Whisk
Posted July 30, 2003

Hi,

I've been having a look at OSC & the various payment modules included with a view to choosing a payment gateway. One of the things that concerns me is how easy it is for a hacker to intercept the payment and change e.g. total price/quantity for the order.

Some of the modules (e.g. ipayment?) seem to simply give the user a form with hidden fields for the total price etc, whereas others (e.g. authorize.net) calculate some kind of hash of the price as verification.

In the first scenario wouldn't it be fairly trivial to intercept the post request, change the value of the hidden field, and manually submit it to the payment gateway, faking the referrer if necessary?

This seems to me to be highly unsatisfactory, especially for a fully automated system providing e.g. downloadable software, where there's no human checking element involved - or am I missing something altogether?

Are there any systems where the whole transaction/communication with payment gateway is done server side, eliminating all client involvement in sending the order to the gateway?

Many thanks

Ed
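The "hash of the price as verification" approach mentioned in the post, sketched as an added example that is not part of the original post and is not the algorithm of authorize.net or any osCommerce module. It assumes a generic HMAC-SHA256 scheme with a secret shared between shop server and gateway; the field names, secret and 15-minute validity window are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed demo secret: held by the shop server and the gateway only,
# never placed in the HTML form that the browser sees.
SHARED_SECRET = b"constructed-demo-secret"
MAX_AGE_SECONDS = 900  # assumed validity window for a signed form
SIGNED_FIELDS = ("order_id", "amount_cents", "currency", "timestamp")


def _canonical(fields):
    # Length-prefix every value so that moving characters between adjacent
    # fields (order_id "A1" + amount "12" vs "A11" + "2") changes the input.
    return "".join(f"{len(fields[k])}:{fields[k]}" for k in SIGNED_FIELDS).encode()


def _mac(fields):
    return hmac.new(SHARED_SECRET, _canonical(fields), hashlib.sha256).hexdigest()


def sign_order(order_id, amount_cents, currency, now=None):
    """Shop server: build the hidden form fields plus a MAC over them."""
    ts = int(time.time() if now is None else now)
    fields = {
        "order_id": order_id,
        "amount_cents": str(amount_cents),
        "currency": currency,
        "timestamp": str(ts),
    }
    fields["mac"] = _mac(fields)
    return fields


def verify_order(fields, now=None):
    """Gateway: recompute the MAC over the posted values and check freshness."""
    try:
        expected = _mac(fields).encode()
        supplied = str(fields["mac"]).encode()
        ts = int(fields["timestamp"])
    except (KeyError, TypeError, ValueError):
        return False  # missing or malformed field
    if not hmac.compare_digest(expected, supplied):
        return False  # some signed value was changed after signing
    current = time.time() if now is None else now
    return 0 <= current - ts <= MAX_AGE_SECONDS
```

The MAC only proves the posted values are the ones the shop signed; the shop should still compare the amount the gateway reports as paid against its own stored order total before releasing goods, and treat each order_id as single-use.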
Archived
This topic is now archived and is closed to further replies.