[Gllug] OT: Online Payment Processing

Jason Clifford jason at ukpost.com
Tue Jan 20 17:20:01 UTC 2004


On Tue, 20 Jan 2004, Tim Gray wrote:

> SecPay used to 'let' site operators submit the callback location in 
> clear text as a part of the pay form submission (you could submit 
> directly to their processing script). To run the exploit all a user 
> would have to do is save a copy of the final payment page locally and 
> edit the total price field then submit the form directly.

All transactions are automated here. Anyone trying that one would get 
nothing for it except an accusation of attempting credit card fraud.

I use callbacks to authorise delivery of goods/services so pointing the 
callback to another server just won't work for anyone trying this on.

> Agreed. I also use crypted call back strings, referrer and price 
> checking to catch folks doing this but lazy admins may not.

That's why I write all this into the perl modules I have written for these 
things. I'll be releasing modules for several services in addition to the 
WorldPay one I've already released. I've already submitted updates to the 
author of Business::PayPal to introduce similar checks etc in that one.

> Ditto. I know a friend who used a form exploit to get a room at the 
> Hilton for half price. Apparently they didn't bother to check the 
> transaction, and he only changed the price to half cos he felt guilty at 
> getting the room for £1.

More fool them and I can only say your friend was very brave (foolish 
perhaps) as this kind of thing leaves an audit trail that is trivial to 
chase and they definitely know who he is.

Jason Clifford
-- 
UKFSN.ORG		Finance Free Software while you surf the 'net
http://www.ukfsn.org/	   ADSL Broadband from just £23.75 / month 

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
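The server-side checks the thread describes (a keyed callback string plus a price comparison against the merchant's own order record), written here as an added Python example; it is not code from Jason's Perl modules or from any payment provider, and the secret, order ids and amounts are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Hypothetical merchant-side secret; in practice load it from a secrets store.
CALLBACK_SECRET = b"constructed-example-secret"

# Merchant's own order store, order id -> amount in pence (constructed sample data).
# The price the customer is charged must come from here, never from the form.
ORDERS: Dict[str, int] = {
    "ORD-1001": 2375,   # GBP 23.75
    "ORD-1002": 9900,   # GBP 99.00
}


def callback_token(order_id: str, amount_pence: int) -> str:
    """Keyed MAC binding the order id to the amount the merchant expects."""
    msg = f"{order_id}|{amount_pence}".encode()
    return hmac.new(CALLBACK_SECRET, msg, hashlib.sha256).hexdigest()


def pay_form_fields(order_id: str) -> Dict[str, str]:
    """Fields the merchant puts in the pay form; a customer can edit any of them."""
    amount = ORDERS[order_id]
    return {"order_id": order_id, "amount": str(amount),
            "token": callback_token(order_id, amount)}


def verify_callback(fields: Dict[str, str]) -> Tuple[bool, str]:
    """Run when the gateway calls back; release goods only on (True, 'ok')."""
    order_id = fields.get("order_id", "")
    expected = ORDERS.get(order_id)
    if expected is None:
        return False, "unknown order"
    # Recompute the token from the stored amount, not the submitted one, so a
    # customer who edits the price field cannot also edit the token to match.
    if not hmac.compare_digest(callback_token(order_id, expected),
                               fields.get("token", "")):
        return False, "token mismatch"
    try:
        paid = int(fields.get("amount", ""))
    except ValueError:
        return False, "malformed amount"
    if paid != expected:   # the price check that catches the edited total
        return False, f"price mismatch: paid {paid}, expected {expected}"
    return True, "ok"
```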