Younan

Edited by Johnson

Hi pyounan,

 

Great contribution, we are using it right now. However, there seems to be a bug. Right now we are setting the verification at 250 and although everything turns on and works fine, a customer can actually not enter a telephone number and still go to the confirmation page. Also, even after that, the customer can complete the transaction without entering the verification code (which defeats the whole purpose of having the verification process; we want to stop those customers who did not enter any number or verification number). We have updated the code according to the installation instructions. Are we doing something wrong here? Please let us know.


Hi Kohn,

 

Thanks for the tip. The bug is in checkout_process.php:

 

CHANGE:

 

if ($verificationCode != $randCode) {

 

TO:

 

if ($verificationCode != $randCode || $verificationCode == "") {

 

And you should be all set.

 

The customer will still be able to get to the confirmation page without entering a telephone number, but once they try to confirm the order it will fail unless they have the verification code. We could include some code or javascript on the payment page to make sure the phone number is entered before allowing them to get to the confirmation page, but my thought was that it will not let the order go through anyway, so why bother......at least now that it works the way it's supposed to!

 

Thanks for catching this bug - I also changed it on our website. I will modify the contribution and re-post it.

 

Glad you are enjoying it. Hopefully it will result in less fraud.

 

-Paul

Edited by pyounan

Hi Paul,

 

I changed the code but the order still went through without entering a verification code? Also, I think it's actually a better idea to not let customer go through if no telephone number is entered. I think this would deter the fraudster right there and then. Furthermore, if no telephone is entered, the information is still sent to Maxmind and recorded in the log (just a blank transaction) and this actually confuses us a lot, as we cannot match the phone calls with the attempts. Please advise.

Hi Kohn,

 

You made the change to checkout_process.php and the order is still going through? It's working on my side, I can't imagine what might be letting the order through on your side. Make sure the mtv_verified column in the customers table for that customers_id is set to "0". Remember, it won't prompt the user again if they've already been verified.

 

Let me know what you find out.

 

-Paul


Hi Paul,

 

OK, I tested and verified that if I use PayPal or Money Order, without entering the correct code, I won't pass. However, I am using the PayflowPro contribution and it seems that when I click on Confirm, the checkout_confirmation will use the PayFlowPro module first, bypassing the checkout_process. How can I modify the code so that the verification code is the first thing that confirmation checks? If there's any additional information that you need, please let me know. Meanwhile, keep up the great work :)

 


Hi Paul,

 

Is it possible for you to add the javascript validation for telephone entry at the checkout_payment page? Or is this something that I can find coding for (not a programmer here, but I try my best). Thanks for your help, we are plagued by frauds right now .....

Hi Kohn,

 

I was thinking about that too, but there would be a major problem with the security of it in that some browsers either do not support javascript, or allow the user to turn off the javascript code. In that case, the scammers would be able to simply turn off the javascript on their browsers and bypass the telephone validation.

 

I think it's much safer to have it where it is - on the server side. If someone knows of a way to incorporate the check in the PHP code of the payment page itself, that would be optimal.

 

As for the PayflowPro module, I am not familiar with it since I use the Authorize.net module, but if it is executing that code before the checkout_process code, then that's a problem and we have to put the same code that this mod inserts into checkout_process into the PayflowPro module as well.

 

Can you either post the PayflowPro code, or point me to the mod you are using and I can take a look at it?

 

-Paul


Hi Paul,

 

Thanks for the help. We are using the CardinalCommerce module, which modifies the PayflowPro module. It seems that when you click on the confirm button at checkout confirmation, the module first goes through payer_auth_auth.php, then to checkout_process and by the time it gets to checkout_process the transaction has already completed. Please see the module here:

 

http://www.oscommerce.com/community/contri...search,cardinal

 

Right now a lot of customers (even those who may not be fraudsters) are simply leaving the telephone field blank, and since the checkout_process.php isn't really validating the verification code, all transactions are still going through. That's why I was wondering if there can be some sort of check to have the telephone number entered (kind of like at user registration the telephone number is necessary?)

 

I really appreciate your help and please let me know what you think.

 


Hi Kohn,

 

I think you need to put it in payer_auth_start.php instead:

 

FIND:

 

// avoid hack attempts during the checkout procedure by checking the internal cartID
 if (isset($cart->cartID) && tep_session_is_registered('cartID')) {
   if ($cart->cartID != $cartID) {
     tep_redirect(tep_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'));
   }
 }

 

Immediately after, add the same block of code that you added to checkout_process.php according to the installation instructions. You should be all set - please test and let me know if it works....if it does, we will include the changes to the code for the benefit of others who are using the same payment module you are.

 

I will next look at the registration code to see if we can steal the code that validates that a phone number of some sort was entered.

 

-Paul

Edited by pyounan

Kohn,

 

I don't think you are going to be able to keep the PayPal and Check modules if you want to continue using the PayflowPro module with this contribution.

 

Reason being is this: the PayPal and Check modules go directly from checkout_confirmation to checkout_process (which is what this mod was designed for.)

 

However, if you keep the code in checkout_process (as per the instructions) so that you can verify PayPal orders as well, then there's going to be double code in both auth_start and checkout_process.

 

The people using the PayflowPro module, and who validate with phone, will get past the auth_start check....but they will fail the checkout_process check.

 

Here's two scenarios that will work:

 

(a) you turn off both the PayPal and Check modules (and any other payment modules you use), and only use the PayflowPro.....and

(b) you use the check only in auth_start.....but not in checkout_process

 

OR

 

We have to find a way to carry the $verificationCode, $randCode and $verifyPhone variables throughout the various PayflowPro scripts all the way through to checkout_process.

 

Let me think about this more......in the meantime, if you can test with scenario one above just to be sure it will work with the PayflowPro module, that would be great. Remember to turn off PayPal and Check....and to take out (or comment) the additions to checkout_process.

 

Let me know. I don't have that module installed, or else I could test it myself.

 

-Paul

 

PS - this contribution seems to have disappeared from the osCommerce site. Anyone know what's going on?

Edited by pyounan
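
The two problems raised in this thread (a blank code getting an order through, and a payment module that runs before checkout_process.php) both depend on how and where the server-side check runs. The following is an added example, not code from the contribution: a fail-closed check that records its result in the session, so the same function can be called at every entry point without the code being posted again. The function name, session keys and attempt limit are assumptions.

```php
<?php
// Added example, not the contribution's code. mtv_gate() and the session keys
// mtv_expected, mtv_passed and mtv_tries are hypothetical names.

const MTV_MAX_TRIES = 5; // assumed limit; a 4-digit code has only 10,000 values

/**
 * Returns true only if this checkout has passed phone verification.
 * $session   : server-side session array (e.g. $_SESSION), passed by reference
 * $submitted : code typed by the customer, or null if this script received none
 */
function mtv_gate(array &$session, ?string $submitted): bool
{
    // Verified earlier in this checkout: later entry points pass without
    // needing the code to travel through the payment module's scripts.
    if (!empty($session['mtv_passed'])) {
        return true;
    }

    $expected = $session['mtv_expected'] ?? '';

    // Fail closed: nothing was issued, or either value is not exactly 4 digits.
    // A blank submission can therefore never compare equal to anything.
    if (!preg_match('/^\d{4}$/D', $expected)
        || !is_string($submitted)
        || !preg_match('/^\d{4}$/D', $submitted)) {
        return false;
    }

    // Count well-formed guesses and stop accepting them past the limit.
    $session['mtv_tries'] = ($session['mtv_tries'] ?? 0) + 1;
    if ($session['mtv_tries'] > MTV_MAX_TRIES) {
        return false;
    }

    // String comparison in constant time, with no PHP type juggling.
    if (!hash_equals($expected, $submitted)) {
        return false;
    }

    $session['mtv_passed'] = true;      // remembered server-side
    unset($session['mtv_expected']);    // the code is single-use
    return true;
}

// Constructed walk-through of the cases discussed in the thread.
$s = [];                           // no call placed, so no code was issued
var_dump(mtv_gate($s, ''));        // blank code posted
$s = ['mtv_expected' => '4821'];   // constructed sample code
var_dump(mtv_gate($s, ''));        // phone entered, code left blank
var_dump(mtv_gate($s, '4821'));    // first entry point, e.g. payer_auth_start.php
var_dump(mtv_gate($s, null));      // second entry point, e.g. checkout_process.php
```

Calling the gate at the top of every script that can authorize or finalize a payment means adding a payment module cannot open a path around it.
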

Hi Paul,

 

OK, actually the code should be in payer_auth_start.php, not in auth_auth.php. After moving the code from checkout_process to auth_start.php it works now as intended. I think it's more critical for this check to be for payflowpro since paypal has some sort of registration in place. Great, now we have it working!! I am still wondering if there can be some kind of check that's not exactly like javascript but more like requiring the user to enter the phone number at the checkout_payment page. Is this possible? Meanwhile, the contribution seems to be gone 2 days ago, sorry I failed to let you know, I thought it was a glitch. This contribution really should be there. I think it'll help us little merchants a lot! Once again, thank you Paul for your help :) :)

 


Kohn,

 

I'm very happy it's working for you. We were getting killed on fraud charges, and not one has come in since this telephone validation was developed.

 

Since the contribution is missing in action, add this to the orders.php page in your admin screen:

 

FIND:

 

<tr>
               <td class="main"><b><?php echo ENTRY_EMAIL_ADDRESS; ?></b></td>
               <td class="main"><?php echo '<a href="mailto:' . $order->customer['email_address'] . '"><u>' . $order->customer['email_address'] . '</u></a>'; ?></td> 
</tr>

 

IMMEDIATELY AFTER, ADD:

 

<!-- BEGIN Maxmind -->
             <?php
               // look up the validation phone number and code stored for this customer;
               // the id is cast to int before it goes into the query
               $maxmind_query = tep_db_query("select mtv_phone, mtv_verification_code from " . TABLE_CUSTOMERS . " where customers_id = '" . (int)$order->customer['id'] . "'");
               $maxmind_results = tep_db_fetch_array($maxmind_query);
             ?>
             <tr>
               <td class="main"><b>Customer ID:</b></td>
               <td class="main"><?php echo (int)$order->customer['id']; ?></td>
             </tr>
             <tr>
               <td class="main"><b>Verification Phone:</b></td>
               <!-- customer-entered value: escape it before output in the admin page -->
               <td class="main"><?php echo htmlspecialchars($maxmind_results['mtv_phone']); ?></td>
             </tr>
             <tr>
               <td class="main"><b>Validation Code:</b></td>
               <td class="main"><?php echo htmlspecialchars($maxmind_results['mtv_verification_code']); ?></td>
             </tr>
             <!-- END Maxmind -->

 

You will be able to see the phone number and validation code for the order.

 

Still thinking about the phone check on the payment page.....I will let you know soon. You know, they can still enter a fake number there (like an 800-number) and they still will get to the confirmation page.....but the order won't go through without the right validation code, so no worry there.

 

-Paul


Hi Paul,

 

Sorry for the late reply, I was traveling. That was an excellent mod, now we can double check on the telephone number.

 

As for the telephone requirement, I still would like to see it implemented. If the customer enters some fake number, it immediately confirms that they are not willing to show their telephone number - hence it's even more likely to be a fraud. Remember that because we are using the PayflowPro module by CardinalCommerce, the PayPal and Money Order orders can still go through without customers entering a phone number, or a verification code, so I think this is still needed. Also, it's more professional - you ask customer to enter a code, but you let them pass without entering it, seems kind of sloppy?

 

Let me know of your thought on this and if it's possible (I know I am really pushing it here ... :blush: )

 

Once again, thanks for the help.

Hi Kohn,

 

Sorry about the delay - I was travelling too.

 

In checkout_confirmation.php, find the following:

 

// load the selected payment module
 require(DIR_WS_CLASSES . 'payment.php');
 $payment_modules = new payment($payment);

 

Immediately above that, add the following:

 

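// Begin Maxmind
// Server-side check: require a phone number before the confirmation page
// when phone validation is on and the cart total meets the threshold.
if (MTV_ON == 'true') {
  if ($cart->show_total() >= MTV_ORDER_AMOUNT) {
    if ($phoneVerify) {
      // send the customer back to the payment page if the number is missing or shorter than 10 characters
      if ($phone == "" || strlen($phone) < 10) {
        tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'error_message=' . urlencode("You must enter a telephone number for validation!"), 'SSL', 'true'));
      }
    }
  }
}
// End Maxmind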

 

Now, they will have to enter a 10-digit phone number in order to get through.

 

-Paul


  • 3 months later...

Hi:

I want to use this module, but the link to the module doesn't work.

 

please help.

 

John

 

 

 


Hey John,

 

For some reason the contribution was removed by the site administrators.

 

For a copy of it, you can visit:

 

http://www.maxmind.com/app/telephone_api

 

The direct link to the zipped contribution is:

 

http://www.maxmind.com/download/telv/contr...ByPhoneV1.1.zip

 

Let me know if it works out OK for you.

Paul


Worked great. Thanks a lot.

 

This service is excellent!

 

John.

 

 
