VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Credit card fraud and hackers
 Possible PayPal hack?
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

Modrnlifer
Starting Member

12 Posts

Posted - December 05 2006 :  06:57:17  Show Profile  Visit Modrnlifer's Homepage  Reply with Quote
We've had a order made through PayPal but there's no record of it in the PayPal account.

The order shows as completed in the the cart admin area and an email has been triggered from the site which we've recieved but absolutely nothing from PayPal - no email or record of the transaction.

PayPal say they had no problems on the date of the order and the email of person who ordered is not registered to a PayPal account so it looks as if it's been a credit card payment.

We suspect they're hackers as they've not replied to our emails and the telephone isn't being answered but we'd like to be sure that it isn't a technical glitch.

Is bypassing PayPal possible? Could they have just entered the order directly into our SQL database?

devshb
Senior Member

United Kingdom
1898 Posts

Posted - December 05 2006 :  15:42:17  Show Profile  Visit devshb's Homepage  Reply with Quote
yes, it's possible to do that with standard paypal (I won't explain how here for obvious reasons), and that order is almost certainly a hacker. if you use paypal ipn or paypal pro then it's not possible (as long as it's setup properly)

if you sell downloads on your site, then you need to use paypal pro or paypal ipn or some other gateway, otherwise people will be able to place invalid orders and still get the download links.

that's one of the reasons we don't use paypal anymore for our addon sales, as we sell downloads.

I discovered that gap with standard paypal when I was testing our own site long ago and I was trying to work out an easy way to flag the test order I was making as valid without having to go through admin or making a payment. I was a bit horrified to find that my first basic attempt to do that worked with no problems; at that point we immediately switched to a different gateway.

Note that this is a logical fault/gap with paypal, and not a vpasp bug/problem, and it's only relevant to basic paypal; paypal ipn+pro are fine.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on December 05 2006 16:13:28
Go to Top of Page

Modrnlifer
Starting Member

12 Posts

Posted - December 05 2006 :  19:02:46  Show Profile  Visit Modrnlifer's Homepage  Reply with Quote
Many, many thanks for this info - we are using the standard version & we did suspect it might be a dodgy order. However we're selling jewellery rather than downloads so it's not quite the problem it could have been. I'll pass this info on to the site owner.

Some good came out of it though - it made me review the site thoroughly and upgrade to v9.01.

Edited by - Modrnlifer on December 05 2006 19:09:15
Go to Top of Page

devshb
Senior Member

United Kingdom
1898 Posts

Posted - December 05 2006 :  19:23:54  Show Profile  Visit devshb's Homepage  Reply with Quote
true; yes, for physical products it's more of an annoyance than a real problem, as long as you double-check your orders against the paypal system then no real harm can come of it.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons
Go to Top of Page

Modrnlifer
Starting Member

12 Posts

Posted - December 06 2006 :  14:07:53  Show Profile  Visit Modrnlifer's Homepage  Reply with Quote
You're right it is an annoyance & I've now been looking into PayPal IPN - do you know if there's an additional cost attached to using it?

It seems like I can just enable it on the PayPal account but I don't want to give the site owner a nasty shock.

Edited by - Modrnlifer on December 06 2006 15:00:02
Go to Top of Page

jubjub
VP-ASP New User

110 Posts

Posted - December 06 2006 :  20:14:29  Show Profile  Reply with Quote
It's free, it'll just require a few configuration changes in Paypal and loading up another set of Paypal files on your server.
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000