Re: basic Credit Card module, used for Offline CC order processing?
Quote (originally posted by schoolboy):
I can't recall the case exactly, but a few years ago a webshop owner here in the UK was processing cards in this fashion and a fraudster hacked into their site, got a stack of card numbers, and the CVV numbers AND the customers' addresses... and then had a field day! With all that "required" info to hand, there was no stopping the rapid carnage that followed.
I'm sure schoolboy knows that Zen Cart does not make that scenario possible. The full CC number is not stored in ZC's database.
It's a good thing to be warned about issues and possible consequences, but the warnings should be relevant.
Rob
Re: basic Credit Card module, used for Offline CC order processing?
The news report never stated that it was a "zencart" site. No mention was made of the technology driving that webshop (I'll try to reference the case for you.) The point was that the merchant was collecting card info and this was against his T&Cs. And it just about ruined him.
Last year I had TWO instances of hackers entering clients' sites and "installing" the c-card module, applying their email addresses for the middle 8 digits and blocking the clients' own admin logins, changing the order confirmation copy email to admin... etc.
In one instance the damage was quite serious... I got a call from the client after 5 days to say "we've had no orders for a week... what's going wrong?" They did have orders... about 120 of them... and the crooks had made off with 120 c-card details AND the personal data of the shoppers.
Fortunately we were able to technically demonstrate that the module was not active prior to the hacks (admin activity log and a few other forensics), and only a small amount of fraud had taken place, despite the relatively large number of card details collected.
So even in a scenario where that mod is not even installed... hackers know how to exploit the admin panel once they are in.
I immediately set about removing the php files for offline cc payments from over 100 client sites and via a clever bit of php which a colleague built, we formulated a hidden alarm system to warn if the module even became "active" again.
Good riddance to that module. It passed its sell-by date a long time ago.
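The post above describes a watchdog that alarms if the offline cc module ever becomes active again. The script below is an added example of that idea, written for this page; it is not the colleague's PHP and not part of Zen Cart. It reads Zen Cart's `configuration` table and checks the stock cc module keys (`MODULE_PAYMENT_CC_STATUS`, `MODULE_PAYMENT_CC_EMAIL`, the field the attackers used for the "middle 8 digits" e-mail), whether `includes/modules/payment/cc.php` is back on disk, and whether `SEND_EXTRA_ORDER_EMAILS_TO` still points at the owner (the "order confirmation copy" setting mentioned above). Assumptions: an empty table prefix, and the constructed baseline address and in-memory SQLite table used here in place of the live MySQL database.

```python
"""Watchdog for the Zen Cart offline credit-card ("cc") payment module.

Added example, not Zen Cart code: run from cron against the live database
and mail any non-empty result to the site owner.
"""
import os
import sqlite3

# Constructed baseline: the only address that should ever receive order copies.
EXPECTED_EXTRA_ORDER_EMAILS = "Store Owner <owner@example.com>"

# Stock location of the offline CC module, relative to the catalog root.
CC_MODULE_RELATIVE_PATH = os.path.join("includes", "modules", "payment", "cc.php")


def load_config(conn):
    """Read the configuration table into a dict (assumes an empty table prefix)."""
    rows = conn.execute(
        "SELECT configuration_key, configuration_value FROM configuration"
    ).fetchall()
    return dict(rows)


def cc_php_on_disk(catalog_root):
    """True if the module file has been (re)uploaded under the catalog root."""
    return os.path.isfile(os.path.join(catalog_root, CC_MODULE_RELATIVE_PATH))


def check_offline_cc(config, cc_php_present):
    """Return a list of alarm strings; an empty list means nothing suspicious."""
    findings = []
    status = config.get("MODULE_PAYMENT_CC_STATUS")
    # The MODULE_PAYMENT_CC_* keys only exist once someone installs the module
    # from the admin panel, so their mere presence is already an event.
    if status is not None:
        findings.append("cc module has been installed (MODULE_PAYMENT_CC_STATUS exists)")
    if status == "True":
        findings.append("cc module is ENABLED")
    split_email = (config.get("MODULE_PAYMENT_CC_EMAIL") or "").strip()
    if split_email:
        findings.append(f"cc split-card-number e-mail is set to {split_email!r}")
    if cc_php_present:
        findings.append(f"{CC_MODULE_RELATIVE_PATH} is present on disk")
    extra = (config.get("SEND_EXTRA_ORDER_EMAILS_TO") or "").strip()
    if extra != EXPECTED_EXTRA_ORDER_EMAILS:
        findings.append(f"SEND_EXTRA_ORDER_EMAILS_TO changed to {extra!r}")
    return findings


def build_demo_db(compromised):
    """Constructed in-memory stand-in for the real MySQL configuration table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE configuration (configuration_key TEXT, configuration_value TEXT)"
    )
    rows = [("SEND_EXTRA_ORDER_EMAILS_TO", EXPECTED_EXTRA_ORDER_EMAILS)]
    if compromised:
        # What the admin panel writes after an attacker installs and enables the
        # module and points the split e-mail at themselves (constructed values).
        rows = [
            ("SEND_EXTRA_ORDER_EMAILS_TO", "crook@example.net"),
            ("MODULE_PAYMENT_CC_STATUS", "True"),
            ("MODULE_PAYMENT_CC_EMAIL", "crook@example.net"),
            ("MODULE_PAYMENT_CC_SORT_ORDER", "0"),
        ]
    conn.executemany("INSERT INTO configuration VALUES (?, ?)", rows)
    return conn


if __name__ == "__main__":
    for label, compromised in (("clean", False), ("compromised", True)):
        config = load_config(build_demo_db(compromised))
        # For the demo, pretend the file is back on disk only in the compromised case.
        print(label, "->", check_offline_cc(config, compromised) or "OK")
```

On a real install, replace `build_demo_db` with a connection to the store's MySQL database and pass `cc_php_on_disk("/path/to/catalog")` as the second argument; because the check keys off the configuration table rather than the admin UI, it still fires when an attacker has locked the real admin users out.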