osCommerce

Security Threat


aferrari


Posted

I received this email from a "potential" customer

 

> I am not real happy about the fact that I'm trying to get products from your site and your "so called" secure credit card system keeps falling over!!! Is it any wonder that people are STILL afraid to use their credit cards online? If I were you guys I'd seriously look at getting another secure transaction provider; the one you have is DANGEROUS! I work in the industry and know of too many people that could hack your site in around 10 minutes and make off with the credit card numbers. NOT very good for public relations I would imagine?! I suppose I'll just shop somewhere else

 

I have been happily running OSC for about 3 months now and have taken well over 1000 orders. I'm running Apache with OpenSSL and have a 128-bit SSL certificate installed.

 

Is there any truth in what this guy is saying ?

Alan Ferrari

Posted

Odd that they didn't leave any more details than that.

 

Are you storing CC numbers in your database? If not, it's not very likely that they could get someone else's credit card numbers from you.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.

Posted
> I work in the industry

 

I imagine there would have been some more reports on this issue if it was actually true what this guy is saying.

 

It could be ordinary spam - you reply asking for more details and the guy ends up 'advising' you this real rock solid service.

 

I would not classify this as a serious report - too shady, too pretentious.

Nevertheless keep us posted on the outcome.

 

Mattice

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Posted

yeah, come to think of it though, you have to give the guy credit for a unique pitch.


Posted
> know of too many people that could hack your site in around 10 minutes and make off with the credit card numbers

 

Well since osCommerce doesn't even store credit card numbers and just forwards people on to a gateway I'd reply and say that hacking your site and stealing numbers isn't even possible.

2 weeks later...
Posted

Actually, it seems that osCommerce does store credit card numbers. I've searched through the code & found references to cc_number & comments to indicate that this is in fact a credit card number & it has a field defined for it in the database. If you know how to use MySQL you can navigate to the orders table and find it for yourself.

 

If you're a PHP & SQL expert (like me) it would be trivial to break into the database & start retrieving these numbers. However, given that the database is password protected, you'd need full access to the PHP source code. So if you do not have a dedicated server, you may be open to CC number theft from your ISP.

 

(I'm not going to give more details on just how to hack the db, since the original poster may be a hack (a lazy hack who thinks himself pretty clever.) himself and could use the details to hack into an osCommerce site.)

 

If you have a dedicated server or your own data center & can guarantee the security of your customers' CC numbers I'd think you'd want to give the customer the convenience of a one-click check-out, à la Amazon.com and others.

 

On the other hand if you run a small store (like me), and can't afford your own data center (it kind of eats into your profits), it would be nice to have a check box in the install.php to turn this off. -- The install sql would not even add the field. If the absent cc_number breaks any of the installed modules, you know you've got a suspicious module. Future modules are a whole different story.

 

I came to the forum hoping to find some peace of mind... something to say those cc_xxxx fields were not used. Now I'm going to have to read the code in detail to see how I can manually remove the references without breaking anything. Wish me luck!
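The post above says to open the orders table and look for yourself. The following is an added example (not from this thread and not osCommerce's own code) of doing that check programmatically: it builds a small in-memory copy of the relevant `orders` columns with constructed rows, classifies each order by whether a full card number, a masked one, or a CVV is still at rest, and blanks the card columns for processed orders. The `cc_number`/`cc_expires` column names follow the stock osCommerce schema; `cc_cvv` is an assumed name standing in for whatever column a CVV contribution adds. A full card number is recognised by stripping separators, checking the length and running the Luhn check, which a masked value with only eight real digits cannot pass.

```python
import re
import sqlite3

# Constructed sample rows (not real data). Columns mirror osCommerce's orders table;
# cc_cvv is an ASSUMED column name for a CVV contribution, not a stock column.
SAMPLE_ORDERS = [
    (1, "Visa", "A Customer", "4111111111111111", "1207", "123"),        # full PAN and CVV kept
    (2, "Visa", "B Customer", "4111XXXXXXXX1111", "0108", ""),           # split-email masking applied
    (3, "MasterCard", "C Customer", "5500 0000 0000 0004", "0308", ""),  # full PAN, with spaces
    (4, "", "", "", "", ""),                                              # gateway order, nothing stored
]


def luhn_ok(digits: str) -> bool:
    """True when a digit string passes the Luhn check (every real PAN does)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_full_pan(value: str) -> bool:
    """A stored value is a full card number if, after stripping separators, it has
    13-19 digits and passes Luhn. 'X'-masked values keep only 8 digits and are rejected."""
    digits = re.sub(r"\D", "", value or "")
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with the card-related columns and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (orders_id INTEGER PRIMARY KEY, cc_type TEXT, cc_owner TEXT, "
        "cc_number TEXT, cc_expires TEXT, cc_cvv TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def audit_orders(conn: sqlite3.Connection) -> dict:
    """Classify every order by what card data is still sitting in the table."""
    report = {"full_pan": [], "masked_pan": [], "cvv_present": [], "no_card_data": []}
    rows = conn.execute("SELECT orders_id, cc_number, cc_cvv FROM orders ORDER BY orders_id")
    for oid, cc_number, cc_cvv in rows:
        if looks_like_full_pan(cc_number):
            report["full_pan"].append(oid)
        elif cc_number and "X" in cc_number.upper():
            report["masked_pan"].append(oid)
        else:
            report["no_card_data"].append(oid)
        if cc_cvv:                # CVV must never be retained after authorisation
            report["cvv_present"].append(oid)
    return report


def purge_card_data(conn: sqlite3.Connection, order_ids) -> int:
    """Remediation once an order has been processed: blank the card columns. Returns rows changed."""
    changed = 0
    for oid in order_ids:
        cur = conn.execute(
            "UPDATE orders SET cc_number = '', cc_expires = '', cc_cvv = '' WHERE orders_id = ?",
            (oid,),
        )
        changed += cur.rowcount
    conn.commit()
    return changed


if __name__ == "__main__":
    db = build_db()
    print(audit_orders(db))
    print("purged:", purge_card_data(db, audit_orders(db)["full_pan"]))
    print(audit_orders(db))
```

Against a live shop the same query runs over the real MySQL table; the point of the Luhn filter is that it separates orders where the card number is genuinely recoverable from ones where only the censored outer digits remain, and the CVV column is flagged regardless because there is no legitimate reason for it to be populated after the charge goes through.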

Posted

I still have hopes that someone will respond to this...

 

I am reposting so that it will sort back to the top of the list.

 


Posted

As was mentioned earlier, OSC does not store the CC numbers in the database.

 

It stores partial CC numbers if you use the regular CC payment method. If you use a gateway, such as authorize.net, paypal, or 2checkout, it does not store the CC numbers anywhere in the database.


Posted

It looks like it's storing CC numbers and exp dates to me. :?:

Roadracing makes heroin addiction look like a vague wish for something salty.

Posted
> It stores partial CC numbers if you use the regular CC payment method.

 

It does store the WHOLE number and the expiration date so if you lose it you can get it out of your database.

 

It will also store the CVV number if you use that contribution.

Posted

Yes, I notice OSC does store the full credit card numbers and even their expiration dates when using regular CC processing.

Posted
> It stores partial CC numbers if you use the regular CC payment method.
>
> It will also store the CVV number if you use that contribution.

 

Hm, is it possible to remove that from a CVV contribution I'm about to have written for me? :)

 

I ask because it is against banking association rules to store the CVV number if you're a merchant.

Posted

The default setting for OSC (when you specify payment by CC) is to store full CC numbers in the DB. Perhaps it would be better if the default was set to removing the middle 8 digits, which is at the moment a rather unclear option from admin. However, as the outer 8 are sent by a separate email to the address which needs specifying in admin, this could be overlooked and not be sent, but lost forever. :cry:

Posted

If you use a GATEWAY it will not store the number, which is good and bad all at the same time (more later).

If you use the standard credit card payment module, it HAS to store the FULL CC number, exp date, etc. NO WAY AROUND THAT; if you don't, you CANNOT process the order. This is used by people that have offline processors, or whose merchant account is not supported by any of the current gateways....

Now storing CC numbers is both good and bad. It is bad for a lot of security reasons; on the same token it is good for fraud prevention and/or tracking....

Some processors will allow you to have access to the full card number on their processing servers, so they store the info and take all of the security risks/preventions... which is the best way for all involved.

But some don't...

But to put an end to the back and forth "yes it stores" "no it doesn't": it all depends on what payment module you're using.

A gateway is probably the best.

Michael

Posted

XtremeCarAudio

 

I think you missed that point when you edit the CC module:

Split Credit Card E-Mail Address

If an e-mail address is entered, the middle digits of the credit card number will be sent to the e-mail address (the outside digits are stored in the database with the middle digits censored)

So if somebody manages to hack your database he will see only the outside digits.

 

Regards

The_Bear
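The "Split Credit Card E-Mail Address" behaviour described above, as an added example (my own code, not osCommerce's `cc` module and not from this thread): the outer four digits on each side stay in the order record with the middle replaced by X, the middle digits are handed off for out-of-band delivery (e-mail in the original), and the full number can only be reassembled when both halves are available. `record_order` and its `split_email` parameter are assumed names that model the admin setting; they are not osCommerce functions. The example also shows the failure mode raised a few posts earlier: when the split address is not configured the full number is written to the database, and when it is configured but the mail never arrives, the stored half alone does not give the number back.

```python
import re


def split_card_number(pan: str, keep: int = 4):
    """Split a card number into (stored, middle): outer `keep` digits on each side stay in
    the order record with the middle masked by X; the middle digits go out of band."""
    digits = re.sub(r"\D", "", pan)            # tolerate spaces/dashes typed by the customer
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must be 13-19 digits")
    middle = digits[keep:-keep]
    stored = digits[:keep] + "X" * len(middle) + digits[-keep:]
    return stored, middle


def rejoin_card_number(stored: str, middle: str) -> str:
    """Rebuild the full number from the masked record plus the e-mailed middle digits.
    Fails loudly if the middle digits are missing or do not fit the mask."""
    mask_len = stored.count("X")
    if mask_len == 0 or mask_len != len(middle):
        raise ValueError("middle digits do not fit the stored mask; number unrecoverable")
    return stored.replace("X" * mask_len, middle, 1)


def record_order(pan: str, split_email: str) -> dict:
    """ASSUMED model of the admin setting: with no split address the full number lands in
    the database; with one, only the masked form is stored and the middle goes to e-mail."""
    if not split_email:
        return {"db_cc_number": re.sub(r"\D", "", pan), "emailed_middle": None}
    stored, middle = split_card_number(pan)
    return {"db_cc_number": stored, "emailed_middle": middle}


if __name__ == "__main__":
    # Constructed test card number, not a real account.
    print(record_order("4111 1111 1111 1111", ""))                    # full number stored
    print(record_order("4111 1111 1111 1111", "cards@example.com"))   # masked in DB
```

Two things follow from the code that the thread only hints at: the mask leaves eight real digits in the database, so a dump still reveals issuer and last-four and is enough to match a card, and the scheme is only as strong as the separation between the mailbox and the database; an attacker who reads both has the whole number, as the reply below notes.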

Posted
> if you use a GATEWAY it will not store the Number

 

That's true. Our clients NEVER enter their credit card information on our site and our card processing agent doesn't even allow us to pass that information to our transaction URL.

 

You don't mention how you are processing your cards so it's difficult to evaluate the accuracy of the author's comments without more information from either him or you.

"It's a small world...

But I wouldn't want to paint it!"

Stephen Wright

Posted
> if you use a GATEWAY it will not store the Number
>
> That's true. Our clients NEVER enter their credit card information on our site and our card processing agent doesn't even allow us to pass that information to our transaction URL.
>
> You don't mention how you are processing your cards so it's difficult to evaluate the accuracy of the author's comments without more information from either him or you.

IMO that is irrelevant. I have been working with OSC for a very long time, made many different shops for myself and others, so how I process credit cards (which if you must know I only use PayPal) makes no difference.

> XtremeCarAudio
>
> I think you missed that point when you edit the CC module:
>
> Split Credit Card E-Mail Address
>
> If an e-mail address is entered, the middle digits of the credit card number will be sent to the e-mail address (the outside digits are stored in the database with the middle digits censored)
>
> So if somebody manages to hack your database he will see only the outside digits.
>
> Regards
>
> The_Bear

You're right, I did miss that. Great idea though, as long as a hacker does not intercept all email and then get into the database.

Michael

Posted
> IMO that is irrelevant. I have been working with OSC for a very long time, made many different shops for myself and others, so how I process credit cards (which if you must know I only use PayPal) makes no difference.

 

Now that I know that you've built a lot of shops, been using osC for a long time and use Paypal, I see why my comment seemed irrelevant. Thanks for pointing that out.

 

;-)

 

Have a nice day!

 

Cheers,

Stretchr


Posted
> It stores partial CC numbers if you use the regular CC payment method.
>
> It will also store the CVV number if you use that contribution.
>
> Hm, is it possible to remove that from a CVV contribution I'm about to have written for me? :)
>
> I ask because it is against banking association rules to store the CVV number if you're a merchant.

 

That is why the contribution contains a "remove button" right next to the CVV number in the admin/orders page. As soon as you process the card you are supposed to hit "remove" to erase the number from the DB. That of course does not mean everyone will do so...but they should. ;)

Posted
> That is why the contribution contains a "remove button" right next to the CVV number in the admin/orders page. As soon as you process the card you are supposed to hit "remove" to erase the number from the DB. That of course does not mean everyone will do so...but they should. ;)

 

He hasn't actually written it yet, or modified it, or whatever he is doing to charge me to have it available for me. I don't need to keep the CVV on file; I process manually, so customers know for the next order they can simply email, say "the info is on file, please send me this or that," and my other machine (not on the Internet) can store the CVV without worries :)

 

The only problem with manual processing is I can't use Verified By Visa, but I do scrub with my own methods and haven't done that badly in almost 8 years online :)

Posted

Well, does anyone know of a shop that is non-hackable?? I believe any computer/shop that is connected to the internet is hackable..?

 

I think more important is where the shop is located: is the server updated with all patches and bugfixes so not all old rootkits can get access to the server?

 

If there is a problem with osCommerce I think it would be that a potential hacker has access to the shop code since it is open source?

 

Isn't it possible to "shadow" the numbers somehow? Then it would be much harder already..

 

And who knows what really happened to the guy who tried to buy with a credit card? Perhaps his internet connection jammed? Or maybe he is using Windows..? :)

 

So, there are security risks everywhere. What if he had a trojan on his computer that recorded every single word he typed and sent it out to all kinds of scary people by mail? No matter what we'll do, security, computers and the internet are a hard combination. But as long as you are using your head a little bit one is quite safe (I think ..and hope :) ).

 

osCommerce is after all one of the best shops I have ever seen!! And what is amazing is that it's open source!

 

Thank you to all who have made this open source commerce possible! I would never have had the possibility to buy a shop nor code one myself.

 

Long live opensourceCommerce!!

Posted
> Well, does anyone know of a shop that is non-hackable?? I believe any computer/shop that is connected to the internet is hackable..?

 

Nothing in the world is not hackable :)

 

Some carts are more secure, however. I belong to a merchant anti-fraud group and we all share information, and osCommerce was *never* mentioned at any time as a cart with an exploit. Others have been listed (I won't list them here without moderator permission) and I steered clear of them.

 

I'd suggest you get in touch with a security expert and let them check your setup, and when you are positive you're secure, post in one of the hacker forums and give them permission to find exploits. I can almost guarantee you'll be amazed

 

:)

Posted

Pam, what are you being charged for?

 

There are already cvv contributions available that are easily installed in under an hour by even a novice.

 

Absolutely nothing is unhackable unless it is not connected in any way to any form of communication.

 

Once your system is connected it is simply a matter of finding the vulnerabilities that are open on your server and taking advantage of them. That could be something as simple as guessing an easy password to overloading service stacks.

"Great spirits have always found violent opposition from mediocre minds. The latter cannot understand it when a man does not thoughtlessly submit to hereditary prejudices but honestly and courageously uses his intelligence." - A. Einstein

Posted

I'm being charged for someone to write a CVV contribution for me. I asked for 'something' that would ask the customer for a CVV code and support both the 3-digit Visa/Mastercard code and 4-digit American Express code, plus give me a paragraph or so to play with to give a brief explanation of where customers can find the code

Archived

This topic is now archived and is closed to further replies.
