Help! It is killing me.


Au2103

8:57 pm on Jul 11, 2010 (gmt 0)

10+ Year Member



Hello Everyone,

I need some of your professional advice.

I have a small online shopping site; it has been running about 2 years or so. Recently, I have been having a lot of customers complaining on forums saying my site was compromised. They said their CCs were stolen and used on small purchases after buying from my site.

So I have checked with PayPal (I use PayPal Pro and PayPal Express) as well as my web development company. Both said there is nothing wrong with my account or my site. (He said there were no code changes on my site.)

Both companies suggested that the customers have some kind of virus or keylogger program which stole their CC #. But with the power of the forum, many of them are saying their scans do not find any virus on their computers, and saying we need to do something :(

My site uses https as well. I don't know what else I can do to find out if my site was really the problem, or if it is the customers. (Also, even if I were the one stealing information, I couldn't, because my server does not store the full credit card number, only the last 4.)

This is getting crazy and hurting my business so badly. Has anyone had this kind of problem, or a solution to fix it?

Also, can I ask the forum admins to close down those threads, because they are really misleading people?

I don't know what to do. Any help or suggestion would be very much appreciated.

incrediBILL

10:11 pm on Jul 11, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



How are you using PayPal? Are you collecting all the customer data and doing silent post transactions, or are you only getting notification of the customer data from PayPal after the transaction?

You don't have to make any code changes to steal credit card data.

Hackers could install a harder to detect script via .htaccess or http_conf files that processes all incoming POST data site-wide and sends the appropriate data elsewhere.

More than likely their CCs were stolen in the real world in a B&M establishment, like a restaurant, which happened to me about 6 months ago.

Also, can I ask the forum admins to close down those threads because it is really misleading people.


Yes, unsubstantiated claims like that are called libel and you have some legal grounds, but I'd probably engage them directly instead and prove it's not you.

Taking posts down sets off alarms as well, and then the reputation management nightmare starts as they spread the news far and wide, and you'll never contain the problem then.

IMO it's best if you deal with it directly and show you're a good guy: explain your process thoroughly and explain that it's been tested and verified by the web designer and PayPal.

dpd1

10:18 pm on Jul 11, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



How many people are we talking about here? If there's a considerable number of people, then there must be a problem somewhere. If you can't figure it out, then look to hire someone. I would very politely explain in the same public forums exactly what you have done... Show them anything you can to prove you have been looking into it. Tell them what PayPal told you. Explain that you personally can't steal anything from them. If that is indeed happening, then explain it is an outside source. But try to resist losing your temper. That will just make things worse. Have you confirmed that these people did in fact buy stuff from you? Are you sure it's not some sort of attack by competition?

piatkow

8:51 am on Jul 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Once a customer decides where the blame rests, little things like facts don't seem to count for much.

Even if you can demonstrate that your complainant had three different key loggers installed on their PC I suspect that they will still blame you.

Rather off topic, but as an example of this attitude, I once saw a post in another forum from a user in south east Asia complaining about the poor download times suddenly provided by their Canadian hosting service. The fact, pointed out in responses, that an earthquake had just severed the main telecoms cable connecting their country to North America was ignored, and they continued to abuse the hosting company.

bwnbwn

12:51 pm on Jul 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



piatkow is correct: nothing you can say will change the fact that they blame you.
Case in point: I had a customer try to buy from my ecommerce store and the card was declined. I called them and told them they either did a wrong input, they needed to call the bank to get an authorization, or their card had been blocked by the bank. Well, the customer said they had just used it and it was fine, so they gave me the info to redo the order. The card was declined, so I called them back and said they had better call the bank as the card was being blocked at the bank.

I got an email and was told the card was indeed hacked, and from my site. What? It was declined on my site, so how could your card have been hacked? I told them they were incorrect and went into all the security I have. I was still blamed.

RhinoFish

1:15 pm on Jul 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm with incrediBILL; this question is very important to your "defense":

"How are you using PayPal? Are you collecting all the customer data and doing silent post transactions, or are you only getting notification of the customer data from PayPal after the transaction?"

enigma1

2:53 pm on Jul 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



...my server does not store the full credit card number, only the last 4.)


Only the last 4?

First, with PayPal Express you have nothing from the cc, as the customer makes the transaction exclusively within the PayPal site (he can even use his PayPal account, not a cc). Second, with PayPal Pro the form (in your site) that submits the customer data should point to PayPal directly.

So how do you record the last 4 digits in your site? You must have an intermediate step somewhere to record cc info, which could make you liable for a number of things if you fail PCI, etc.

From what you said, there could be a problem with your site's software.

incrediBILL

3:08 pm on Jul 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Second, with PayPal Pro the form (in your site) that submits the customer data should point to PayPal directly.


It's obvious that the site is using the silent post method, not direct post, or there wouldn't be 4 digits available from the credit card unless it made a pass through his local server.

Also, if the site is on shared hosting and the server is hacked, there are many ways to collect post data without even touching the local account.

enigma1

4:20 pm on Jul 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If it's a problem with the server then the hosting type doesn't really matter.

But for cc info many are reckless, setting up jscripts or other fancy methods to submit and retrieve data to and from the payment processor.

I don't see any references in the PayPal Payflow spec for returning info on the cc number to the server. This info, I think, may appear on the PayPal cpanel, and I also think it depends on the checkout structure. If there is a payment page that collects cc info followed by a confirmation page, that's an intermediate step, and the application re-posts or stores the cc info, which is not a good idea.

Of course there are authorization ids, used for all sorts of things (charge/refund a card, etc.), if the server is compromised, but there isn't any partial cc number that gets back from PayPal, as far as I can see.

incrediBILL

4:30 pm on Jul 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If it's a problem with the server then the hosting type doesn't really matter.


Hosting type matters because some global Apache hack to trap posted credit card data would be imperceptible to the jailed hosting account owner.

Therefore, his ability to ascertain and/or correct any problem is severely hobbled if it's outside the purview of his domain.

Your account may look just fine and as far as you know it's safe, yet people could still get their CC stolen with a server-wide hack and you would never know.

AFAIK PayPal, which I use as well, never exposes any CC details whatsoever, only the Transaction ID, so he must be capturing it locally and, as you rightly pointed out, is exposing himself to PCI violations.

One simple way to test the process would be for the site owner to use a few of his own CCs, especially some that aren't used for anything else, and see if his get stolen as well.

enigma1

5:20 pm on Jul 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have been with good and bad hosts, and it was irrelevant of hosting type. See for example the discussions on virtual servers about PHP running as nobody, which messes up the requirements for attributes on files and folders, just because it requires a bit of extra effort to set up the server.

Hosting types have their advantages and problems, but it is not that a dedicated server is going to be more secure than a shared one, assuming the same administrator manages both cases. The outcome in terms of security is probably the same.

webdevfv

4:11 pm on Jul 15, 2010 (gmt 0)

10+ Year Member



Are these real customers? It's not some sort of scam to get worried people to click on a dodgy link?

incrediBILL

4:45 pm on Jul 15, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The outcome in terms of security is probably the same.


Not even close IMO.

I used to run a server farm, and all our dedicated clients were very secure, but thanks to shared server clients installing random stuff and not doing security updates, the odds of the shared servers getting hacked were much better.

Again, a jailed account on a shared server can't see anything outside the account that could be stealing data, and if the host isn't smart enough to see it, history just keeps repeating itself.

Here's a fun story related to the topic...

One of our largest dedicated clients had a ton of credit cards stolen, repeatedly, and we were positive the servers were locked down tight as a drum. We could see all access to the server where the hacker touched the files, and that level of access only came from the client's IP address.

Turned out the hacker had infected one of the client's machines and was accessing their server from behind their own corporate firewall!

So never eliminate anything possible until all possibilities are eliminated.

enigma1

6:45 pm on Jul 15, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, the case you mentioned shows how reckless a site owner can be, which is my point. You can have a super secure server and admin panel locked down, and one of the admins gets an XSS because he clicks one of the phishing e-mails and/or runs the "dancing pigs" attachment. It doesn't need much to compromise even the most secure server, and it often happens from the inside. So you see it doesn't matter if it's shared hosting or dedicated.

I have mentioned this many times. By default keep js off, flash off and active scripting (whatever) off. Enable them only for a specific site that you trust.

Only in the past couple of days I counted over 100 emails with attachments, jscripts, viruses, phishing, you name it, coming through one of the servers I have.

jwolthuis

12:23 am on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sometimes it's as simple as a customer using a computer at the library. The next person walks the browser history and comes across your payment information screen. Viewstate is restored, and everything is visible.

Are your customers logged out after they place an order? Is the session terminated? Is viewstate disabled during the checkout flow?
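An added defensive example (my code, not from any poster in this thread or from PayPal) covering two points raised above: enigma1's observation that a full card number should never pass through the merchant's own server, and jwolthuis's questions about terminating the session and keeping payment pages out of the browser's cache and history after checkout. The in-memory session store, the `sid` cookie name and the form field names are assumptions.

```python
import re
from typing import Dict, List, Mapping, Tuple
from wsgiref.handlers import format_date_time

# Constructed in-memory session store (assumption): session id -> session data.
SESSIONS: Dict[str, dict] = {"sess-abc123": {"user": "alice", "cart": ["sku-1"]}}


def checkout_headers() -> Dict[str, str]:
    """Response headers for every page in the checkout flow, so the browser
    keeps nothing in cache or history that the next user of a shared PC
    could restore with the back button."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def end_session_after_order(session_id: str) -> Tuple[bool, str]:
    """Destroy the server-side session once the order is placed and return a
    Set-Cookie value that expires the client's session cookie."""
    existed = SESSIONS.pop(session_id, None) is not None
    expired = format_date_time(0)  # Thu, 01 Jan 1970 00:00:00 GMT
    cookie = "sid=; Expires=%s; Max-Age=0; Path=/; Secure; HttpOnly" % expired
    return existed, cookie


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def fields_carrying_pan(form: Mapping[str, str]) -> List[str]:
    """Names of submitted fields that look like a full card number (PAN).
    When the payment form posts straight to the processor this is empty;
    any hit means card data is transiting this server, which widens PCI
    scope and is exactly what a server-side POST skimmer would harvest."""
    hits = []
    for name, value in form.items():
        digits = re.sub(r"[ -]", "", value)
        if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits):
            hits.append(name)
    return hits
```

Run `fields_carrying_pan` against the parsed body of each checkout POST in a staging environment; a non-empty result is the evidence that the "last 4" is being recorded from a PAN that passed through your own server.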