| v:2.0:fighting-fraud [2018/03/12 21:16] – [Pre-Payment Webhook] foxyjosh | v:2.0:fighting-fraud [2021/06/09 08:47] (current) – [Extra Setup if you're using a Custom Subdomain] adam |
|---|
| |
| ==== What to do with it? ==== | ==== What to do with it? ==== |
| You can enable minFraud in the "payment" page of your [[https://admin.foxycart.com/|FoxyCart admin]]. Simply set it to any number greater than 0 to enable it. Any transaction with a riskScore higher than the number you enter will be declined. | You can enable minFraud in the "payment" page of your [[https://admin.foxycart.com/|FoxyCart admin]]. The integration currently only works with those payment options that are available within the "Let customers pay with a Credit or Debit Card" option on the payment page. Simply set the minFraud score threshold setting within the "Anti-Fraud Integrations" area to any number greater than 0 to enable it. Any transaction with a riskScore higher than the number you enter will be declined. |
| |
| Though every store and customer base will have different riskScore averages, MaxMind's general recommendation is to //definitely// reject anything with a riskScore of 60 or higher, and to screen anything with a riskScore between 4-59. FoxyCart defaults to minFraud //off//, so **our recommendation is**: | Though every store and customer base will have different riskScore averages, MaxMind's general recommendation is to //definitely// reject anything with a riskScore of 60 or higher, and to screen anything with a riskScore between 4-59. FoxyCart defaults to minFraud //off//, so **our recommendation is**: |
| |
| Foxy's [[https://www.google.com/recaptcha/intro/|reCAPTCHA]] integration can be useful to preventing bots from aggressively scripting and pushing through transactions in an automated way. Note that reCAPTCHA is specifically to ensure that a //human// must be behind the request, but it has no opinion on whether that human is an honest person or a fraudster. | Foxy's [[https://www.google.com/recaptcha/intro/|reCAPTCHA]] integration can be useful to preventing bots from aggressively scripting and pushing through transactions in an automated way. Note that reCAPTCHA is specifically to ensure that a //human// must be behind the request, but it has no opinion on whether that human is an honest person or a fraudster. |
| | |
| | The setting is shown within the “Anti-Fraud Integrations” section, displayed within the “Let customers pay with a Credit or Debit Card” payment option when enabled. |
| | |
| | <WRAP center round info 95%> |
| | If you're using a payment option which is configured outside of the "Let customers pay with a Credit or Debit Card" option, to enable Google reCAPTCHA you'll need to currently enable the "Let customers pay with a Credit or Debit Card" option, set your reCAPTCHA setting as needed, disable the "Let customers pay with a Credit or Debit Card" option again and save. This will be corrected soon so this extra step isn't needed. |
| | </WRAP> |
| |
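Review bot: The info box added in the new revision says "This will be corrected soon" with no date or tracking link, so a reader cannot tell whether the enable, set, disable and save workaround still applies; suggest noting when it was written or removing the box once the fix ships. The workaround also has the store temporarily turn on "Let customers pay with a Credit or Debit Card", and the text should say whether that option becomes visible to customers before it is disabled again.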
| Foxy defaults to reCAPTCHA being ''Enabled, Automatically as Needed'', and is our recommended setting, but has 3 different options: | Foxy defaults to reCAPTCHA being ''Enabled, Automatically as Needed'', and is our recommended setting, but has 3 different options: |
| - **Disabled**: turns off reCAPTCHA for your store | - **Disabled**: turns off reCAPTCHA for your store |
| - **Enabled, Always**: As it sounds, this will include reCAPTCHA on every checkout. | - **Enabled, Always**: As it sounds, this will include reCAPTCHA on every checkout. |
| - **Enabled, Automatically as Needed**: This will require reCAPTCHA for checkouts loaded by IP addresses that have triggered multiple errors in a preceding window of time. We attempt to set this so it would //very// rarely be shown to a legitimate customer, but would effectively make bot-based bulk fraud impossible. We don't publicize the exact thresholds, and may change them as needed. | - **Enabled, Automatically as Needed**: This will require reCAPTCHA only in specific situations when our systems have cause to believe your store needs extra protection. We do not reveal specific behavior here, but broadly: If we detect behavior that makes us think a bot (or botnet) is pushing transactions through without a real human behind it, we will enable reCAPTCHA either for specific IPs or for //all checkout attempts//. We attempt to set this so it would //very// rarely be shown to a legitimate customer, but would effectively make bot-based bulk fraud impossible. |
| |
| Note that reCAPTCHA isn't required for API-based or [[.:unified_order_entry|UOE]]-based transactions. | Note that reCAPTCHA isn't required for API-based or [[.:unified_order_entry|UOE]]-based transactions. |
| ==== Extra Setup if you're using a Custom Subdomain ==== | ==== Extra Setup if you're using a Custom Subdomain ==== |
| |
| If you're using a [[.:custom_domain|custom subdomain]], you'll need to do a few extra steps to get your own reCAPTCHA keys. | If you're using a [[.:custom_domain|custom subdomain]], you'll need to do a few extra steps to get your own reCAPTCHA keys. We **STRONGLY RECOMMEND THIS**, as without it a botnet-based card-testing attack could cost hundreds or thousands of dollars in authorization fees. |
| |
| - Go to the [[https://www.google.com/recaptcha/admin|Google reCAPTCHA]] admin area. (You'll need to login with your Google Account if you aren't already.) | - Go to the [[https://www.google.com/recaptcha/admin|Google reCAPTCHA]] admin area. (You'll need to login with your Google Account if you aren't already.) |
| - Enter a label that'll make it clear what these keys are for. Something like "My Example Store on FoxyCart", perhaps. This is just for your own use. | - Enter a label that'll make it clear what these keys are for. Something like "My Example Store on FoxyCart", perhaps. This is just for your own use. |
| - Select the reCAPTCHA V2 option. | - Select the reCAPTCHA V2 option, and if given options, choose the "I'm not a robot" option |
| - Enter the domain that your FoxyCart account's checkout is using. For example, if your domain was ''secure.example.tld'', you'd enter ''example.tld''. Check the checkbox(es) to agree to Google's terms, and submit. | - Enter the domain that your FoxyCart account's checkout is using. For example, if your domain was ''secure.example.tld'', you'd enter ''example.tld''. Check the checkbox(es) to agree to Google's terms, and submit. |
| - It should be successful, and take you to a page with your Site Key and Secret Key. | - It should be successful, and take you to a page with your Site Key and Secret Key. |
| - Save the payment settings in the FoxyCart admin. | - Save the payment settings in the FoxyCart admin. |
| - Do some test transactions, if you'd like. (You can set the reCAPTCHA setting in your Foxy settings to "Enabled, Always", then load up your checkout. You should see the reCAPTCHA display on the checkout. Set it back to "Enabled, Automatically…" once you're done, if you'd prefer.) | - Do some test transactions, if you'd like. (You can set the reCAPTCHA setting in your Foxy settings to "Enabled, Always", then load up your checkout. You should see the reCAPTCHA display on the checkout. Set it back to "Enabled, Automatically…" once you're done, if you'd prefer.) |
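Review bot: In the custom-subdomain steps, the list goes from the page showing the Site Key and Secret Key straight to "Save the payment settings in the FoxyCart admin", and no step in either revision says where the two keys are entered; suggest adding that step between them. The new "STRONGLY RECOMMEND THIS" sentence would be easier to act on if it stated what reCAPTCHA does on a custom subdomain when these keys are missing, so the reader can see why the card-testing cost follows. The reworded reCAPTCHA V2 item is also the only list item without a closing period.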
| ===== Pre-Payment Webhook ===== | |
| |
| The [[pre_payment_webhook|pre-payment web hook]] can be used for custom anti-fraud integrations. Feel free to take advantage of the following pre-built integrations: | ===== FraudLabs Pro ===== |
| | |
| | [[https://www.fraudlabspro.com/|FraudLabs Pro]] has built an anti-fraud integration for Foxy. There's a little setup involved, but there are step-by-step instructions here: |
| * [[https://wiki.foxycart.com/integration/fraudlabspro|FraudLabs Pro]] | * [[https://wiki.foxycart.com/integration/fraudlabspro|FraudLabs Pro]] |
| | |
| | ===== Pre-Payment Webhook ===== |
| | |
| | The [[pre_payment_webhook|pre-payment web hook]] can be used for custom anti-fraud integrations. |
| | |
| | * [[https://wiki.foxycart.com/integration/fraudlabspro|FraudLabsPro]] has an integration available on our wiki. |
| | * Some of our users have done custom [[https://www.signifyd.com/|Signifyd]] integrations using this functionality. |
| | |
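Review bot: The new revision links the same FraudLabs Pro integration page twice, once under the new "FraudLabs Pro" heading and again in the Pre-Payment Webhook list, and spells the name "FraudLabs Pro" in one place and "FraudLabsPro" in the other; suggest keeping a single link, or one spelling with a cross-reference between the sections. The Signifyd bullet links only to the vendor's home page and gives no integration details, so consider stating that no instructions are published or linking to an example.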