Request Blocking

Overview

The Request Blocking feature protects against potential phishing attempts by blocking requests once a configurable number of no-match responses has been returned for a given IBAN or IBAN+BIC combination. This prevents attackers from using the Verification of Payee service to enumerate valid account details.

Configuration

Request blocking is configured in two places because the no-match counters are held in the IPF Cache. First, the cache itself is configured through the following properties (defaults shown):

Property Grouping: ipf.caching.caffeine

| Key | Description | Default Value |
| --- | --- | --- |
| ipf.caching.caffeine.enabled | Enable caching for VoP block requests | true |
| ipf.caching.caffeine.settings.no-match-iban.max-size | Maximum number of entries held in the per-IBAN no-match cache (defaults to 10000 entries) | 10000 |
| ipf.caching.caffeine.settings.no-match-iban.timeout | Time after which entries are removed from the per-IBAN no-match cache (defaults to 1 hour) | "1h" |
| ipf.caching.caffeine.settings.no-match-iban-and-bic.max-size | Maximum number of entries held in the per-IBAN+BIC no-match cache (defaults to 10000 entries) | 10000 |
| ipf.caching.caffeine.settings.no-match-iban-and-bic.timeout | Time after which entries are removed from the per-IBAN+BIC no-match cache (defaults to 1 hour) | "1h" |

Second, the maximum number of no-match responses allowed within the cache timeout above is configured through the following properties (defaults shown):

Property Grouping: ipf.verification-of-payee.responder.cache.no-match

| Key | Description | Default Value |
| --- | --- | --- |
| ipf.verification-of-payee.responder.cache.no-match.iban-matching.max-requests | The maximum number of no-match responses allowed for a given IBAN before requests are blocked | 40 |
| ipf.verification-of-payee.responder.cache.no-match.iban-and-bic-matching.max-requests | The maximum number of no-match responses allowed for a given IBAN and BIC before requests are blocked | 40 |

Important Notes

  1. The counters are reset when the cache entries expire (default: 1 hour).

  2. The cache has a maximum size (default: 10,000 entries) to prevent memory issues.

  3. Request blocking is applied independently for IBAN and IBAN+BIC thresholds - if either threshold is exceeded, the request will be blocked.

  4. Blocked requests are counted in metrics for monitoring purposes.

Metrics

The Verification of Payee service also exposes a metric that counts blocked requests: a counter with the key verification-of-payee.responder.blocked-requests. It is pushed to Prometheus and can be used to build a dashboard that monitors the number of phishing attempts against account details over a chosen period.
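The blocking behaviour the two property groups and the notes above describe, as an added Python model (not IPF's own implementation): per-key no-match counters in a size-bounded, expiring cache, two independently checked thresholds, and a blocked-request counter standing in for the Prometheus metric. The class and function names, the sample IBAN and BICs, and the simplification that an entry expires a fixed time after its first no-match are assumptions of this example.

```python
from collections import OrderedDict

class ExpiringCounterCache:
    """Size-bounded per-key counters; an entry expires a fixed time after it was
    first written. Hypothetical stand-in for the Caffeine no-match caches."""
    def __init__(self, max_size, ttl_seconds, clock):
        self.max_size, self.ttl, self.clock = max_size, ttl_seconds, clock
        self._entries = OrderedDict()  # key -> [count, created_at], oldest first
    def get(self, key):
        count, created = self._entries.get(key, (0, 0.0))
        return count if self.clock() - created < self.ttl else 0  # expired -> 0
    def increment(self, key):
        if self.get(key) == 0:  # new or expired key: open a fresh window
            self._entries.pop(key, None)
            self._entries[key] = [0, self.clock()]
        self._entries[key][0] += 1
        while len(self._entries) > self.max_size:  # bound memory: drop oldest
            self._entries.popitem(last=False)

class NoMatchBlocker:
    """Blocks a request once either the IBAN or the IBAN+BIC counter has reached
    its max-requests limit; the two thresholds are checked independently."""
    def __init__(self, clock, iban_max=40, iban_bic_max=40, max_size=10000, ttl=3600):
        self.iban_max, self.iban_bic_max = iban_max, iban_bic_max
        self.by_iban = ExpiringCounterCache(max_size, ttl, clock)
        self.by_iban_bic = ExpiringCounterCache(max_size, ttl, clock)
        self.blocked_requests = 0  # models the blocked-requests counter metric
    def is_blocked(self, iban, bic):
        if (self.by_iban.get(iban) >= self.iban_max
                or self.by_iban_bic.get((iban, bic)) >= self.iban_bic_max):
            self.blocked_requests += 1
            return True
        return False
    def record_no_match(self, iban, bic):
        # Only "no match" outcomes count; a match leaves both counters untouched.
        self.by_iban.increment(iban)
        self.by_iban_bic.increment((iban, bic))

def enumeration_scenario(iban_max=40, window=3600):
    """Constructed scenario: one IBAN probed once per distinct BIC. Each IBAN+BIC
    counter stays at 1, yet the IBAN counter reaches its limit and blocks the
    next request until the entry expires and the counter resets."""
    now = [0.0]  # manually advanced clock so expiry can be simulated offline
    blocker = NoMatchBlocker(lambda: now[0], iban_max=iban_max, ttl=window)
    iban = "GB00TEST00000000000000"  # constructed sample IBAN
    for i in range(iban_max):  # each probe answered "no match" (constructed BICs)
        blocker.record_no_match(iban, f"BANKGB{i:02d}")
    blocked_before = blocker.is_blocked(iban, "BANKGB99")
    now[0] += window  # the IBAN entry expires; its counter resets to zero
    blocked_after = blocker.is_blocked(iban, "BANKGB99")
    return blocked_before, blocked_after, blocker.blocked_requests
```

With the defaults, `enumeration_scenario()` returns `(True, False, 1)`: the 41st probe is blocked and counted in the metric, and the same probe passes again once the one-hour window has elapsed.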