Authorize.net Security Issue. PW only mode?

Dec-17-17 12:48 PM EST
Original Message
Authorize.net Security Issue. PW only mode?
Author Gary Torello on 03-27-2002 at 14:24 (EST)
Hi!

We use Authorize.net as our gateway and, due to some hacking attempts, would like to set our gateway to "password only" mode.

This means, however, that the uShop cart would need to pass the Authorize.net Merchant password encrypted via ADC to Authorize.net.

We don't see this as an option.. is it possible?

A little history regarding the latest Authorize.net scam:

Without Authorize.net in PW only mode, Hackers EASILY send "authorize only" requests DIRECTLY to Authorize.net for small sums like $0.01, using your Authorize.net username (which is routinely kept non-encrypted by many shopping carts).

These "Authorize only" requests are purely to determine if the card/cardholder data is good.. and since no money is being withdrawn or charged to anyone, there are NO security checks by Authorize.net

The problem is the Merchant gets stuck with the small per transaction fee for every one of these. (around 35 cents and another .35 from the Merchant Account Provider). Unfortunately this seems to be BIG business.. we had over 500 of these pumped thru our Authorize.net gateway in the space of 1/2 hour! ..complete with Cardholder names, address, etc... (transaction costs were over $700!)

Well.. I don't want to scare anyone.. but after LENGTHY discussion with Authorize.net, the conclusion is if you use Authorize.net in anything but PW ONLY mode, you're vulnerable... and they WON'T refund you any transaction fees, since they *have* provided a secure means: PW only.

OK.. RANTS OVER.. any help available on this??


Table Of Contents
  RE: Authorize.net Security Issue. PW only mode? Bill Weiner, 2002-03-28 06:54:54 (1)
            RE: Authorize.net Security Issue. PW only mode? Gary Torello, 2002-03-29 18:22:17 (2)

Messages In This Discussion
         1. RE: Authorize.net Security Issue. PW only mode?
        Author Bill Weiner on 03-28-2002 at 06:54 (EST)
Hmmm... that does sound like a flaw with Authorize.Net. They should just add some feature on their Authorize.Net control panel to disable "authorize only" requests from the web. Anyway, we'll look into it some more. By the way, do they have any additional documentation about that on their website?
                 2. RE: Authorize.net Security Issue. PW only mode?
                Author Gary Torello on 03-29-2002 at 18:22 (EST)
Sorry Bill, that's MUCH too easy a solution to expect Authorize.net to implement [sarcasm intended] besides.. might be admitting to a flaw!

I've checked their docs and couldn't find anything more specific about this. Although perhaps as a developer you might have some luck in discussing the issue with them... I've probably worn out my welcome screaming about refunds.

FWIW, I have used other carts in the past (MIVA in particular) that I believe could pass the PW to A.N - but I DON'T want to change. I like the simplicity of uShop for what we're doing.

TIA!
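One way a merchant could flag the burst pattern described in this thread (many small "authorize only" requests in a short span) from a transaction export. This is an added example, not part of the original posts and not uShop or Authorize.net code; the log layout, field order, function names and thresholds are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample export (assumed layout: timestamp,type,amount,card_last4).
SAMPLE_LOG = """\
2002-03-27T13:40:00,AUTH_CAPTURE,24.95,1111
2002-03-27T14:00:05,AUTH_ONLY,0.01,2001
2002-03-27T14:00:09,AUTH_ONLY,0.01,2002
2002-03-27T14:00:14,AUTH_ONLY,0.01,2003
2002-03-27T14:00:20,AUTH_ONLY,0.01,2004
2002-03-27T14:00:31,AUTH_ONLY,0.01,2005
2002-03-27T14:00:40,AUTH_ONLY,0.01,2006
2002-03-27T14:05:00,AUTH_CAPTURE,59.00,3333
2002-03-27T16:30:00,AUTH_ONLY,0.01,4444
""".splitlines()

def parse(lines):
    """Yield (timestamp, type, amount, card_last4) for each non-empty line."""
    for line in lines:
        if line.strip():
            ts, kind, amount, last4 = line.strip().split(",")
            yield datetime.fromisoformat(ts), kind, float(amount), last4

def find_card_testing(lines, window=timedelta(minutes=10), min_hits=5,
                      max_amount=1.00):
    """Return one alert per burst of small AUTH_ONLY requests.

    A burst starts when min_hits qualifying requests fall inside the sliding
    window and lasts until the window count drops below min_hits again.
    """
    recent, alerts, current = deque(), [], None
    for ts, kind, amount, last4 in sorted(parse(lines)):
        if kind != "AUTH_ONLY" or amount > max_amount:
            continue  # ordinary sales are ignored
        recent.append((ts, last4))
        while ts - recent[0][0] > window:
            recent.popleft()  # drop requests older than the window
        if len(recent) < min_hits:
            current = None  # burst (if any) has ended
        elif current is None:
            current = {"start": recent[0][0], "end": ts, "count": len(recent),
                       "cards": {card for _, card in recent}}
            alerts.append(current)
        else:
            current["end"] = ts
            current["count"] += 1
            current["cards"].add(last4)
    return alerts

if __name__ == "__main__":
    for a in find_card_testing(SAMPLE_LOG):
        print(a["start"], a["end"], a["count"], len(a["cards"]))
```

Many distinct cards inside one alert is the signal that separates card testing from a single customer retrying a declined card.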

© 2003 Microburst Technologies, Inc.