| v:2.0:fighting-fraud [2019/04/22 19:21] – [Pre-Payment Webhook] foxybrett | v:2.0:fighting-fraud [2021/06/09 08:47] (current) – [Extra Setup if you're using a Custom Subdomain] adam |
|---|
| |
| ==== What to do with it? ==== | ==== What to do with it? ==== |
| You can enable minFraud in the "payment" page of your [[https://admin.foxycart.com/|FoxyCart admin]]. Simply set it to any number greater than 0 to enable it. Any transaction with a riskScore higher than the number you enter will be declined. | You can enable minFraud in the "payment" page of your [[https://admin.foxycart.com/|FoxyCart admin]]. The integration currently only works with those payment options that are available within the "Let customers pay with a Credit or Debit Card" option on the payment page. Simply set the minFraud score threshold setting within the "Anti-Fraud Integrations" area to any number greater than 0 to enable it. Any transaction with a riskScore higher than the number you enter will be declined. |
| |
| Though every store and customer base will have different riskScore averages, MaxMind's general recommendation is to //definitely// reject anything with a riskScore of 60 or higher, and to screen anything with a riskScore between 4-59. FoxyCart defaults to minFraud //off//, so **our recommendation is**: | Though every store and customer base will have different riskScore averages, MaxMind's general recommendation is to //definitely// reject anything with a riskScore of 60 or higher, and to screen anything with a riskScore between 4-59. FoxyCart defaults to minFraud //off//, so **our recommendation is**: |
| |
| Foxy's [[https://www.google.com/recaptcha/intro/|reCAPTCHA]] integration can be useful to preventing bots from aggressively scripting and pushing through transactions in an automated way. Note that reCAPTCHA is specifically to ensure that a //human// must be behind the request, but it has no opinion on whether that human is an honest person or a fraudster. | Foxy's [[https://www.google.com/recaptcha/intro/|reCAPTCHA]] integration can be useful to preventing bots from aggressively scripting and pushing through transactions in an automated way. Note that reCAPTCHA is specifically to ensure that a //human// must be behind the request, but it has no opinion on whether that human is an honest person or a fraudster. |
| | |
| | The setting is shown within the “Anti-Fraud Integrations” section, displayed within the “Let customers pay with a Credit or Debit Card” payment option when enabled. |
| | |
| | <WRAP center round info 95%> |
| | If you're using a payment option which is configured outside of the "Let customers pay with a Credit or Debit Card" option, to enable Google reCAPTCHA you'll need to currently enable the "Let customers pay with a Credit or Debit Card" option, set your reCAPTCHA setting as needed, disable the "Let customers pay with a Credit or Debit Card" option again and save. This will be corrected soon so this extra step isn't needed. |
| | </WRAP> |
| |
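Review bot: The workaround in the added info box ends with "This will be corrected soon", which carries no date or version and will go stale; tie it to a release or ticket, or drop the sentence. The box should also say how a merchant confirms the reCAPTCHA setting is still in effect after the card option is disabled again, since the added line above it says the setting is only displayed while that option is enabled.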
| Foxy defaults to reCAPTCHA being ''Enabled, Automatically as Needed'', and is our recommended setting, but has 3 different options: | Foxy defaults to reCAPTCHA being ''Enabled, Automatically as Needed'', and is our recommended setting, but has 3 different options: |
| - **Disabled**: turns off reCAPTCHA for your store | - **Disabled**: turns off reCAPTCHA for your store |
| - **Enabled, Always**: As it sounds, this will include reCAPTCHA on every checkout. | - **Enabled, Always**: As it sounds, this will include reCAPTCHA on every checkout. |
| - **Enabled, Automatically as Needed**: This will require reCAPTCHA for checkouts loaded by IP addresses that have triggered multiple errors in a preceding window of time. We attempt to set this so it would //very// rarely be shown to a legitimate customer, but would effectively make bot-based bulk fraud impossible. We don't publicize the exact thresholds, and may change them as needed. | - **Enabled, Automatically as Needed**: This will require reCAPTCHA only in specific situations when our systems have cause to believe your store needs extra protection. We do not reveal specific behavior here, but broadly: If we detect behavior that makes us think a bot (or botnet) is pushing transactions through without a real human behind it, we will enable reCAPTCHA either for specific IPs or for //all checkout attempts//. We attempt to set this so it would //very// rarely be shown to a legitimate customer, but would effectively make bot-based bulk fraud impossible. |
| |
| Note that reCAPTCHA isn't required for API-based or [[.:unified_order_entry|UOE]]-based transactions. | Note that reCAPTCHA isn't required for API-based or [[.:unified_order_entry|UOE]]-based transactions. |
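Review bot: In the rewritten "Enabled, Automatically as Needed" item, the closing sentence "We attempt to set this so it would very rarely be shown" was carried over from the old text, where "this" pointed at the per-IP error thresholds; the new text no longer mentions thresholds, so the antecedent is unclear. The new wording also adds that reCAPTCHA may be switched on for all checkout attempts, so state plainly that every customer can see the challenge while that is active, and consider keeping the old remark that the behavior may change as needed.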
| ==== Extra Setup if you're using a Custom Subdomain ==== | ==== Extra Setup if you're using a Custom Subdomain ==== |
| |
| If you're using a [[.:custom_domain|custom subdomain]], you'll need to do a few extra steps to get your own reCAPTCHA keys. | If you're using a [[.:custom_domain|custom subdomain]], you'll need to do a few extra steps to get your own reCAPTCHA keys. We **STRONGLY RECOMMEND THIS**, as without it a botnet-based card-testing attack could cost hundreds or thousands of dollars in authorization fees. |
| |
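Review bot: The recommendation added to the custom-subdomain paragraph says that "without it" a card-testing attack could cost hundreds or thousands of dollars, but never says what reCAPTCHA does on a custom subdomain that has no keys of its own. Add one clause stating that behavior so the reader can see why the steps matter. The all-caps bold is also out of step with the rest of the page; bold alone would carry the emphasis.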
| - Go to the [[https://www.google.com/recaptcha/admin|Google reCAPTCHA]] admin area. (You'll need to login with your Google Account if you aren't already.) | - Go to the [[https://www.google.com/recaptcha/admin|Google reCAPTCHA]] admin area. (You'll need to login with your Google Account if you aren't already.) |
| - Enter a label that'll make it clear what these keys are for. Something like "My Example Store on FoxyCart", perhaps. This is just for your own use. | - Enter a label that'll make it clear what these keys are for. Something like "My Example Store on FoxyCart", perhaps. This is just for your own use. |
| - Select the reCAPTCHA V2 option. | - Select the reCAPTCHA V2 option, and if given options, choose the "I'm not a robot" option |
| - Enter the domain that your FoxyCart account's checkout is using. For example, if your domain was ''secure.example.tld'', you'd enter ''example.tld''. Check the checkbox(es) to agree to Google's terms, and submit. | - Enter the domain that your FoxyCart account's checkout is using. For example, if your domain was ''secure.example.tld'', you'd enter ''example.tld''. Check the checkbox(es) to agree to Google's terms, and submit. |
| - It should be successful, and take you to a page with your Site Key and Secret Key. | - It should be successful, and take you to a page with your Site Key and Secret Key. |
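Review bot: The changed step "Select the reCAPTCHA V2 option, and if given options, choose the "I'm not a robot" option" is missing the closing period the other steps have, and "if given options" does not tell the reader what to expect. Name the sub-option exactly as the Google form labels it and say when it appears.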