The only problem I have with that is the price for PayFlow. It's a bit pricey for the average little guy.
By the time they get done paying for their merchant account, and then PayFlow, they're at nearly $100 per month. Pretty amazing price level for little guys.

| -----Original Message-----
| From: Jason Miller [mailto:[EMAIL PROTECTED]]
| Sent: Friday, November 22, 2002 3:44 PM
| To: CF-Talk
| Subject: Re: Payment Gateways? (Was: OPINIONS: PayFlow Pro and CF Integration?)
|
| Oh and a flash guy I have outsourced some work to - really good guy - only worked with him a few times - had programmed and offers a PayFlow CF tag, http://www.optimal-media.com I believe - slightly discouraging because his site is throwing a CF error - but I know he is actively always working on his site.
|
| May be worth a quick look.
| jay miller
|
| Chris Alvarado wrote:
|
| >Hmmmm here is a post I took from the bugtraq group on Google about LinkPoint.
| >
| >NOTE: I AM NOT THE ONE THAT DID THIS INVESTIGATION. I just find it interesting.
| >
| > == Some Background ==
| > LinkPoint is the name of the API that Card Service International (one of the biggest online merchant account providers) uses for communication between a merchant's servers and their credit-card gateway.
| >
| > The LinkPoint client API communicates with the credit-card gateway using an SSL-based protocol. Authentication and encryption are facilitated with x509 digital certificates (the same ones that https uses).
| >
| > You must provide the client with two pieces of information for it to authenticate to the gateway server. The first is what CSI calls "Store Name" -- it's actually a six digit number. The second is the path to the certificate file they send you.
| >
| > == The Problem ==
| > Although I have not discovered a technical (code) security problem, I believe there is a serious procedural security problem in the way CSI initially sets up accounts.
| >
| > When you are approved for a CSI merchant account (or even when you are approved for a test account), CSI sends you two emails. One of the emails has the subject "Welcome to LinkPoint API" (the other is unimportant). This email contains two pieces of information:
| >
| > The gateway server's hostname
| > Your "Store Name" (the six digit number)
| >
| > Plus, they attach your certificate AND _private key_ to the bottom of the message. The idea is that you copy and paste the cert + private key into a file for the client API to use when it connects.
| >
| > I don't think I need to spell out the problem any further for everyone on this list. Basically, they are sending all of the information you need to authenticate as a merchant through plain, unencrypted email.
| >
| > You would need a few more things to exploit this potential security hole. Namely, you would need the CSI API and some knowledge of how to use it. This appears to be an attempt at security through obscurity.
| >
| > Also, you would obviously need a way to get the plain email (sniffing, etc.)
| >
| > Notes: * The digital certificates do not have a passphrase.
| > * The LinkPoint API documentation is publicly available at: http://www.cardservice.com/inetserv/lpapi.pdf
| >
| > == Card Service's Response ==
| > My attempt to contact CSI led to a phone call from the "Lead Senior Tech" in the "API Support" department of CSI.
| >
| > Since I did not type this email while I was on the phone, all of the quoted comments below are from memory and probably aren't exact. They are, however, pretty close to what was said.
| >
| > I spoke with this person for about ten minutes and was not satisfied with his response. This person's basic theme was "It's never happened before and there are security precautions on the back-end".
| >
| > I explained to him that using the information in their email, I could pose as the merchant -- and after a while, he reluctantly agreed. I then asked him to clarify how that isn't a serious security problem, and he quickly responded with something along the lines of "let's say you can pose as the merchant, what are you going to do?". I responded by saying "I'd start posting refunds to my card" and he said "the refund option has to be enabled per merchant". Next, I told him I could charge cards. His response to this was that "well, then you would be giving money to the merchant".
| >
| > I suggested to him that if I was a malicious user, I could charge random cards with random amounts to the merchant's account. His response: "our backend would detect that". I asked for clarification and realized that the security he is talking about is their "Fraud Protection" system. From my knowledge (and I've used the CSI API in several projects) and according to the API documentation available online, this system just blocks an end-user from attempting to charge credit cards if they've had repeated failures. The key here is that it uses the _end user's_ (the person submitting a credit card to the merchant's site -- the web browser) IP. This IP is sent to the gateway server from the client API. It's very simple to write a program which charges a whole bunch of cards and makes the API think each one came from a different IP (especially since the IP is just one of the items in the struct you pass to the client API). Obviously, the Fraud Protection provided by the gateway server is not meant to prevent a fraudulent merchant -- it is made to prevent fraudulent customers from fooling legitimate merchants. In this scenario, you _would be_ the merchant and therefore not subject to fraud checks.
| >
| > At this point, I had given up. I have a hard time understanding how it's "not a security problem" for me to be able to pose as the merchant. Even if I can't refund my card, I can cause a lot of unwanted trouble by charging cards, etc.
| >
| > == Summary ==
| > Unprotected Digital Certificates (no passphrase) that establish the identity of a merchant are sent via unencrypted email, along with the merchant's "Store Name". Someone with access to the LinkPoint API could use this information to pose as the merchant and have access to all of the same functions and information as the merchant (charge a card, etc).
| >
| >-chris.alvarado
| >[ application developer ]
| >4 Guys Interactive, Inc.
| >http://www.4guys.com
| >
| >"We create websites that make you a hero."
| >
| >-----Original Message-----
| >From: Lee Fuller [mailto:[EMAIL PROTECTED]]
| >Sent: Friday, November 22, 2002 2:25 PM
| >To: CF-Talk
| >Subject: RE: Payment Gateways? (Was: OPINIONS: PayFlow Pro and CF Integration?)
| >
| >Thanks for the info Jason.
| >
| >I've looked at Authorize.Net again. Have had it integrated as part of our storefront software for some time. However, I've not dealt with them directly. The user experience is a big thing for me. So I'm wanting to make certain that the end-user's ability to manage their account/charges/voids, etc., is powerful and easy.
| >
| >How would you rate Authorize.net on these issues?
| >
| > Lee
| >
| >PS - I thought about moving this discussion.. But it seems relevant to all of us here. Mike will tell us otherwise, I'm sure, if I'm wrong. ;)
| >
| >| -----Original Message-----
| >| From: Jason Miller [mailto:[EMAIL PROTECTED]]
| >| Sent: Friday, November 22, 2002 3:19 PM
| >| To: CF-Talk
| >| Subject: Re: Payment Gateways? (Was: OPINIONS: PayFlow Pro and CF Integration?)
| >|
| >| Is LinkPoint by Card Service International?
| >| I see their little logo on the page when I found LinkPoint. If so - don't let their promise of service and talk of them being one of the largest sway you.
| >|
| >| I have a list of clients that are incredibly unhappy. Although fairly simple - roadblocks left and right. Customer Service departments are horrendous. And to top it off - being a business man - reseller fees happen to be a plus - well they managed to scam me out of about $1800 in client referrals.
| >|
| >| So - horrible service, what I think is a non-impressive product. Beware.
| >|
| >| Also - I had my own company's card processing go through them. They conveniently had me lease the software - for $3500 for 3 years.. then proceed to tell me that fair market was $2800 on the software for buyout - or I had to pay a cancellation fee - of about $400 - all very gray in the contracts.
| >|
| >| I tried to convert a LinkPoint account to an upgraded version - and after 6 months of trying to get my account changed - I finally gave up. I mean - I was trying to UPGRADE ....
| >|
| >| On trying to cancel the service - they also were kind enough not to release my account for an additional 6 months - because I did not send the properly formatted letter. When resolving it - they so happened to delay it for enough weeks - where I missed this ridiculous cancellation date (one of those "on the 3rd Monday of the 16th month of this year prior to notifying us by this date" type dates).
| >|
| >| All in all - 2 years of bad service! *grin
| >|
| >| I have used authorize.net on 4 clients - affordable - ColdFusion really easy to integrate with. Worth checking out.
| >| Good Luck,
| >| jay miller
| >|
| >| Lee Fuller wrote:
| >|
| >| >Yeah.. I've noticed that it's fairly simple.
| >| >
| >| >Unfortunately, it tends to be expensive for the little guys out there -- which we seem to be running into a lot, these days. I've looked at SimplePay, and LinkPoint. They're much cheaper. But question is.. Are they as reliable and workable?
| >| >
| >| >Anyone have experience with these or others that they would like to share?
| >| >
| >| >| -----Original Message-----
| >| >| From: Frank Mamone [mailto:[EMAIL PROTECTED]]
| >| >| Sent: Friday, November 22, 2002 11:38 AM
| >| >| To: CF-Talk
| >| >| Subject: Re: OPINIONS: PayFlow Pro and CF Integration?
| >| >|
| >| >| Excellent product. Easy to use and setup.
| >| >|
| >| >| ----- Original Message -----
| >| >| From: "Lee Fuller" <[EMAIL PROTECTED]>
| >| >| To: "CF-Talk" <[EMAIL PROTECTED]>
| >| >| Sent: Friday, November 22, 2002 11:14 AM
| >| >| Subject: OPINIONS: PayFlow Pro and CF Integration?
| >| >|
| >| >| > Quick thoughts, pitfalls, opinions?
| >| >| >
| >| >| > TTAIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
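The bugtraq post quoted above turns on two facts: the "Welcome to LinkPoint API" mail carries the merchant's certificate and private key in the clear, and that key has no passphrase. The check below is an added example written for this page, not code from the thread or from the LinkPoint API. It scans a mail body for PEM blocks and reports whether any private key is unprotected; the sample message is constructed to mirror the mail the post describes (hostname, six-digit Store Name, cert plus key pasted at the bottom), and the six-digit Store Name heuristic and the placeholder key bytes are assumptions, since the real mail layout is not shown.

```python
"""Flag unprotected private keys pasted into an e-mail body.

Added example for this page; not the LinkPoint client or gateway code.
Detection rules (these are standard PEM conventions, not LinkPoint specifics):
  * a PKCS#8 block labelled "ENCRYPTED PRIVATE KEY" is passphrase-protected;
  * a legacy OpenSSL block ("RSA PRIVATE KEY" etc.) is protected only if it
    carries a "Proc-Type: 4,ENCRYPTED" header (with a DEK-Info line);
  * anything else labelled "... PRIVATE KEY" is usable as-is by whoever
    reads the mail.
"""
import re
from dataclasses import dataclass

# Matches any PEM block and captures its label and body; END label must equal BEGIN label.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.S,
)
# Heuristic (assumption): the post says the Store Name is a six-digit number.
STORE_RE = re.compile(r"\b\d{6}\b")


@dataclass
class PemFinding:
    label: str
    is_private_key: bool
    encrypted: bool


def classify_pem(label: str, body: str) -> PemFinding:
    is_key = "PRIVATE KEY" in label
    encrypted = label.startswith("ENCRYPTED") or bool(
        re.search(r"^Proc-Type: 4,ENCRYPTED", body, re.M)
    )
    return PemFinding(label, is_key, encrypted)


def scan_mail(body: str) -> dict:
    """Return the PEM blocks found and whether a complete credential set leaked."""
    findings = [classify_pem(m["label"], m["body"]) for m in PEM_RE.finditer(body)]
    leaked_keys = [f for f in findings if f.is_private_key and not f.encrypted]
    store_names = STORE_RE.findall(body)
    return {
        "pem_blocks": findings,
        "unprotected_private_keys": len(leaked_keys),
        "store_names": store_names,
        # Key + Store Name in one plaintext mail = everything needed to pose as the merchant.
        "credential_set_leaked": bool(leaked_keys) and bool(store_names),
    }


# Constructed sample; the PEM bodies are placeholders, not real key material.
SAMPLE_WELCOME_MAIL = """\
Subject: Welcome to LinkPoint API

Gateway host: gateway.example.test
Store Name: 123456

-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

# Constructed contrast case: the same legacy PEM format, but passphrase-protected.
PROTECTED_KEY_MAIL = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, mail in (("welcome", SAMPLE_WELCOME_MAIL), ("protected", PROTECTED_KEY_MAIL)):
        result = scan_mail(mail)
        print(name, result["unprotected_private_keys"], result["credential_set_leaked"])
```

A passphrase would only raise the bar, not fix the process: the point the post makes is that the credential is delivered over a channel the gateway cannot vouch for, so the scan is useful as a mailbox or DLP rule, not as a substitute for out-of-band delivery.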
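The post's other point is that the gateway's "Fraud Protection" keys its repeated-failure check on the end user's IP, and that IP is just a field in the struct the merchant's client submits. The simulation below is an added example for this page, not the LinkPoint gateway's logic: a toy gateway with an assumed threshold of three failures, fed a real card tester from one address and an attacker holding the leaked merchant credential who supplies a fresh "customer IP" on every request. It goes one step beyond the thread by also showing the check keyed on the authenticated store identity, which is the only value the attacker cannot vary. The request fields, the decline rule and the IP ranges are all constructed.

```python
"""Why a per-customer-IP velocity check does not stop a compromised merchant.

Added example for this page; not the LinkPoint gateway. The AuthRequest layout,
the "bad-card-*" decline rule and the threshold of three failures are assumptions.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    store: str        # merchant identity, proven to the gateway by the client certificate
    customer_ip: str  # asserted by the merchant's client; the gateway never observes it
    card: str
    amount: float


class Gateway:
    """Blocks further attempts once a key has accumulated max_failures declines."""

    def __init__(self, key: str = "ip", max_failures: int = 3):
        assert key in ("ip", "store")
        self.key = key
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    @staticmethod
    def issuer_declines(card: str) -> bool:
        # Constructed stand-in for the card issuer's answer.
        return card.startswith("bad-card-")

    def authorize(self, req: AuthRequest) -> str:
        # "ip" reproduces the behaviour described in the post; "store" keys on
        # the identity the client certificate actually authenticates.
        k = req.customer_ip if self.key == "ip" else req.store
        if self.failures[k] >= self.max_failures:
            return "BLOCKED"
        if self.issuer_declines(req.card):
            self.failures[k] += 1
            return "DECLINED"
        return "APPROVED"


def card_tester_requests(n: int = 10) -> list:
    """A genuine abusive customer: one browser, one address, many cards."""
    return [AuthRequest("123456", "203.0.113.7", f"bad-card-{i:02d}", 1.00) for i in range(n)]


def rogue_merchant_requests(n: int = 10) -> list:
    """Attacker using the leaked cert + Store Name; customer_ip is whatever they write."""
    base = ipaddress.IPv4Address("10.0.0.1")
    return [AuthRequest("123456", str(base + i), f"bad-card-{i:02d}", 1.00) for i in range(n)]


def run(gateway: Gateway, requests: list) -> dict:
    """Feed requests through the gateway and tally the outcomes."""
    return dict(Counter(gateway.authorize(r) for r in requests))


if __name__ == "__main__":
    print("card tester, keyed on IP:   ", run(Gateway("ip"), card_tester_requests()))
    print("rogue merchant, keyed on IP:", run(Gateway("ip"), rogue_merchant_requests()))
    print("rogue merchant, keyed on store:", run(Gateway("store"), rogue_merchant_requests()))
```

Keyed on IP, the card tester is cut off after three declines while the rogue merchant is never blocked, exactly the asymmetry the post describes. Keyed on the store, both are cut off, because the attacker can choose the IP field but not the identity the certificate proves; that is the generalisation added here, not a claim about what the real gateway does.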

