Blocking High Risk Countries From Using Your Website
A common problem in ecommerce is fraudulent orders from overseas customers. The risk is in fact so high that some merchant account providers will not allow their merchants to accept orders from foreign countries. Even if they did, and you wished to solicit foreign orders, some regions pose such a high risk of fraud that accepting any order from them would simply be bad business.
So how do you reduce your risk of fraud from these regions? The easiest way to mitigate the risk is to block users from these regions from reaching your site. The Apache webserver offers the ability to block these regions as a group. To do this, create a file called .htaccess and place it in the root directory of your website (or of your store, if you only want to block that part). Place this code inside it:
# Apache 2.2 host-based access control (mod_authz_host); on Apache 2.4 these
# directives only work with mod_access_compat loaded.
# Note: <Limit GET POST> restricts GET (and therefore HEAD) and POST only;
# requests using any other method are not checked by the rules inside it.
<Limit GET POST>
# Allow directives are evaluated first, then Deny; a matching Deny wins.
order allow,deny
allow from all
# Each bare number is a partial address: "deny from 195" matches every
# address in 195.0.0.0/8. Duplicate entries from the original list (60, 80)
# have been removed; they were harmless but redundant.
deny from 195
deny from 218
deny from 219
deny from 220
deny from 201
deny from 221
deny from 222
deny from 202
deny from 80
deny from 223
deny from 211
deny from 60
deny from 210
deny from 57
deny from 58
deny from 59
deny from 77
deny from 78
deny from 79
deny from 81
</Limit>
That’s it! This should block users from high risk parts of the world from accessing your site. Keep in mind that they can still use an open proxy to make their IP address appear to be different, and this doesn’t mean that the users still able to visit your site are honest. You still need to scrub your orders for fraud. But this should reduce the opportunity for fraudulent users in high risk areas to attempt fraud on your website.
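To see what rules like these actually enforce, here is an added Python script (not from the original post) that parses a constructed excerpt of the deny list using Apache 2.2's partial-address semantics and evaluates sample requests. The excerpt, the client addresses and the extra two-octet entry are all constructed; it shows that a one-number entry is a whole /8, that the <Limit GET POST> wrapper leaves other request methods unchecked, and that IPv4 prefixes say nothing about IPv6 clients.

```python
import ipaddress
import re

# Constructed excerpt of the post's .htaccess (a few prefixes, one duplicate, one /16); not a real server's config.
SAMPLE_HTACCESS = """
<Limit GET POST>
order allow,deny
allow from all
deny from 195
deny from 218
deny from 80
deny from 80
deny from 10.1
</Limit>
"""

def partial_ip_to_network(spec):
    """Apache 2.2 'Deny from' semantics: 1 to 3 leading octets denote a
    whole /8, /16 or /24; a full address or CIDR block is used as given."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)

def parse_rules(text):
    """Return (methods named in <Limit> or None, deny networks, duplicate specs)."""
    limit = re.search(r"<Limit\s+([^>]+)>", text)
    methods = set(limit.group(1).upper().split()) if limit else None
    specs = re.findall(r"^\s*deny\s+from\s+(\S+)", text, re.I | re.M)
    dupes = sorted({s for s in specs if specs.count(s) > 1})
    networks = [partial_ip_to_network(s) for s in dict.fromkeys(specs)]
    return methods, networks, dupes

def is_denied(client_ip, method, rules):
    """True if Apache would reject the request. Only methods named in <Limit>
    are checked (HEAD rides along with GET); other methods and IPv6 clients
    pass the IPv4 prefix list untouched."""
    methods, networks, _ = rules
    m = "GET" if method.upper() == "HEAD" else method.upper()
    if methods is not None and m not in methods:
        return False
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HTACCESS)
    print("duplicates:", rules[2], "| 195.1.2.3 OPTIONS denied:",
          is_denied("195.1.2.3", "OPTIONS", rules))
```

On Apache 2.4 the native equivalent is `Require all granted` combined with `Require not ip 195.0.0.0/8` (one per prefix) inside a `<RequireAll>` block, and dropping the `<Limit>` wrapper applies the check to every request method.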
July 21st, 2023 at 1:30 am
I think this is actually a fairly bad idea. Having run the ecommerce system behind an MMOG, I’m VERY familiar with the problem you’re describing, and it IS a major problem. However, blocking them at the webserver creates a simple and very obvious block for the customer to work around by using TOR or an HTTP proxy to appear to be from a supported country.
You don’t want to warn them in such a way as to cue them to defeat your protection.
A better tactic would be to silently flag and block credit card charges from these IP ranges at the point of authing or charging the card and notify the customer that their card could not be processed and to contact customer service.
Dave
July 1st, 2023 at 6:37 pm
I’m just going through the numbers to see which countries I’m actually blocking and I came across the “Internet Assigned Numbers Authority” (located in California) which is listed under IP address 223.0.0.0. Can anyone tell me why this is set up to be blocked?