Fraud Prevention in FoxyCart

In addition to the options below, we have some systems in place to block more “obvious” fraud. We always recommend relying on your gateway's anti-fraud functionality, but you can rest easy knowing we'll prevent some of the more egregious abuse, before it even reaches your gateway.

Though we strongly recommend setting up any and all available anti-fraud prevention tools at the gateway level (and most gateways do have fraud controls available, though sometimes at an additional cost), FoxyCart does have integration with MaxMind's minFraud service. Click that link to get a feel for what minFraud is, or just understand that it looks at all the available data from the customer and transaction and provides a riskScore.

You can enable minFraud in the “payment” page of your FoxyCart admin. The integration currently only works with those payment options that are available within the “Let customers pay with a Credit or Debit Card” option on the payment page. Simply set the minFraud score threshold setting within the “Anti-Fraud Integrations” area to any number greater than 0 to enable it. Any transaction with a riskScore higher than the number you enter will be declined.

Though every store and customer base will have different riskScore averages, MaxMind's general recommendation is to definitely reject anything with a riskScore of 60 or higher, and to screen anything with a riskScore between 4-59. FoxyCart defaults to minFraud off, so our recommendation is:

1. Set it to 60 to start with.
2. Monitor your normal scores (you can see the score on completed transactions) and see what's in a “normal” range.
3. Adjust the score down to what's a comfortable upper-normal. For many of our users, that's as low as 4.

If you're already experiencing fraudulent orders, start at 15 or lower instead of 60, as above.

As a potential point of reference, MaxMind shares the following approximate distribution of riskScores across minFraud customers:

Source

You can change the language for the error message displayed to the blocked customer in your store's “language” page, under “minfraud”. For example, you could include a phone number at which they would be able to further verify their identities.

On any transaction that has a risk score of greater than 0, an entry for “Minfraud Score” will be shown within the transaction report within the administration.

There's no magic bullet to eliminate all fraud while allowing through all legitimate orders, but with your gateway's fraud filters and FoxyCart's minFraud integration you can get as close as possible.

Foxy's reCAPTCHA integration can be useful to preventing bots from aggressively scripting and pushing through transactions in an automated way. Note that reCAPTCHA is specifically to ensure that a human must be behind the request, but it has no opinion on whether that human is an honest person or a fraudster.

The setting is shown within the “Anti-Fraud Integrations” section, displayed within the “Let customers pay with a Credit or Debit Card” payment option when enabled.

Foxy defaults to reCAPTCHA being Enabled, Automatically as Needed, and is our recommended setting, but has 3 different options:

1. Disabled: turns off reCAPTCHA for your store
2. Enabled, Always: As it sounds, this will include reCAPTCHA on every checkout.
3. Enabled, Automatically as Needed: This will require reCAPTCHA only in specific situations when our systems have cause to believe your store needs extra protection. We do not reveal specific behavior here, but broadly: If we detect behavior that makes us think a bot (or botnet) is pushing transactions through without a real human behind it, we will enable reCAPTCHA either for specific IPs or for all checkout attempts. We attempt to set this so it would very rarely be shown to a legitimate customer, but would effectively make bot-based bulk fraud impossible.

Note that reCAPTCHA isn't required for API-based or UOE-based transactions.

If you're using a custom subdomain, you'll need to do a few extra steps to get your own reCAPTCHA keys. We STRONGLY RECOMMEND THIS, as without it a botnet-based card-testing attack could cost hundreds or thousands of dollars in authorization fees.

1. Go to the Google reCAPTCHA admin area. (You'll need to login with your Google Account if you aren't already.)
2. Enter a label that'll make it clear what these keys are for. Something like “My Example Store on FoxyCart”, perhaps. This is just for your own use.
3. Select the reCAPTCHA V2 option, and if given options, choose the “I'm not a robot” option
4. Enter the domain that your FoxyCart account's checkout is using. For example, if your domain was secure.example.tld, you'd enter example.tld. Check the checkbox(es) to agree to Google's terms, and submit.
5. It should be successful, and take you to a page with your Site Key and Secret Key.
6. Copy those two keys into the “payment” page in your FoxyCart admin. (Make sure to put the Site Key in the right input field. Put the “Secret key” into the Foxy admin input for “secret key”.
7. Save the payment settings in the FoxyCart admin.
8. Do some test transactions, if you'd like. (You can set the reCAPTCHA setting in your Foxy settings to “Enabled, Always”, then load up your checkout. You should see the reCAPTCHA display on the checkout. Set it back to “Enabled, Automatically…” once you're done, if you'd prefer.)

FraudLabs Pro has built an anti-fraud integration for Foxy. There's a little setup involved, but there are step-by-step instructions here:

• FraudLabs Pro

The pre-payment web hook can be used for custom anti-fraud integrations.

• FraudLabsPro has an integration available on our wiki.
• Some of our users have done custom Signifyd integrations using this functionality.