stevie0027 Posted August 2, 2010

I've had a merchant account fraud issue for a while now. I believe it is one individual or single organization due to similar fake accounts created in OSC. I believe the perp is in Malaysia.

Two months ago, he would create a fake customer account (using our OSCommerce platform), then create a trial order with a real credit card number, then intercept (or SNOOP) our merchant id and PIN info while our transaction page submits an HTTP POST to our merchant provider. He then used that info to make hundreds of automated stolen credit card number transactions of $1 or $0.01 each to determine if he can later use those numbers for fraud orders. It didn't matter that we changed the merchant id, PIN combo frequently as he would just create another online order and plug in those values in his routine. He would continue to do this on his own app since once he has the acct/PIN combo, no need to be on our site. I actually caught him in the act in real time.

I then decided to block all of Malaysia using DENY FROM statements in the .htaccess file. That worked for a couple of months. Now he has come back with a vengeance, with some sort of spoofing tool to disguise the real IP address he is coming from with USA IP addresses. Every time we add the address to .htaccess, he would instantly spoof to another IP address.

Some friends suggested we look into Zen Cart as a possible remedy, but I'm not sure if that will solve the snooping problem because Elavon (merchant processor) requires the following post url in every transaction: https://www.myvirtualmerchant.com/VirtualMerchant/process.do

I have used Viaklix in the past and simply changed the post url to https://www.myvirtualmerchant.com/VirtualMerchant/process.do and it has worked. I was not able to successfully integrate ChargeIt. Would ChargeIt do a better job of hiding merchant info? Doesn't it also have the same post url that can be snooped?

I have slowed him down by occasional changes to the Terminal PIN, deleting his OSC accts, etc., but that doesn't help much. Has anyone experienced anything like this, and what was the resolution? I am considering having the customer go to the myvirtualmerchant.com website to fill out credit card info but I'd rather keep them on my site.

Advance thanks for any help with this issue.
Guest Posted August 2, 2010

Steve,

If you have an SSL, then the 'snoop' would not be able to see the data in transit. You did not mention an SSL in your post, so if you do not have one, get one.

The ability to 'snoop' for credit card information is not inherent to osCommerce. I believe that the hacker has made his way into your site or you do not have an SSL. Make sure you have completed all of the security updates and look for any malicious code within the site.

Chris
stevie0027 Posted August 3, 2010

Thanks Chris for your reply. Wow, that would be great if all we had to do is add SSL. We already have the standard 256 bit SSL cert installed in the webhosting server. The secure lock comes up on all of the sensitive pages (e.g. login, credit card entry, etc.). Is this the SSL you are talking about? Is there ANOTHER SSL that I need to look at that may block POST method data?

Basically, the fraudulent person is creating a normal customer account in our system. He goes through the normal order checkout process and enters a credit card number. But instead of purchasing, he just grabs the critical merchant account info and then uses it in his own automated app to make repeated POST calls to the Elavon website (Virtual Merchant). In fact, I just did a mock order and I am embarrassed to say that all sensitive data is there in the HTML source code even without having to make an order. Here is part of the code:

<form name="checkout_confirmation" action="https://www.myvirtualmerchant.com/VirtualMerchant/process.do" method="post">
  <input type="hidden" name="ssl_merchant_id" value="987654">
  <input type="hidden" name="ssl_user_id" value="myuserid">
  <input type="hidden" name="ssl_pin" value="123456">
  <input type="hidden" name="ssl_amount" value="10.54">
  <input type="hidden" name="ssl_salestax" value="0.15">
  <input type="hidden" name="ssl_show_form" value="FALSE">
  <input type="hidden" name="ssl_card_number" value="4266000000000000">
  <input type="hidden" name="ssl_transaction_type" value="ccsale">
  <input type="hidden" name="ssl_exp_date" value="0216">
  <input type="hidden" name="ssl_invoice_number" value="29132">
  <input type="hidden" name="ssl_cvv2cvc2_indicator" value="Present">
  <input type="hidden" name="ssl_cvv2cvc2" value="000">
  ....
</form>

I of course modified some of the data for this posting.

So the three bolded parameters are all a perp needs to programmatically make calls to the merchant processor server and see if the credit card numbers are valid or not. It just doesn't seem right that all of this data is made available in the HTML code. There has to be another way to hide this data. Of course the API docs from the merchant processor only mention making this POST call. Aaargh!

Steve
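Added example, not part of the thread and not osCommerce or Elavon code: a check that flags rendered pages whose hidden inputs carry the merchant credential fields quoted above, plus a sketch of assembling the processor request on the server so those fields never reach the browser. The names `audit` and `server_side_fields` are hypothetical, and the second function assumes the checkout form posts back to the store and that the processor accepts a request sent from the store's server, which has to be confirmed in the processor's integration documentation.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Field names as they appear in the form quoted in the thread.
CREDENTIAL_FIELDS = {"ssl_merchant_id", "ssl_user_id", "ssl_pin"}

class FormAudit(HTMLParser):
    """Record every <form> whose hidden inputs carry merchant credentials."""
    def __init__(self):
        super().__init__()
        self.findings = []          # (form action host, leaked field names)
        self._action, self._leaked = None, set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action, self._leaked = a.get("action") or "", set()
        elif tag == "input" and self._action is not None:
            hidden = (a.get("type") or "").lower() == "hidden"
            if hidden and a.get("name") in CREDENTIAL_FIELDS:
                self._leaked.add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._leaked:
                self.findings.append((urlsplit(self._action).hostname, sorted(self._leaked)))
            self._action = None

def audit(html):
    """Return the credential leaks found in one rendered page."""
    parser = FormAudit()
    parser.feed(html)
    return parser.findings

def server_side_fields(browser_post, order_total, creds):
    """Hypothetical helper: drop browser-supplied credentials and amount,
    then set both from server-side configuration and the stored order."""
    untrusted = CREDENTIAL_FIELDS | {"ssl_amount"}
    body = {k: v for k, v in browser_post.items() if k not in untrusted}
    body.update(creds)
    body["ssl_amount"] = f"{order_total:.2f}"
    return body

# Constructed sample in the shape of the quoted form; values are placeholders.
SAMPLE = """<form action="https://www.myvirtualmerchant.com/VirtualMerchant/process.do" method="post">
<input type="hidden" name="ssl_merchant_id" value="PLACEHOLDER">
<input type="hidden" name="ssl_user_id" value="PLACEHOLDER">
<input type="hidden" name="ssl_pin" value="PLACEHOLDER">
<input type="hidden" name="ssl_amount" value="10.54"></form>"""
```

Running `audit` over every page of a staging checkout after a payment-module change catches a regression of this kind before it ships.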