SECpay MD5 Security

[Guest]

Hiya, I've had someone come to me with an enquiry about their oscommerce shop - they currently use SECpay but a little while ago they got this email:

 

"We have noticed a recent increase in the number of merchants being targeted

by fraudsters who are exploiting some merchants' interface with SECPay to

verify stolen or generated card numbers.

 

We therefore strongly recommend all merchants who use a payment page hosted

by SECPay (SECPage or SECCard) to implement a digest in your website's

communication with SECPay if you do not already do so."

 

It refers you to section 9 of pdf - http://www.secpay.com/docs/SECCardIntegrationGuide.pdf

 

Has anyone done this and found it to be straight forward or a headache, does anyone know if oscommerce automatically does it, or does anyone just have any ideas?! Like telling the client to switch to paypal!

 

Thank you! Lisa x (PDF excerpt below)

 

From the PDF:

MD5 is a one-way encryption algorithm that takes as input a message of arbitrary length and

produces as output a 128-bit "fingerprint" or "message digest" of the input. What is used as

the “input” depends upon the context in which the algorithm is being used as you will see

below. There are many implementations of MD5 available for many different programming

languages.

Note: when calculating a hash using MD5 always ensure that you use UTF-8 encoding

and not Unicode.

9.2. Authentication from You to SECPay (using the remote password)

In order for SECPay to be able to be sure that a request to process a transaction actually

came from your web application, you need to authenticate yourselves to us.

This is done by POSTing the digest optional parameter to SECPay (along with the other

mandatory parameters). For example:

<input type=”hidden” name=”digest” value=”7cbe0b4606943c6a76b38ebefe74c237”>