Hey all,
I just wanted to give an update that I've had Tessitura apply a country block of India (since that is where the IP addresses for those accounts were originating) and have, so far (knock on wood), stopped the creation of those accounts. I'll update here in a while and let you all know if it's still working.
- Chris
Thanks Chris,
We had a problem more than a year ago that they thought was coming from Brazil; we actually blocked everything except North America for a while. When we went to TMS last May we took the blocks off, but I'll definitely be on the lookout.
-Henry
Thank you both for the updates! Do you know, when setting up a country-level block like this, is it done within TNEW, the web API more generally, at the payment processor level, or somewhere else buried in the Tessitura config? We use TMS and a custom website, so just trying to ascertain whether we'd work with Tessitura support or our web developer (or coordinate both) as far as implementing something like this if we go down that road.
I think this would be a bit of a mixed bag. It will depend on if you are self-hosted or on Tessitura Hosting Services.
We block known "bad" regions (think Russia, Iran, etc.) for our internal network. Tessitura hosts the application for us so we rely on their security team to block out bad actors. Even with blocks set up, bad actors can get around them using VPNs.
If you're a TMS shop then Tessitura and Adyen have ways of blocking or limiting fraudulent transactions. Again here, we are relying on them to secure the card processing side of things.
Hi Evan
For member organizations who use TNEW we use Tessitura's web application firewall for country-level blocks. For a custom website, you'll either need to work with your web developer or your hosting provider (if you have direct access to your hosting provider). And there should be no need to coordinate with Tessitura's support team.
In Merchant Services we can put in place country-level blocks based on either issuing bank or the customer's apparent IP address. That won't help directly with this particular adversary because their usual behavior is to create junk accounts without a meaningful number of transactions (so they won't hit the Merchant Services hosted payment gateway to be blocked there).
Nic
Thanks Nic! Very helpful guidance, particularly your note that we are potentially talking about two different block points that can be configured (either at account creation or at payment).