There are a few listed here: http://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/3p-solutions-digital-goods-outside

[edited by: DaveAtIFG at 9:40 pm (utc) on Dec. 11, 2003]
[edit reason] DeLinked [/edit]

How can they steel money for your account with a link?

CompWorld

Not steal money, they can steal the product being offered. At least I'm not aware of any way to steal money. I switched to clickbank instead. Fees are higher though.

It's called "digital shoplifting" cause people can make up their own prices, etc on checkout by editing your links. It's like slapping on a different barcode on an item at the store to get a lower price.

The proper way to handle this is to use the reverse notification that PayPal gives you to check the sale and pricing before you even print or ship the item (or allow access for digital goods). There are also several easy ways to hide the code on your server using php, etc. to pass the data to PayPal from there instead of the shopper's browser.

All you have to do is not pass the item price in the form.

Just have the form pass back the SKU or item number, and have it pull the price from a database.

Simple as that.

-p

Panic, that sort of addresses the situation but there's still the possibility of tampering which is why it's important to review all orders received.

If there's room for tampering with my solution, I'd love to hear it.

If you are using the information from paypal for orders, everything works well. If you are selling an ebook or music, paypal has the flaw that you have to include the return URL in the calling code. Anyone who knows HTML can figure out your return URL...load that in their browser and get the book for free. You could simply check the HTTP referrer of on the final check out page. However, people often dink with the referrer. There really needs to be a server to server call to make the process secure.

You can use htaccess to prevent access to the return page unless the referal is from paypal.

I remember setting up this for a client before but honestly cant remember the htaccess syntax I used, I found it online. Perhaps someone here will have a beter idea.

Mack.

Yeah, that return page is not meant to give access to a product or service. It's meant to be a "thank you" page or "post-sales instructions".

To have your service instantly delivered, you should use PayPal IPN (instant payment notification). As far as I know, there is no way to trick this, since you verify the transaction directly via the PayPal server, meaning you can make sure the product and price match up. I don't think it's too awfully hard to work with.

What I am understanding is that there are two ways to get ripped off.

1. One is to have someone change the price of your product in the HTML from something like $10.00 to $0.00.

2. The other way is for them to simply bypass the paypal ordering system, copy the link and just go directly to the page where they can download my product.

I am wondering how effective encryption is.
Thanks for the advice everyone! I appreciate the input.
I did check out paypal IPN but I am hoping to find a solution a little easier to use.

How effective is encryption of the codes? Does anyone know anything about this? If I just take the paypal button code and encrypt it on my page...will that solve the problem?

Do I have to encrypt the entire page or can I just do a paragraph or two?

There is a site I just found called www.instantsiteprotection.com and he is supposedly offering free incryption protection. I don't know yet if it works or what is up with it...guess I will try it out.

I'm not entirely sure what you're after, but in terms of links, couldn't you just use a crypt and/or md5 function on links containing sensitive data to pass to PayPal?
This seems to be what most shopping cart systems do, when integrating with PSPs.

If you are using the information from paypal for orders, everything works well. If you are selling an ebook or music, paypal has the flaw that you have to include the return URL in the calling code. Anyone who knows HTML can figure out your return URL...load that in their browser and get the book for free. You could simply check the HTTP referrer of on the final check out page. However, people often dink with the referrer. There really needs to be a server to server call to make the process secure.

That's why they have authentication, to see if it was a legit transaction. You might want to read up on the PayPal API.

To have your service instantly delivered, you should use PayPal IPN (instant payment notification). As far as I know, there is no way to trick this, since you verify the transaction directly via the PayPal server, meaning you can make sure the product and price match up. I don't think it's too awfully hard to work with.

You don't set anything up on the PayPal side. You don't set any prices or anything like that... you do that using the method that I suggested earlier in this thread.

1. One is to have someone change the price of your product in the HTML from something like $10.00 to $0.00.

Again, they can't tamper with anything if you use a database as suggested earlier.

2. The other way is for them to simply bypass the paypal ordering system, copy the link and just go directly to the page where they can download my product.

If you use PayPal authentication, this shouldn't be a problem.

I am wondering how effective encryption is.

Encryption is always good, but it does nothing for you in this situation.

couldn't you just use a crypt and/or md5 function on links containing sensitive data to pass to PayPal?

What would he be decrypting?

This seems to be what most shopping cart systems do, when integrating with PSPs.

Only the shopping carts not run off of a database of some sort.

What would he be decrypting?

Well, nothing, I guess, but he seemed concerned that passing a price in a query string was occuring and that it would be easy to spoof any price. Using somesort of scramble code on the outgoing link would negate this possible effect. I'm not aware of any system that fails to do this though - the only prices I've seen in query strings are in ridiculous bespoke systems.

Only the shopping carts not run off of a database of some sort.

When passing the data to a PSP (for example, worldpay, or paypal) the querystring is always a jumbled mess, in every system I've used (x-cart, osCommerce, Actinic), and all of these use a DB of somesort. I've not bothered looking at the code lying behind these, but it would be logical to presume that they use a crypt() function or similar. Perhaps I'm not understanding the original problem clearly and I'm just talking about completely irrelevent things though.

Using somesort of scramble code on the outgoing link would negate this possible effect.

I'm sure if he MD5'ed or encrypted it somehow, someone would still find out how to decrypt it. It's still insecure.

the only prices I've seen in query strings are in ridiculous bespoke systems.

You'll never see a price in any of my querystrings, bud :)

When passing the data to a PSP (for example, worldpay, or paypal) the querystring is always a jumbled mess, in every system I've used (x-cart, osCommerce, Actinic), and all of these use a DB of somesort.

I'm talking about an INTERNAL database, not the PSP's database.

I've not bothered looking at the code lying behind these, but it would be logical to presume that they use a crypt() function or similar.

How can you determine what's logical and what's not if you've never looked at the code, nor know how the programs work?

I'm just talking about completely irrelevent things though.

Believe me... you are.

Validate that all variable values are what you originally assigned them to be:
[mals-e.com...]

I don't Paypal was designed with "digital" products in mind.