Fake Security

Anon

Hi, I'm trying to automate orders online & solve this out. I got really depressed in the last two weeks, & I just don't see a way out... & i just don't know what to do anymore. Our system works like this:
CLIENT --> BANK --> COURIER.
I do know that there are a lot of things to fake from referers,...

Some banks do not allow to enter & fill in the inputs if you do not have a javascript turned on? How can you check that with php? I presume that that could be cracked too.

How do those big guys do that? There must be a solution. If they can do it, you can do it too I guess. I'm so worried that I'm even not capable to think anymore. My brain blocked, if I still have it.

The thing I really need to protect is the page from the bank. The thank you referer button (with all those silly hidden inputs in it). If someone knows what that input & the refere is (including the bloody order code that has to be sent to the bank allong with the page to the cc form), can abuse the order & have it mailed to himself automaticly for FREE. Of corse that would work for Italian orders only, there's a court ecc. (makes no sece for 100 euros, & if you can get the cracker. Don't think so.), but the real fault would be only mine cause I wasn't capable to create a more efficent anti frodulant system.

Is there a solution for it? Otherwise I'll have to watch over the orders & process them manually. Any idea is greatly appritiated.
Please give me some ideas to solve this out. How do you protect orders.
Thanks in advance.

[deleted]

"can abuse the order & have it mailed to himself automaticly for FREE."

Well no, because the bank only accepts billings if there is valid creditcard data, so free orders are not possible, no matter how much you fake.

van__

Well, it seems you are way stressed on making an ultra-secure page.

So here's what I do...
start off with your vanilla HTTPS page
(you are using HTTPS right?)
All the links to that page should be ABSOLUTE URLS (would have to be anyway to transition from HTTP to HTTPS)
This will kill the session (if any)
so now ... Require the user to login again, over the HTTPS server and hand them a brand spankin new session.

Ok, now that they are off to a fresh start, any sniffer will have useless data now.

So, just collect your data and have them send it to your site, not the banks or anyone elses.

Your PHP script will collect the data and test it for completeness and then perform an HTTPS POST to the bank server via cUrl (http://curl.haxx.se) which can use cookies, GET/POST and login. I've been using cUrl to handle server-side HTTPS connections to remote hosts for awhile now, and it works great. And since a would be attacker never sees where you send the data, they sure as hell are going to have a hard time spoofing it. Additionally, you don't have to use any hidden form fields and can keep all your account data like account number and your sites user name safely tucked inside your scripts since your scripts will execute the transaction and not the users browser.

Anyway, hope that helps you some here.

Anon

Thank you Vincent for your kind reply. But...

You wrote:
Well no, because the bank only accepts billings if there is valid creditcard data, so free orders are not possible, no matter how much you fake.

Well that's the bug, that I trying to solve out. You see, if you order an article from us,... for only 10 Euros,...

Now you've got the page that is going to return back to https://mysite.it/thankyou.php (you get the thankyou.html (hidden field return link button) and as I was silly enough I made an agreement with a wholoesale grocer when ever they recive an order to ship it to a client - immeditaely. To become a serious company, as you're ultra small you have to provide better services to fight those big guys)
ftom the url (that is now the referer also) https://secure.bank.it/success/orderdone.exe

Now you know that my thankyoupage is:
https://mysite.it/thankyou.php & that the refer is https://secure.bank.it/success/orderdone.exe Now you can use snoopy or anything you like to get a free order really for FREE. ;-) Fortunately they do not know that I included in that page some select from... & mail($to);

I would like to retain this autoption, casue the customers are very happy with our orders, in two tree days they alredy have it at home.

Now,... can I use or include something else as a checkup to prevent the BUONA FEDE abuse. ;-) Now you see why I got depressed.

Anon

Hi, thanks for your naswer Van. I know that I'm getting a bit paranoid, but... All I wanna do is be honest, do an honest job & serve my customers the best I can, & hopping that I'll not have to deal with abusers.

Van wrote:

So, just collect your data and have them send it to your site, not the banks or anyone elses.

Thats interesting... But in case of a froudulant user,... you pay the ordered billes and not the bank. ;-( You see If a user usess here a nice cc that will expire in 2003 & it was cancelled from a user,... the php check will result VALID, since is only checking the corettness of the algoritems and not the bank real status validity, if it can be billed for sure or not. In that case the insurance is off,... & the fake IP submitter is you. If they're crazy enough they could even cut you off (the bank ofcourse).

Your PHP script will collect the data and test it for completeness and then perform an HTTPS POST to the bank server via cUrl (http://curl.haxx.se) which can use cookies, GET/POST and login. I've been using cUrl to handle server-side HTTPS connections to remote hosts for awhile now, and it works great. And since a would be attacker never sees where you send the data, they sure as hell ar....

That's a very good idea,... but collecting data from users is a too big responsability for me. I can not do that. The people will think who knows what,... I prefer to say LOOK WE DO NOT GET/COLLECT YOUR CC NUMBERS, ONLY THE BANK DOES SO THE BANK IS A SECURE GUARANTEE FOR IT.

van__

Well if you want the bank to be the only one liable in any way shape or form, then just have them post to the bank and not even touch your servers.

All my scripts go to mine first which then appends all the necessary data and posts securely from my server to the CC processor.
This has been very secure, is widely practiced (any site that has their own https gateway and takes CC info will auth it with a cc gateway provider)

The issue here I guess is that you can't have it both ways. If you want the CC provider to be the only one responsible here, then you'll have to have your forms post straight to them and let them deal with it. If you want your own custom setup, you'll have to set up something similar to what I described. But, you can't send the user straight to the bank AND control the transaction at the same time.

Anon

Hi Van,

I still belive that there might be an alternative. Thow the curl seems to be just great for that too. Thow my cert is 64 & theirs 128 bit. If the bank could execute the confirmation of the positive billing in the background (via the cron or what ever) that would be just great. I could try parsing the mail for that instead too. The php did think about everything unless on the pop3. If you don't have an imap support you can forget it. Why not pop3 support only, knowing that certain commands can not be applied on pop3 correctly. Crazy.

Thanks.