Fraud management: Managed Challenge
On rare occasions, your pages could be subject to multiple submissions by a “bot”, most likely to a donation page. These are usually attempts to validate stolen data, such as card numbers.
We have several measures in place (please read the fraud management article) to combat these, such as Captchas. But sometimes further measures need to be implemented to mitigate the issue.
In these cases, we may place a “Managed Challenge” on your page which will validate the visit and determine whether it is legitimate or not.
Why would a Managed Challenge be added?
Our recent migration to the Cloudflare network allows us to enable new security protocols for our clients, and utilise closer monitoring of web traffic through the domains you use with Engaging Networks.
The accounts or support team will contact you should this happen, but we may have to act quickly and add this pre-emptively, for example if an issue occurs out of hours.
It may also happen if we find that you are using a JavaScript library (e.g. jQuery) that is outdated, even if we don’t see any attacks.
Although attacks should not get processed by your gateway (which has its own protections in place), the attempts can still be recorded in your account, causing you data problems. In addition, our reputation with the gateway could be reduced if we appear to be letting this activity happen.
The Managed Challenge is a temporary measure and we will remove it once the attack has stopped.
What does a Managed Challenge do?
The challenge is placed on an individual page URL, or URLs, that are being subjected to the attack.
When the URL is visited, our Cloudflare technology will look at the visitor and determine whether it is valid or not. For example, it can look at the IP of the visit and compare it against problem IPs, or it can determine via the method of visit whether it is a bot or not.
The challenge adds a short (around 3 to 5 seconds) delay before your page is loaded. It may also require your supporters to tick a box.
Your legitimate supporters would not be blocked by this and can continue as normal.
What does a Managed Challenge look like?
The challenge shows a page that says “Checking your browser before accessing [your url]” with some animated dots below.
After a few seconds, the page is loaded.