www.uburst.com www.uburst.com

"Authorize.net Security Issue. PW only mode?"

Go back to the LobbyClick here to Go Back to Main ListingClick here to see helpClick here to Search the Forum

Problems with trying to place orders.
Forum Type: Public
Moderator: edmunds
Time Zone: EST
Printer Friendly Format
Original Message
 
"Authorize.net Security Issue. PW only mode?"
Posted by Gary Torello on Mar-27-02 at 02:24 PM (EST)
Hi!

We use Authorize.net as our gateway and, due to some hacking attempts, would like to set our gateway to "password only" mode.

This means however, that the uShop cart would need to pass the Authorize.net Merchant password encrypted via ADC to Authorize.net

We don't see this as an option.. is it possible?

A little history regarding the latest Authorize.net scam:

Without Authorize.net in PW only mode, Hackers EASILY send "authorize only" reguests DIRECTLY to Authorize.net for small sums like $0.01, using your Authorize.net username (which is routinely kept non-encrypted by many shopping carts).

These "Authorize only" requests are purely to determine if the card/cardholder data is good.. and since no money is being withdrawn or charged to anyone, there are NO security checks by Authorize.net

The problem is the Merchant gets stuck with the small per transaction fee for every one of these. (around 35 cents and another .35 from the Merchant Account Provider). Unfortunately this seems to be BIG business.. we had over 500 of these pumped thru our Authorize.net gateway in the space of 1/2 hour! ..complete with Cardholder names, address, etc... (transaction costs were over $700!)

Well.. I don't want to scare anyone.. but after LENGTHY discussion with Authorize.net, the conclusion is if you use Authorize.net in anything but PW ONLY mode, you're vunerable... and they WON'T refund you any transaction fees, since the *have* provided a secure means: PW only.

OK.. RANTS OVER.. any help available on this??

Click to Send Alert Message to the Administrator Click to edit this messageClick to EMail Click here to reply to this messageClick here to reply to this message with quotesClick to goto the Table of Contents

 Table of Contents

RE: Authorize.net Security Issue. P..., Bill Weiner, Mar-28-02, (1)
RE: Authorize.net Security Issue. P..., Gary Torello, Mar-29-02, (2)

 

 
Click here to goto Click here to goto the Lobby
Messages in this discussion
 
1 . "RE: Authorize.net Security Issue. PW only mode?"
Posted by Bill Weiner on Mar-28-02 at 06:54 AM (EST)
Hmmm... that does sound like a flaw with Authorize.Net. They should just add some feature on their Authorize.Net control panel to disable "authorize only" requests from the web. Anyway, we'll look into it some more. By the way, do they have any additional documentation about that on their website?
Remove this Message: Administrator and Moderator onlyClick to Send Alert Message to the Administrator Click to edit this messageClick here to reply to this messageClick here to reply to this message with quotesClick to goto the Table of Contents
 
2 . "RE: Authorize.net Security Issue. PW only mode?"
Posted by Gary Torello on Mar-29-02 at 06:22 PM (EST)
Sorry Bill, that's MUCH too easy a solution to expect Authorize.net to implement [sarcasm intended] besides.. might be admitting to a flaw!

I've checked their docs and couldn't find anything more specific about this. Although perhaps as a developer you might have some luck in discussing the issue with them... I've probably worn out my welcome screaming about refunds.

FWIW, I have used other carts in the past(MIVA in particular) that I beleive could pass the PW to A.N - but I DON'T want to change. I like the simplicity of uShop for what we're doing.

TIA!

Remove this Message: Administrator and Moderator onlyClick to Send Alert Message to the Administrator Click to edit this messageClick to EMail Click here to reply to this messageClick here to reply to this message with quotesClick to goto the Table of Contents


Archive This Thread: Admin and Moderator OnlyRemove This Thread: Admin and Moderator Only
Click here to goto Click here to goto the Lobby

 

 

 

 

 

 

 

 

 

 

 

 
Questions or problems regarding this bulletin board should be directed to Webmaster
©1997-1999 by DCScripts. All rights reserved.