Re: Vuln in Verisign PayFlow Link payment service

["Megan McRee" <meganmc () mail ru>]

Looks like it might be a little difficult to totally secure from my end. I
would go for PayFlow Pro, but I cater to smaller sites that don't want to
fork out the big bucks and don't want things any more difficult than it has
to be. I don't want things anymore difficult than it has to be because I
have to answer the support e-mails too :)

At this point, if VeriSign won't correct the problem, I think the best thing
is to make sure everyone knows that they need to have confirmation e-mails
sent from verisign. They are already sent an e-mail from the site, so if
they don't see 2 e-mails come in they should know something is definitely
wrong....

That would probably work for most sites using the PayFlow system as they are
probably small enough to catch that if they know what to look for.

----- Original Message -----
From: Keith Royster <keith () homebrew com>
To: Megan McRee <meganmc () mail ru>; <vuln-dev () securityfocus com>
Cc: <pdoru () kappa ro>
Sent: Saturday, January 05, 2002 7:40 PM
Subject: Re: Vuln in Verisign PayFlow Link payment service


> Most, if not all, of the info you are checking against (http_referer, IP,
> etc) can be spoofed.  I know I could use a local proxy like Proxomitron
> (www.proxomitron.org) to do a search-n-replace on my http_referrer.  The
IP
> address would be more difficult, but still doable.
>
> ----- Original Message -----
> From: "Megan McRee" <meganmc () mail ru>
> To: <vuln-dev () securityfocus com>
> Cc: <pdoru () kappa ro>
> Sent: Saturday, January 05, 2002 3:51 AM
> Subject: Re: Vuln in Verisign PayFlow Link payment service
>
>
> > How about not submitting the credit card from the site...let PayFlow
Link
> > order form gather that information. Set the Pay Flow Link to "Return
Post"
> > and in the scripts from which the order is placed do some http_referer
> > checking (along with logging the IP and domain and sending the admin
> > notification)
> >
> >
> > ----- Original Message -----
> > From: Doru Petrescu <pdoru () kappa ro>
> > To: <vuln-dev () securityfocus com>
> > Sent: Friday, January 04, 2002 12:38 PM
> > Subject: Re: Vuln in Verisign PayFlow Link payment service
> >
> >
> > > > Perhaps a fix for VeriSign would be to passback a secret code
> > (configurable
> > > > through the PayFlow Link admin panel) that does not originate from a
> > cart
> > > > input value, but is stored and sent from PayFlow. Then a simple 'if'
> > > > statement in the cart software could weed out the bad along with an
> > e-mail
> > > > sent to the admin. That would surely slow someone down if they have
to
> > guess
> > > > the secret code's input value.
> > >
> > >
> > > THIS IS WRONG!!!
> > >
> > > the "secret code" can be hijacked as well if you can afford to make a
> > > valid payment FIRST. That will require a valid creditcard something
that
> I
> > > don't have so will reduce a little the nr of people that can attempt
to
> > > crackin.
> > >
> > > The SAFE WAY is to have a SECRET PASSPHRASE shared between you and
> > > VeriSign and use it to ENCODE THE DATA or at least to SIGN THEM.
> > >
> > > You can use a simetric encoding scheme or a generate a MD5 signature
> that
> > > can be used to verify that the response came from verisign and not
> someone
> > > else. also some random data need to be inserted (like the current
> > > timestamp cancat with a random 10 digits number) to shield from
"reply"
> > > attacks that reuse the same signature.
> > >
> > > YES this will require some basic crypto functions to be included in
the
> > > libs they supply, but since this is pure math it is system
independent,
> so
> > > it should not introduce any problemes.
> > >
> > >
> > > just my 2c ...
> > >
> > > A HAPPY NEW YEAR TO ALL OF YOU,
> > > ------
> > > Doru Petrescu
> > > KappaNet - Senior Software Engineer
> > > E-mail: pdoru () kappa ro LINUX - the choice of the GNU generation