  • 1.  [Security Announcement] Enforcement of Hosted Page Security Measures

    Posted 09-15-2022 13:31
    Edited by Lana Lee 09-19-2022 11:21

    What is changing

    In an effort to combat the global rise in bot attacks and their impact on Zuora's customer base, we have launched several mitigating tools and will enforce those that we deem necessary while deprecating those that we feel are outdated.


    Limit the number of submission before blocking Submission

    This setting will be updated with a value of 3 if the current value lies outside of the accepted range of 1-10.

    Google reCAPTCHA v2 Classic
    This setting is being deprecated. All customers who have not migrated from this setting on the effective date will have their settings changed to Disable reCAPTCHA.

    Submit hosted page requests via DirectPOST
    This setting is being deprecated. There is no impact to DirectPOST pages by this change. This setting was meant to bypass reCAPTCHA Enterprise for Hosted Page submissions, but that functionality is now logically handled without the required opt-in. All customers who have not migrated from this setting on the effective date will have their settings changed to Disable reCAPTCHA.


    Effective Date: November 8, 2022

    What to do

    Limit the number of submission before blocking Submission 

    1. If you previously had a value of 0 for this setting, you must implement a token refresh in your hosted page configuration.
    2. If you previously had a value greater than 10, no action is required, as it is assumed that you already have a token refresh process in place.


    Google reCAPTCHA v2 Classic
    No action is required.

    If you wish to maintain a CAPTCHA solution on your hosted page, we recommend you migrate to either Google reCAPTCHA Enterprise - Interactive Test or Google reCAPTCHA Enterprise - AI Assessment before November 8th to maintain complete coverage of your hosted pages. If this is not done prior to November 8th, Zuora will move your hosted page configurations to Disable reCAPTCHA = 'true' and you risk a gap of coverage for CAPTCHA during that time.

    Submit hosted page requests via DirectPOST

    No action is required.

    Smart Bot Attack Prevention Tool

    Zuora has designed an opt-in tool called the Smart Bot Attack Prevention Tool that can automatically detect an ongoing bot attack, assess the security settings you have on your page, and make the determination of whether to enable Google reCAPTCHA Enterprise - Interactive Test to halt the attack. Once the attack is determined to be over by the tool, it will scale down, disable Google reCAPTCHA Enterprise, and revert the settings to what they were prior to the attack.

    Frequently Asked Questions (FAQs)

    Q: Why has your stance on mandating reCAPTCHA shifted to an opt-in strategy?
    A: Since our first announcement, we've heard quite a lot of feedback from customers, ranging from understanding and interest to different reasons why this wasn't the right fit for the business. We recognized that our approach was a bit heavy-handed and that this is not a one-size-fits-all solution to the problem.

    Q: If we don't implement a CAPTCHA solution on our sign up flow, are we at risk for bot attacks?
    A: Yes. There are numerous tools to combat bot attacks and many must work together to fend them off. Of those tools, implementing a CAPTCHA solution is one of the most effective mechanisms available. We strongly suggest that you implement a CAPTCHA solution, either in our hosted pages or somewhere in your sign up flow that works best for your organization. 

    Q: How do I opt into the Smart Bot Attack Prevention Tool?
    A: For now, you must contact Zuora Support to get it enabled. We intend to expose this option to customers to self-enable in the very near future.

    Q: Can I just implement the Smart Bot Attack Prevention Tool without testing?
    A: You can, but we understand that every business is unique and may have its own requirements and flows that need to be accounted for. We highly encourage you to test this functionality prior to enabling it in a production environment. In some cases, for instance if your 'Submit' button is outside of your hosted page, the Smart Bot Attack Prevention Tool may attempt to enable a CAPTCHA that is incompatible with your process flow, so please exercise caution and test first.

    Q: Why is Google reCAPTCHA v2 Classic being deprecated?
    A: Google's non-enterprise versions are intended for small-scale use and are not built to handle enterprise level volumes.


    ------------------------------
    Tyler Schemmel
    Zuora
    ------------------------------


  • 2.  RE: [Security Announcement] Enforcement of Hosted Page Security Measures

    Posted 09-19-2022 11:21
    9/16/22:  Added more information "Submit hosted page requests via DirectPOST" for more clarification.

    ------------------------------
    Lana Lee
    Zuora Community Senior Community Manager and Strategist
    ------------------------------