Malicious Authorize.Net script being run to process transactions

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
8 years ago
nop ver: 3.1

This was posted in the security thread but got no response from nopcommerce.

Someone is running a script in a loop to process Authorize.net transactions. We have already changed those but after two days the script has been run again.

So no one from nopcommerce wants to address this???

There is only one way someone could run a loop program to attempt to post fraudulent transactions to our authorize.net gateway. They would need our Transaction Key and Login Id. Only the Global Administrators can access settings, payment methods and plugins in our admin back end and there are only three: the two owners and myself. Shipworks also needs an Administrators account to work.

Our global administrators have full access. Our administrators have full access except:

Allow Customer Impersonation
Manage ACL
Manage Customer Roles
Manage External Authorization Methods
Manage Payment Methods
Manage Plugins
Manage Settings
Manage Widgets

So unless a hacker has found a vulnerability to spoof the Global Administrators role that's not what is happening.

The second option is they have hacked our database to obtain the information. There are only three accounts with access to do that: the SQL sa account, my SQL administrators account and the nopcommerce database account. Each of these accounts has a password that is at least 16 characters long containing upper and lower case, digits and special characters. In other words very strong passwords. Of course someone could have obtained one in another fashion. They are obviously written down and stored under lock and key but hey, you never know.

Which leads us to this. Why is all of the important security information for PayPal, credit card processors and everything else stored in the database as clear text and not stored as encrypted data like customer passwords???

Storing all this information as encrypted data would ensure that NO ONE could obtain the information either from the website back end or by hacking the database under ANY circumstance!!!

Secondly why hasn't the captcha been modified so that it also can reside on the shopping cart 'Order Confirmation Page'???

Implementing both of these features should be a priority for the nopcommerce team and would literally prevent anyone from obtaining credit transaction security configuration settings. It would also prevent anyone from using a loop program to spoof the 'Order Confirmation' page which is what is happening to us.

Can someone give us the code to implement the captcha on the Order Confirmation page?? We have attempted but in all cases we get errors. This must be happening to a lot of other shopping cart providers as well because we are seeing captcha on more and more Order Confirmation pages from various websites.

One of the solutions immediately proposed by Authorize.Net was to implement captcha on the order confirmation page and, whereas they didn't come right out and say it, it was quite clear to us that this is an issue they are seeing more and more of.

Thanks
8 years ago
Hi Greg,

Greg Smyth wrote:
Someone is running a script in a loop to process Authorize.net transactions. We have already changed those but after two days the script has been run again.

So no one from nopcommerce wants to address this???

What script do you mean? What exactly does it do? Please clarify. Does somebody place fake orders very often? But I don't think it can help somehow to get secret keys to Authorize.NET or PayPal. Furthermore, it's not possible using the same customer account because we have "ordersettings.minimumorderplacementinterval" setting. You can simply set it to 300 (5 minutes) or more. And in case of placing new orders using distinct customer accounts you can enable email confirmation during registration.


Greg Smyth wrote:
Which leads us to this. Why is all of the important security information for PayPal, credit card processors and everything else stored in the database as clear text and not stored as encrypted data like customer passwords???

Storing all this information as encrypted data would ensure that NO ONE could obtain the information either from the website back end or by hacking the database under ANY circumstance!!!

Thanks for suggestion. This work item already exists. Please find it here

Greg Smyth wrote:
Secondly why hasn't the captcha been modified so that it also can reside on the shopping cart 'Order Confirmation Page'???

I've never seen that some stores placed CAPTCHA to checkout. It can stop some customers from buying. Anyway please vote for this work item here.
8 years ago
Andrei, knew i could count on you, sorry for the late reply wanted to analyze fully.

It appears it's not coming from within our nop website. We believe they are just using the authorize.net api and inserting static data inside the api to run charges against our authorize.net (AN) account within a loop of the data. The only information they change is the last four digits of the credit card number. They have all originated from outside the USA but hey, they could have been bouncing it around from anywhere. We implemented AN fraud protection to catch it and stop it when it occurs. Works great. HIGHLY recommended to everyone.

That only leaves one issue. You MUST have the AN Transaction ID and Login Key. AN will drop the connection if these are not provided in the request, so they say anyway. Only 3 places to obtain that. AN, website back-end or the database itself. We've taken measures to hopefully prevent any unauthorized access. We're also upgrading to nop 3.6.

Thank you for the response,
Greg
7 years ago
As an FYI we have a client who is asking for the reCaptcha to be displayed at the order confirmation page. I'll post here once the plugin is complete.
7 years ago
So I've built a plugin to support this, however I had to hijack a route handled by the CheckoutController (which is probably not the best practice but it gets the job done).  If anyone wants it, just PM me.  Also, the plugin is dependent on one of the views being overridden (OnePageCheckout.cshtml) as opposed to adding a custom view engine since my solution already has several.
7 years ago
We have been seeing this same behavior on one of our 3.70 stores: a customer account is created, then it proceeds to run a series of credit card numbers through the payment page and it is hitting authorize.net 400 - 500 times in a row. I think they are checking stolen credit card numbers through the stores to find good cards, because one actually made it past declined, which we voided quickly. I made a few tweaks to the registration page and billing address page to make it harder if it is a bot. We do need a way to block IPs automatically that attempt to run many transactions in a short period of time.

I am monitoring the store to see if it happens again or not after the changes and tweaks.

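The pattern described in the post above (one freshly created account, hundreds of gateway hits in a row, a different card number each time) and the per-customer "ordersettings.minimumorderplacementinterval" check Andrei mentioned earlier in the thread can both be exercised against a log of gateway attempts. The following Python is an added example, not nopCommerce code and not the tweaks the poster made; the log format, the sample lines, the field names and the thresholds (60-second window, more than 5 attempts, at least 3 distinct card numbers, at least half declined) are all assumptions chosen for illustration. The distinct-card and decline-ratio conditions are there so that a legitimate customer retrying one card, or many real customers behind a shared NAT address, are not flagged as card testing.

```python
"""Card-testing velocity check and minimum-order-interval check over constructed gateway logs.

Added example; not nopCommerce code. Log format and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one line per attempt the store forwarded to the gateway.
# Fields (assumed): ISO timestamp, client IP, customer account, card last four, gateway result.
# 198.51.100.9 cycles six different cards in six seconds; carol is a real customer retrying one card.
SAMPLE_LOG = """\
2016-03-01T10:00:00 203.0.113.7 alice@example.com 4242 approved
2016-03-01T10:00:20 198.51.100.9 tmp1@example.net 1101 declined
2016-03-01T10:00:21 198.51.100.9 tmp1@example.net 1102 declined
2016-03-01T10:00:22 198.51.100.9 tmp1@example.net 1103 declined
2016-03-01T10:00:23 198.51.100.9 tmp1@example.net 1104 declined
2016-03-01T10:00:24 198.51.100.9 tmp1@example.net 1105 approved
2016-03-01T10:00:25 198.51.100.9 tmp1@example.net 1106 declined
2016-03-01T10:05:00 203.0.113.7 alice@example.com 4242 approved
2016-03-01T10:30:00 192.0.2.44 carol@example.org 9876 declined
2016-03-01T10:30:30 192.0.2.44 carol@example.org 9876 approved
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, customer, last4, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "customer": customer, "last4": last4, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def flag_card_testing(events, window_seconds=60, max_attempts=5,
                      min_distinct_cards=3, min_decline_ratio=0.5):
    """Sliding window per source IP.

    An IP is flagged the first time it has more than max_attempts attempts inside the
    window AND those attempts used at least min_distinct_cards different card numbers
    AND at least min_decline_ratio of them were declined. Retrying one card many times,
    or a busy shared address with mostly approved orders, does not match.
    Returns {ip: summary} for every flagged IP.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> attempts within the window, oldest first
    flagged = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) <= max_attempts or e["ip"] in flagged:
            continue
        cards = {x["last4"] for x in q}
        declines = sum(1 for x in q if x["result"] == "declined")
        if len(cards) >= min_distinct_cards and declines / len(q) >= min_decline_ratio:
            flagged[e["ip"]] = {"first_seen": q[0]["ts"], "flagged_at": e["ts"],
                                "attempts": len(q), "distinct_cards": len(cards),
                                "declines": declines}
    return flagged


def min_interval_rejections(events, interval_seconds=300):
    """Emulate a per-customer minimum order placement interval.

    Simplification (assumption): every attempt counts as a placement. Returns the
    attempts that would be rejected because the same customer placed one less than
    interval_seconds earlier. Note that carol's legitimate retry is rejected too,
    which is the cost Andrei refers to when he says such checks can stop real buyers.
    """
    last_accepted = {}
    rejected = []
    for e in events:
        prev = last_accepted.get(e["customer"])
        if prev is not None and (e["ts"] - prev) < timedelta(seconds=interval_seconds):
            rejected.append(e)
        else:
            last_accepted[e["customer"]] = e["ts"]
    return rejected


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in flag_card_testing(evs).items():
        print("block", ip, info)
    for e in min_interval_rejections(evs):
        print("too soon", e["customer"], e["ts"].isoformat())
```

The dictionary returned by `flag_card_testing` is what you would hand to a firewall or WAF rule, or check at checkout before forwarding another authorization; the interval check only slows a single account down, so on its own it does nothing against an attacker who registers a new account per batch.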
7 years ago
Could someone please let me know what AN fraud protection is and how we can use it as Greg recommended.

Thanks!
7 years ago
I think he was referring to Authorize.Net Fraud Protection features.