Authorize.Net - Accept Hosted

[JK1]

On 3/19/2024 at 2:21 PM, KirkM said:

Back again to this extension.  A new issue has popped up that isn't a problem with the extension per se, but some updates would help to mitigate the issue.  Card testing is a recent problem where a bad actor gets tens of thousands of stolen card numbers and uses the accept hosted window in CC to test them.  Once they get the window open, they can do over 10 submissions per second.  All of them are on a single order with the same order number and amount.  Technically, they are hammering on Authorize.net's site and not the server hosting the CC store.  However, this results in both Authorize.net and the merchant processor shutting down the gateway.  I use AFDS on authorize.net but we really need to try to stop the submissions in the first place.

To help mitigate this, I have modified the hard-coded parameters sent in the Accept Hosted extension gateway.class.php file to this:

 {
				  "settingName": "hostedPaymentPaymentOptions",
				  "settingValue": "{\"cardCodeRequired\": true, \"showCreditCard\": true, \"showBankAccount\": '.$showBankAccount.'}"
				}, {
				  "settingName": "hostedPaymentSecurityOptions",
				  "settingValue": "{\"captcha\": true}"
				}

Requiring the card code and ESPECIALLY showing captcha on the submission form seems to stop them in their tracks.  Unfortunately, I have to go in and redo this mod every time there is a new version of this extension since they are hard coded and not part of the variables stored in the config table.

I think it would be a really helpful mod to this extension to make these selectable in the extension admin, perhaps with a simple checkbox like with a couple of the other parameters there.

Thanks for considering this.

Hello Kirk, This extension works well for us too. In our case we turned off the settingValue to off for Addresses and PaymentOrderOptions. This made the iframe very clean. If the PaymentOrderOptions is On, then you see the orderid etc which is in a smaller font. Just the card number, exp date, cvv and captcha is very clean.

Whats stubborn is the iframe border in grey. The frameborder=0 is somehow ignored. Do you have this same issue? Have you managed to create a CSS for this iframe?

 

Thanks.

[KirkM]

I believe frameborder html attribute is not valid HTML5 and is obsolete.  If you try validating your css, you will get a message "The frameborder attribute is not supported in HTML5. Use CSS instead."  Try using pure css:  

style="border:none;"

That tells it to remove the border.  Or you can make the border width 0:

style="border:0;"

And also try adding the !important marker if it doesn't work in case there is upstream CSS creating it:

style="border: none !important;"
style="border: 0 !important;"

Don't know if this will work, but it is worth a try!  Good luck.

[JK1]

Just tried it. Its very stubborn with everything. Its seems to be inheriting it from the Accept Hosted results within the iframe. Do you also see the same in your installations?

[KirkM]

I don't tweak the look of the payment form very much.  Just a little bit of stuff to make it blend with the store, but I don't mind the basic formatting that gets sent from Authorize.net.  It would be nice to be able to easily blend it so it was visually seamless, but to be honest, I simply don't have the time to do any deep diving into it.  Besides, I think you are probably right that it is part of the formatting coming within the iframe from Authorize.net.

Have you tried using the developer tools in Chrome to look at the live css when the window is open?  If you can identify the classes that are formatting things you want to change inside of the iframe, you might be able to do an override of those classes with your own values using those class names if they load AFTER the payment window.

Edited May 18 by KirkM