Carding Attacks - Throttling

Modified on Mon, 09 May 2022 at 11:59 AM

A new Fraud Prevention measure has been built in to all payment pages containing credit card forms (checkout, rentals and "Ae" payment pages) in order to mitigate "Carding" attacks:


This is when a fraud source uses your website's credit card input form to test thousands of stolen credit card numbers. Although typically not aimed at damaging your site itself, these attacks can cause your payment processor to lock your account, make the form page slow or unusable for legitimate customers, and create invalid card transactions for which your processor may charge you a fee.

  • "Throttling" performs a "velocity check" when a customer account submits a credit card form and blocks them from submitting one again on an escalating time basis, when the number of submits exceeds the maximum number allowed within a time frame, such as 3 per minute.
  • Customer ID and/or Email are checked for performing the actions.

This configuration applies to ALL credit card forms, and there is additional protection for the AeRntFinalize page specifically.

  • All credit card forms: These Configuration - Settings affect the following pages with credit card forms:
    • AeApgFinalize
    • AeAppFinalize
    • AeApproveEstimate
    • AeManageCc
    • AePostPayment
    • AeRntFinalize
    • AeServiceTicket
    • AeTeeFinalize
    • AeUpdateCc
    • TSheet
    • Checkout
    The settings are:
    • Edition.CardProcessing.Throttling.Delay : Defaults to 60 (seconds). This is the length of the time window, for a given customer, in which submissions are counted against Throttling.Limit. Example 1 below shows the block being extended by this same amount on each further attempt.
    • Edition.CardProcessing.Throttling.Limit : Defaults to 3 (submissions). This is the maximum number of submissions a customer account may make within the time frame defined by Throttling.Delay; exceeding it triggers throttling.


  • AeRntFinalize page: These Configuration - Settings affect the AeRntFinalize page only:
    • Edition.Rentals.Throttling.Delay : Defaults to 60 (seconds). This is the length of the time window, for a given customer, in which rental contract submissions are counted against Throttling.Limit.
    • Edition.Rentals.Throttling.Limit : Defaults to 1 (submissions). This is the maximum number of rental contract submissions a customer account may make within the time frame defined by Throttling.Delay; exceeding it triggers throttling. On the AeRntFinalize page, we throttle attempts to rapidly submit a new rental contract from the same account, regardless of whether the card is valid. This check is applied in addition to the general credit card throttling above, see Example 2 below.


  • Example 1 (general credit card throttling): john.doe@aol.com attempts to process four credit cards on the AeApgFinalize page within 20 seconds. Because Edition.CardProcessing.Throttling.Limit is "3" and Edition.CardProcessing.Throttling.Delay is "60", the fourth submission exceeds the limit and he gets throttled. He starts receiving a notification warning him that he needs to wait before making new payments. John continues trying to place new payments and his throttling time extends longer and longer (+60 seconds each time he tries). John remains throttled and cannot enter new credit cards until his throttling time runs out.
  • Example 2 (AeRntFinalize throttling): john.doe@aol.com attempts to process two credit cards on the AeRntFinalize page within 20 seconds. Edition.CardProcessing.Throttling.Limit is "3", Edition.CardProcessing.Throttling.Delay is "60", Edition.Rentals.Throttling.Delay is "60" and Edition.Rentals.Throttling.Limit is "1". He does not get throttled by the general credit card throttling, since two submissions is within its limit of three. But, because he tried to submit a second rental contract very soon after the first, even with a valid credit card number, he is throttled by the AeRntFinalize-specific throttling and sees a notification about it.
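The following Python model reproduces the two examples above so the interaction of the two throttling groups can be traced step by step. It is an added illustration, not the product's own code: the class and function names (ThrottleConfig, Throttler, example1, example2) are hypothetical, the timestamps are constructed, and the only behaviour it encodes is what the article states (a sliding window of Delay seconds, blocking once submissions exceed Limit, and extending the block by Delay on every attempt made while blocked).

```python
"""Model of the per-account velocity check described above (illustrative only)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ThrottleConfig:
    """Mirrors the two settings of each throttling group (hypothetical names)."""
    delay: int   # Throttling.Delay: window length and escalation increment, seconds
    limit: int   # Throttling.Limit: submissions allowed within one window


@dataclass
class ThrottleState:
    submits: List[float] = field(default_factory=list)  # timestamps inside the window
    blocked_until: float = 0.0                           # 0 means not throttled


class Throttler:
    """Velocity check keyed on the customer account (Customer ID or e-mail)."""

    def __init__(self, config: ThrottleConfig) -> None:
        self.config = config
        self.state: Dict[str, ThrottleState] = {}

    def attempt(self, account: str, now: float) -> Optional[int]:
        """Record one submission. Return None if allowed, else seconds to wait."""
        st = self.state.setdefault(account, ThrottleState())
        if now < st.blocked_until:
            # Trying again while throttled extends the block by one Delay increment.
            st.blocked_until += self.config.delay
            return int(st.blocked_until - now)
        # Drop submits that fell out of the sliding window, then count this one.
        st.submits = [t for t in st.submits if now - t < self.config.delay]
        st.submits.append(now)
        if len(st.submits) > self.config.limit:
            st.blocked_until = now + self.config.delay
            return self.config.delay
        return None

    def reset(self) -> None:
        """Forget every account's state, like the emergency TRUNCATE TABLE THROTTLING."""
        self.state.clear()


# Default values taken from the article's settings descriptions
CARD = ThrottleConfig(delay=60, limit=3)      # Edition.CardProcessing.Throttling.*
RENTALS = ThrottleConfig(delay=60, limit=1)   # Edition.Rentals.Throttling.*


def example1() -> List[Optional[int]]:
    """Example 1: four cards on AeApgFinalize within 20 s, then two more tries while blocked.
    Constructed timestamps (seconds): 0, 5, 10, 15, 20, 25."""
    general = Throttler(CARD)
    acct = "john.doe@aol.com"
    return [general.attempt(acct, s) for s in (0, 5, 10, 15, 20, 25)]


def example2() -> List[Tuple[Optional[int], Optional[int]]]:
    """Example 2: two rental contracts on AeRntFinalize within 20 s. The general check
    passes both; the rental-specific check blocks the second. Returns (general, rental)."""
    general, rentals = Throttler(CARD), Throttler(RENTALS)
    acct = "john.doe@aol.com"
    results = []
    for s in (0, 20):
        g = general.attempt(acct, s)
        # The page-specific check is only reached when the general check allows the submit.
        r = rentals.attempt(acct, s) if g is None else None
        results.append((g, r))
    return results


if __name__ == "__main__":
    print("Example 1 wait times:", example1())   # [None, None, None, 60, 115, 170]
    print("Example 2 (general, rental):", example2())   # [(None, None), (None, 60)]
```

In Example 1 the fourth submission at 15 s is blocked for 60 s (until 75 s); the retries at 20 s and 25 s each push the block out by another 60 s, so the reported wait grows to 115 s and then 170 s. In Example 2 the general throttler never blocks (two submissions, limit three), while the rentals throttler blocks the second contract because its limit is one.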


NOTES and UPDATES:

  • Based on "real-world" testing, we recommend a setting of 4 for both throttling limits (Edition.CardProcessing.Throttling.Limit and Edition.Rentals.Throttling.Limit). Please check your Configuration - Settings and update appropriately.
  • For stores performing "rental events", you may want to raise the throttling limits temporarily to avoid unintentional throttling due to rental page activity well above normal daily levels. We recommend a value of 10 for the Edition.Rentals.Throttling.Limit setting. Once the event is over, we highly recommend resetting the value to 4, which provides a higher security level for daily activity levels. Don't forget to click Refresh Store after making settings changes!
  • For emergency use only: If your store witnesses unintentional throttling for a client (such as during a rental event), causing loss of rental page functionality in general, raise the limit per the Note above, click Refresh Store, then perform the following:
    • Configuration - Run SQL - enter the following and SUBMIT:

TRUNCATE TABLE THROTTLING


This will stop current throttling events. Note that it clears the throttling state for every customer account, including any attacker currently being throttled, so use it only in the emergency situation described above and after the limits have been raised.
