
Delete Mass Pending Invoices



My issue is a little more sinister. The site was being used for 'card testing' by fraudsters. They were firing thousands of £1 payments from different credit card numbers through the Stripe integration (about 10 per second) using the Donation Goals system.

This killed the site completely and I had to mitigate via the host's CP, blocking the offending IPs being used by the bots.

They were doing this in order to discover which of the cards weren't blocked. Of the 48,000 odd transactions, only 31 were accepted but I still have 48,000 blocked transactions in my log.

I have been advised by Stripe to refund the 31 good transactions to prevent any disputes, but that means I'm still out-of-pocket for the fees. Thank goodness most of them didn't get through.

IMHO we desperately need something adding in as friction to prevent this. Either captcha or the means to exclude Guests from accessing the Donation Goals block and subsequent form fields.

Even the ability to exclude Cards as a payment option for Donation Goals and any other public facing products/services would be a step forward.

Edited by JohnDar

On 8/24/2022 at 11:58 PM, Phillyman said:

Should be donate or buy, what if you have a cheap $5 product, and they just hammer that all day long?

You could probably prevent this for purchases using Payments > Settings > Anti Fraud Rules.

Maybe set the value for the lower priced items and then a rule that rejects after one blocked payment. Another option would be to block payments from Guests altogether.

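The kind of friction discussed in the two posts above (a burst of small payments with many different cards from one source, and a rule that rejects after one blocked payment), sketched as an added example that is not part of the original thread and is not Invision Community or Stripe code. The class and function names, the thresholds, the per-IP keying and the sample log are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    ts: float       # seconds since start of the log
    source: str     # client IP or guest session id (assumed key)
    card_fp: str    # processor-side card fingerprint, never the card number
    approved: bool  # result returned by the payment processor

class VelocityGate:
    """Per-source sliding window: hold a source for review once it shows
    too many declines or too many distinct cards inside the window."""

    def __init__(self, window_s=60.0, block_after_declines=1, max_cards=2):
        self.window_s = window_s
        self.block_after_declines = block_after_declines
        self.max_cards = max_cards
        self.recent = defaultdict(deque)  # source -> attempts inside the window
        self.blocked = set()              # sources rejected until reviewed

    def allow(self, source):
        """Call before sending a charge to the payment processor."""
        return source not in self.blocked

    def record(self, a):
        """Call with the processor's result for an attempt that was sent."""
        q = self.recent[a.source]
        q.append(a)
        while a.ts - q[0].ts > self.window_s:  # drop attempts older than the window
            q.popleft()
        declines = sum(not x.approved for x in q)
        cards = len({x.card_fp for x in q})
        if declines >= self.block_after_declines or cards > self.max_cards:
            self.blocked.add(a.source)

def replay(attempts, gate):
    """Feed a log through the gate; return (sent_to_processor, rejected_locally)."""
    sent = rejected = 0
    for a in sorted(attempts, key=lambda x: x.ts):
        if gate.allow(a.source):
            gate.record(a)
            sent += 1
        else:
            rejected += 1
    return sent, rejected

# Constructed sample log: one bot source trying 200 different cards at 10 per
# second (every 40th approved), plus one real donor making a single payment.
BOT = [Attempt(i / 10, "198.51.100.7", f"fp{i}", i % 40 == 39) for i in range(200)]
DONOR = [Attempt(5.0, "203.0.113.20", "fp-donor", True)]
```

A per-source limit only covers traffic that reuses a source, so a run spread across many IPs still needs a site-wide control such as a CAPTCHA or member-only checkout.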

It seems to me that the biggest problem is that donations cannot be set only for logged-in users and do not have any CAPTCHA security.

Through site.com/clients/donations/ you can create thousands of pending invoices as a guest.

  Edit:

17 minutes ago, Daniel F said:

hence our change to allow it only for members 

very good decision 👍

Edited by SeNioR-

On 8/24/2022 at 5:52 PM, JohnDar said:

Good news.

This issue is being addressed in the next update (4.7.2). It will no longer be possible for non-members to Donate.

That's bad actually - why would you want to force donors to register? Then deal with forum account deletion requests...

Just don't save any pending invoice/transaction for a guest. If the transaction is not completed, it's not completed.

 

Edited by AlexJ

23 minutes ago, AlexJ said:

That's bad actually - why would you want to force donors to register? Then deal with forum account deletion requests...

Just don't save any pending invoice/transaction for a guest. If the transaction is not completed, it's not completed.

 

I am just going to have another button for PayPal for guest donations.


  • 2 weeks later...
On 8/25/2022 at 10:13 PM, Daniel F said:

Donations work different to purchases in IPS, which was the reason why it was so easy to abuse the system as guest, hence our change to allow it only for members 


I saw a note in release notes. Can you please re-evaluate this fix? I don't want to FORCE users, just to donate on our site. 

I also host my site in Europe but I am from US and not fully aware of EU regulations .. but what opentype is saying is true, I will have another issue to deal with. Please review your changes. - Thanks

On 8/26/2022 at 2:20 PM, opentype said:

It’s a quick “fix”, but a proper guest checkout should come anyway to comply with EU regulations. 

https://invisioncommunity.com/forums/topic/467795-commerce-app-requirement-for-guest-checkout/
