Page 2 of 2 FirstFirst 12
Results 11 to 12 of 12
  1. #11
    Join Date
    Nov 2006
    Location
    Dartmouth, NS Canada
    Posts
    2,369
    Plugin Contributions
    0

    Default Re: basic Credit Card module, used for Offline CC order processing?

    Quote Originally Posted by schoolboy View Post
    I can't recall the case exactly, but a few years ago a webshop owner here in the UK was processing cards in this fashion and a fraudster hacked into their site, got a stack of card numbers, and the CVV numbers AND the customers' addresses... and then had a field day! With all that "required" info to hand, there was no stopping the rapid carnage that followed.
    I'm sure schoolboy knows that Zen Cart does not make that scenario possible. The full CC number is not stored in ZC's database.

    It's a good thing to be warned about issues and possible consequences, but the warnings should be relevant.

    Rob
    Breakfast: the most important donut of the day.

  2. #12
    Join Date
    Jun 2005
    Location
    Hertfordshire, UK
    Posts
    9,955
    Plugin Contributions
    3

    Default Re: basic Credit Card module, used for Offline CC order processing?

    The news report never stated that it was a "zencart" site. No mention was made of the technology driving that webshop (I'll try to reference the case for you.) The point was that the merchant was collecting card info and this was against his T&C's. And it just about ruined him.

    Last year I had TWO instances of hackers entering clients' sites and "installing" the c-card module, applying their email addresses for the middle 8 digits and blocking the clients' own admin logins, changing the order confirmation copy email to admin... etc.

    In one instance the damage was quite serious... I got a call from the client after 5 days to say "we've had no orders for a week... what's going wrong?" They did have orders... about 120 of them... and the crooks had made off with 120 c-card details AND the personal data of the shoppers.

    Fortunately we were able to technically demonstrate that the module was not active prior to the hacks (admin activity log and a few other forensics), and only a small amount of fraud had taken place, despite the relatively large number of card details collected.

    So even in a scenario where that mod is not even installed... hackers know how to exploit the admin panel once they are in.

    I immediately set about removing the php files for offline cc payments from over 100 client sites and via a clever bit of php which a colleague built, we formulated a hidden alarm system to warn if the module even became "active" again.

    Good riddance to that module. It passed its sell-by date a long time ago.
    Our latest project is Pet Tags.

 

 
Page 2 of 2 FirstFirst 12

Similar Threads

  1. Offline Credit Card Processing
    By JTheed in forum Upgrading from 1.3.x to 1.3.9
    Replies: 7
    Last Post: 19 Apr 2010, 05:58 PM
  2. Offline Credit Card Processing
    By andy86 in forum Built-in Shipping and Payment Modules
    Replies: 3
    Last Post: 22 Oct 2009, 10:07 AM
  3. Offline Credit Card Processing
    By czone in forum Built-in Shipping and Payment Modules
    Replies: 2
    Last Post: 13 Dec 2006, 04:40 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •