The reCAPTCHA v3 module is available to provide added protection against carding attacks and other potentially malicious activities aimed at your Miva store website. This guide will help you understand why we are moving to the new module and help you install it on your site.
The tactics used by hackers and bots are ever-evolving. To protect our store owners’ businesses, stronger security measures are needed. Attackers have found ways to circumvent existing protections, making them ineffective. The reCAPTCHA v3 module is a seamless, easy-to-implement solution that can protect a business’s entire website, not just checkout pages.
For a quick explanation of reCAPTCHA v3, view this Google reCAPTCHA v3 video.
With reCAPTCHA v2, shoppers were required to interact with a website in ways intended to determine whether they were human. For example, a shopper might be shown several pictures and asked to click on all the pictures that had a bicycle in them.
In addition, its scope was limited to only certain pages, such as the payment (OPAY) screen.
Now, with reCAPTCHA v3, the experience is transparent to your shoppers, and it is present on every page of the store, including pages for account creation or form submission. It observes the shopper’s interaction with the pages of your store and creates a score for that shopper, indicating how likely the shopper is to be human. By using this score, a store owner can adjust the threshold for rejecting or allowing actions as needed to best protect their site.
1. Download the module from the app store here: reCAPTCHA v3. Upload it to your Miva store under Domain Settings > Modules.
2. In the Miva admin, click Settings>Modules>Search and search for “reCAPTCHA v3.” In the app’s box, click Install.
3. If you haven’t already, you will need to sign up for an API key pair for your site. You can begin that process with the Google reCAPTCHA create page.
4. Once signed up for reCAPTCHA, copy both the Site Key and the Secret Key from the reCAPTCHA page, and paste them into the corresponding fields at Settings>Utilities>reCAPTCHA v3 Settings. The keys are validated by the Miva admin.
5. Select the actions you want to protect at Settings>Utilities>reCAPTCHA v3 Action Configuration. An action is selected by clicking the slider adjacent to it.
6. Optionally, you can choose to alter the Score Threshold the module will use to score interactions. Google suggests a default value of .5 on a 1.0 scale. A lower score threshold means less scrutiny, while a higher value means more scrutiny of the action. For example, if an action is given a Score Threshold value of 0.0, the module will still validate the reCAPTCHA, but with so little scrutiny that every action is ultimately approved.
As a best practice, it may be a good idea to set the threshold to .0 initially for a few days, which would approve all actions. This allows Google time to collect data, and lets you see the average threshold scores to determine if you need to adjust the 0.5 default score up or down.
Miva logs and compiles all the rejections from a given time period, with the default time period being seven days. The logs are found at Settings>Utilities>reCAPTCHA v3 Rejections. You may have to adjust the score threshold based on the data in the log, and in the reCAPTCHA data from Google.
If, for example, you are seeing a high number of rejections and you fear those rejections may have been incorrect, you may want to lower the threshold. On the other hand, if you are seeing higher than usual traffic, you may want to increase the score threshold to protect against, for example, a bot attack.
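The tuning step described above can be worked through offline. The following is an added example, not code from Miva or the module: it takes scores gathered during the 0.0 observation period and reports what share of each action would be rejected at candidate thresholds. The sample data, the `CREATE_ACCOUNT` label, the rule that a score below the threshold is rejected, and the 40% rejection budget are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample: (action, score) pairs as they might be collected while the
# threshold is 0.0. "AUTH" is the action named on this page; "CREATE_ACCOUNT" is
# a hypothetical label for the Create Account action.
OBSERVATIONS = [
    ("AUTH", 0.9), ("AUTH", 0.9), ("AUTH", 0.7), ("AUTH", 0.7), ("AUTH", 0.5),
    ("AUTH", 0.3), ("AUTH", 0.1), ("AUTH", 0.1),
    ("CREATE_ACCOUNT", 0.9), ("CREATE_ACCOUNT", 0.3),
    ("CREATE_ACCOUNT", 0.1), ("CREATE_ACCOUNT", 0.1),
]

def is_rejected(score, threshold):
    """Assumed rule: reject when the score is below the threshold, so a
    threshold of 0.0 approves everything, as the page describes."""
    if not 0.0 <= score <= 1.0 or not 0.0 <= threshold <= 1.0:
        raise ValueError("scores and thresholds are on a 0.0 to 1.0 scale")
    return score < threshold

def rejection_rates(observations, thresholds):
    """Return {action: {threshold: fraction of that action's requests rejected}}."""
    by_action = defaultdict(list)
    for action, score in observations:
        by_action[action].append(score)
    return {
        action: {
            t: sum(is_rejected(s, t) for s in scores) / len(scores)
            for t in thresholds
        }
        for action, scores in by_action.items()
    }

def highest_threshold_within(rates, max_rejected):
    """Strictest candidate whose rejection rate stays within the owner's budget.
    The rate counts bots and humans alike, so the budget is a judgement call."""
    ok = [t for t, rate in rates.items() if rate <= max_rejected]
    return max(ok) if ok else None

if __name__ == "__main__":
    table = rejection_rates(OBSERVATIONS, [0.0, 0.3, 0.5, 0.7])
    for action, rates in table.items():
        print(action, rates, "->", highest_threshold_within(rates, 0.40))
```

With this constructed data the two actions land on different thresholds, which is why reviewing the scores per action before leaving the 0.0 setting is worth the few days it takes.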
The reCAPTCHA v3 module comes pre-configured to protect several common actions, including things like password reset, payment authorization and customer account creation. It does so by identifying the forms that require selection and then automatically generating the necessary reCAPTCHA for them.
Other actions can be added as well through the use of a code snippet shown below:
Likewise, actions can be excluded from reCAPTCHA v3. For example, if you have the module set up for the Payment Authorization page, but a shopper is going to check out through Bread, which has its own security system, you can tell the module to exclude any payment actions being made through Bread. In addition, the module automatically detects modules that indicate they have off-site checkouts, like PayPal, and those are automatically excluded from verification.
What actions should I use reCAPTCHA v3 to verify at the outset?
Miva recommends using the module on the AUTH action at the very least, and possibly other customer actions as desired, like the Create Account action, which is another frequent bot target.
How can I be sure that legitimate traffic is not being blocked?
While the default threshold setting is typically recommended as 0.5, you can, if you wish, set it to 0.0. This allows all traffic, and will help Google create a behavioral model for your website. Wait a few days, then review the log for data trends and reset the threshold accordingly.
Can I use reCAPTCHA v3 with reCAPTCHA v2?
You can use both if you desire. Using the older version will not interfere with the new, and vice versa.