Page 2 of 2 FirstFirst 12
Results 11 to 12 of 12
  1. #11
    Join Date
    Nov 2006
    Dartmouth, NS Canada
    Plugin Contributions

    Default Re: basic Credit Card module, used for Offline CC order processing?

    Quote Originally Posted by schoolboy View Post
    I can't recall the case exactly, but a few years ago a webshop owner here in the UK was processing cards in this fashion and a fraudster hacked into their site, got a stack of card numbers, and the CVV numbers AND the customers' addresses... and then had a field day! With all that "required" info to hand, there was no stopping the rapid carnage that followed.
    I'm sure schoolboy knows that Zen Cart does not make that scenario possible. The full CC number is not stored in ZC's database.

    It's a good thing to be warned about issues and possible consequences, but the warnings should be relevant.

    Breakfast: the most important donut of the day.

  2. #12
    Join Date
    Jun 2005
    Hertfordshire, UK
    Plugin Contributions

    Default Re: basic Credit Card module, used for Offline CC order processing?

    The news report never stated that it was a "zencart" site. No mention was made of the technology driving that webshop (I'll try to reference the case for you.) The point was that the merchant was collecting card info and this was against his T&C's. And it just about ruined him.

    Last year I had TWO instances of hackers entering clients' sites and "installing" the c-card module, applying their email addresses for the middle 8 digits and blocking the clients' own admin logins, changing the order confirmation copy email to admin... etc.

    In one instance the damage was quite serious... I got a call from the client after 5 days to say "we've had no orders for a week... what's going wrong?" They did have orders... about 120 of them... and the crooks had made off with 120 c-card details AND the personal data of the shoppers.

    Fortunately we were able to technically demonstrate that the module was not active prior to the hacks (admin activity log and a few other forensics), and only a small amount of fraud had taken place, despite the relatively large number of card details collected.

    So even in a scenario where that mod is not even installed... hackers know how to exploit the admin panel once they are in.

    I immediately set about removing the php files for offline cc payments from over 100 client sites and via a clever bit of php which a colleague built, we formulated a hidden alarm system to warn if the module even became "active" again.

    Good riddance to that module. It passed its sell-by date a long time ago.
    We host with Terranetwork.


Page 2 of 2 FirstFirst 12

Similar Threads

  1. Isn't there supposed to be a Credit Card option for offline processing?
    By johnwoodman in forum Built-in Shipping and Payment Modules
    Replies: 10
    Last Post: 14 Aug 2010, 10:15 PM
  2. Basic Credit Card module used to display 3 payment details
    By jerbroo in forum Addon Payment Modules
    Replies: 1
    Last Post: 14 Jul 2009, 04:51 PM
  3. Replies: 0
    Last Post: 7 Jul 2009, 04:30 PM


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
Zen-Cart, Internet Selling Services, Klamath Falls, OR