cpruissen Posted March 17, 2006 Hi Everyone, I am stumped here. I run an older version of osCommerce which I am working on upgrading. My problem is that someone is stealing my customers' credit card and personal information after or when they place their order and then charging the customer's credit card with additional funds under my company name. It's a lot to digest... a customer makes an order and it is processed through PSIGate or PayPal (it happened with both systems). The order is processed perfectly with only the original order charges showing on my processors and in my bank account. I get a call a week or so later from a customer yelling at me because I charged her credit card for more money, sometimes numerous charges... all under my company name. I have seen the credit card statements and indeed it is showing as if it were from my company. As this is happening with both PayPal and PSIGate orders, it is apparent someone has hacked my files and embedded some code or cookie to gather the customer's information on checkout and set up a company identical to mine, probably overseas. I do not store any credit card information and use PSIGate remote so they handle this. How on earth do I find out where the hacker is getting the info from? How can I stop this? My company reputation is at stake and I've worked so hard for so long. Help... please! Catherine http://childcare.net/catalog/catalog/index.php
Guest Posted March 17, 2006 The hacker's code is in your order process/payment modules. You should close your site for a professional security audit - also contact law enforcement. Matti
custodian Posted March 30, 2006 (quoting Catherine's original post) I assume this is your server? If so, please ensure that you retain all logs as far back as possible: FTP, SSH, telnet, HTTP access and error. There are several other vital key factors that may pinpoint the time frame of the breach. I PM'd you, if you need additional help. Henry Smith
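The log review Henry describes, carried one step further as an added example (my script, not Henry's and not part of osCommerce): list the PHP files that changed inside a look-back window, pull the access-log lines that point at injected code, and bracket when a suspicious file was first and last requested, so the window can be lined up against the FTP and SSH logs. The web-root and log paths are assumptions, and the sample log at the bottom is constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not from the thread: first-pass triage of an osCommerce web
# root and its Apache access log, to narrow down where code was injected and
# when. Paths are assumptions (override with CATALOG= and ACCESS_LOG=).
# Work on copies of the logs; change nothing on the live box until the
# window is known.

CATALOG="${CATALOG:-/var/www/catalog}"
ACCESS_LOG="${ACCESS_LOG:-/var/log/apache2/access.log}"

# 1. PHP files changed inside the look-back window ($2 days, default 30).
#    Injected code usually lands in checkout_*.php, a payment module under
#    includes/modules/payment/, or a brand-new file nobody remembers adding.
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime -"${2:-30}" -exec ls -l {} + 2>/dev/null
}

# 2. Access-log lines worth a second look: PHP-injection tokens or directory
#    traversal anywhere in the request, and POSTs to PHP files other than the
#    pages a shopper legitimately POSTs to (login, account creation, checkout,
#    the PayPal IPN and PSIGate callbacks). Loose on purpose; tune the list.
KNOWN_POST_PAGES='(login|create_account|checkout_(shipping|payment|confirmation|process)|ipn|psigate)\.php'
suspicious_requests() {
    {
        grep -E '"(GET|POST) [^"]*(eval\(|base64_decode|passthru|shell_exec|\.\./)' "$1" || true
        grep -E '"POST [^"]*\.php' "$1" | grep -Ev "\"POST [^\" ]*/$KNOWN_POST_PAGES[? ]" || true
    } | awk '!seen[$0]++'      # de-duplicate while keeping log order
}

# 3. Once a file looks wrong, bracket when it was first and last requested.
#    Access logs are chronological, so the first and last hit give the window
#    to line up against FTP/SSH logins and the first customer complaint.
first_last_hit() {
    grep -F "/$2" "$1" | awk 'NR==1 {print} {last=$0} END {if (NR>1) print last}'
}

# Constructed sample log (Apache combined format), written to the path given
# as $1. 198.51.100.7 plays the attacker in this made-up data.
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [17/Mar/2006:03:01:58 +0000] "GET /catalog/includes/modules/payment/psigate.php?c=eval(base64_decode(...)) HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [17/Mar/2006:03:02:11 +0000] "POST /catalog/images/banners/x.php HTTP/1.1" 200 18 "-" "-"
203.0.113.10 - - [17/Mar/2006:10:15:32 +0000] "GET /catalog/product_info.php?products_id=42 HTTP/1.1" 200 9120 "-" "Mozilla/4.0"
203.0.113.10 - - [17/Mar/2006:10:16:01 +0000] "POST /catalog/checkout_payment.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.22 - - [17/Mar/2006:11:40:09 +0000] "POST /catalog/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [17/Mar/2006:23:55:40 +0000] "POST /catalog/images/banners/x.php HTTP/1.1" 200 18 "-" "-"
EOF
}

SAMPLE_LOG="$(mktemp)"
write_sample_log "$SAMPLE_LOG"

echo "== recently modified PHP under $CATALOG =="
recently_modified_php "$CATALOG" 30
echo "== suspicious requests in the sample log =="
suspicious_requests "$SAMPLE_LOG"
echo "== first/last request for x.php =="
first_last_hit "$SAMPLE_LOG" x.php
rm -f "$SAMPLE_LOG"
```

On the sample data the second function flags the three attacker lines (the eval in the query string and both POSTs to a PHP file under images/) and leaves the shopper's checkout and login POSTs alone; the third function gives the 03:02 to 23:55 window for x.php. On a real server run it against the live paths, then search the FTP and SSH logs for logins inside that window, and keep every log file rather than rotating it away.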
custodian Posted March 30, 2006 I hate to say it, but I just signed up for an account. Account page NOT SECURE. I added products to my cart and began checkout. Checkout page asks me for my credit card number. Page is NOT SECURE. You've been asking everyone for their credit card holder name, credit card number, credit card expiration and CVV, ALL on a non-secure page. An SSL certificate would have cost you $24 per year... You basically gave it to whomever on a silver platter. Henry Smith
Harald Ponce de Leon Posted March 30, 2006 The question is why it also happens with PayPal, as no credit card information is needed on the store for this payment method (all details are entered when forwarded to PayPal). Harald Ponce de Leon, osCommerce
♥Vger Posted April 3, 2006 More than two weeks later - and the site is still up and running and still no SSL in place - obviously not that worried about security. Vger
Harald Ponce de Leon Posted April 3, 2006 More than two weeks later - and the site is still up and running and still no SSL in place - obviously not that worried about security. I did not take a look, but it is fine to not have an SSL certificate in place if the billing information is not collected on site. PayPal is a good example here, as the billing information is collected at PayPal's site, where the data is passed through an encrypted SSL connection. (That is why I questioned why she was also experiencing problems with PayPal.) I believe collecting credit card information on a non-SSL protected page is against the policies of the credit card companies involved (VISA, MasterCard, ...), where the store owner will be held liable for damages. Harald Ponce de Leon, osCommerce
cpruissen Posted April 4, 2006 Author (quoting Harald's reply above) Thanks to all of you for your help. I do not store credit card information on site as it is passed on to PayPal and PSIGate. I have worked with PSIGate (these guys are awesome) and my ISP to see where any issues lie and have replaced all my payment files. Henry has contacted me in the last week and I am working on his suggestions, as well as a complete cart upgrade, so while it may look like nothing is being done, it is. As a small one-person business, there is only so much time to get things done. I discovered one issue was with PSIGate and their new system, but it was simply an issue on the order confirmation email total and not with what the customer was actually charged on their credit card. They have since corrected the error and I've had no further complaints. Likewise, as some of the problems occurred through the affiliate program with two affiliates from overseas using bad cards to place the orders, I have since shut it down. One customer admitted she had to close her PayPal account down because her information was stolen... this is the card used to place one of the orders after the fact, so I was not surprised. I have taken the time also to contact the RCMP on all these issues and while it seems so bad to me, I've yet to hear anything from them even though one affiliate made orders with two bad cards. That solved two of the four issues I had. PSIGate's error solved another one. The remaining issue is the PayPal order which was apparently double billed, but I've yet to hear anything back from the customer or receive any faxes showing me exactly what happened. Sorry it took so long to get back to you with an update. I had two major article assignments last month which took up a huge chunk of my time. Catherine
aapinen Posted April 21, 2006 I don't collect credit card numbers. Only customers' addresses, names and their orders. The money transfers go through the banks' or credit card companies' (Verified by Visa) own sites. Do I need an SSL certificate?
WebRat Posted May 10, 2006 I have the same question as Aapinen does, but I will only be using PayPal for now. So do we still need to have the "lock" and http"S" on when logging in or making an account?
boxtel Posted May 11, 2006 I have the same question as Aapinen does, but I will only be using PayPal for now. So do we still need to have the "lock" and http"S" on when logging in or making an account? No need to have, but very good to have. Many people consider their personal information besides CC numbers also as pretty sensitive. Treasurer MFC
happyday Posted May 27, 2006 (quoting Catherine's original post) Hello, this topic is interesting, although I do not have any customers at the time being for my site. You sure made this awareness quite clear. I'll be more careful on my behalf. I just recently received an e-mail from some people that show interest in my products. But these people chose to pay by cashier's cheque. They want to send a cheque that was more than the total cost and ask me to cash it at my bank. I felt that it was some kind of scam because one cheque was for $3800 and the other for $3500. These two people wanted me to cash the cheque, deduct whatever they owe me and send the rest of the amount back to them using Western Union. No way, I thought. I never heard of any business that would do something like that for their clients. Luckily I talked to this friendly lady named Cathi; she explained the concept to me and advised me not to deal with these people. It's always good to have a second opinion from others and to find out what other scams are out there. For our business protection it's always good to find more information. trang
cpruissen Posted May 28, 2006 Author (quoting trang's post above) Trang, your friend is right. And after you deposit the fake cashier's cheque and refund any money, they'll tell you they want to cancel the order and ask for a refund. All of this will take place before your bank even detects the cheque is fake, leaving you to deal with the loss and the bank. Not a pretty picture. This trick is so widespread. I recently had someone email a number of members from our child care registry. Basically the scam was the same, only he wanted these people to provide child care for his family on a trip to town for business. He said he would pay in advance through a supposed sponsor in the US. Then as soon as the fake cheque was deposited, he would cancel and ask for a refund. This seems to be a big business these days. Be careful... sell by your policies only and do not deviate for anyone. It's your money and reputation. Catherine
smithveg Posted July 27, 2006 I'm not sure whether what I am doing is good or not. I hacked the osCommerce checkout step again. Go to my site and have a look. *** There is the My Store Forum for community review *** You could try to register an account, make a purchase and check out. You would notice my site doesn't require any credit card information from the customer. It just ignores it, so the customer only needs to input their confidential credit card information at https://www.2checkout.com. I think it might be secure, but I'm not sure if it's good or not. Any suggestions? smithveg
radnam Posted August 18, 2006 Thanks trang and Catherine, you have just saved me from a huge loss, because one of my clients just asked me to do the same thing. I generally do not take cheques, but as the client requested it I was going to consider it. No way that I am going to accept payments by this mode. Thanks :D :thumbsup:
Guest Posted August 24, 2006 Beefing up security is always a good idea. Many of you are using Apache servers, and probably don't even realize it, but you can limit certain files, like configure, etc., with your .htaccess file to make it so only ONE IP address can get access to those files. I think it is worthwhile to also change the names of vulnerable files. Change configure to ghyausto.php, etc. I have personally purchased an HTTPS certificate from godaddy.com for only $19/year; beat that. Cheap, and it builds customer confidence. I would never submit to a store without it. PHP also has easy-to-use built-in encrypting functions. You can encrypt all vulnerable data that you store in your database. That way it looks like junk if anyone is able to do a brute force hack on your MySQL database. Lots you can do, you just have to invest the time or the money.
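An .htaccess along the lines of the advice above, added here as an example; it is not taken from the thread or from osCommerce itself. The owner's address 192.0.2.10, the assumption that the file sits in the catalog directory, and the page names in the rewrite rules are mine. The syntax is Apache 2.2, which is what a host of that era would have run.

```apache
# Added example (not from the thread): hardening for the osCommerce catalog
# directory. 192.0.2.10 is a placeholder for the store owner's fixed address.

# Only the owner may fetch configure.php over HTTP (it holds the database
# credentials). This governs HTTP requests only; PHP's own include of the
# file is unaffected, so the store keeps working.
<Files "configure.php">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.10
</Files>

<IfModule mod_rewrite.c>
RewriteEngine On

# Nothing under images/ should ever execute. A PHP file dropped into an
# upload directory is the classic place for injected code to live.
RewriteRule ^images/.*\.(php|phtml|php3|php5)$ - [F,L]

# Account and checkout pages only over HTTPS; everything else may stay plain.
RewriteCond %{HTTPS} !=on
RewriteRule ^(login|create_account|account.*|checkout_.*)\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

The <Files> block needs AllowOverride Limit (or All) for the directory in the host's virtual-host config, or Apache silently ignores it; on Apache 2.4 the three Order/Deny/Allow lines become Require ip 192.0.2.10. Restricting configure.php this way is more practical than renaming it, since includes/application_top.php includes it by name. The HTTPS rule should agree with the ENABLE_SSL setting in osCommerce's includes/configure.php, which makes the application itself generate https:// links for the same pages.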
HSMagic Posted August 31, 2006 No need to have, but very good to have. Many people consider their personal information besides CC numbers also as pretty sensitive. I have SSL so it's not an issue, but why people consider their name and address sensitive is beyond me. It's a matter of public record just about everywhere you go. A co-worker showed me this site: http://www.zabasearch.com/ When I typed in my name it gave me my phone and address for the past 15 years! Not saying it's right, but that's how it is.
This topic is now archived and is closed to further replies.