Ehman
Member
Topic Author
Posts: 363
Joined: Mon Nov 15, 2010 10:49 pm

3D Secure + hotspot = no sale

Thu Jun 19, 2014 2:31 am

Hi, I've got an issue with my hotspots. The payment gateway uses 3D Secure to be able to purchase a voucher, but to make that work you need to add all the 3D Secure servers/banks in the world to the walled garden; each bank has its own 3D Secure hostname. It's very annoying. Is there any method to fix this major issue? Right now, if you use your credit card and the thing wants to do the 3D Secure OTP process, you get a "page cannot be displayed", because it's a hotspot and all access is denied :lol:
 
Ehman
Member
Topic Author
Posts: 363
Joined: Mon Nov 15, 2010 10:49 pm

Re: 3D Secure + hotspot = no sale

Sat Jun 21, 2014 2:37 am

Did I post in the wrong section... anyone?

I seriously need help!


The walled garden isn't sufficient anymore: the client needs internet access to be able to buy internet access, that's the moral of the story.
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: 3D Secure + hotspot = no sale

Sat Jun 21, 2014 4:29 am

> Did I post in the wrong section... anyone?
>
> I seriously need help!
>
> The walled garden isn't sufficient anymore: the client needs internet access to be able to buy internet access, that's the moral of the story.

Give 10 min free internet access to buy...
I'm Italian, not English. Sorry for my imperfect grammar.
 
Ehman
Member
Topic Author
Posts: 363
Joined: Mon Nov 15, 2010 10:49 pm

Re: 3D Secure + hotspot = no sale

Sat Jun 21, 2014 1:54 pm

>> Did I post in the wrong section... anyone?
>>
>> I seriously need help!
>>
>> The walled garden isn't sufficient anymore: the client needs internet access to be able to buy internet access, that's the moral of the story.
>
> Give 10 min free internet access to buy...

How can I implement such a feature?
I need some trigger for when a user clicks on buy:
* The user then needs to be put on a timer for 10 min, with a foolproof system so that he can't come back every 10 min for free access; some might figure this loophole out in a heartbeat if not covered.
* A queue needs to be created for that specific user.
* Users need to be added to the walled garden and blocked from normal www access.

I think I need help with a script or something.
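One way to build the "10 minutes of limited access so the client can buy a voucher" flow is RouterOS's own hotspot trial login rather than a custom trigger script. This is an added example and not code posted in this thread; the server profile name hsprof-guest, the user profile name trial-10min and the address list name trial-clients are assumed names, and the 128k/192k queue is taken from the figures discussed above.

```routeros
# Added example, not from the original thread. Assumed names: hotspot
# server profile "hsprof-guest", user profile "trial-10min", address list
# "trial-clients". Adjust them to the real setup.

# 1. Profile for trial sessions: 128k up / 192k down queue, session ends
#    after 10 minutes, and every trial client's IP is put into an address
#    list so the firewall can tell a trial session from a paid one.
/ip hotspot user profile add name=trial-10min rate-limit=128k/192k \
    session-timeout=10m shared-users=1 address-list=trial-clients

# 2. Allow trial login on the server profile: 10 minutes of trial uptime
#    per MAC address, reset once a day.
/ip hotspot profile set hsprof-guest login-by=http-chap,trial \
    trial-uptime-limit=10m trial-uptime-reset=1d trial-user-profile=trial-10min

# 3. Trial clients are authenticated, so their traffic passes the forward
#    chain. Allow only HTTPS (the gateway and the banks' 3DS pages are TLS)
#    and drop everything else. Put these rules before any general accept
#    rule for hotspot clients.
/ip firewall filter add chain=forward src-address-list=trial-clients \
    protocol=tcp dst-port=443 action=accept comment="trial: HTTPS only"
/ip firewall filter add chain=forward src-address-list=trial-clients \
    action=drop comment="trial: block everything else"
```

The default hotspot login page shows a trial link once trial is in login-by, so the "buy a voucher" button can point at it and the client lands in the trial-10min profile without any custom trigger. It is not foolproof in the sense asked for above: the trial is keyed to the client MAC, so a client that changes its MAC or waits for the reset window gets another 10 minutes; the port and rate limits bound what that is worth.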
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: 3D Secure + hotspot = no sale

Sat Jun 21, 2014 2:15 pm

How is it possible that the DNS name of a bank site never has one distinguishable word inside?
 
Ehman
Member
Topic Author
Posts: 363
Joined: Mon Nov 15, 2010 10:49 pm

Re: 3D Secure + hotspot = no sale

Sat Jun 21, 2014 3:18 pm

> How is it possible that the DNS name of a bank site never has one distinguishable word inside?

All the 3D Secure hostnames I've seen look like this example: secure.bankname.com
They never start with www so far to my knowledge... but I might be wrong.

...or I don't understand your question.
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: 3D Secure + hotspot = no sale

Sat Jun 21, 2014 5:16 pm

Do they not have DNS names or URLs like "www.mybank.it/verifiedbyvisa" or "visa.mybank.it"?
 
Ehman
Member
Topic Author
Posts: 363
Joined: Mon Nov 15, 2010 10:49 pm

Re: 3D Secure + hotspot = no sale

Sat Jun 21, 2014 5:34 pm

> Do they not have DNS names or URLs like "www.mybank.it/verifiedbyvisa" or "visa.mybank.it"?

I don't know for sure. I think it's just better to allow everything on ports 443 and 80 for 10 min with a 128k/192k queue for the user so that he can buy a voucher; I'm sure that will help, but I've got no idea how to make such a script with a trigger. Let's say the trigger URL is www.mikrotik.com in this case.
 
TheWiFiGuy
Member
Posts: 351
Joined: Thu Nov 24, 2011 7:26 pm
Location: UK

Re: 3D Secure + hotspot = no sale

Sat Jun 21, 2014 9:51 pm

Use a payment processor that deals with the 3DS side of the transaction - they do exist, and they host all the pages, including the 3DS side of things, on a single domain name.
----------------------
Mikrotik Consultant.
MTCNA, MTWCE, MTCTCE, MTCRE, MTCINE
 
dohmniq
Frequent Visitor
Posts: 78
Joined: Sat Nov 17, 2012 12:17 pm

Re: 3D Secure + hotspot = no sale

Sat Jun 21, 2014 10:28 pm

> Use a payment processor that deals with the 3DS side of the transaction - they do exist, and they host all the pages, including the 3DS side of things, on a single domain name.

I've never seen that and I can't imagine how that could be true, as each customer's bank has its own 3DS form. If a payment processor hosted a customer's bank's 3DS page then surely that would allow man-in-the-middle attacks across all possible customer banks by any dodgy staff member within the payment processor. Even payments I have had handled by a payment processor still invoke the customer's bank's 3DS form via an <iframe>.

My vote would be for the short window for ports 80/443 and a bandwidth queue. If you're really going for it, you could put a layer7 filter on that only allows HTTP requests with a referer[sic] header of the payment processor. You might not even need the temporary port opening in that case. The other bonus is that you're still free to pick and choose from payment processors.

Regarding 3DS URLs, one of my banks uses an outsourced company Arcot LLC so URLs are typically: https://secure2.arcot.com/acspage/cap.cgi
 
Ehman
Member
Topic Author
Posts: 363
Joined: Mon Nov 15, 2010 10:49 pm

Re: 3D Secure + hotspot = no sale

Sat Jun 21, 2014 10:56 pm

> Use a payment processor that deals with the 3DS side of the transaction - they do exist, and they host all the pages, including the 3DS side of things, on a single domain name.
>
> I've never seen that and I can't imagine how that could be true, as each customer's bank has its own 3DS form. If a payment processor hosted a customer's bank's 3DS page then surely that would allow man-in-the-middle attacks across all possible customer banks by any dodgy staff member within the payment processor. Even payments I have had handled by a payment processor still invoke the customer's bank's 3DS form via an <iframe>.
>
> My vote would be for the short window for ports 80/443 and a bandwidth queue. If you're really going for it, you could put a layer7 filter on that only allows HTTP requests with a referer[sic] header of the payment processor. You might not even need the temporary port opening in that case. The other bonus is that you're still free to pick and choose from payment processors.
>
> Regarding 3DS URLs, one of my banks uses an outsourced company Arcot LLC so URLs are typically: https://secure2.arcot.com/acspage/cap.cgi

Check out some examples of my testing. I've been struggling with this issue for almost 1 year now, so they disabled 3DS for me, but next year it's the LAW for all payment gateways to have it permanently on. ..that iframe is client side here; no access = no sale.. Can you help me out, dohmniq, with your method? I'm open to anything. Oh, BTW, I'm not using that gateway anymore... I've got to refund all the time due to broken transactions, when the client is getting billed but doesn't receive their voucher.
Attachments: europeanbank.jpg, localbank.jpg
 
dohmniq
Frequent Visitor
Posts: 78
Joined: Sat Nov 17, 2012 12:17 pm

Re: 3D Secure + hotspot = no sale

Sun Jun 22, 2014 12:08 am

Ugh - I'm such an idiot :( Of course you can't use layer 7 filtering on encrypted connections - d'oh!

I'll try to come up with a better idea. Ideally you'd whitelist the 3DS servers, but as there's no known whitelist it does look like limits are the way to go.

Limit to destination port 443 (as far as I can remember browsers display an error if they load http traffic within an https-served page).
Limit time to 15 minutes as payment processors usually time out a transaction after this.
Limit speed.
Limit total bytes transferred because it doesn't really take much more than a few MB of traffic to do 3DS.

I've never used hotspot so not sure what you'd trigger the temporary hole with. One idea that springs to mind (assuming hotspot web pages are HTTP-only) is looking for a 30x HTTP redirect to the payment processor?

With commands it'd be something like: (TOTALLY UNTESTED)
/ip firewall layer7-protocol add name=HTTP-payment-redirect regexp="^HTTP/1.1 30.*Location: https://MY-CHOSEN-PAYMENT-PROCESSOR.COM"

# No separate address-list "add" is needed: the add-dst-to-address-list action below creates the payment-traffic list on its first match.

/ip firewall mangle add chain=prerouting action=mark-packet passthrough=yes protocol=tcp src-port=80 new-packet-mark=possible-HTTP-response comment="reduce matching load for next rule"
# The 30x response comes from the web server (src-port 80), so the client is the destination of the matched packet: add-dst, not add-src.
/ip firewall mangle add chain=prerouting action=add-dst-to-address-list address-list=payment-traffic address-list-timeout=15m layer7-protocol=HTTP-payment-redirect packet-mark=possible-HTTP-response comment="add client to temporary payment whitelist for 15m"

/ip firewall filter add chain=forward action=drop src-address-list=payment-traffic connection-bytes=20000000-0 comment="drop payment packets if more than 20MB transferred"
/ip firewall filter add chain=forward action=accept src-address-list=payment-traffic protocol=tcp dst-port=443 comment="only allow outgoing HTTPS if in payment whitelist"
This isn't perfect - for example the connection-bytes parameter probably only limits one TCP connection, not all TCP connections to remote 3DS servers. One connection might be to retrieve the 3DS iframe form, another might be to a different server to grab JQuery, etc.

Doesn't really fix the issue of someone getting redirected to your payment processor and then having 15 minutes of wild HTTPS fun (in 20MB blocks) then repeat.
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: 3D Secure + hotspot = no sale

Sun Jun 22, 2014 12:11 am

Use PayPal. I have checked; they do not use 3D Secure on my credit card with Verified by Visa....
 
Ehman
Member
Topic Author
Posts: 363
Joined: Mon Nov 15, 2010 10:49 pm

Re: 3D Secure + hotspot = no sale

Sun Jun 22, 2014 12:45 am

> Use PayPal. I have checked; they do not use 3D Secure on my credit card with Verified by Visa....

PayPal doesn't support my currency.. :(
 
Petzl
Member Candidate
Posts: 207
Joined: Sun Jun 30, 2013 12:14 pm

Re: 3D Secure + hotspot = no sale

Sun Jun 22, 2014 12:50 am

I also have problems with 3dsecure.net when using Iceweasel (Firefox); when I use Chrome it works fine...
Maybe the problems are related?
 
Ehman
Member
Topic Author
Posts: 363
Joined: Mon Nov 15, 2010 10:49 pm

Re: 3D Secure + hotspot = no sale

Sun Jun 22, 2014 12:56 am

Great idea you've had, dohmniq, but with hotspot enabled the entire system changes to something else: forward only applies to logged-in users, and unauthenticated users change to pre-hs-input.

The layer7 is a good trigger, but this one is a difficult one. I've just tested your method on my dev unit; it didn't work on the hotspot. When you enable hotspot it really complicates stuff.

The easiest way to give a user access is to add them to the walled garden for hotspot, and you can also deny websites for that user; when he tries to access them, he will be redirected to the login page. This is where things get severely complex :( .. 3D Secure is a killer.

I think this problem can only be solved with a massive, intelligent, transaction-beginning-and-end-sensing complex script.
