Miva 9.00053 introduces a new suite of tools to help you fight credit card fraud, specifically a practice called "carding", where attackers use bots and other automated tools to test credit cards against your gateway to see whether they are valid. These new fraud prevention tools allow you to set up both manual and automated checks to help prevent your site from being used to test credit cards.
In Miva 9.00053 there is a new Authorize Failures tab, located under the "Order Processing" menu. Any time a credit card fails to authorize, a log entry is now kept so you can view important information about the failure. It lists the Time, Order #, IP Address, Payment Module, Payment Method, Amount, and the Error Message (the reason the authorization failed).
This log can be used to help see patterns and identify attacks from automated tools.
If a customer's card fails to go through, it could be for a number of reasons:
When an authorization fails, the customer sees an error message like this, which is now also recorded in the Failed Authorization Log.
These errors are now logged to give you visibility into what is happening on your Miva store.
A new Authorization Blacklist feature now allows you to block specific IP addresses from performing credit card authorizations. IP addresses may be added to this list manually or automatically if more than the configured number of authorization failures occur in a specified period of time.
If you find that the same IP address is showing up multiple times in your Authorize Failures area, you can "Blacklist" that IP so it never reaches the gateway again. Here's how:
On the Authorization Failures tab, click the IP address you want to blacklist, then select the "Blacklist" button. As long as that IP is blacklisted, Miva Merchant stops the card before it reaches the gateway, and all future transactions from that IP are prevented from being sent to the payment gateway.
A window will pop up with options to blacklist the IP forever, or for a period of hours or days. The option defaults to never expiring, but there may be instances where you just want to be safe and block it for a shorter period of time.
When a blacklisted IP address tries to place another order, it will get a generic error message like this. The message is purposely vague so an attacker cannot tell they have been blocked.
In addition to manually blocking an IP address, you can configure Miva to automatically block an IP after a certain number of failed authorizations. This setting is located under Payment Settings -> Settings -> Fraud Tab Group.
If set to automatic, once an IP reaches the threshold number of failures within the specified time period, it is automatically blocked for the duration you set.
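The automatic rule above (and the Velocity reCAPTCHA mode described later) is a sliding-window count of failures per IP. The following is an added example, not Miva's code: it replays a constructed Authorize Failures log through a hypothetical `FailureVelocityBlacklist` that blocks an IP after `threshold` failures within `window_seconds`, with the block expiring after `block_seconds` (or never, when `None`).

```python
from collections import defaultdict, deque
from datetime import datetime, timezone
# Constructed sample of an Authorize Failures log (time, order #, IP, error);
# addresses and order numbers are placeholders, not data from a real store.
SAMPLE_LOG = [
    ("2016-03-01 10:00:00", 1001, "203.0.113.7", "Card declined"),
    ("2016-03-01 10:00:04", 1002, "203.0.113.7", "Card declined"),
    ("2016-03-01 10:00:09", 1003, "203.0.113.7", "Invalid card number"),
    ("2016-03-01 10:00:15", 1004, "198.51.100.2", "Insufficient funds"),
]

def to_epoch(ts):
    # Log timestamps are treated as UTC and converted to seconds since the epoch.
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()

class FailureVelocityBlacklist:
    """Per-IP sliding-window failure counter with automatic, expiring blacklist entries.
    `threshold` failures within `window_seconds` block the IP for `block_seconds` (None = forever)."""
    def __init__(self, threshold, window_seconds, block_seconds):
        self.threshold, self.window, self.block_for = threshold, window_seconds, block_seconds
        self.failures = defaultdict(deque)  # ip -> recent failure times (epoch seconds)
        self.blacklist = {}                 # ip -> expiry time, or None for a permanent block
    def is_blacklisted(self, ip, now):
        if ip not in self.blacklist:
            return False
        expiry = self.blacklist[ip]
        if expiry is not None and now >= expiry:
            del self.blacklist[ip]          # timed block has lapsed
            return False
        return True
    def record_failure(self, ip, now):
        """Log one failed authorization; return True if it pushes the IP over the threshold."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # forget failures older than the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blacklist[ip] = None if self.block_for is None else now + self.block_for
            recent.clear()                  # count afresh once the block lapses
            return True
        return False

def replay(log, threshold=3, window_seconds=60, block_seconds=3600):
    """Replay log rows in order; return {ip: timestamp of its first automatic block}."""
    fv = FailureVelocityBlacklist(threshold, window_seconds, block_seconds)
    blocked = {}
    for ts, _order, ip, _error in log:
        if fv.record_failure(ip, to_epoch(ts)):
            blocked.setdefault(ip, ts)
    return blocked
```

With the defaults, the single shopper at 198.51.100.2 is never blocked while the address with three failures in nine seconds is blocked at its third failure.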
You can review the addresses you have blacklisted by clicking on "Menu" then "Payment" and clicking on the "Authorization Blacklist" tab.
This will show you a list of all the IP addresses you have blacklisted and allow you to edit, add or delete them.
A new option allows an authorization token to be used during order placement. The token must be submitted with each AUTH action. The token will be unique to each basket and will change every time an AUTH action is performed, requiring bots or other attackers attempting to validate cards through automated means to view the OPAY page prior to submitting the AUTH action.
This feature is enabled by default on new stores. On upgraded stores, however, it needs to be turned on under Payment -> Settings -> Fraud.
There are no page template changes required to implement this feature. Once it is enabled, a hidden input carrying the token is automatically added to the OPAY page, and the token is validated before the credit card is sent to the gateway for authorization.
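To make the token flow concrete, here is an added example (not Miva's implementation) with a hypothetical `BasketAuthTokens` class: a token is issued when OPAY renders, must be submitted with the AUTH action, and is consumed on every AUTH attempt, so a replayed or guessed token is rejected before the gateway is ever called. The `gateway` argument stands in for the payment module and is assumed to be a callable returning True on approval.

```python
import secrets

class BasketAuthTokens:
    """Per-basket authorization tokens: issued on OPAY render, required on AUTH,
    rotated after each AUTH so every attempt needs a fresh page view."""
    def __init__(self):
        self.tokens = {}  # basket_id -> currently valid token, or None once consumed

    def render_opay(self, basket_id):
        """Issue the value for the hidden input on this basket's OPAY page."""
        token = secrets.token_urlsafe(32)
        self.tokens[basket_id] = token
        return token

    def authorize(self, basket_id, submitted_token, gateway):
        """Validate the token before the card is sent anywhere.
        Returns "token_rejected", "declined" or "approved"; the token is consumed either way."""
        expected = self.tokens.get(basket_id)
        self.tokens[basket_id] = None  # consume: a retry must re-view OPAY to get a new token
        if expected is None or not isinstance(submitted_token, str):
            return "token_rejected"
        # constant-time comparison; encode so non-ASCII input cannot raise
        if not secrets.compare_digest(expected.encode(), submitted_token.encode()):
            return "token_rejected"    # card never reaches the gateway
        return "approved" if gateway() else "declined"
```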
Failed authorization attempts can now be rate limited by adding a delay after an authorization failure. This prevents a bot from submitting hundreds of attempts per second. The default authorization delay is 5000 milliseconds (.5 seconds) and can be adjusted up or down.
Miva can also be configured to require a shopper to restart the checkout process after a specified number of authorization failures. This will force the shopper back to the Basket screen and will require them to restart checkout.
The default value is 0 (never), but it can be raised as needed.
reCAPTCHA can now be added to the checkout process to force the customer to complete a reCAPTCHA before being able to finish checkout. The reCAPTCHA may be turned on manually or enabled automatically whenever a threshold number of authorization failures occurs within a specified period of time.
Adding reCAPTCHA to your site
Step #1 - You'll need to set up an account here: [https://www.google.com/recaptcha](https://www.google.com/recaptcha)
Step #2 - Once you set up your account, you'll need the Site Key and the Secret Key to set up your reCAPTCHA settings.
Copy and paste the keys into your Public and Private Key fields below:
There are 3 settings for reCAPTCHA:
Off - (default) No reCAPTCHA is shown on the website.
On - reCAPTCHA is always required for all shoppers to complete checkout.
Velocity - Miva automatically turns on reCAPTCHA for all shoppers when a certain number of failed attempts is reached within a timeframe. Once the number of declined attempts falls below that threshold, the reCAPTCHA automatically turns off.
Here is an example of what the reCAPTCHA looks like on the website:
reCAPTCHA requires no template changes and works on both MMUI and CSSUI stores.