Bad Actors Targeting WebTrac 3.1 sites without ReCAPTCHA for ETS and CardConnect
We cannot overstate the importance of acting on this alert. Please take this alert seriously. Failure to act may result in WebTrac payments no longer working.
Please read the following and take action IMMEDIATELY if any of it applies to your current RecTrac setup. Contact Vermont Systems Support if you have any questions. We're happy to help!
What is the problem?
Bad actors have found a way to access credit card processing functionality and test forged or stolen credit cards in WebTrac.
Why is this important?
Should hackers utilize the credit card processing capabilities of WebTrac at your Department, your credit card processor could be forced to shut down your online credit card payments for a period of time.
Note: your customers' data and card information are safe with your processor (ETS or CardConnect). The bad actors are using your system to test cards they have obtained somewhere else.
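One way to check payment attempt logs for the pattern described above, a single source trying many different cards with mostly declined results. This is an added example, not Vermont Systems code: the log format, function names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical format (not WebTrac's own log):
# ISO timestamp, source IP, card last four, processor result.
SAMPLE_LOG = """\
2021-03-01T02:00:01 203.0.113.7 1111 DECLINED
2021-03-01T02:00:09 203.0.113.7 2222 DECLINED
2021-03-01T02:00:17 203.0.113.7 3333 DECLINED
2021-03-01T02:00:26 203.0.113.7 4444 APPROVED
2021-03-01T02:00:34 203.0.113.7 5555 DECLINED
2021-03-01T02:00:41 203.0.113.7 6666 DECLINED
2021-03-01T09:15:00 198.51.100.20 7777 DECLINED
2021-03-01T09:16:10 198.51.100.20 7777 APPROVED
2021-03-01T11:30:00 192.0.2.44 8888 APPROVED
"""

def parse(log_text):
    """Yield (time, ip, card, approved) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2], parts[3] == "APPROVED"

def find_card_testing(log_text, window=timedelta(minutes=10),
                      min_cards=5, min_decline_ratio=0.8):
    """Return {ip: (distinct_cards, decline_ratio)} for the worst window per flagged source."""
    by_ip = defaultdict(list)
    for when, ip, card, approved in parse(log_text):
        by_ip[ip].append((when, card, approved))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward to keep it within `window`
            in_window = events[start:end + 1]
            cards = {card for _, card, _ in in_window}
            declines = sum(1 for _, _, ok in in_window if not ok)
            ratio = declines / len(in_window)
            if len(cards) >= min_cards and ratio >= min_decline_ratio:
                flagged[ip] = max(flagged.get(ip, (0, 0.0)), (len(cards), round(ratio, 2)))
    return flagged
```

A household retrying its own card once, like the second source in the sample, is not flagged because only one distinct card is involved.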
What has been done?
We added reCAPTCHA v2 ("I am not a robot") to all screens where a credit card number can be applied/processed throughout WebTrac to prevent bad actors from easily utilizing your WebTrac credit card processing capabilities.
What do I need to do?
1. If using CardConnect - Update to RecTrac 3.1.10.09.01 immediately. To get the update, please log onto the sFTP site and download the patch files from the File Updates And Drivers\RecTrac\3.1\Updates\3.1.10\Builds\Setup_3.1.010.09.01.exe. Refer to the 3.1.10.09.01_documentation. *If fully hosted with Vermont Systems, you are already on the most current version of RecTrac.
2. If using ETS/Elavon - reCAPTCHA logic was added in the 3.1.10.05.04 build. If you are running RecTrac 3.1.10.05.04 or higher, enable reCAPTCHA if it is not already set up. Follow the Knowledge Base article below and review steps 3, 4, 5.
3. Implement new Public and Private reCAPTCHA v2 API keys from Google. Vermont Systems supports reCAPTCHA v2 ("I am not a robot"). Refer to Vermont Systems Knowledge Base KA-01399 - 3.1 Adding WebTrac reCAPTCHA Public and Private Keys in RecTrac. If you already have reCAPTCHA in place, skip to step 4. If you are fully hosted or WebTrac only hosted with Vermont Systems, we will provide you with the keys. Create a case with support or use the online chat and we will give you those keys. If you host your own Web Server, you will need to follow the KB article above to acquire keys.
4. Update your WebTrac checkout screens. If you use custom web checkout screens, these need to be deleted or recreated to accept the new reCAPTCHA fields (when in doubt, delete). Once complete, process a test transaction all the way through. You should now see the reCAPTCHA on the screen before being able to submit payment. If you do not use custom checkout screens, skip this step.
5. * For ETS/Elavon Customers Only - Get a new API Key from ETS/Elavon and enter it in the eComm Request ID field on your WebTrac Credit Card Profile. Contact Marc Rakowski at Elavon (Marc.Rakowski@elavon.com) to request a new key. Have your merchant information (Client ID) available to provide to Marc. If reCAPTCHA was already in place before the receipt of this message, you can ignore this step (an email was sent to all ETS customers in December of 2020 for you to take action). If you have not gotten a new API Key from ETS/Elavon since implementing reCAPTCHA, then do this immediately AFTER Steps 1 - 3, else the bad guys will use the old key and test against your account directly to ETS/Elavon. This applies to Hosted and On-Premise customers.
- ReCAPTCHA will also be present on the following screens, so we encourage you to review these other areas of WebTrac if applicable.
  - WebTrac screens to review under Processing: WebCheckout, ProcessingPrompts
  - WebTrac screens to review under Management: WebBillingUpdate, WebAutoDebit, WebContactUs, TeeTimeProcessing & SAHouseholdAdd
We cannot overstate the importance of taking action if you take payments in WebTrac. Please take this alert seriously. Having reCAPTCHA set up may be a requirement to use WebTrac in a later 3.1.10.09.XX build, so take steps now and avoid payment processing interruptions.