[ic] authnet security risk?

Sach Jobb interchange-users@icdevgroup.org
Sat Feb 22 15:32:00 2003


> I have contacted Autnet about this. They said they ALWAYS only had ONE
> password, but I seem to remember there being two. Can someone confirm??

I implemented authorize.net in php on another site a year or two ago and
it only required one password (and of course the username) at that time,
so i think they are right about this. They have improved security a bit
with AIM by using a key/hash method, but that's just to verify the auth of
the transaction and i suppose does something against line sniffers too but
it's already SSL'd anyway.


> I am in the opinion my webserver should only have enough information to
> "send/clear" an order, and not the information to log into my merchant
> account and see/get everything, that could ruin a company (hold customer
> numbers for ransom like CDuniverse and egghead).

Hmm, well this is a HUGE discussion about the theory of web security in
relation to commerce, that could go on for a while and may or may not
belong here, but hey, here's my 2 cents:

I always thought the real solution here was a two login system. One login
that is only allowed from specified URL's on the webserver, and can do
nothing but POST the the request. These login credentials would be stored
on the webserver as they are now. This login CANNOT request information
from the payment gateway in anyway. It can only POST it's request, and
read the response code.

The second login you would use as an administrator to change
configurations, or rerun cards, etc. It would be an entirely different
login which could not post to the site at all, and of course, would not
exist in any form on the webserver.

This of course, in no way excuses administrators from not taking the
proper measures to ensure the security of their systems. You still store
lots of private information about your customers and have an obligation to
protect their privacy. This is not something you take care of once, and
then just forget about and move on. It is an ongoing process. Writing of
which, did you all notice that there was a new exploit found in SSL the
other day? Patchy patchy.


Cheers,
sach