Combating Card Fraud (or at least slow it down)

by damonp on March 15, 2007

in Ecommerce, Security

I have a major client whose Authorize.net gateway account gets hit with charge attempts, sometimes hundreds of times a day. Most are posted by an automated script from IPs in Indonesia or Eastern Europe, trying to find a valid credit card number and security code. Fortunately, it hasn’t cost the client any money directly yet. Out of the thousands of attempts in the last few months, only a couple of charges actually captured funds from the stolen card information, and all of these were promptly cancelled after review.

In discussions with this client, we came up with the following options. They are listed in order of ease of implementation and least impact on legitimate customers.

  1. Require only a billing address and plainly state that all orders ship only to the billing address
  2. Require the card billing address and the shipping address to be in the same country, or deny the order before it goes to authorization
  3. Require all international orders to go through PayPal so the whole process can’t be automated (or allow orders from countries with a low fraud percentage to use a credit card directly and route all others through PayPal)
  4. Automatically log the user out after X failed attempts
  5. Automatically block the IP address after X failed attempts, for a period of a few hours to a day or two
  6. Match the customer’s IP address to the billing / shipping country before going to authorization
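To make options 2, 4, 5 and 6 concrete, here is an added example (not code from the original post or from the client's site) of a screening step that runs before any request is forwarded to the payment gateway. The thresholds, the `FraudGate` class, and the tiny prefix-based `ip_country` lookup are all assumptions for illustration; a real deployment would back the lookup with a geolocation database. Unknown IPs are allowed through on purpose so a missing geo entry never locks out a legitimate customer, and the gateway's decline is fed back so the counters only count real failures.

```python
"""Layered pre-authorization screening for a card checkout (added illustration).

Layers, following the list above:
  - billing and shipping country must match (option 2)
  - a session is ended after MAX_SESSION_FAILURES declined charges (option 4)
  - an IP is blocked for BLOCK_SECONDS after MAX_IP_FAILURES declines (option 5)
  - the customer's IP must geolocate to the billing country (option 6)
Only requests that pass every layer are forwarded to the gateway.
"""
import time
from collections import defaultdict

MAX_SESSION_FAILURES = 3        # assumed threshold for option 4
MAX_IP_FAILURES = 5             # assumed threshold for option 5
BLOCK_SECONDS = 6 * 3600        # assumed block length: "a few hours"

# Constructed stand-in for an IP-to-country lookup. The prefixes use the
# documentation ranges (RFC 5737) and the country codes are made up.
FAKE_GEO = {"203.0.113.": "ID", "198.51.100.": "US", "192.0.2.": "RO"}


def ip_country(ip):
    """Return an ISO country code for ip, or None when it is unknown."""
    for prefix, cc in FAKE_GEO.items():
        if ip.startswith(prefix):
            return cc
    return None


class FraudGate:
    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable for testing
        self.session_failures = defaultdict(int)
        self.ip_failures = defaultdict(int)
        self.ip_blocked_until = {}
        self.ended_sessions = set()

    def screen(self, order):
        """Return (allowed, reason). Called before the gateway is contacted."""
        ip, session = order["ip"], order["session"]
        now = self.clock()
        if session in self.ended_sessions:
            return False, "session ended after repeated failures"
        until = self.ip_blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False, "ip temporarily blocked"
            del self.ip_blocked_until[ip]        # block expired: start fresh
            self.ip_failures[ip] = 0
        if order["billing_country"] != order["shipping_country"]:
            return False, "billing/shipping country mismatch"
        geo = ip_country(ip)
        if geo is not None and geo != order["billing_country"]:
            return False, "ip country does not match billing country"
        return True, "ok"

    def record_result(self, order, approved):
        """Feed the gateway's answer back so the failure counters stay current."""
        ip, session = order["ip"], order["session"]
        if approved:
            self.session_failures[session] = 0
            return
        self.session_failures[session] += 1
        self.ip_failures[ip] += 1
        if self.session_failures[session] >= MAX_SESSION_FAILURES:
            self.ended_sessions.add(session)
        if self.ip_failures[ip] >= MAX_IP_FAILURES:
            self.ip_blocked_until[ip] = self.clock() + BLOCK_SECONDS


def card_testing_burst(n, same_session=True):
    """Constructed sample traffic: n attempts from one IP, billing US, shipping US."""
    return [{"ip": "198.51.100.7", "session": "s1" if same_session else f"s{i}",
             "billing_country": "US", "shipping_country": "US"} for i in range(n)]


def simulate(attempts, gate=None):
    """Run attempts through the gate and count how many reach the gateway.
    Every forwarded attempt is treated as declined, which is what a burst of
    card testing looks like from the merchant's side."""
    gate = gate or FraudGate()
    forwarded = 0
    for order in attempts:
        allowed, _ = gate.screen(order)
        if allowed:
            forwarded += 1
            gate.record_result(order, approved=False)
    return forwarded


if __name__ == "__main__":
    print("same session, 20 tries ->", simulate(card_testing_burst(20)), "reached gateway")
    print("new session each try   ->", simulate(card_testing_burst(20, False)), "reached gateway")
```

The two simulations show why the layers complement each other: a script that keeps one session is cut off by the session limit, and a script that opens a fresh session per attempt is cut off by the per-IP limit, while a customer who mistypes a card number a couple of times is not affected by either.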

My thinking is that the better methods slow down requests so that automated script-kiddie tools keep failing, while legitimate users who are simply having trouble are not completely prevented from checking out. A more robust system would also combine several layers of protection, just as a multi-layered approach to server security beats putting all of your eggs in the single proverbial basket in the long run.

Over the course of the next few weeks I will implement some of these options and dream up more if necessary. Stay tuned for updates.

Should your site be experiencing similar issues, contact me to discuss options.

Note

Maxmind supplies a free IP to country database in CSV format along with their commercial IP database products.
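As an added example (not from the original post, and not MaxMind's own code), here is how a range-based country CSV of that kind can be loaded into a lookup suitable for option 6. The column layout assumed below (start IP, end IP, start integer, end integer, ISO country code, country name) and the three sample rows are constructed for illustration; check the header of the file you actually download before relying on the column positions.

```python
"""Country lookup from an IP-range CSV (added illustration).

Assumed column layout per row:
  "start_ip","end_ip","start_int","end_int","country_code","country_name"
The sample rows are constructed test data, not the real database.
"""
import bisect
import csv
import io
import ipaddress

SAMPLE_CSV = '''"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"203.0.113.0","203.0.113.255","3405803776","3405804031","ID","Indonesia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
'''


def load_ranges(text):
    """Parse the CSV into parallel lists (starts, ends, codes) sorted by start.

    Range bounds are derived from the dotted-quad columns so the integer
    columns need not be trusted (some variants of this format omit them).
    """
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue                       # header or malformed line
        try:
            lo = int(ipaddress.IPv4Address(row[0]))
            hi = int(ipaddress.IPv4Address(row[1]))
        except ValueError:
            continue
        rows.append((lo, hi, row[4]))
    rows.sort()                            # bisect needs ascending starts
    starts = [r[0] for r in rows]
    ends = [r[1] for r in rows]
    codes = [r[2] for r in rows]
    return starts, ends, codes


def country_for_ip(ip, table):
    """Binary-search the range table; return the country code or None."""
    starts, ends, codes = table
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right(starts, n) - 1
    if i >= 0 and starts[i] <= n <= ends[i]:
        return codes[i]
    return None


if __name__ == "__main__":
    table = load_ranges(SAMPLE_CSV)
    for probe in ("1.0.2.7", "203.0.113.9", "9.9.9.9"):
        print(probe, "->", country_for_ip(probe, table))
```

A file with a few hundred thousand ranges fits comfortably in memory this way, and each lookup is a single bisect, so the check costs nothing noticeable per checkout.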


Damon Parker is a freelance sysadmin and web developer in Texas. He specializes in server setup, server security and high performance server configurations. Need help setting up a web server or getting a server back online after a crash or hack? Email Damon
