Oh, and a Flash guy I have outsourced some work to - really good guy - only worked with him a few times - has programmed and offers a PayFlow CF tag, http://www.optimal-media.com I believe - slightly discouraging because his site is throwing a CF error - but I know he is actively always working on his site.
May be worth a quick look.

jay miller

Chris Alvarado wrote:
> Hmmmm here is a post I took from the bugtraq group on Google about
> Linkpoint.
>
> NOTE: I AM NOT THE ONE THAT DID THIS INVESTIGATION. I just find it
> interesting.
>
> == Some Background ==
> LinkPoint is the name of the API that Card Service International
> (one of the biggest online merchant account providers) uses for
> communication between a merchant's servers and their credit-card
> gateway.
>
> The LinkPoint client API communicates with the credit-card gateway
> using an SSL-based protocol. Authentication and encryption is
> facilitated with x509 digital certificates (the same ones that https
> uses).
>
> You must provide the client with two pieces of information for it to
> authenticate to the gateway server. The first is what CSI calls
> "Store Name" -- it's actually a six digit number. The second is the
> path to the certificate file they send you.
>
> == The Problem ==
> Although I have not discovered a technical (code) security problem, I
> believe there is a serious procedural security problem in the way
> CSI initially sets up accounts.
>
> When you are approved for a CSI merchant account (or even when you
> are approved for a test account), CSI sends you two emails. One of
> the emails has the subject "Welcome to LinkPoint API" (the other is
> unimportant). This email contains two pieces of information:
>
> The gateway server's hostname
> Your "Store Name" (the six digit number)
>
> Plus, they attach your certificate AND _private key_ to the bottom of
> the message. The idea is that you copy and paste the cert + private
> key into a file for the client API to use when it connects.
>
> I don't think I need to spell out the problem any further for everyone
> on this list. Basically, they are sending all of the information you
> need to authenticate as a merchant through plain, unencrypted, email.
>
> You would need a few more things to exploit this potential security
> hole. Namely, you would need the CSI API and some knowledge of how
> to use it. This appears to be an attempt at security through
> obscurity.
>
> Also, you would obviously need a way to get the plain email
> (sniffing, etc)
>
> Notes: * The digital certificates do not have a passphrase.
> * The LinkPoint API documentation is publicly available at:
> http://www.cardservice.com/inetserv/lpapi.pdf
>
> == Card Service's Response ==
> My attempt to contact CSI led to a phone call from the
> "Lead Senior Tech" in the "API Support" department of CSI.
>
> Since I did not type this email while I was on the phone, all of the
> quoted comments below are from memory and probably aren't exact.
> They are, however, pretty close to what was said.
>
> I spoke with this person for about ten minutes and was not satisfied
> with his response. This person's basic theme was "It's never happened
> before and there are security precautions on the back-end".
>
> I explained to him that using the information in their email, I could
> pose as the merchant -- and after a while, he reluctantly agreed. I
> then asked him to clarify how that isn't a serious security problem,
> and he quickly responded with something along the lines of "let's say
> you can pose as the merchant, what are you going to do?". I responded
> by saying "I'd start posting refunds to my card" and he said "the
> refund option has to be enabled per merchant". Next, I told him I
> could charge cards. His response to this was that "well, then you would
> be giving money to the merchant".
>
> I suggested to him that if I was a malicious user, I could charge
> random cards with random amounts to the merchant's account. His
> response: "our backend would detect that". I asked for clarification
> and realized that the security he is talking about is their "Fraud
> Protection" system. From my knowledge (and I've used the CSI API in
> several projects) and according to the API documentation available
> online, this system just blocks an end-user from attempting to charge
> credit cards if they've had repeated failures. The key here is that
> it uses the _end user's_ (the person submitting a credit card to the
> merchant's site -- the web browser) IP. This IP is sent to the gateway
> server from the client API. It's very simple to write a program which
> charges a whole bunch of cards and makes the API think each one came
> from a different IP (especially since the IP is just one of the items
> in the struct you pass to the client API). Obviously, the Fraud
> Protection provided by the gateway server is not meant to prevent a
> fraudulent merchant -- it is made to prevent fraudulent customers from
> fooling legitimate merchants. In this scenario, you _would be_ the
> merchant and therefore not subject to fraud checks.
>
> At this point, I had given up. I have a hard time understanding how
> it's "not a security problem" for me to be able to pose as the
> merchant. Even if I can't refund my card, I can cause a lot of
> unwanted trouble by charging cards, etc.
>
> == Summary ==
> Unprotected Digital Certificates (no passphrase) that establish the
> identity of a merchant are sent via unencrypted email, along with the
> merchant's "Store Name". Someone with access to the LinkPoint API could
> use this information to pose as the merchant and have access to all of
> the same functions and information as the merchant (charge a card,
> etc).
>
> -chris.alvarado
> [ application developer ]
> 4 Guys Interactive, Inc.
> http://www.4guys.com
>
> "We create websites that make you a hero."
>
>
> -----Original Message-----
> From: Lee Fuller [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 22, 2002 2:25 PM
> To: CF-Talk
> Subject: RE: Payment Gateways? (Was: OPINIONS: PayFlow Pro and CF
> Integration?)
>
>
> Thanks for the info Jason.
>
> I've looked at Authorize.Net again. Have had it integrated as part of
> our storefront software for some time. However, I've not dealt with
> them directly. The user experience is a big thing for me. So I'm
> wanting to make certain that the end-user's ability to manage their
> account/charges/voids, etc., is powerful and easy.
>
> How would you rate Authorize.net on these issues?
>
> Lee
>
> PS - I thought about moving this discussion.. But it seems relevant to
> all of us here. Mike will tell us otherwise, I'm sure, if I'm wrong. ;)
>
>
>| -----Original Message-----
>| From: Jason Miller [mailto:[EMAIL PROTECTED]]
>| Sent: Friday, November 22, 2002 3:19 PM
>| To: CF-Talk
>| Subject: Re: Payment Gateways? (Was: OPINIONS: PayFlow Pro
>| and CF Integration?)
>|
>|
>| Is LinkPoint by Card Service International? I see their little logo on
>| the page when I found LinkPoint. If so - don't let their promise of
>| service and talk of them being one of the largest sway you.
>|
>| I have a list of clients that are incredibly unhappy. Although fairly
>| simple - roadblocks left and right. Customer Service departments are
>| horrendous. And to top it off - being a business man - reseller fees
>| happen to be a plus - Well they managed to scam me out of about $1800
>| in client referrals.
>|
>| So - horrible service, what I think of as a non impressive product.
>| Beware.
>|
>| Also - I had my own company's card processing go through them. They
>| conveniently had me lease the software - for $3500 for 3 years.. then
>| proceeded to tell me that fair market was $2800 on the software for
>| buyout - or I had to pay a cancellation fee - of about $400 - all
>| very gray in the contracts.
>|
>| I tried to convert a Link Point account to an upgraded version - and
>| after 6 months of trying to get my account changed - I finally gave up.
>| I mean - I was trying to UPGRADE ....
>|
>| On trying to cancel the service - they also were kind enough not to
>| release my account for an additional 6 months - because I did not send
>| the properly formatted letter - When resolving it - they so happened to
>| delay it for enough weeks - where I missed this ridiculous cancellation
>| date (one of those "on the 3rd Monday of the 16th month of this year
>| prior to notifying us by this date" type dates)
>|
>| All in all - 2 years of bad service! *grin
>|
>| I have used authorize.net on 4 clients - affordable - ColdFusion really
>| easy to integrate with. Worth checking out.
>| Good Luck,
>| jay miller
>|
>| Lee Fuller wrote:
>|
>| >Yeah.. I've noticed that it's fairly simple.
>| >
>| >Unfortunately, it tends to be expensive for the little guys out there
>| >-- which we seem to be running into a lot, these days. I've looked at
>| >SimplePay, and LinkPoint. They're much cheaper. But question is.. Are
>| >they as reliable and workable?
>| >
>| >Anyone have experience with these or others that they would like to
>| >share?
>| >
>| >| -----Original Message-----
>| >| From: Frank Mamone [mailto:[EMAIL PROTECTED]]
>| >| Sent: Friday, November 22, 2002 11:38 AM
>| >| To: CF-Talk
>| >| Subject: Re: OPINIONS: PayFlow Pro and CF Integration?
>| >|
>| >|
>| >| Excellent product. Easy to use and setup.
>| >|
>| >|
>| >| ----- Original Message -----
>| >| From: "Lee Fuller" <[EMAIL PROTECTED]>
>| >| To: "CF-Talk" <[EMAIL PROTECTED]>
>| >| Sent: Friday, November 22, 2002 11:14 AM
>| >| Subject: OPINIONS: PayFlow Pro and CF Integration?
>| >|
>| >|
>| >| > Quick thoughts, pitfalls, opinions?
>| >| >
>| >| > TTAIA
>| >| >
>| >
>| >
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
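The Bugtraq post quoted in the thread above turns on two facts: the merchant's certificate and private key arrive pasted into a plain-text "Welcome" email, and the key carries no passphrase. As an added example, not code from the thread, from CSI or from the LinkPoint API, here is a small stdlib-only Python scanner that parses one RFC 5322 message, pulls the PEM blocks out of its body, and flags any private key that is not passphrase-protected (neither a PKCS#8 "ENCRYPTED PRIVATE KEY" label nor a legacy OpenSSL "Proc-Type: 4,ENCRYPTED" header). The sample message, its hostnames, the six-digit "Store Name" value and the PEM bodies are constructed placeholders, not real LinkPoint data; the function names are this example's own.

```python
import email
import re
from email import policy

# Constructed stand-in for the "Welcome to LinkPoint API" mail described in
# the thread. Hostnames, the Store Name and the PEM bodies are placeholders
# (the base64 is not a real certificate or key); only the layout is realistic.
SAMPLE_MAIL = """\
From: api-support@example.invalid
To: merchant@example.invalid
Subject: Welcome to LinkPoint API

Gateway host: gateway.example.invalid
Store Name: 123456

-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIBADANBgkqhkiG9w0BAQUFADAAMB4XDTAwMDEwMTAwMDAwMFoX
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAcGxhY2Vob2xkZXJwbGFjZWhvbGRlcnBsYWNlaG9sZGVycGxhY2U=
-----END RSA PRIVATE KEY-----
"""

# The same constructed mail, but with the key in OpenSSL's legacy
# passphrase-protected PEM form (a "Proc-Type: 4,ENCRYPTED" header and a
# DEK-Info line; the IV shown is a placeholder).
SAMPLE_MAIL_ENCRYPTED = SAMPLE_MAIL.replace(
    "-----BEGIN RSA PRIVATE KEY-----\n",
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n",
)

# One PEM block: BEGIN/END lines with matching labels, anything in between.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
# The six-digit "Store Name" the post describes, as it would appear in the mail.
STORE_RE = re.compile(r"Store Name:\s*(\d{6})\b")


def pem_blocks(text):
    """Return (label, body) tuples for every PEM block found in text."""
    return [(m.group("label"), m.group("body")) for m in PEM_RE.finditer(text)]


def is_unencrypted_private_key(label, body):
    """True if the block is a private key with no passphrase protection.

    Two PEM encodings carry a passphrase: PKCS#8 blocks labelled
    'ENCRYPTED PRIVATE KEY', and legacy (OpenSSL "traditional") blocks whose
    body opens with a 'Proc-Type: 4,ENCRYPTED' header line. Anything else
    labelled '... PRIVATE KEY' is usable as-is by whoever reads the mail.
    """
    if not label.endswith("PRIVATE KEY"):
        return False
    if label == "ENCRYPTED PRIVATE KEY":
        return False
    if "Proc-Type: 4,ENCRYPTED" in body:
        return False
    return True


def scan_message(raw):
    """Parse one RFC 5322 message and summarise credential material in its body."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    blocks = pem_blocks(text)
    store = STORE_RE.search(text)
    return {
        "subject": str(msg["subject"]),
        "store_name": store.group(1) if store else None,
        "certificates": sum(1 for label, _ in blocks if label == "CERTIFICATE"),
        "unencrypted_private_keys": sum(
            1 for label, body in blocks if is_unencrypted_private_key(label, body)
        ),
    }


if __name__ == "__main__":
    for name, raw in (("plain key", SAMPLE_MAIL), ("encrypted key", SAMPLE_MAIL_ENCRYPTED)):
        print(name, scan_message(raw))
```

Pointed at a real mail archive (for instance by iterating a `mailbox.mbox` and passing each message's `as_string()` to `scan_message`), this finds exactly the kind of message the post describes: a subject line, a store number and a ready-to-use private key together in one cleartext mail. It is a detection check only; the remediation the post implies, a passphrase on the key and delivery of the key out of band rather than by email, still has to be done by the provider.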

