
Request Blocking

Overview

The Request Blocking feature protects against potential phishing attempts by blocking requests once a given IBAN, or IBAN+BIC combination, has produced a configured number of no-match responses. This helps prevent attackers from using the Verification of Payee service to enumerate valid account details.

Configuration

Configuration for request blocking is defined in two places because the feature uses the IPF Cache. First, to configure the IPF cache, modify the default values below:

Property Grouping: ipf.caching.caffeine

Key                                                         | Description                                                             | Default Value
------------------------------------------------------------|-------------------------------------------------------------------------|--------------
ipf.caching.caffeine.enabled                                | Enable caching for VoP block requests                                   | true
ipf.caching.caffeine.settings.no-match-iban.timeout         | Timeout after which items are removed from the cache (default 1 hour)   | "1h"
ipf.caching.caffeine.settings.no-match-iban.max-size        | Number of items allowed in the cache (default 10000 entries)            | 10000
ipf.caching.caffeine.settings.no-match-iban-and-bic.timeout | Timeout after which items are removed from the cache (default 1 hour)   | "1h"
ipf.caching.caffeine.settings.no-match-iban-and-bic.max-size| Number of items allowed in the cache (default 10000 entries)            | 10000

Second, to change the maximum number of no-match responses allowed within the timeout above, modify the default values below:

Property Grouping: ipf.verification-of-payee.responder.cache.no-match

Key                                                                                          | Description                                                                              | Default Value
---------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|--------------
ipf.verification-of-payee.responder.cache.no-match.iban-matching.max-requests                | The maximum number of no-match responses allowed for a given IBAN before requests are blocked         | 40
ipf.verification-of-payee.responder.cache.no-match.iban-and-bic-matching.max-requests        | The maximum number of no-match responses allowed for a given IBAN and BIC before requests are blocked | 40

Important Notes

  1. The counters are reset when the cache entries expire (default: 1 hour).

  2. The cache has a maximum size (default: 10,000 entries) to prevent memory issues.

  3. Request blocking is applied independently for IBAN and IBAN+BIC thresholds - if either threshold is exceeded, the request will be blocked.

  4. Blocked requests are counted in metrics for monitoring purposes.
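The following is an added simulation, in Python, of the blocking logic the configuration and notes above describe; it is not IPF code and does not use the IPF or Caffeine APIs. It models two bounded, expiring counter caches (one keyed by IBAN, one by IBAN+BIC), the two max-requests thresholds, and a blocked-requests counter standing in for the metric. Two behaviours are assumptions rather than documented facts: entries expire a fixed time after they were first written, and the IBAN counter is incremented on every no-match response regardless of whether a BIC was supplied (so the IBAN threshold can trip before any single IBAN+BIC pair reaches its own limit). The IBAN, BICs and the lookup function are constructed for the example.

```python
import time
from collections import OrderedDict

# Defaults mirrored from the documented properties (constructed example, not IPF code).
NO_MATCH_TIMEOUT_SECONDS = 3600   # ipf.caching.caffeine.settings.no-match-*.timeout = "1h"
NO_MATCH_MAX_SIZE = 10000         # ipf.caching.caffeine.settings.no-match-*.max-size
IBAN_MAX_REQUESTS = 40            # ...cache.no-match.iban-matching.max-requests
IBAN_AND_BIC_MAX_REQUESTS = 40    # ...cache.no-match.iban-and-bic-matching.max-requests


class ExpiringCounterCache:
    """Bounded cache of counters with per-entry expiry.

    Stand-in for a cache configured with max-size and timeout. Assumption: an entry
    expires a fixed time after it was first written, which resets its counter.
    """

    def __init__(self, timeout_seconds, max_size, clock=time.monotonic):
        self.timeout = timeout_seconds
        self.max_size = max_size
        self.clock = clock
        self._entries = OrderedDict()  # key -> (count, written_at), oldest first

    def __len__(self):
        return len(self._entries)

    def _live_count(self, key, now):
        entry = self._entries.get(key)
        if entry is None:
            return None
        count, written_at = entry
        if now - written_at >= self.timeout:
            del self._entries[key]  # expired: the counter for this key resets
            return None
        return count

    def get(self, key):
        count = self._live_count(key, self.clock())
        return 0 if count is None else count

    def increment(self, key):
        now = self.clock()
        count = self._live_count(key, now)
        if count is None:
            if len(self._entries) >= self.max_size:
                self._entries.popitem(last=False)  # evict the oldest entry to stay bounded
            self._entries[key] = (1, now)
            return 1
        written_at = self._entries[key][1]  # keep the original write time for expiry
        self._entries[key] = (count + 1, written_at)
        return count + 1


class RequestBlocker:
    """Applies the IBAN and IBAN+BIC thresholds independently; either one blocks."""

    def __init__(self, clock=time.monotonic,
                 iban_max=IBAN_MAX_REQUESTS, iban_bic_max=IBAN_AND_BIC_MAX_REQUESTS):
        self.iban_cache = ExpiringCounterCache(NO_MATCH_TIMEOUT_SECONDS, NO_MATCH_MAX_SIZE, clock)
        self.iban_bic_cache = ExpiringCounterCache(NO_MATCH_TIMEOUT_SECONDS, NO_MATCH_MAX_SIZE, clock)
        self.iban_max = iban_max
        self.iban_bic_max = iban_bic_max
        self.blocked_requests = 0  # stands in for verification-of-payee.responder.blocked-requests

    def is_blocked(self, iban, bic=None):
        if self.iban_cache.get(iban) >= self.iban_max:
            return True
        return bic is not None and self.iban_bic_cache.get((iban, bic)) >= self.iban_bic_max

    def handle(self, iban, bic, lookup):
        """lookup(iban, bic) returns 'MATCH' or 'NO_MATCH' (constructed stand-in for the VoP check)."""
        if self.is_blocked(iban, bic):
            self.blocked_requests += 1
            return "BLOCKED"
        result = lookup(iban, bic)
        if result == "NO_MATCH":
            self.iban_cache.increment(iban)          # assumption: counted for every no-match
            if bic is not None:
                self.iban_bic_cache.increment((iban, bic))
        return result


def simulate():
    """40 no-match probes for one IBAN spread over two BICs, then the 41st, then after expiry."""
    clock = [0.0]
    blocker = RequestBlocker(clock=lambda: clock[0])
    iban = "GB00EXAMPLE0000000000"  # constructed value, not a real account
    bics = ("AAAAGB2L", "BBBBGB2L")  # constructed values
    results = [blocker.handle(iban, bics[i % 2], lambda i_, b_: "NO_MATCH") for i in range(40)]
    blocked = blocker.handle(iban, bics[0], lambda i_, b_: "NO_MATCH")  # IBAN threshold reached
    clock[0] += NO_MATCH_TIMEOUT_SECONDS  # entries expire, counters reset
    after_expiry = blocker.handle(iban, bics[0], lambda i_, b_: "NO_MATCH")
    return results.count("NO_MATCH"), blocked, blocker.blocked_requests, after_expiry


if __name__ == "__main__":
    print(simulate())
```

In the simulation each IBAN+BIC pair has seen only 20 no-match responses when the 41st request is blocked, so it is the per-IBAN threshold that trips; the blocked request is counted once, and the request sent after the timeout is served again because the expired entries reset both counters.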

Metrics

The Verification of Payee service also exposes a metric that counts the number of blocked requests. The metric is a counter with the key verification-of-payee.responder.blocked-requests. It is pushed to Prometheus and can be used to build a dashboard that monitors the number of phishing attempts against account details over a given period.