Paypal payments being received as £0.01??


    We had a nasty one this morning - a £22.27 PayPal order which was downloaded and classified by Actinic as "Paid", but on examination the email from PayPal confirms only £0.01 has been transferred into our account. Somehow the customer seems to have fooled Actinic into thinking they have paid the full amount, when in fact they haven't. The "Progress and Payments" Tab in Actinic shows an Order status of "Complete" and an Order total of £22.27, but also a Payment Status of "Error (PSP)" which seems to have been ignored.

    We use ordinary PayPal, not PayPal Pro.

    On checking back, we have found a similar order from the same customer last week.

    Is there a flag somewhere we should have set to prevent this? We do not want to have to check every single PayPal email to see if the amount paid matches the order.
    Many thanks.
    Andy Shercliff
    www.4children2enjoy.co.uk

    #2
    [this explanation of this exploitable problem was removed, because knowledge is power]

    Here it is encrypted:
    8e2839cbaea0a7af7e3c91571ba33018b2225d87c34a7681d806efed4486f4f0
    c96d005c6408c9df01a9e3af387a7f00e46bd93b75bb42c7ec1dcd9d1fd8b9cf
    43005514121ceaced787065b2aaa19ea5a313876a01ec6ed54bfdfea924bb4c
    3ada0873b419631623d2a33c782d9ad5010c9d5b5963b35261da2e18e38bf55
    7c78b52cb7d5d042077d1096c279dc80f1a38d5f801ab8b3487f9752f4a10215
    29b0de106ee28572b159678f832d636d31cfe549e14a756673771ed16fff9136
    3b10b8f6c0162bb4033a184afc329834341f5e312c851355a5a2069f6c7ed360
    dc1ab8dddc7d89c9f7b45646c72199154a6c132bf2957066a0bbf9d91e714faa
    3674c847580af37b5f16c3bdfd5b8768e761372085112503839342ee3a2298f0
    aff304a03a55c7b23ec1b65d96e13a74cac3a39f022404dac7e570252b7fe6cc
    27f0aef11c065352e56391a8e44d7a7763641cc1d836ca0c7e33bf8da5a0607d
    372d46d050e05df6177c06b80f7d4ef544166d8675c9de140bfa5dfd8b7cc1f42
    43fcd879c6cfcaf413db595e7a63dc3355c7d55d561134233ace8c46da70211d
    4bbd1099e862f03daca449213c9a6e8237a5f81c501d6b8495fc780e5693987d
    b771a65faf8a9674e8270cb5d66efcf81871be17c40fb1b6c5cd4611cc502746
    44e82cf2e1163b35ecb39ad1d8d811986ef69c5af7425baf3036528221825803
    27bf8a893d2bff5317804be170a680ab3c37a0231cddf2560f303036eb4ffaba9
    4df658017c87dda375de6e1c782d0d9be920a442a193bdad1efc9eb8cd44692
    ea43e73abc8dcf2c2d8e9f480e9f9fd3ccb08edaf887d6096e0ebad23f89c8b43
    1e0c6ca39cb272cd46e6ec96d69bd449d9cfa13605ed2da45570f65b4eff38d1
    b3d9618e0ae9fa724f017e241608bb6e135a3c91a36cc1c8a54741fc01efcbe6
    8d11c45237458f1eb3bd62e36006bc3027b897f411c38b949c1d1663c6fec55f
    c4f96301a3c0119126a8738b137ea0fc926557f4c1ff2821e75f645d777e011de
    c8489daea0327cfde109cc84dbd5328b25a8f11ece71370107ea2e4e0fc1c147
    18636e31cb2b6c52542edb5a4222cd7925f56dca5507ffdbabd21bad5df3249d
    0c97bcd85ba9cb16f1899c97f4e9beb237198d23151bdf670071f72e4b56919d
    808172ed0e33798a49609b20bc87c696b4598983338bb580358b011e59fd1d0
    3a1410d19a336460a63cbe3f39690de230b6bc723684b531d4b85e0040f8ab9
    1ddfe13171b3199b7f2fbde28cd043c66cb51fc9663965e8fc145a0d3db3f58b0
    3bb0f7d59693330a711b17905aed729b9d19365b43e1b926707f1f537ba16c3b
    0e1fae1815ebb46e82ca59e1eab65716c6c7f6f520345d2ac4b6b70c6d508bbe
    e45a9f9131363f4dad5c343f053e979d249f94a67f535e987f4cf15c6044dd355
    9bc72d73ecfdbe49b69d974686e85540d5b091f2318bada7416b11d17318560
    62dba55701e10ae4387c5bff5d7a33f3ed77b0407a84a06c9824232e8cb2c8a5
    807dc233df73eb96611d0902bd5d228a233d8b99865e596f7e98a18dc0b97c1
    b27e924e01ef54a91b2d46a7042e1aa9aed8dcb63ff567838bc1c596bba82142
    e39b3ad47b6f6694bebe9d05f3e466b66793bd3fb1da35c9c69806a5a269569b
    efd8a5aabf81450e289faad8590155ce12397fd2c4baf765798242b691552e563
    be6e51d77e4d9409b58d8d30bb0a9a9af77177c338e0c9ad9305a9e1c6011bc
    1c39abf05d03de4ee4ede21cdad45ca28085c19e0b82ebe3bd6dbc12fd913ad5
    f5db628f9230ef0b7041ad049



      #3
      I suggest that you remove paypal from your site, forthwith.



        #4
        and report the transaction to paypal



          #5
          Paypal

          Very many thanks for the time you have taken to look into this, and for your good advice.

          Might it be a good idea to remove the exact details of how you achieved it from your post, Gabriel, else everyone will be doing it!
          Andy Shercliff
          www.4children2enjoy.co.uk



            #6
            There has to be an actinic bug as well that doesn't pick up that 'full payment' hasn't been received.

            Normally, if the payment received doesn't match the order total then actinic won't display 'full payment received' against the order and won't let you print out the invoice.

            Why isn't that happening here?

            Mike
            -----------------------------------------

            First Tackle - Fly Fishing and Game Angling

            -----------------------------------------



              #7
              Originally posted by 4children2enjoy:
              Might it be a good idea to remove the exact details of how you achieved it from your post, Gabriel, else everyone will be doing it!
              Sadly, I disagree.

              With full disclosure, you can be sure that anyone reading this will be taking action.

              Brushing it under the carpet, is a sure fire way to get it ignored.



                #8
                Hi,

                I've passed this over to our development team, although I may not get a quick reply as most of them are travelling across to the UK for the conference. Gabe, I suggest you do remove the details of how you have done this as I've passed that information across too.
                ********************
                Tracey
                SellerDeck



                  #9
                  Can I ask for an update on this, it affects a lot of people.



                    #10
                    I would be interested to know as well.

                    Gabe, a quick Q for you: would it still be possible if you were using an SSL on checkout? Actually, I tell you what, let me know when you have a few mins, as I have some spare sites using my shared SSL server and I can set something up. I just need to know how you did it.

                    D



                      #11
                      Zoltan is investigating this. I will update you as soon as I have something.
                      ********************
                      Tracey
                      SellerDeck



                        #12
                        The attack, encrypted above, does not care one jot what security you use.



                          #13
                          Hi,

                          The way the integration with PayPal works is that they take a payment for whatever is in the bounce page and tell the merchant's server how much was taken (they don't verify the amount with the merchant as some other PSPs do). Actinic receives the amount actually taken by the PSP and passes the amount back to the desktop, where the PSP Error message is shown if the amount has been hacked. In the case of DD products, Actinic will not show the DD links unless the correct amount was taken by the PSP.

                          I think the main problem here is that the 'Error (PSP)' status was ignored.
                          ********************
                          Tracey
                          SellerDeck



                            #14
                            I think the main problem here is that the 'Error (PSP)' status was ignored.
                            It seems to have been ignored by actinic as well:

                            The "Progress and Payments" Tab in Actinic shows an Order status of "Complete" and an Order total of £22.27, but also a Payment Status of "Error (PSP)" which seems to have been ignored.
                            Presumably this is a bug?

                            Mike
                            -----------------------------------------

                            First Tackle - Fly Fishing and Game Angling

                            -----------------------------------------



                              #15
                              The "Progress and Payments" Tab in Actinic shows an Order status of "Complete" and an Order total of £22.27, but also a Payment Status of "Error (PSP)" which seems to have been ignored.
                              The problem is not what the 'order total' shows, but what the 'outstanding balance' shows. Our tests show that the whole amount is outstanding. Therefore, the merchant needs to check all orders with a 'payment status' of 'Error (PSP)' before sending the goods out. Having the 'Order Status' show as complete is a bug and has been reported.
                              ********************
                              Tracey
                              SellerDeck
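The two SellerDeck replies above (#13 and #15) between them describe the check a merchant-side handler has to make: the amount in the bounce page is whatever the browser submitted, so the amount PayPal reports as taken must be reconciled against the merchant's own stored order total, and the order status must follow the outstanding balance rather than being set on its own. The following is an added example written for this thread, not Actinic/SellerDeck code and not PayPal's. It assumes a hypothetical order store, a hypothetical merchant e-mail address and constructed notification bodies; the field names used (payment_status, mc_gross, mc_currency, receiver_email, invoice, txn_id) are PayPal IPN field names, but the values are made up here. The round-trip that verifies a notification with PayPal (posting the body back with cmd=_notify-validate and expecting "VERIFIED") is left to the caller so the example runs offline.

```python
"""Reconcile a PayPal Standard notification against the merchant's own order record.

Added example for this forum thread; not Actinic/SellerDeck or PayPal code.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed order store standing in for the merchant's records (hypothetical order id).
ORDERS = {
    "4C2E-1001": {"total": Decimal("22.27"), "currency": "GBP"},
}
MERCHANT_EMAIL = "payments@example.co.uk"   # hypothetical PayPal account address

# Constructed notification bodies in the x-www-form-urlencoded shape an IPN POST has.
# Field names are PayPal's; values are made up. The first mirrors the thread: order of
# 22.27, but only 0.01 actually taken.
IPN_TAMPERED = ("payment_status=Completed&mc_gross=0.01&mc_currency=GBP"
                "&receiver_email=payments%40example.co.uk&invoice=4C2E-1001&txn_id=1A1")
IPN_GOOD = ("payment_status=Completed&mc_gross=22.27&mc_currency=GBP"
            "&receiver_email=payments%40example.co.uk&invoice=4C2E-1001&txn_id=1A2")
IPN_WRONG_CCY = ("payment_status=Completed&mc_gross=22.27&mc_currency=USD"
                 "&receiver_email=payments%40example.co.uk&invoice=4C2E-1001&txn_id=1A3")


def parse_ipn(body: str) -> dict:
    """Flatten the form body; IPN fields are single-valued."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _err(reason: str, outstanding) -> dict:
    return {"payment_status": "Error (PSP)", "reason": reason, "outstanding": outstanding}


def reconcile(ipn: dict, verified: bool, seen_txn: set, orders=ORDERS,
              merchant_email=MERCHANT_EMAIL) -> dict:
    """Decide the payment status of an order from one notification.

    `verified` is the result of the caller's cmd=_notify-validate round-trip with
    PayPal (not performed here). The amount owed always comes from the stored order;
    the notification only tells us what was actually taken.
    """
    order = orders.get(ipn.get("invoice", ""))
    if order is None:
        return _err("unknown invoice", None)
    total = order["total"]
    if not verified:
        return _err("notification not verified with PayPal", total)
    if ipn.get("receiver_email", "").lower() != merchant_email.lower():
        return _err("receiver_email is not our account", total)
    if ipn.get("payment_status") != "Completed":
        return _err("payment_status %r is not Completed" % ipn.get("payment_status"), total)
    if ipn.get("mc_currency") != order["currency"]:
        return _err("currency mismatch", total)
    txn_id = ipn.get("txn_id", "")
    if not txn_id or txn_id in seen_txn:
        return _err("missing or replayed txn_id", total)
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return _err("mc_gross is not a number", total)
    seen_txn.add(txn_id)
    outstanding = total - paid
    if outstanding > 0:
        return _err("paid %s of %s" % (paid, total), outstanding)
    return {"payment_status": "Full payment received", "reason": "", "outstanding": Decimal("0")}


def order_status(payment: dict) -> str:
    """Derive the order status from the outstanding balance rather than setting it separately."""
    if payment["outstanding"] is None or payment["outstanding"] > 0:
        return "Pending"
    return "Complete"


if __name__ == "__main__":
    seen = set()
    for body in (IPN_TAMPERED, IPN_GOOD, IPN_GOOD):   # third body is a replay of the second
        p = reconcile(parse_ipn(body), verified=True, seen_txn=seen)
        print(p["payment_status"], "|", p["reason"], "|", order_status(p))
```

The point of `order_status` taking the reconciled payment as its only input is the bug reported in #15: an order can show "Complete" while the payment status is "Error (PSP)" only if the two are set independently, so the safe shape is to compute one from the other and hold shipping on anything with a balance outstanding.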

