URL: http://www.uburst.com/cgi-bin/dcforum/dcboard.cgi
Forum: ushop_place_order
Thread Number: 157
[ Go back to previous page ]

Original Message
"Authorize.net Security Issue. PW only mode?"

Posted by Gary Torello [gary@hometoyparty.com] on at 02:24 PM
Hi!

We use Authorize.net as our gateway and, due to some hacking attempts, would like to set our gateway to "password only" mode.

This means however, that the uShop cart would need to pass the Authorize.net Merchant password encrypted via ADC to Authorize.net

We don't see this as an option.. is it possible?

A little history regarding the latest Authorize.net scam:

Without Authorize.net in PW only mode, Hackers EASILY send "authorize only" reguests DIRECTLY to Authorize.net for small sums like $0.01, using your Authorize.net username (which is routinely kept non-encrypted by many shopping carts).

These "Authorize only" requests are purely to determine if the card/cardholder data is good.. and since no money is being withdrawn or charged to anyone, there are NO security checks by Authorize.net

The problem is the Merchant gets stuck with the small per transaction fee for every one of these. (around 35 cents and another .35 from the Merchant Account Provider). Unfortunately this seems to be BIG business.. we had over 500 of these pumped thru our Authorize.net gateway in the space of 1/2 hour! ..complete with Cardholder names, address, etc... (transaction costs were over $700!)

Well.. I don't want to scare anyone.. but after LENGTHY discussion with Authorize.net, the conclusion is if you use Authorize.net in anything but PW ONLY mode, you're vunerable... and they WON'T refund you any transaction fees, since the *have* provided a secure means: PW only.

OK.. RANTS OVER.. any help available on this??


Table of contents

Messages in this discussion
"RE: Authorize.net Security Issue. PW only mode?"
Posted by Bill Weiner on at 06:54 AM
Hmmm... that does sound like a flaw with Authorize.Net. They should just add some feature on their Authorize.Net control panel to disable "authorize only" requests from the web. Anyway, we'll look into it some more. By the way, do they have any additional documentation about that on their website?

"RE: Authorize.net Security Issue. PW only mode?"
Posted by Gary Torello [gary@hometoyparty.com] on at 06:22 PM
Sorry Bill, that's MUCH too easy a solution to expect Authorize.net to implement [sarcasm intended] besides.. might be admitting to a flaw!

I've checked their docs and couldn't find anything more specific about this. Although perhaps as a developer you might have some luck in discussing the issue with them... I've probably worn out my welcome screaming about refunds.

FWIW, I have used other carts in the past(MIVA in particular) that I beleive could pass the PW to A.N - but I DON'T want to change. I like the simplicity of uShop for what we're doing.

TIA!