I'm having trouble figuring out how to prevent people from editing the amount in my shopping cart with tools such as Firebug. How do I make sure users can't edit the hidden field? Can I encode the amount before sending it to PayPal?
Thanks!
Francois
Okay, turning comment into answer...
Don't encode the hidden field! When a customer makes a payment, PayPal will handle the transaction and tell your automated system that it has received the payment. It should also tell you how much the customer paid you! You then compare the amount paid with the original invoice and if there's a difference, you just tell the user that the payment is incomplete. (Unless they paid too much, of course.)
As Chris Lively tells you, don't trust the customer! Always check the amount that has been paid. Once you do this, it doesn't matter if the user hacks into any hidden fields, since you check it afterwards.
If your security depends on keeping your users away from hidden fields, your security will fail! Your security should depend on your contact with PayPal directly. Only when PayPal confirms the payment, you should send the product.
I'm sorry to say, but you cannot prevent people from fiddling with the HTML / POST variables. One common security mantra is "Don't trust the client".
The process should be to have the client post back to your server. It recomputes the totals or whatever, then sends that to PayPal. Obviously there should be some sanity checks like preventing zero or negative quantities; however, the client itself should NOT have control of the totals.
Related
On the PayPal Basic Integration tutorial it is possible to capture an order client-side, which essentially submits the payment to PayPal. Once the order is captured, the tutorial shows you how to verify the transaction, which would ensure you do not provide a service or product unless the PayPal order is verified. However, someone could maliciously capture a payment using the client id and while verification would fail, PayPal would withdraw the funds from the customer. How can you prevent this? Is this secure?
[UPDATE]
This question comes mostly out of curiosity and lack of experience with PayPal. To put more context into this and hopefully help others: the PayPal basic integration is simply an HTML form and so it doesn't stop anyone from modifying the HTML form and sending a different amount for authorization/capture. Let's say that the original amount for an order is 100; it is possible that someone changes that amount and submits the authorization with the different amount. At the minimum it would initiate an authorization/capture of this different amount that perhaps is higher. Good practice dictates that the amount and orders should be verified before finalizing the transaction on the backend, but even if the transaction is found to be invalid the funds would have already been put on a "hold" by PayPal and possibly on the customer's credit card.
This is probably not an issue since, like mentioned, transactions should be verified on the backend; it is also not too obvious (maybe with some social engineering) how someone would benefit from this and most likely would just be an inconvenience.
This may sound odd, but should I check if the amount sent via IPN is correct?
In my IPN listener, I send the post values back to PayPal to verify them, so I assume all values are the same as on PayPal. (Amount paid, item name, etc.)
And the next thing is, people can't find my IPN URL, because I generate a link and redirect them to it, which is encrypted.
The reason I'm asking if I don't have to check the amount is because I run my site with coupons, and checking if the amount is correct would be hard.
And also, my IPN URL is dynamic.
The reason people check the amount is to make sure somebody didn't copy your HTML button code, change the amount of the product, and then submit a payment using that adjusted code. This would go through PayPal and your IPN would indeed come from them, so it would verify, but if somebody changed the amount like that and you shipped the product without realizing it that could be a bad deal.
This isn't required if you're using hosted buttons or encrypted buttons. That stuff gets hidden so people can't do that. Same goes with API requests. It's really only a potential problem if you're using standard HTML buttons or checkout code that isn't hidden in any way.
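The check described in the answers above (price the order on the server, then compare what PayPal reports with the stored order, coupons included), as an added Python example that is not code from any of the posts. The catalogue, coupon table, merchant address and in-memory stores are constructed for illustration; the field names are PayPal's standard IPN variables.

```python
from decimal import Decimal

# Constructed sample data: server-side catalogue, coupons and merchant account.
CATALOGUE = {"sku-basic": Decimal("10.00"), "sku-pro": Decimal("25.00")}
COUPONS = {"HALF": Decimal("0.50")}   # coupon code -> fraction taken off
MERCHANT_EMAIL = "seller@example.com"
ORDERS = {}                           # order id -> expected payment
SEEN_TXNS = set()                     # txn_id values already fulfilled


def create_order(order_id, cart, coupon=None, currency="USD"):
    """Price the cart from server-side data only; client-sent prices are never read."""
    total = Decimal("0")
    for sku, qty in cart.items():
        if sku not in CATALOGUE or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"bad cart line: {sku!r} x {qty!r}")
        total += CATALOGUE[sku] * qty
    if coupon is not None:
        if coupon not in COUPONS:
            raise ValueError("unknown coupon")
        total -= total * COUPONS[coupon]
    ORDERS[order_id] = {"total": total.quantize(Decimal("0.01")), "currency": currency}
    return ORDERS[order_id]["total"]


def check_notification(ipn):
    """Compare an IPN message PayPal has already answered VERIFIED for with the order."""
    order = ORDERS.get(ipn.get("item_number"))
    if order is None:
        return False, "unknown order"
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"
    if ipn.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return False, "paid to a different account"
    if ipn.get("mc_currency") != order["currency"]:
        return False, "wrong currency"
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except ArithmeticError:
        paid = None
    if paid is None or not paid.is_finite():
        return False, "unreadable amount"
    if paid < order["total"]:
        return False, "underpaid"
    if ipn.get("txn_id") in SEEN_TXNS:
        return False, "duplicate transaction"
    SEEN_TXNS.add(ipn.get("txn_id"))
    return True, "ok"
```

Because the discounted total is stored when the order is created, the listener never has to recompute the coupon; it only compares against the stored figure.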
I have a VoIP calling company for a Russian market with a Russian website where people can sign up for an account, buy credit and make calls. My service is not even popular and I have only ~100 customers. Recently, I had around 10 fraudulent users who used stolen credit/debit cards or PayPal accounts to make payments. Even though my website is in Russian, I had fraudulent customers from Somalia who purchased $50 worth of credit with stolen information. Two days after the fraudulent user signed up & used up their credit, I received an email from PayPal saying that those transactions were "unauthorized (transactions)." PayPal gave me 10 days to resolve this dispute and make refunds by talking to people whose financial information was compromised. After hours of arguing and debate, I had to make a refund and accept the loss. But, is this how it works? What if I had 100 fraudulent customers who purchased $1000.00 worth of credit? How can I insure myself against this? Note that my service was in Russian; what if I had an English website for everyone to sign up? How do you protect your service against such things?
Some of the measures I can think of are:
Customer must activate their account via verification email (Already implemented)
Accounts by default aren't activated, I have to manually activate them (Customers may not like this)
Calling the new customer at the provided phone # to make sure he really signed up (I hate this one)
All of your advice and opinions are appreciated!
I worked at a similar company (no names) and the only thing we could do that actually solved the problem was to have the users sign up with a credit card, billing the minimum amount from their card while generating a code that was included in their statement (à la "VoipMaster (4711)").
They then had to look up their credit card bill (many banks let you do it pretty much immediately online) and enter that code at our site. In other words, the user had to have access to the credit card bill to sign up, not just the credit card information.
I think that pretty much stopped fraud cold, but it's hard without marketing research to tell how many valid users didn't sign up because of it.
It's just the pitfall of accepting online payments. You do not lose $1000 worth of money when you have to refund though. PayPal should not charge you any fees for reversing the money and therefore you have not lost anything apart from a small amount of time.
There are some things you could do to try and prevent this happening in the first place. The biggest thing would be to choose one or more vectors and then detect any changes on those vectors. A change would then need to have a secondary authorisation.
For example you could say that if you try and use a different PayPal account to the last one you used, then you must go through a confirmation stage.
Another one could be that if you purchase more than a certain limit then you go through the confirmation stage.
If your IP address changes you go through the confirmation stage (not so good, but it's an idea nonetheless).
The confirmation process/stage could be anything you deem suitable to ensure to the best of your ability that they are legitimate. For example you may require email confirmation from them or require them to wait 24 hours for the credit to be given (provide a phone number they can call you on to fast track maybe).
There's no sure-fire way, but the harder you make it the less it will happen. There are hundreds of things you could do based on the simple theory I posted above. Never mind more complex things you could possibly use. At $50 a time I would assume they are using your site as a test site to ensure the details all work ok, before going on to using them for larger payments elsewhere or transferring money to their own accounts. So if you make it harder for them to do that, they will find somewhere else to test them.
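The "watch a few vectors and require confirmation when one changes" idea from the answer above, as an added Python example that is not code from the post. The threshold, the 24-hour hold, the Account fields and the treatment of a first payment as a change are assumptions made for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

AMOUNT_LIMIT = Decimal("25.00")   # assumed purchase limit
HOLD_SECONDS = 24 * 60 * 60       # assumed 24-hour wait before held credit is given


@dataclass
class Account:
    last_payer_id: Optional[str] = None   # PayPal account of the last accepted payment
    last_ip: Optional[str] = None
    pending: Optional[dict] = None        # payment waiting for confirmation


def triggers(account, payer_id, amount, ip):
    """List the watched vectors that changed for this payment."""
    reasons = []
    if account.last_payer_id is None:
        reasons.append("first payment")   # assumption: no baseline counts as a change
    elif payer_id != account.last_payer_id:
        reasons.append("different PayPal account")
    if amount > AMOUNT_LIMIT:
        reasons.append("amount over limit")
    if account.last_ip is not None and ip != account.last_ip:
        reasons.append("IP address changed")
    return reasons


def handle_payment(account, payer_id, amount, ip, now):
    """Credit at once when nothing changed, otherwise hold the credit."""
    reasons = triggers(account, payer_id, amount, ip)
    if reasons:
        account.pending = {"payer_id": payer_id, "ip": ip, "amount": amount,
                           "release_at": now + HOLD_SECONDS, "reasons": reasons}
        return "held", reasons
    account.last_payer_id, account.last_ip = payer_id, ip
    return "credited", []


def release(account, now, confirmed=False):
    """Give held credit after confirmation or once the waiting period is over."""
    p = account.pending
    if p is None or not (confirmed or now >= p["release_at"]):
        return False
    account.last_payer_id, account.last_ip = p["payer_id"], p["ip"]
    account.pending = None
    return True
```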
I'm using PayPal Website Standard and passing my order id that is generated on my site via the item_number field. I was wondering, how does PayPal know that the content in the form has not been altered by the user? For example, someone could just change the amount of $10 to $5 and PayPal would not have any way of knowing. I've done this before with other payment processors, and they make me send them an md5 hash of amount and some other data + secret key, but I am not sure if PayPal has this?
Based on this article, I believe it depends on whether or not you are using "Payment Data Transfer". If you're just using a button, then you'll need to manually verify the payment amount before shipping. If you're using PDT, you should be able to verify the payment_gross amount sent back in the response from PayPal.
You're right -- in general you can't keep someone from altering your data. If you must use PayPal (yeah, I know, no monthly fee) so far as I know you have three options:
Let PayPal host your button data. But this gives you little control over the process.
Manually verify each transaction, checking price etc before shipping item.
Using their API to receive completed transaction to automatically check data.
Another thing to watch out for is calculation of sales tax. PayPal's approach was too simplistic for our needs, which forced me to take control of the checkout process.
See this link.
You should try to implement it using IPN; PDT is prone to not passing the variables from PayPal to your website if the user does not press the "go to store" button. As others have answered, hosting your button would make it secure at the cost of flexibility. Here is a link on the variables that could be altered on hosted buttons: https://www.x.com/people/PP_MTS_Haack/blog/2009/11/11/override-variables-for-hosted-and-encrypted-buttons . As you look into the variables, you can't really change the important ones.
I'm trying to integrate a payment mechanism to my site. The scenario that I need is not trivial and can be explained by the following example:
User pays upfront for a subscription program (i.e. receiving Netflix). User is able to make changes to the subscription (i.e. change number of movies checked out each time from 4 to 2)
User is able to buy additional one time purchases via the provider's site (Netflix) supplied by 3rd parties. These items (i.e. popcorn, snacks) get billed to the same credit card as the subscription without having to go through the process of resubmitting the credit card information.
Of course, my site takes also a small fee for the transactions :-)
I was wondering if this is supported by PayPal, Google Checkout or someone else.
Thanks.
The PayPal API can handle all of those processes.
I seem to have dropped the ball on what kind of answer you wanted so I'll leave it at that.
If you have some feedback or more direct questions, I will try to answer as much as I can.
--
The money would best go through you first, unless somehow you can convince your customers it's normal to bill them per item. Also if they pay by credit card you should only bill them once as you would incur fees on every payment. I don't know of any way to bill once but distribute the payments.
As for the PayPal docs..
Very good resource, there is also some sample code for most major web languages
Also this will get you started if you don't have a developer login
Their developer support is also pretty good. One thing a lot of people seem to screw up when starting out with the PayPal API is not setting the latest version in the configs, so don't forget to update that to the latest release. :)
Disclaimer..
Yea, I know there is a lot of bad press about PayPal and crazy stuff happening, but they do get the job done most of the time; it's not my fault the customers love to use it.