We've received tens of thousands of $0 card authorization declines in the last couple of weeks. We've identified that someone is exploiting the Accept Customer Hosted Form (https://developer.authorize.net/api/reference/features/customer_profiles.html) which we're embedding in an iFrame on our application. Since card authorization happens when entering credit card data, it allows a malicious user to repeatedly test credit card data.
In order to combat this, we've set hostedProfileValidationMode=testMode. Is this the best solution, or is there another solution for having hostedProfileValidationMode=liveMode while still protecting against these kind of brute-force attacks?
Here are the settings we were using for the Accept Customer Hosted Form:
I'm surprised that Authorize.net would offer a feature on their own hosted form which allows a malicious user to brute force credit card data without any kind of prevention, and the only solution is to disable that feature (hostedProfileValidationMode=testMode). I see that Authorize.net offers a "security code" feature on their checkout form to prevent this, but they haven't added anything simliar to the Accept Customer Hosted Form. If the Accept Customer Hosted Form is no longer a supported product they should announce it as deprecated so developers can make a more informed decision when developing a solution.