| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| v:2.0:fighting-fraud [2017/07/21 01:19] – foxybrett | v:2.0:fighting-fraud [2021/06/09 08:47] (current) – [Extra Setup if you're using a Custom Subdomain] adam |
|---|
| ====== Fraud Prevention in FoxyCart ====== | ====== Fraud Prevention in FoxyCart ====== |
| | |
| | ===== Foxy's Internal Abuse Prevention ===== |
| | |
| | In addition to the options below, we have some systems in place to block more "obvious" fraud. We always recommend relying on your gateway's anti-fraud functionality, but you can rest easy knowing we'll prevent some of the more egregious abuse, before it even reaches your gateway. |
| |
| ===== minFraud in Foxy ===== | ===== minFraud in Foxy ===== |
| |
| ==== What to do with it? ==== | ==== What to do with it? ==== |
| You can enable minFraud in the "payment" page of your [[https://admin.foxycart.com/|FoxyCart admin]]. Simply set it to any number greater than 0 to enable it. Any transaction with a riskScore higher than the number you enter will be declined. | You can enable minFraud in the "payment" page of your [[https://admin.foxycart.com/|FoxyCart admin]]. The integration currently only works with those payment options that are available within the "Let customers pay with a Credit or Debit Card" option on the payment page. Simply set the minFraud score threshold setting within the "Anti-Fraud Integrations" area to any number greater than 0 to enable it. Any transaction with a riskScore higher than the number you enter will be declined. |
| |
| Though every store and customer base will have different riskScore averages, MaxMind's general recommendation is to //definitely// reject anything with a riskScore of 60 or higher, and to screen anything with a riskScore between 4-59. FoxyCart defaults to minFraud //off//, so **our recommendation is**: | Though every store and customer base will have different riskScore averages, MaxMind's general recommendation is to //definitely// reject anything with a riskScore of 60 or higher, and to screen anything with a riskScore between 4-59. FoxyCart defaults to minFraud //off//, so **our recommendation is**: |
| Foxy's [[https://www.google.com/recaptcha/intro/|reCAPTCHA]] integration can be useful to preventing bots from aggressively scripting and pushing through transactions in an automated way. Note that reCAPTCHA is specifically to ensure that a //human// must be behind the request, but it has no opinion on whether that human is an honest person or a fraudster. | Foxy's [[https://www.google.com/recaptcha/intro/|reCAPTCHA]] integration can be useful to preventing bots from aggressively scripting and pushing through transactions in an automated way. Note that reCAPTCHA is specifically to ensure that a //human// must be behind the request, but it has no opinion on whether that human is an honest person or a fraudster. |
| |
| Foxy defaults to reCAPTCHA being off, but has 2 different options: | The setting is shown within the “Anti-Fraud Integrations” section, displayed within the “Let customers pay with a Credit or Debit Card” payment option when enabled. |
| |
| - **Enabled, Always.** As it sounds, this will include reCAPTCHA on every checkout. | <WRAP center round info 95%> |
| - **Enabled, Automatically as Needed.** This will require reCAPTCHA for checkouts loaded by IP addresses that have triggered multiple errors in a preceding window of time. We attempt to set this so it would //very// rarely be shown to a legitimate customer, but would effectively make bot-based bulk fraud impossible. We don't publicize the exact thresholds, and may change them as needed. | If you're using a payment option which is configured outside of the "Let customers pay with a Credit or Debit Card" option, to enable Google reCAPTCHA you'll need to currently enable the "Let customers pay with a Credit or Debit Card" option, set your reCAPTCHA setting as needed, disable the "Let customers pay with a Credit or Debit Card" option again and save. This will be corrected soon so this extra step isn't needed. |
| | </WRAP> |
| | |
| | Foxy defaults to reCAPTCHA being ''Enabled, Automatically as Needed'', and is our recommended setting, but has 3 different options: |
| | |
| | - **Disabled**: turns off reCAPTCHA for your store |
| | - **Enabled, Always**: As it sounds, this will include reCAPTCHA on every checkout. |
| | - **Enabled, Automatically as Needed**: This will require reCAPTCHA only in specific situations when our systems have cause to believe your store needs extra protection. We do not reveal specific behavior here, but broadly: If we detect behavior that makes us think a bot (or botnet) is pushing transactions through without a real human behind it, we will enable reCAPTCHA either for specific IPs or for //all checkout attempts//. We attempt to set this so it would //very// rarely be shown to a legitimate customer, but would effectively make bot-based bulk fraud impossible. |
| |
| Note that reCAPTCHA isn't required for API-based or [[.:unified_order_entry|UOE]]-based transactions. | Note that reCAPTCHA isn't required for API-based or [[.:unified_order_entry|UOE]]-based transactions. |
| | |
| | ==== Extra Setup if you're using a Custom Subdomain ==== |
| | |
| | If you're using a [[.:custom_domain|custom subdomain]], you'll need to do a few extra steps to get your own reCAPTCHA keys. We **STRONGLY RECOMMEND THIS**, as without it a botnet-based card-testing attack could cost hundreds or thousands of dollars in authorization fees. |
| | |
| | - Go to the [[https://www.google.com/recaptcha/admin|Google reCAPTCHA]] admin area. (You'll need to login with your Google Account if you aren't already.) |
| | - Enter a label that'll make it clear what these keys are for. Something like "My Example Store on FoxyCart", perhaps. This is just for your own use. |
| | - Select the reCAPTCHA V2 option, and if given options, choose the "I'm not a robot" option |
| | - Enter the domain that your FoxyCart account's checkout is using. For example, if your domain was ''secure.example.tld'', you'd enter ''example.tld''. Check the checkbox(es) to agree to Google's terms, and submit. |
| | - It should be successful, and take you to a page with your Site Key and Secret Key. |
| | - Copy those two keys into the "payment" page in your FoxyCart admin. (Make sure to put the Site Key in the right input field. Put the "Secret key" into the Foxy admin input for "secret key". |
| | - Save the payment settings in the FoxyCart admin. |
| | - Do some test transactions, if you'd like. (You can set the reCAPTCHA setting in your Foxy settings to "Enabled, Always", then load up your checkout. You should see the reCAPTCHA display on the checkout. Set it back to "Enabled, Automatically…" once you're done, if you'd prefer.) |
| | |
| | ===== FraudLabs Pro ===== |
| | |
| | [[https://www.fraudlabspro.com/|FraudLabs Pro]] has built an anti-fraud integration for Foxy. There's a little setup involved, but there are step-by-step instructions here: |
| | * [[https://wiki.foxycart.com/integration/fraudlabspro|FraudLabs Pro]] |
| |
| ===== Pre-Payment Webhook ===== | ===== Pre-Payment Webhook ===== |
| |
| The [[.:pre_gateway_webhook|pre-payment web hook]] can be used for custom anti-fraud integrations. | The [[pre_payment_webhook|pre-payment web hook]] can be used for custom anti-fraud integrations. |
| | |
| | * [[https://wiki.foxycart.com/integration/fraudlabspro|FraudLabsPro]] has an integration available on our wiki. |
| | * Some of our users have done custom [[https://www.signifyd.com/|Signifyd]] integrations using this functionality. |
