- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Accept Customer Hosted Form Brute Force
We've received tens of thousands of $0 card authorization declines in the last couple of weeks. We've identified that someone is exploiting the Accept Customer Hosted Form (https://developer.authorize.net/api/reference/features/customer_profiles.html) which we're embedding in an iFrame on our application. Since card authorization happens when entering credit card data, it allows a malicious user to repeatedly test credit card data.
In order to combat this, we've set hostedProfileValidationMode=testMode. Is this the best solution, or is there another solution for having hostedProfileValidationMode=liveMode while still protecting against these kind of brute-force attacks?
Here are the settings we were using for the Accept Customer Hosted Form:
- hostedProfileManageOptions=showPayment
- hostedProfilePageBorderVisible=false
- hostedProfileCardCodeRequired=true
- hostedProfileBillingAddressRequired=true
- hostedProfilePaymentOptions=showCreditCard
- hostedProfileValidationMode=liveMode
โ02-12-2022 10:41 AM - edited โ02-12-2022 10:41 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am facing the same issue.
โ02-13-2022 03:52 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm surprised that Authorize.net would offer a feature on their own hosted form which allows a malicious user to brute force credit card data without any kind of prevention, and the only solution is to disable that feature (hostedProfileValidationMode=testMode). I see that Authorize.net offers a "security code" feature on their checkout form to prevent this, but they haven't added anything simliar to the Accept Customer Hosted Form. If the Accept Customer Hosted Form is no longer a supported product they should announce it as deprecated so developers can make a more informed decision when developing a solution.
โ02-21-2022 07:52 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there anyone available from the Authorize.net team who can speak to this, as (from what I can see) this is an issue which will affect all customers who are using the hosted form.
โ02-26-2022 10:01 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any update from the Authorize.net team?
โ03-27-2022 07:31 AM

