Tick Tock Tick Tock

It's a bomb.

Quote Originally Posted by Bigenuf
I've thrown this together.....
And helped invent the perfect way that enables RBSworldpay to help you con people out of money (what a great banking organisation, no wonder there's cockney rhyming slang for Merchant banker)!

If one takes your code and swaps the pages, so that the cancel page is the success page...

then generates a random shopping cart number and posts the shopping cart information back (with a click to continue button), RBSworldpay will charge again.

The RBSworldpay system makes the assumption that the shopping cart will be submitted once and that it's unique, so randomise the cart Id and con away. This way you could set up a loop.

Customer buys something, RBSworldpay says it's cancelled, customer pays again, it won't stop till the customer is bored. Of course the cunning fraudster could do all kinds of things too, like "add a bit" to the invoice, or change the address to a random one. (to stop worldpay immediately querying six duplicate transactions for each customer). Loop only once, and then show the completed transaction. Time it right and "the con" could go on for about 30 days before doing a runner with the money.

Naturally you send out the client's first order so that they think everything worked, and your client is going to complain to "you" first of all. With a little randomisation it would be possible to only refund the people that "complained", some people wouldn't notice, and keep "the con" running much longer, "of course you don't know why worldpay keeps on charging your customers twice".

The ones you "said" you refunded would have to wait for their next CC statement anyway, so in the majority of cases that's almost 60 days of conning.

Hold on. Weren't these XSS measures supposed to make it more difficult to carry out fraud? Not easier.

Anyway, great stuff Bigenuf, if RBSworldpay continues to be stupid, I'll include it as compulsory in the module, probably with a shop logo, since the current default's going to fall to pieces anyway.

Philip.
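As an added, defender-side example (not code from the original thread, from Bigenuf or from RBSworldpay), this is the kind of check a merchant or gateway could run over its own transaction log to catch the pattern Philip describes: repeat charges to the same customer that slip past a cart-id uniqueness check because the cart id was randomised and the amount nudged. The field names and the sample transactions are constructed assumptions.

```python
"""Flag near-duplicate charges per customer, ignoring the cart id.

A gateway that only checks "is this cart id new?" cannot see a second charge
submitted with a fresh random cart id and a slightly altered amount, so the
check below groups by customer and compares time and amount instead."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. Field names are assumptions.
SAMPLE_TXNS = [
    {"cart_id": "A1",   "customer": "alice@example.invalid", "amount": 49.99,  "ts": "2010-03-01T10:00:00"},
    {"cart_id": "Q7x9", "customer": "alice@example.invalid", "amount": 50.49,  "ts": "2010-03-01T10:02:30"},
    {"cart_id": "B2",   "customer": "bob@example.invalid",   "amount": 19.00,  "ts": "2010-03-01T11:00:00"},
    {"cart_id": "B3",   "customer": "bob@example.invalid",   "amount": 120.00, "ts": "2010-03-02T11:00:00"},
]


def find_repeat_charges(txns, window=timedelta(minutes=30), tolerance=0.05):
    """Return (customer, first_cart_id, second_cart_id) for every pair of
    charges to the same customer that fall within `window` of each other and
    whose amounts differ by at most `tolerance` (a fraction of the first
    amount). Cart ids are deliberately not used for matching."""
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t["customer"]].append((datetime.fromisoformat(t["ts"]), t))

    alerts = []
    for customer, rows in by_customer.items():
        rows.sort(key=lambda r: r[0])  # oldest first so the window scan can stop early
        for i, (t_i, a) in enumerate(rows):
            for t_j, b in rows[i + 1:]:
                if t_j - t_i > window:
                    break  # later rows are further away still
                if abs(a["amount"] - b["amount"]) <= tolerance * a["amount"]:
                    alerts.append((customer, a["cart_id"], b["cart_id"]))
    return alerts


if __name__ == "__main__":
    for customer, first, second in find_repeat_charges(SAMPLE_TXNS):
        print(f"review: {customer} charged twice in quick succession ({first}, {second})")
```

Bob's two charges are a day apart and differ widely in amount, so only Alice's pair is reported even though both of her cart ids are unique.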