What are the challenges for the Baltic's largest game code online store?
The dream of every e-shop is to reach as many customers as possible and grow as big as possible. However, achieving this comes with several different challenges.
Punktid.com which sells various digital products from games to antiviruses, was established in 2009. The site has 100,000 - 200,000 monthly users and has been translated into seven different languages. The customer receives the products that are sold on the page immediately after the successful completion of the purchase. Still, the purchase process itself contains many different risks and challenges, which we can conditionally divide into three major categories:
- challenges with fraudsters
- system monitoring
- page security
We will look at these three points in more detail and give recommendations that ensure the system works smoothly without major problems.
1. Challenges with fraudsters
Since you can buy products on the Punktid.com website that are disposable immediately after making the purchase, it attracts a lot of people who try to outwit the system and create benefits for themselves in a malicious way.
Fraudsters typically try to buy products with stolen accounts or in bulk and later claim that someone got into their account and didn't want to purchase the product themselves.
This may entail an obligation for the company to reimburse the customer. However, the product cannot be put up for sale again, as the product was a single-use code, which has already been used by that time. In addition, it is a huge waste of time and a big headache for everyone in this situation.
How to avoid such situations?
Ask the customers for the necessary data
One of the ways is to oblige the customer to provide the necessary information about himself so that the correct buyer can be verified and to ensure the user's payment account has not been stolen.
This works effectively with the PayPal payment solution. First, to make a payment, the user must create an account for themselves, ensuring that we know their correct e-mail address (the user must confirm the account via e-mail and log in to make the purchase).
In addition, before we allow the customer to pay, they must also verify their phone number. If we have the user's e-mail and phone number, after making the payment, we can compare whether the contact details of his registered account match the contact details in PayPal. A big red flag is if they don't match, and then we have the opportunity to check the order manually.
Another security measure is that we always send purchased products to the e-mail used to register the PayPal account. This ensures that the products reach the genuine buyer's e-mail, even if the purchase was made with a stolen payment account.
Other scenarios when the order needs to be manually reviewed:
- the same person has placed several orders in a row in a short period
- the order contains a large number of products
- the cost of the order is an unusually large sum
- a suspicious order has already been flagged with an e-mail
These are some examples of what kind of transactions the system detects. We can cancel a relatively large number of fraudulent orders by manual order review.
Set payment limits
Each user registered and who has made a purchase is assigned a personal purchase level on the page - bronze, silver or gold. Each customer's level depends on how much they have purchased in the last year.
User bonus levels can also be used to mitigate risks from fraudsters. A customer who has made several previous purchases without problems is a sign that their future purchases will probably be successful and problem-free.
Based on the above, we can set payment limits for users. For example, a "Gold" status user can buy products for 500€ per week, while a "Bronze" level user can buy a few hundred euros.
Remove security holes from the system
When developing a system, someone must constantly review the code written by another programmer (Code review).
For example, we once identified a person who had found a way to outwit the system and get the products without paying for them. Since this fraudster bought very rarely and for small enough amounts, we could not flag the fraud for a long time. This enabled the fraudster to collect free products worth several thousand euros for themselves over several years.
Such misediting was possible because one of the developers of the page forgot to remove a line from the code that prevented verification of the bank payment. This means that if a person knows the correct URL to which the user will go after a successful payment, it was easy for them to get free products.
All you had to do was go to the correct link. Consequently, it is essential always to use a second pair of eyes who will check the code and reduce the probability that such code will be uploaded to the website.
Try to think through the eyes of a fraudster
As we mentioned, users must verify their phone number when paying with PayPal. In itself, it seems simple: The user enters a phone number. A code is sent to them. They enter the code that was sent to them. They're done.
This way, the user proves that it is their phone number.
At first glance, it is a fairly rock-solid solution that is difficult for anyone to turn against us. However, it was still possible to create a fraud scheme and cause financial loss. On the first day, we got an invoice for over €600, where one confirmation of a phone number cost only a few cents. The given solution started spamming and thus created an account on the punktid.com page.
Fortunately, the solution here was simple. We allowed a maximum of 10 phone number verifications per logged-in user and from each IP address. Since it was no longer possible to make unlimited confirmations, the problem disappeared.
What did we learn? It is always important - even in the case of an apparently very foolproof system - to think through all possible aspects and situations in which a malicious user might be able to abuse the system.
2. System monitoring
In order to be aware of what exactly is happening in the system, it must be monitored. The main things to monitor: whether the system is fast enough, whether the ordering works correctly whether the external connections of the system are in working order.
The first monitoring tool is Cloudflare. First, Cloudflare helps to make the page faster by being able to provide customers with pre-stored content (the system does not have to generate the page from scratch for each visitor).
In addition, it makes the page more secure, allowing you to repel cyber-attacks (such as a DDoS attack). It also allows you to monitor the traffic on the page. Regarding monitoring, Cloudflare notifies you via e-mail when an unusually high amount of traffic has entered the page. If such a message comes, you can immediately react and see if it is an attack and if all the critical systems of the page are functioning correctly.
DigitalOcean is an environment where you can manage your servers and databases. In addition, DigitalOcean offers good monitoring options. There it is possible to monitor, for example, page processor load, data volume, database load, ongoing database queries and much more.
DigitalOcean allows you to set monitoring notifications as you wish. For example, a corresponding notification will appear if the processor load has been over 50% for the last 10 minutes. However, notifications for this environment come to Slack, not to e-mail.
Again, this is a good way to receive notifications because in Slack, you can put all the people who need to be notified in one channel. In this case, there is an opportunity for the team dealing with the problem to communicate immediately. Everyone is informed whether the problem is being dealt with and what is the current situation.
Cloudflare and DigitalOcean help monitor the general state of the system, but it is also necessary to know what is happening inside the system and in the so-called corners. A separate monitoring system has been created to obtain information about the internal life of the system.
In addition, a separate page has been built into the Punktid.com system, where you can check whether all the necessary parts of the system are in working order and not working too slowly.
For example, it is possible to monitor whether…
- system database queries are fast enough
- different API connections work
- log/database connections are working
If the monitoring system finds that some part of the system does not meet the set criteria or some external interface does not work, the system will send an e-mail to the necessary parties.
It is also an excellent way to ensure everything in the system is in order and that the most critical parts of the system are working correctly. In the future, a completely separate monitoring server will also be added, where you can begin to monitor the system's operation even more precisely.
3. Page security
In order for the sale of products to work successfully and for both products and user information to be protected, it is crucial that the page is secure and that only authorized persons have access to the information.
Because of this, the following has been implemented on the Punktid.com page:
- IP restrictions to the administration environment and servers
- two-step verification for all accounts + servers associated with the page
- roles and rights for users in the administration environment of the page according to their needs
- great emphasis is placed on possible security updates.
Here are some ways that Punktid.com implements on its site so that the e-shop can deliver and grow sustainably. It is essential to ensure page speed, security and efficient operation of systems.
In addition, it is important to have an overview of what is happening in your system because then you do not have to constantly worry about outsiders accessing your systems and confidential information.