topic Re: Accept Customer Hosted Form Brute Force in Integration and Testing

Accept Customer Hosted Form Brute Force

ngagne7412 — Sat, 12 Feb 2022 18:41:54 GMT

We've received tens of thousands of $0 card authorization declines in the last couple of weeks. We've identified that someone is exploiting the Accept Customer Hosted Form (https://developer.authorize.net/api/reference/features/customer_profiles.html) which we're embedding in an iFrame on our application. Since card authorization happens when entering credit card data, it allows a malicious user to repeatedly test credit card data.

In order to combat this, we've set hostedProfileValidationMode=testMode. Is this the best solution, or is there another solution for having hostedProfileValidationMode=liveMode while still protecting against these kind of brute-force attacks?

Here are the settings we were using for the Accept Customer Hosted Form:

hostedProfileManageOptions=showPayment
hostedProfilePageBorderVisible=false
hostedProfileCardCodeRequired=true
hostedProfileBillingAddressRequired=true
hostedProfilePaymentOptions=showCreditCard
hostedProfileValidationMode=liveMode

Re: Accept Customer Hosted Form Brute Force

emmawilson — Sun, 13 Feb 2022 11:52:18 GMT

@ngagne7412

I am facing the same issue.

Re: Accept Customer Hosted Form Brute Force

ngagne7412 — Mon, 21 Feb 2022 15:52:20 GMT

I'm surprised that Authorize.net would offer a feature on their own hosted form which allows a malicious user to brute force credit card data without any kind of prevention, and the only solution is to disable that feature (hostedProfileValidationMode=testMode). I see that Authorize.net offers a "security code" feature on their checkout form to prevent this, but they haven't added anything simliar to the Accept Customer Hosted Form. If the Accept Customer Hosted Form is no longer a supported product they should announce it as deprecated so developers can make a more informed decision when developing a solution.

Re: Accept Customer Hosted Form Brute Force

ngagne7412 — Sat, 26 Feb 2022 18:01:52 GMT

Is there anyone available from the Authorize.net team who can speak to this, as (from what I can see) this is an issue which will affect all customers who are using the hosted form.

Re: Accept Customer Hosted Form Brute Force

ngagne7412 — Sun, 27 Mar 2022 14:31:07 GMT

Any update from the Authorize.net team?

Re: Accept Customer Hosted Form Brute Force

ngagne7412 — Wed, 28 May 2025 03:52:12 GMT

It's been a few years but I'm reviving this thread as the problem has again resurfaced. The Authorize.net documentation doesn't seem to offer any details on how to protect against this. Other products offer a validationMode=none setting, but not the CIM. What other options do we have to protect against card testing fraud? If the CIM is not a viable, supported option, please let the developer community know.

Re: Accept Customer Hosted Form Brute Force

ngagne7412 — Fri, 22 Aug 2025 22:44:05 GMT

Anyone from Authoritze.net have any thoughts on how to address these issues?