Hi, I've got a issue with my hotspots, the payment gateway uses 3D Secure to be able to purchase a voucher, but to make that work, you need to add all the 3D Secure servers/banks in the world in the walled garden, each bank got their own 3d secure hostname, its very annoying, is there any method to fix this major issue..right now, if you use your credit card and the thing wants to do the 3D Secure OTP process... u get a page cannot be displayed, because its a hotspot and all access is denied

Did I post in the wrong section... anyone?

I seriously need help!


walled garden aint sufficient anymore, the client needs internet access to be able to buy internet access, that's the moral of the story.

Did I post in the wrong section... anyone?

I seriously need help!


walled garden aint sufficient anymore, the client needs internet access to be able to buy internet access, that's the moral of the story.

Give 10 min free internet access to buy...

Did I post in the wrong section... anyone?

I seriously need help!


walled garden aint sufficient anymore, the client needs internet access to be able to buy internet access, that's the moral of the story.

Give 10 min free internet access to buy...

How can I implement such a feature?
I need some trigger for when a user clicks on buy
*user then needs to be put on timer for 10min, with fool proof system, so that he cant come back every 10min for free access, some might figure this loophole out in a hearbeat if not covered
*queue needs to be created for that specific user
*users needs to be added to walled garden and blocked from normal www access

I think I need help with a script or something

How is possible the DNS namee of bank site never have one distingushible word inside?

How is possible the DNS namee of bank site never have one distingushible word inside?

all the 3d secure hostnames I've seen is : example: secure.bankname.com
they never start with www so far to my knowledge... but I might be wrong.

...or I don't understand your question

not have dns or url like "www.mybank.it/verifiedbyvisa" or like "visa.mybank.it"?

not have dns or url like "www.mybank.it/verifiedbyvisa" or like "visa.mybank.it"?

I don't know for sure, I think its just better to allow everything 443 and 80 port related for 10min with queue 128k/192k for the user so that he can buy a voucher, I'm sure that will help, but I've got no idea how to make such a script with a trigger, let say the trigger url is www.mikrotik.com in this case

Use a payment processor that deals with the 3DS side of the transaction - they do exist and they host all the pages including the 3DS secure site of things on a single domain name.

Use a payment processor that deals with the 3DS side of the transaction - they do exist and they host all the pages including the 3DS secure site of things on a single domain name.

I've never seen that and I can't imagine how that could be true as each customer-bank has their own 3DS form. If a payment processor hosted a customer's bank's 3DS page then surely that would allow man-in-the-middle attacks across all possible customer banks by any dodgy staff member within the payment processor. Even payments I have handled by a payment processor still invoke the customer's bank's 3DS form via an <iframe>

My vote would be for the short window for ports 80/443 and a bandwidth queue. If you're really going for it, you could put a layer7 filter on that only allows HTTP requests with a referer[sic] header of the payment processor. You might not even need the temporary port opening in that case. The other bonus is that you're still free to pick and choose from payment processors.

Regarding 3DS URLs, one of my banks uses an outsourced company Arcot LLC so URLs are typically: https://secure2.arcot.com/acspage/cap.cgi

Use a payment processor that deals with the 3DS side of the transaction - they do exist and they host all the pages including the 3DS secure site of things on a single domain name.

I've never seen that and I can't imagine how that could be true as each customer-bank has their own 3DS form. If a payment processor hosted a customer's bank's 3DS page then surely that would allow man-in-the-middle attacks across all possible customer banks by any dodgy staff member within the payment processor. Even payments I have handled by a payment processor still invoke the customer's bank's 3DS form via an <iframe>

My vote would be for the short window for ports 80/443 and a bandwidth queue. If you're really going for it, you could put a layer7 filter on that only allows HTTP requests with a referer[sic] header of the payment processor. You might not even need the temporary port opening in that case. The other bonus is that you're still free to pick and choose from payment processors.

Regarding 3DS URLs, one of my banks uses an outsourced company Arcot LLC so URLs are typically: https://secure2.arcot.com/acspage/cap.cgi

Check out some example of me testing, I've been struggling with this issue for almost 1 year now, so they disabled 3DS for me, but next year, its the LAW for all payment gateways to have it permanently on. ..that iframe is client side here, no access = no sale.. can you help me out dohmniq with your method, I'm open to anything oh BTW.. I'm not using that gateway anymore... I've got to refund all the time due to broken transactions, when the client is getting billed but doesn't receive their voucher

Ugh - I'm such an idiot Of course you can't use layer 7 filtering on encrypted connections - d'oh!

I'll try to come up with a better idea. Ideally you'd whitelist the 3DS servers but as there's no known whitelist it does look like limits are the way to do.

Limit to destination port 443 (as far as I can remember browsers display an error if they load http traffic within an https-served page).
Limit time to 15 minutes as payment processors usually time out a transaction after this.
Limit speed.
Limit total bytes transferred because it doesn't really take much more than a few MB of traffic to do 3DS.

I've never used hotspot so not sure what you'd trigger the temporary hole with. One idea that springs to mind (assuming hotspot web pages are HTTP-only) is looking for a 30x HTTP redirect to the payment processor?

With commands it'd be something like: (TOTALLY UNTESTED)
This isn't perfect - for example the connection-bytes parameter probably only limits one TCP connection, not all TCP connections to remote 3DS servers. One connection might be to retrieve the 3DS iframe form, another might be to a different server to grab JQuery, etc.

Doesn't really fix the issue of someone getting redirected to your payment processor and then having 15 minutes of wild HTTPS fun (in 20MB blocks) then repeat.

Use paypal, I have checked, there do not use 3dsecure on my credit card with verified by visa....

Use paypal, I have checked, there do not use 3dsecure on my credit card with verified by visa....

Paypal doesn't support my currency..

I also have problems with 3dsecure.net wen using iceweasel (firefox) , when i use chrome it works fine ... .
Maybe the problems are releated ?

great idea you've had dohmniq, but hotspot enabled, change the entire system to something else. forward only applies to logged in users, and unauthenticated users change to pre-hs-input.

the layer7 is a good trigger, but this one is a difficult one, I've just tested your method on my dev unit, it didnt work on the hotspot, when you enable hotspot it really complicates stuff.

the easiest way to give a user access is to add them to the walled garden for hotspot and you can also deny websites from that user and when he tries to access them, he will be re-direct to the login page, this is where things get severely complex .. 3DSecure is a killer.

I think this problem can only be solved with a massive intelligent transaction beginning and end sensing complex script