developer.authorize.net developer.cybersource.com
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a question

Accept Customer Hosted Form Brute Force

We've received tens of thousands of $0 card authorization declines in the last couple of weeks. We've identified that someone is exploiting the Accept Customer Hosted Form (https://developer.authorize.net/api/reference/features/customer_profiles.html) which we're embedding in an iFrame on our application. Since card authorization happens when entering credit card data, it allows a malicious user to repeatedly test credit card data.

 

In order to combat this, we've set hostedProfileValidationMode=testMode. Is this the best solution, or is there another solution for having hostedProfileValidationMode=liveMode while still protecting against these kind of brute-force attacks?

 

Here are the settings we were using for the Accept Customer Hosted Form:

 

  • hostedProfileManageOptions=showPayment
  • hostedProfilePageBorderVisible=false
  • hostedProfileCardCodeRequired=true
  • hostedProfileBillingAddressRequired=true
  • hostedProfilePaymentOptions=showCreditCard
  • hostedProfileValidationMode=liveMode
ngagne7412
Contributor

‎02-12-2022 10:41 AM - edited ‎02-12-2022 10:41 AM

5 REPLIES 5

@ngagne7412

I am facing the same issue.

emmawilson
Contributor

‎02-13-2022 03:52 AM

I'm surprised that Authorize.net would offer a feature on their own hosted form which allows a malicious user to brute force credit card data without any kind of prevention, and the only solution is to disable that feature (hostedProfileValidationMode=testMode). I see that Authorize.net offers a "security code" feature on their checkout form to prevent this, but they haven't added anything simliar to the Accept Customer Hosted Form. If the Accept Customer Hosted Form is no longer a supported product they should announce it as deprecated so developers can make a more informed decision when developing a solution.

ngagne7412
Contributor

‎02-21-2022 07:52 AM

0 Kudos

Is there anyone available from the Authorize.net team who can speak to this, as (from what I can see) this is an issue which will affect all customers who are using the hosted form.

ngagne7412
Contributor
In response to ngagne7412

‎02-26-2022 10:01 AM

0 Kudos

Any update from the Authorize.net team?

ngagne7412
Contributor

‎03-27-2022 07:31 AM

0 Kudos

It's been a few years but I'm reviving this thread as the problem has again resurfaced. The Authorize.net documentation doesn't seem to offer any details on how to protect against this. Other products offer a validationMode=none setting, but not the CIM. What other options do we have to protect against card testing fraud? If the CIM is not a viable, supported option, please let the developer community know.

ngagne7412
Contributor

‎05-27-2025 08:52 PM

0 Kudos
Copyright © 2025 Khoros, LLC