(714) 317-3591

Empello FraudStop

Empello's FraudStop solution for the VAS market prevents fraudulent charging by the following methods:

  • Detecting in-app malware
  • Blocking bot traffic
  • Prevention of iFrame masking
  • Prevention of charging without consent through backdoor methods
  • Monitoring of the market for new charge without consent methods

The protection consists of two parts. A script to be included on the the final payment page and a token system to ensure the protection has not been bypassed.


Register URLs

The first step is to inform us of the URLs you wish to protect, this is so we can ensure token interactions are secure. For now you will have to manually inform us of any URLs you wish to use, in the future it will be possible to enter them on our dashboard.

On Page Script Installation

To install the on page script protection add the following in the <head> section of the final payment page:

<script src="/antifraud.empello.net/clientid/pageid-live.js"></script>

The script must be run in the head section of your page and ideally be run before any other scripts. Your clientid and pageid will be provided by us when you register your URLs.

To test if changes made to a page have broken integration we provide a development script. The development script will output any errors in the javascript console, it can be implemented like this:

<script src="/antifraud.empello.net/clientid/pageid-dev.js"></script>
Token Retrieval

To retrieve the token on the payment page the function Empello.getToken(callback(token)), added by our on site script, must be called after the page has loaded. We suggest that the callback function adds the token to your subscription form or button. The example below adds the token to a hidden input on a form with the ID 'myForm', but you are free to choose how you call getToken(callback(token)):

var form = document.getElementById('myForm'); var submitFunction = function(submitEvent) { submitEvent.preventDefault(); Empello.getToken(function(token) { var hiddenInput = document.createElement('input'); hiddenInput.setAttribute("type", "hidden"); hiddenInput.setAttribute("name", "token"); hiddenInput.setAttribute("value", token); form.appendChild(hiddenInput); form.submit(); }); }; form.addEventListener('submit', submitFunction, false);

Warning: Do not attach Empello.getToken to window.onload as this will likely produce a ReferenceError. The first Empello script injects additional scripts that may not have finished loading when window.onload triggers.

Token Backend Integration

To ensure that all checks have been passed and not circumvented we assign a token to each user. This token must be checked before a payment is accepted. When the final confirmation has been clicked by a user Empello will pass a token either via a form or by placing a cookie. A call must be made to Empello's token api referencing this token and the api key provided. It will reply with a boolean variable is_valid, true for valid and false for invalid. If the token is invalid then the payment must not be accepted.

The POST request sent to /antifraud.empello.net/api/v1/token/validate/ should be sent as form-data. Here is an example cURL command:

curl -X POST \ /antifraud.empello.net/api/v1/token/validate/ \ -F api_key=JYAguvWE6Fn4wRmXPkY9kaAiD \ -F timestamp=2018-12-31T12:59:59.000Z \ -F user_ip=123.456.789.123 \ -F 'user_agent=Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G950F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.2 Chrome/51.0.2704.106 Mobile Safari/537.36' \ -F token=bQzBYxvHNguXHhLMWiikEUHkQhmt2fxpT8fkJqaB7ddMoGGpEY6Hm3c2avH9G4mc

The endpoint will reply with the token and it's verification status:

{"is_valid": true, "timestamp": "2018-12-31T12:59:59+00:00", "token": "bQzBYxvHNguXHhLMWiikEUHkQhmt2fxpT8fkJqaB7ddMoGGpEY6Hm3c2avH9G4mc", "status": 200}
Troubleshooting FAQ
  • HTTP 429 Error Too Many Requests - Your servers have hit our rate limit, please contact support to get your rate limit increased.
  • Cross Origin Resource Request Error - You are using the Empello script on an unregistered domain (include a local test domain). Please contact support to add a new domain to your account.
  • Content Security Policy Errors (CSP) - Please ensure you have the following directives in your CSP:
  • script-src *.empello.net; connect-src ws:/*.empello.net wss:/*.empello.net *.empello.net;
Ltd © 2018.
All Rights reserved.