
rate of GC50 errors from 3DS in Sweden
Closed, Resolved (Public)

Description

We've seen 3800 Swedish card donation attempts result in Status 50 3DSecure errors today (from the GC console, not Zendesk!). Overall 5800 card donations in SEK have reached Civi, so the rate of status 50 errors seems high.

Donors are reporting a new error in the iFrame, where they receive the message "You will be redirected", but then nothing happens.

[Attachment: 571026 - GC50.jpg, screenshot of the stuck iFrame message]

One donor confirmed that they may be using a script-blocker of some sort, and we've asked for technical/browser specs from many more.

Is it possible to check whether there is an error in the 3DS process? Perhaps one affecting mobile more intensively?

Even if there is not a bug, could we ask Ingenico to improve the message in the iFrame? Something like "You will be redirected. If you are not, please turn off browser add-ons, or email donate@wikimedia.org for more information."

Event Timeline

#571071 got the same error as above. They write:

After I enter my VISA information, I get stuck on the screen shown in the attachment. I've left it for over 10 minutes and nothing happens. I am using Firefox 65. I had the same result in Chrome 73. I am using Windows 7. My full user agent string on Firefox:
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0

My card is a Swedish VISA debit card from Nordea with "two-factor" authentication, meaning that when I use the card online I usually get redirected to a page where I need to use an app to sign the transaction. I think it's sometimes referred to as "3D secure" or something like that. I also tried opening up the card to all internet transactions, which disables the two-factor check, but I had the same result.

This donor also added:

I do use uBlock origin, but the problem persists even with it completely disabled. In Chrome I have no ad blocker at all, and the problem is the same there. I tried again now (in Firefox, with uBlock disabled), and the javascript console logs the following error:

Content Security Policy: The page’s settings blocked the loading of a resource at https://secure5.arcot.com/vpas/admin/CAPServlet?RID=8523&VAA=B (“default-src”).

I recognize the arcot.com domain as something that the 3DSecure two-factor authentication normally uses, so if I had to guess it would be an issue with the CSP headers in the server response.

I'm checking with Ingenico right now, but thanks fr-tech for checking if it's something internal.

Also, can we change the iframe message, as we have previously done?

OK, FR-tech is pretty sure this is caused by the new access-control header that we added with the payments-wiki upgrade. That header tells the browser to only load frames, images, and scripts from certain domains. We've allowed the payment processor domains, but we didn't include any of the potential places a user might be sent to do a 3DS authentication.

We have one workaround for now - add variant=redirect to the URL for the countries where 3DS is turned on. This is currently just NO, SE, and PL (not IN as I originally thought).
That variant will always do a full redirect to the payment processor page, so our access control headers won't interfere with any 3DS authentication.

We can work on a more robust fix that will automatically do the redirection when 3DS is on.
(copied from email)
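To make the mechanism in the comment above concrete, here is an added example (not code from the task or from DonationInterface) that models the browser rule which produced the donor's `default-src` violation: a nested frame is checked against `frame-src`, then `child-src`, then `default-src`. The policy strings and the `payments.example.org` origin are constructed; the ACS URL is the one from the donor's console message.

```javascript
// Added example, not code from the task or from DonationInterface: a model of
// the CSP frame rule that blocked the issuer's 3DS page, contrasting an
// allow-list of ACS hosts with the full-redirect workaround.
// The policy strings and the payments hostname below are constructed.

// Parse "directive src src; directive ..." into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// One source expression against one URL: 'self', 'none', '*', scheme sources
// ("https:") and host sources with optional scheme and a "*." prefix.
function sourceMatches(src, url, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
  const m = src.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/i);
  const scheme = m ? m[1].toLowerCase() + ':' : null;
  const host = (m ? m[2] : src).replace(/\/.*$/, '').replace(/:\d+$/, '').toLowerCase();
  if (scheme && url.protocol !== scheme) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// A nested frame is governed by frame-src, else child-src, else default-src.
// No governing directive means the load is allowed; otherwise the violation
// names the directive the browser fell back to (default-src, as in the report).
function frameAllowed(header, frameUrl, pageOrigin) {
  const policy = parseCsp(header);
  const url = new URL(frameUrl);
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (name in policy) {
      const allowed = policy[name].some((s) => sourceMatches(s, url, pageOrigin));
      return { allowed, directive: name };
    }
  }
  return { allowed: true, directive: null };
}

const PAGE = 'https://payments.example.org'; // constructed page origin
const ACS = 'https://secure5.arcot.com/vpas/admin/CAPServlet?RID=8523&VAA=B';
// Only the processor is allow-listed, so the issuer's ACS page is blocked.
console.log(frameAllowed("default-src 'self' https://psp.example.com", ACS, PAGE));
// Allow-listing ACS hosts fixes this issuer only; a full redirect leaves the
// page entirely, so the payments-wiki policy no longer governs the 3DS step.
console.log(frameAllowed("default-src 'self'; frame-src https://*.arcot.com", ACS, PAGE));
```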

@MBeat33 yep, that donor had it right on the money! Man, do we have some smart ppl giving us money :)

srsly @Ejegg we might have to give them some Wikistore credit for swag as a thank-you

Change 499800 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[mediawiki/extensions/DonationInterface@master] Ingenico connect: Always redirect when using 3DS

https://gerrit.wikimedia.org/r/499800

Change 499800 merged by jenkins-bot:
[mediawiki/extensions/DonationInterface@master] Ingenico connect: Always redirect when using 3DS

https://gerrit.wikimedia.org/r/499800