
Stealing Credit Card Information


cpruissen


Posted

Hi Everyone,

 

I am stumped here. I run an older version of osCommerce which I am working on upgrading. My problem is that someone is stealing my customers' credit card and personal information after or when they place their order and then charging the customer's credit card with additional funds under my company name.

It's a lot to digest..... a customer makes an order and it is processed through PSIGate or PayPal (it happened with both systems). The order is processed perfectly with only the original order charges showing on my processors and in my bank account.

I get a call a week or so later from a customer yelling at me because I charged her credit card for more money, sometimes numerous charges..... all under my company name. I have seen the credit card statements and indeed it is showing as if it were from my company.

As this is happening with both PayPal and PSIGate orders, it is apparent someone has hacked my files and embedded some code or cookie to gather the customer's information on checkout and set up a company identical to mine, probably overseas.

 

I do not store any credit card information and use PSIGate remote so they handle this.

 

How on earth do I find out where the hacker is getting the info from? How can I stop this? My company reputation is at stake and I've worked so hard for so long.

 

Help...........please!

 

Catherine

http://childcare.net/catalog/catalog/index.php

Posted

The hacker's code is in your order process/payment modules.

 

You should close your site for a professional security audit - also contact law enforcement.

 

Matti
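One way a store owner could look for the kind of tampering Matti describes: an added example (not from this thread or from the osCommerce project) that records a hash of every payment module file right after a known-good reinstall, then reports files that changed, appeared or vanished, and flags code patterns a card skimmer typically needs (obfuscation, mail(), outbound HTTP). It assumes the modules sit together in one directory of .php files (includes/modules/payment/ in a stock install is an assumption here) and runs on a constructed sample, not real module code.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# Heuristics for code a skimmer adds to a payment module: obfuscation and ways to
# send data off the server. Stock modules rarely need any of these.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode()"),
    (re.compile(r"\bmail\s*\("), "mail()"),
    (re.compile(r"\b(curl_init|fsockopen|file_get_contents)\s*\(\s*['\"]https?://"), "outbound HTTP"),
]

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(module_dir: Path) -> dict:  # hash every module after a known-good reinstall
    return {p.name: sha256_of(p) for p in module_dir.glob("*.php")}

def scan_modules(module_dir: Path, baseline: dict) -> dict:
    """Return {filename: [findings]} for files that changed, appeared, vanished or look tampered."""
    findings, seen = {}, set()
    for p in sorted(module_dir.glob("*.php")):
        seen.add(p.name)
        issues = []
        if p.name not in baseline:
            issues.append("new file not in baseline")
        elif baseline[p.name] != sha256_of(p):
            issues.append("hash changed since baseline")
        text = p.read_text(errors="replace")
        issues += [f"suspicious: {label}" for rx, label in SUSPICIOUS if rx.search(text)]
        if issues:
            findings[p.name] = issues
    findings.update({n: ["file missing"] for n in baseline if n not in seen})
    return findings

# Constructed sample (not osCommerce code): a stub module, then the same file with an injected line.
CLEAN = "<?php\nclass paypal {\n  function process_button() { return ''; }\n}\n"
TAMPERED = CLEAN + "<?php mail('x@example.invalid', 'log', base64_decode('Zm9v')); ?>\n"

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in ("paypal.php", "psigate.php"):
            (d / name).write_text(CLEAN)
        baseline = build_baseline(d)                              # taken while files are clean
        (d / "paypal.php").write_text(TAMPERED)                   # simulate a modified module
        (d / "psigate.php").unlink()                              # a removed module
        (d / "helper.php").write_text("<?php echo 'hi'; ?>\n")    # a dropped, unknown file
        return scan_modules(d, baseline)
```

Keep the baseline somewhere the web server cannot write to; a baseline stored beside the modules can be rewritten by whoever altered them.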

  • 2 weeks later...
Posted

I assume this is your server? If so, please ensure that you retain all logs as far back as possible:

  • ftp
  • ssh
  • telnet
  • http access and error

There are several other vital key factors that may pinpoint the time frame of the breach.

 

I PM'd you, if you need additional help.


 

Henry Smith

Posted

I hate to say it, but I just signed up for an account.

Account page NOT SECURE.

I added products to my cart and began checkout.

Checkout page asks me for my credit card number... Page is NOT SECURE.

You've been asking everyone for their

  • Credit Card Holder Name
  • Credit Card Number
  • Credit Card Expiration
  • and CVV

ALL on a non-secure page.

An SSL would have cost you $24 per year...

You basically gave it to whomever on a silver platter.


 

Henry Smith

Posted

The question is why it also happens with PayPal, as no credit card information is needed on the store for this payment method (all details are entered when forwarded to PayPal).

:heart:, osCommerce

Posted

More than two weeks later - and the site is still up and running and still no SSL in place - obviously not that worried about security.

 

Vger

Posted
> More than two weeks later - and the site is still up and running and still no SSL in place - obviously not that worried about security.

 

I did not take a look, but it is fine to not have an SSL certificate in place if the billing information is not collected on site. PayPal is a good example here as the billing information is collected at PayPal's site where the data is passed through an encrypted SSL connection.

 

(That is why I questioned why she was also experiencing problems with PayPal)

 

I believe collecting credit card information on a non-SSL protected page is against the policies of the credit card companies involved (VISA, MasterCard, ..), where the store owner will be held liable for damages.

:heart:, osCommerce

Posted
> I did not take a look, but it is fine to not have an SSL certificate in place if the billing information is not collected on site. PayPal is a good example here as the billing information is collected at PayPal's site where the data is passed through an encrypted SSL connection.
>
> (That is why I questioned why she was also experiencing problems with PayPal)
>
> I believe collecting credit card information on a non-SSL protected page is against the policies of the credit card companies involved (VISA, MasterCard, ..), where the store owner will be held liable for damages.

 

 

Thanks to all of you for your help. I do not store credit card information on site as it is passed on to PayPal and PSIGate. I have worked with PSIGate (these guys are awesome), and my ISP to see where any issues lie and have replaced all my payment files. Henry has contacted me in the last week and I am working on his suggestions, as well as a complete cart upgrade, so while it may look like nothing is being done, it is. As a small one person business, there is only so much time to get things done.

I discovered one issue was with PSIGate and their new system, but it was simply an issue on the order confirmation email total and not with what the customer was actually charged on their credit card. They have since corrected the error and I've had no further complaints.

Likewise, as some of the problems occurred through the affiliate program with two affiliates from overseas using bad cards to place the orders, I have since shut it down. One customer admitted she had to close her PayPal account down because her information was stolen.... this is the card used to place one of the orders after the fact, so I was not surprised.

I have taken the time also to contact the RCMP on all these issues and while it seems so bad to me, I've yet to hear anything from them even though one affiliate made orders with two bad cards. That solved two of the 4 issues I had. PSIGate's error solved another one. The remaining issue is the PayPal order which was apparently double billed, but I've yet to hear anything back from the customer or receive any faxes showing me exactly what happened.

 

Sorry it took so long to get back to you with an update. I had two major article assignments last month which took up a huge chunk of my time.

 

Catherine

  • 3 weeks later...
Posted

I don't collect credit card numbers. Only customers' addresses, names and their orders.

The money transfers go via the banks' or credit card companies' (Verified by Visa) own sites.

Do I need an SSL certificate?

  • 3 weeks later...
Posted

I have the same question as Aapinen does but I will only be using Paypal for now.

So do we still need to have the "lock" and http"S" on when logging in or making an account?

Posted
> I have the same question as Aapinen does but I will only be using Paypal for now.
>
> So do we still need to have the "lock" and http"S" on when logging in or making an account?

 

No need to have but very good to have.

Many people consider their personal information besides CC numbers also as pretty sensitive.

Treasurer MFC

  • 3 weeks later...
Posted

Hello, this topic is interesting, although I do not have any customers at the time being for my site. You sure made this awareness quite clear.

I'll be more careful on my behalf.

I just recently received an e-mail from some people that show interest in my products. But these people chose to pay by cashier's cheque. They want to send a cheque that was more than the total cost and ask me to cash it at my bank. I felt that it was some kind of scam because one cheque was for $3800 and the other for $3500. These two people wanted me to cash the cheque, deduct whatever they owe me and send the rest of the amount back to them using Western Union. No way, I thought. I never heard of any business that would do something like that for their clients. Luckily I talked to this friendly lady named Cathi; she explained the concept to me and advised me not to deal with these people.

It's always good to have a second opinion from others and to find out what other scams are out there. For our business protection it's always good to find more information.

 

trang

Posted

Trang,

 

Your friend is right. And after you deposit the fake cashier's check and refund any money, they'll tell you they want to cancel the order and ask for a refund. All of this will take place before your bank even detects the check is fake, leaving you to deal with the loss and the bank. Not a pretty picture.

 

This trick is so widespread. I recently had someone email a number of Members from our child care registry. Basically the scam was the same only he wanted these people to provide child care for his family on a trip to town for business. He said he would pay in advance through a supposed sponsor in the US. Then as soon as the fake check would be deposited, he would cancel and ask for a refund. This seems to be a big business these days.

 

Be careful.....sell by your policies only and do not deviate for anyone. It's your money and reputation.

 

Catherine

  • 1 month later...
Posted

I'm not sure whether what I am doing is good or not. I hacked the osCommerce checkout step again.

Go to my site and have a look *** There is the My Store Forum for community review***

You could try to register an account, make a purchase and check out.

You would notice my site doesn't require any credit card information from the customer. It just ignores it, so the customer just needs to input their confidential credit card information at https://www.2checkout.com

I think it might be secure, but I'm not sure if it's good or not. Any suggestions?

 

smithveg


  • 4 weeks later...
Posted

Thanks trang and catherine you have just saved me from a huge loss.

 

because one of my clients just asked me to do the same thing. I generally do not take cheques but as the client requested I was going to consider it.

 

No way that i am going to accept payments by this mode.

 

Thanks

 

:D :thumbsup:

Posted

Beefing up security is always a good idea. Many of you are using Apache servers, and probably don't even realize it, but you can limit certain files, like configure, etc., with your .htaccess file to make it so only ONE IP address can get access to those files. I think it is worthwhile to also change the names of vulnerable files. Change configure to ghyausto.php, etc...

I have personally purchased an HTTPS certificate from godaddy.com for only $19/year, beat that. Cheap, and it builds customer confidence. I would never submit to a store without it.

PHP also has easy to use built-in encryption functions. You can encrypt all vulnerable data that you store in your database. That way it looks like junk if anyone is able to do a brute force hack on your MySQL database.

Lots you can do, you just have to invest the time or the money.
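The .htaccess restriction described in this post, as an added example (not from the post or from osCommerce): it assumes Apache, that the file to protect is named configure.php, and that 203.0.113.10 stands in for the store owner's own address. Use the block matching your Apache version, not both.

```apache
# Apache 2.2: deny configure.php to everyone except one address.
<Files "configure.php">
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</Files>

# Apache 2.4: the same rule with the newer authorization syntax.
<Files "configure.php">
    Require ip 203.0.113.10
</Files>
```

Confirm the rule by requesting the file from another address and checking for a 403 in the access log, since a typo in a <Files> name silently protects nothing.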

Posted
> No need to have but very good to have.
>
> Many people consider their personal information besides CC numbers also as pretty sensitive.

 

 

I have SSL so it's not an issue, but why people consider their name and address sensitive is beyond me. It's a matter of public record just about everywhere you go. A co-worker showed me this site: http://www.zabasearch.com/ When I typed in my name it gave me my phone and address for the past 15 years! Not saying it's right, but that's how it is.

Archived

This topic is now archived and is closed to further replies.
