

Warn HN: Using CCAvenue (India) for net-banking? You may be losing money - niyazpk

(I don't know whether this is true for CCAvenue in other countries, but it will not hurt you to find out.)

I was analyzing the security of our startup's payment infrastructure when I found that CCAvenue is using a very poor error-detecting code instead of a cryptographically secure hash to validate the payment from the bank.

As a merchant, what this means to you is that even if CCAvenue[0] tells you that the payment is done, the money may never reach your account. Why? Because it is easy to forge a response from CCAvenue saying that the payment has been made.

There is nothing _you_ can do to prevent this attack. To prevent these types of attacks, CCAvenue should switch to a better[1] hashing algorithm.

One thing you _can_ do is to verify with your bank (after the fact) that you did indeed receive the money. But for many merchants like us, we would have already shipped the item to the customer before we even receive that data from our bank.

[0] Maybe CCAvenue is not the one telling you that the payment is done. But there is no way to find out.

[1] _Better_ is the wrong word here. They are using a broken error-detecting algorithm instead of a hash.
======
wladimir
_Because it is easy to forge a response from CCAvenue saying that the payment
has been made_

The IP from which this response comes should be an indication? Not 100%
secure, but a useful heuristic.

~~~
niyazpk
The IP will be the same. See my response here:
<http://hackerstreet.in/item?id=6737>

~~~
wladimir
Ouch. That indeed sounds terribly insecure. It saddens me that any
organization handling money (or any kind of user authentication) does it this
way. It relies 100% on "client-side" security. Even 15 years ago these kinds
of things were exploited.

I was thinking in terms of the Paypal API, they send an independent request
from their server to your website.
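
The two points raised so far, the original post's complaint that an error-detecting code cannot stand in for a keyed hash, and the suggestion in this comment of an independent server-to-server confirmation in the style of PayPal's API, side by side as an added example. This is not code from the thread, from CCAvenue or from PayPal: the field names, the Adler-32 stand-in for the unnamed error-detecting code, the shared secret and the settlement ledger are all constructed for illustration.

```python
import hashlib
import hmac
import zlib
from urllib.parse import urlencode

# Constructed sample of a gateway's return-URL fields. The field names are an
# assumption for illustration, not CCAvenue's real parameter names.
GENUINE_RESPONSE = {
    "order_id": "INV-1001",
    "amount": "1499.00",
    "status": "Failure",
}

# Secret shared only by the merchant and the gateway (constructed value).
MERCHANT_SECRET = b"example-secret-do-not-reuse"

# Constructed stand-in for the gateway's own record of settled orders, queried
# server-to-server (the PayPal-style confirmation suggested in the thread).
GATEWAY_LEDGER = {"INV-1001": "Failure", "INV-1002": "Success"}


def canonical(params):
    """Serialise fields in a fixed order so signer and verifier hash the same bytes."""
    return urlencode(sorted(params.items())).encode()


def weak_checksum(params):
    """An error-detecting code (Adler-32 as a stand-in; the thread does not name
    the one in use). It involves no secret, so it detects accidental corruption
    but gives the verifier no evidence of who produced the message."""
    return format(zlib.adler32(canonical(params)) & 0xFFFFFFFF, "08x")


def verify_weak(params, checksum):
    return weak_checksum(params) == checksum


def sign_hmac(params, secret):
    """Message authentication code: only a holder of the secret can produce it."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def verify_hmac(params, tag, secret):
    # Constant-time comparison so the check does not leak the tag byte by byte.
    return hmac.compare_digest(sign_hmac(params, secret), tag)


def compare_verifiers(genuine, secret):
    """Return (checksum_accepts, hmac_accepts) for a response whose status was
    changed from the genuine value to 'Success' after the gateway produced it.

    The checksum verifier accepts, because the code can be recomputed for any
    message without a secret. The HMAC verifier rejects, because the altered
    message no longer matches the tag the gateway computed, and a fresh tag
    needs the secret that only the gateway and the merchant hold."""
    altered = dict(genuine, status="Success")
    checksum_accepts = verify_weak(altered, weak_checksum(altered))
    hmac_accepts = verify_hmac(altered, sign_hmac(genuine, secret), secret)
    return checksum_accepts, hmac_accepts


def settlement_confirmed(order_id, query_gateway=GATEWAY_LEDGER.get):
    """Independent confirmation: ignore what the browser-delivered response
    claims and ask the gateway directly over a channel the customer never
    touches. Ship only when this returns True."""
    return query_gateway(order_id) == "Success"


if __name__ == "__main__":
    print("checksum accepts altered, HMAC accepts altered:",
          compare_verifiers(GENUINE_RESPONSE, MERCHANT_SECRET))
    print("INV-1001 settled per gateway:", settlement_confirmed("INV-1001"))
    print("INV-1002 settled per gateway:", settlement_confirmed("INV-1002"))
```

The design point is that a checksum answers "was this message corrupted?" while an HMAC answers "was this message produced by someone holding the secret?"; only the second question is the one a merchant needs answered before shipping. The `settlement_confirmed` query is the belt-and-braces step for the case where the gateway's signature cannot be trusted at all: decide on the gateway's own server-side answer, not on whatever arrived through the customer's browser.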

------
niyazpk
Few more details here: <http://hackerstreet.in/item?id=6727>

~~~
skrish
This link seems to be broken. Could you pls check?

~~~
niyazpk
It is working for me. I tried in Firefox4, Chrome11, IE7 and IE8.

