nop ver: 3.1
This was posted in the security thread but got no response from nopcommerce.
Someone is running a script in a loop to process Authorize.net transactions. We have already changed those, but after two days the script has been run again.
So no one from nopcommerce wants to address this???
There is only one way someone could run a loop program to attempt to post fraudulent transactions to our authorize.net gateway. They would need our Transaction Key and Login Id. Only the Global Administrators can access settings, payment methods and plugins in our admin back end, and there are only three: the two owners and myself. Shipworks also needs an Administrator account to work.
Our global administrators have full access. Our administrators have full access except:
Allow Customer Impersonation
Manage ACL
Manage Customer Roles
Manage External Authorization Methods
Manage Payment Methods
Manage Plugins
Manage Settings
Manage Widgets
So unless a hacker has found a vulnerability to spoof the Global Administrators role, that's not what is happening.
The second option is they have hacked our database to obtain the information. There are only three accounts with access to do that: the SQL sa account, my SQL administrator account and the nopcommerce database account. Each of these accounts has a password that is at least 16 characters long containing upper and lower case, digits and special characters. In other words, very strong passwords. Of course someone could have obtained one in another fashion. They are obviously written down and stored under lock and key, but hey, you never know.
Which leads us to this. Why is all of the important security information for PayPal, credit card processors and everything else stored in the database as clear text and not stored as encrypted data like customer passwords???
Storing all this information as encrypted data would ensure that NO ONE could obtain the information either from the website back end or by hacking the database under ANY circumstance!!!
Secondly why hasn't the captcha been modified so that it also can reside on the shopping cart 'Order Confirmation Page'???
Implementing both of these features should be a priority for the nopcommerce team and would literally prevent anyone from obtaining credit transaction security configuration settings. It would also prevent anyone from using a loop program to spoof the 'Order Confirmation' page which is what is happening to us.
Can someone give us the code to implement the captcha on the Order Confirmation page?? We have attempted, but in all cases we get errors. This must be happening to a lot of other shopping cart providers as well, because we are seeing captcha on more and more Order Confirmation pages from various websites.
One of the solutions immediately proposed by Authorize.Net was to implement captcha on the order confirmation page, and whereas they didn't come right out and say it, it was quite clear to us that this is an issue they are seeing more and more of.
Thanks
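Added example, not the poster's code and not nopCommerce's own: one way to put a CAPTCHA on the Confirm step of the nopCommerce 3.x checkout, reusing the `[CaptchaValidator]` filter, `CaptchaSettings` and `Html.GenerateCaptcha()` helper that the 3.x Register and ContactUs pages already use. The setting name `ShowOnOrderConfirmPage`, the model flag `DisplayCaptcha` and the `PrepareConfirmOrderModel` helper are this example's assumptions; the rest of the action body is left as "existing code" because it is unchanged.

```csharp
// Added example (not nopCommerce's own code). Assumed 3.x file layout and names
// are given in the comments; anything marked "hypothetical" is this example's.
using System.Linq;
using System.Web.Mvc;
using Nop.Core.Domain.Orders;
using Nop.Services.Orders;                     // LimitPerStore()
using Nop.Web.Framework.Security;              // NopHttpsRequirement
using Nop.Web.Framework.Security.Captcha;      // CaptchaValidatorAttribute, CaptchaSettings

// ---- Nop.Web.Framework/Security/Captcha/CaptchaSettings.cs ----
// Add one flag beside ShowOnRegistrationPage etc. (hypothetical name). Settings
// classes are persisted by property name, so nothing else is needed to store it:
//     public bool ShowOnOrderConfirmPage { get; set; }

// ---- Nop.Web/Models/Checkout/CheckoutConfirmModel.cs ----
// Add a flag for the view (hypothetical name):
//     public bool DisplayCaptcha { get; set; }

// ---- Nop.Web/Controllers/CheckoutController.cs ----
// Inject CaptchaSettings through the constructor like the other settings objects.
private readonly CaptchaSettings _captchaSettings;

[NopHttpsRequirement(SslRequirement.Yes)]
public ActionResult Confirm()
{
    // ... existing cart validation unchanged ...
    var model = PrepareConfirmOrderModel(cart);   // assumed existing helper
    model.DisplayCaptcha = _captchaSettings.Enabled && _captchaSettings.ShowOnOrderConfirmPage;
    return View(model);
}

// [CaptchaValidator] reads the reCAPTCHA response fields from the posted form,
// verifies them with Google, and writes the result into the "captchaValid"
// action parameter. This is exactly how the 3.x Register action consumes it.
[HttpPost, ActionName("Confirm")]
[ValidateInput(false)]
[CaptchaValidator]
public ActionResult ConfirmOrder(bool captchaValid)
{
    var cart = _workContext.CurrentCustomer.ShoppingCartItems
        .Where(sci => sci.ShoppingCartType == ShoppingCartType.ShoppingCart)
        .LimitPerStore(_storeContext.CurrentStore.Id)
        .ToList();

    var model = PrepareConfirmOrderModel(cart);
    model.DisplayCaptcha = _captchaSettings.Enabled && _captchaSettings.ShowOnOrderConfirmPage;

    // Fail closed: a missing or wrong CAPTCHA answer returns the page with a
    // warning and never reaches PlaceOrder(), so the gateway is not called.
    // This is the point at which a scripted loop posting the confirm form stops.
    if (model.DisplayCaptcha && !captchaValid)
    {
        model.Warnings.Add(_localizationService.GetResource("Common.WrongCaptcha"));
        return View(model);
    }

    // ... existing code: build ProcessPaymentRequest, call
    //     _orderProcessingService.PlaceOrder(processPaymentRequest), redirect ...
}

// ---- Nop.Web/Views/Checkout/Confirm.cshtml ----
// Inside the form that posts to Checkout/Confirm, before the confirm button:
//     @if (Model.DisplayCaptcha)
//     {
//         <div class="captcha-box">@Html.Raw(Html.GenerateCaptcha())</div>
//     }
```

Two things to check before relying on this. First, the reCAPTCHA public and private keys must be filled in under the existing "CAPTCHA settings" in the admin area, or `[CaptchaValidator]` has nothing to verify against and the page will throw, which is the usual cause of the errors people hit when copying the attribute onto a new action. Second, 3.x ships with one-page checkout enabled by default, and that path posts the confirm step via JavaScript to the `OpcConfirmOrder` action rather than to `Confirm`; a script can target that URL directly, so the same gate (the attribute, the `captchaValid` parameter, and a JSON error response instead of `View(model)`) has to be applied there too, and the CAPTCHA widget has to be rendered in the one-page confirm partial. Also make sure the gateway is not reachable from any other POST that is left ungated, since a loop only needs one.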
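Added example on the second request in the post (storing the Authorize.net Transaction Key encrypted rather than in clear text), again not the poster's code and not nopCommerce's or the plugin's own. It uses the `IEncryptionService` that nopCommerce 3.x already uses for stored card numbers. One caveat a practitioner will want up front: that service's default key is `SecuritySettings.EncryptionKey`, which is itself a row in the same `Setting` table, so encrypting with the default key gives no protection against someone who can read the database. The example therefore takes the wrapping key from `web.config` instead. The helper class, the `enc:` prefix and the `AuthorizeNetKeyWrap` appSettings name are this example's assumptions; `AuthorizeNetPaymentSettings.TransactionKey`, `IEncryptionService.EncryptText/DecryptText` and `ISettingService.SaveSetting` are the 3.x names.

```csharp
// Added example (not nopCommerce's or the Authorize.Net plugin's own code).
// Assumes nopCommerce 3.x and the plugin's AuthorizeNetPaymentSettings class.
using System;
using System.Configuration;
using Nop.Plugin.Payments.AuthorizeNet;   // AuthorizeNetPaymentSettings (LoginId, TransactionKey)
using Nop.Services.Configuration;         // ISettingService
using Nop.Services.Security;              // IEncryptionService

// Hypothetical helper that the plugin's Configure action and its payment
// processor would call instead of touching TransactionKey directly.
public class ProtectedTransactionKey
{
    private const string Prefix = "enc:";   // marks a stored value as ciphertext

    private readonly IEncryptionService _encryptionService;
    private readonly ISettingService _settingService;
    private readonly AuthorizeNetPaymentSettings _settings;

    public ProtectedTransactionKey(IEncryptionService encryptionService,
        ISettingService settingService, AuthorizeNetPaymentSettings settings)
    {
        _encryptionService = encryptionService;
        _settingService = settingService;
        _settings = settings;
    }

    // The wrapping key is deliberately NOT SecuritySettings.EncryptionKey: that
    // value lives in the Setting table next to the data it would protect.
    // web.config is outside the database and its appSettings section can be
    // DPAPI-protected on the server with:  aspnet_regiis -pe "appSettings" -app "/"
    // The 3.x EncryptionService uses the first 16 characters of the key for
    // TripleDES, so anything shorter is rejected here rather than silently truncated.
    private static string WrappingKey()
    {
        var key = ConfigurationManager.AppSettings["AuthorizeNetKeyWrap"];   // hypothetical name
        if (string.IsNullOrEmpty(key) || key.Length < 16)
            throw new InvalidOperationException("AuthorizeNetKeyWrap must be set and at least 16 characters");
        return key;
    }

    // Store only ciphertext in the Setting table.
    public void Save(string plaintextTransactionKey)
    {
        _settings.TransactionKey = Prefix + _encryptionService.EncryptText(plaintextTransactionKey, WrappingKey());
        _settingService.SaveSetting(_settings);
    }

    // Decrypt at the moment the gateway request is built. A value without the
    // prefix is a legacy clear-text key that has not been re-saved through Save();
    // it is returned as-is so an existing store keeps working during migration.
    public string Get()
    {
        var stored = _settings.TransactionKey ?? string.Empty;
        if (!stored.StartsWith(Prefix, StringComparison.Ordinal))
            return stored;
        return _encryptionService.DecryptText(stored.Substring(Prefix.Length), WrappingKey());
    }
}
```

What this does and does not buy: it stops someone who only has the database (a backup, a copied `.bak`, a SQL login) from reading the Transaction Key, because the wrapping key is not in that database. It does not stop anyone who can run code as the web application or who has the Global Administrator role, because the application has to decrypt the key to call Authorize.Net; the same limitation applies to any scheme, which is why rotating the key at Authorize.Net after an incident, and finding how it was taken, still matters more than where it is stored.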