Can I block people using a VPN from a particular aspect of my site?


#1

I have a shopping cart for my business and would like the option to prevent people from using VPN’s when using it. I thought that this would be something the developer would do in the cart software, but they said I need to talk to my host.

I tried that, but live chat is only available until 9:30pm… nevermind that it is 8 pm there…

Can anyone tell me if that is possible?

Thanks

Craig


#2

Basically 2 ways to block, by User Agent or by IP range.

Visitors using a VPN will use a normal User Agent (a browser) so nothing unique to block.

VPNs use a vast amount of IP ranges, too many to effectively write rules to block.

So really no way to block visitors coming from VPNs unless…

Examine you raw server access logs to see if there’s anything unique about these VPN visitors that you can use that won’t affect normal visitors.


#3

As @keyplyr pointed out, it is probably impossible to manually block malicious visitors. For wide-spread attacks, Dreamhost provides some (optional) protection via web-firewall rules (WAF), and their network probably also blocks some malicious traffic (DDoS, abusive VPNs, etc).

For your more focused purpose, an on-the-fly/real-time check for individual visitors might work. There are a variety of “IP Blacklists” (or Blocklists) services, that can provide educated guesses about whether an IP address is malicious or not. At certain choke-points (shopping cart), your site could check with one of these services to decide whether to proceed.

You can find VPN IP blocklist services with the following search. I haven’t used any of these services, so I don’t know which to recommend:

https://www.google.com/search?q=vpn+ip+blacklist


#4

I can’t understand why you would care that the customer added another layer of data security to the transaction?

VPNs encrypt the user’s data to/from the VPNs servers. Thereby offering the customer protection from data miners on their local coffee shop WiFi. Or even the snoopy IT department knowing that Sandy from Sales just bought a pair of sandals on her phone.

VPNs are only going to grow in popularity. I don’t think blocking users is a particularly good idea.

However, I would be interesting in hearing why you want to block VPN users from your store?


#5

In this case, I am thinking about my security as a retailer more so than the security of my customers. We already use a secure merchant gateway for that. I have recently had a charge back for a digital product that I can prove the customer has downloaded. I have provided this to the bank and the extent of their “investigation” is to call the client, who says “nope, wasn’t me” and then bank refunds the money - leaving me up the creek.

I am just looking for further ways to provide evidence for when this happens in the future - and if I can at least stop people from masking their true location - then that might help -but it does not look like this can be done.

I have also looked at features like the 3D secure Visa and MasterCard options, but these are toothless tigers as the card holder has to register their card for such a service and if they don’t, then it does not matter if you have it activated with your bank and merchant services provider - if they are different to your bank like in my case - it will still go through and I am liable.

Very frustrating as a vendor that the banks just leave you swinging in the wind.

Thanks to the others that suggested ideas above.

Craig


#6

I also had the same question to ask. Thanks Craig for the great answer.


#7

Thanks for explaining. Personally, I think you should be looking to your card processing provider. I suspect most of them do this. But maybe not all will stiff the seller like this one did.

I can see your problem even if I disagree with your (hoped for) solution. My reasoning is simple really. I don’t see VPN use declining any time soon. Quite the opposite in fact. If Dreamhost prevents these people from even seeing your website. That an increasing amount of shoppers lost. Are you potentially losing far more revenue from those who can’t get to your site than the few trying to rip you off?


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.