Jump to content


  • Content count

  • Joined

  • Last visited

Profile Information

  • Real Name
    Steve Lim
  1. stevie0027

    Fraud Charge Attempts on Virtual Merchant

    Thanks Chris for your reply. Wow, that would be great if all we had to do is add SSL. We already have the standard 256 bit SSL cert installed in the webhosting server. The secure lock comes up on all of the sensitive pages (e.g. login, credit card entry, etc.). Is this the SSL you are talking about? Is there ANOTHER SSL that I need to look at that may block POST method data? Basically, the fraudulent person is creating a normal customer account in our system. He goes through the normal order checkout process and enters a credit card number. But instead of purchasing, he just grabs the critical merchant account info and then uses it in his own automated app to make repeated POST calls to Elavon website ( Virtual Merchant ). In fact, I just did a mock order and I am embarrassed to say that all sensitive data is there in the HTML source code even without having to make an order. Here is part of the code: <form name="checkout_confirmation" action="https://www.myvirtualmerchant.com/VirtualMerchant/process.do" method="post"><input type="hidden" name="ssl_merchant_id" value="987654"><input type="hidden" name="ssl_user_id" value="myuserid"><input type="hidden" name="ssl_pin" value="123456"><input type="hidden" name="ssl_amount" value="10.54"><input type="hidden" name="ssl_salestax" value="0.15"><input type="hidden" name="ssl_show_form" value="FALSE"><input type="hidden" name="ssl_card_number" value="4266000000000000"><input type="hidden" name="ssl_transaction_type" value="ccsale"><input type="hidden" name="ssl_exp_date" value="0216"><input type="hidden" name="ssl_invoice_number" value="29132"><input type="hidden" name="ssl_cvv2cvc2_indicator" value="Present"><input type="hidden" name="ssl_cvv2cvc2" value="000"> ....</form> I of course modified some of the data for this posting. So the three bolded parameters is all a perp needs to programatically make calls to the merchant processor server and see if the credit card numbers are valid or not. It just doesn't seem right that all of this data is made available in the html code. There has to be another way to hide this data. Of course the API docs from the merchant processor only mentions making this Post call. Aaargh! Steve
  2. I've had a merchant account fraud issue for a while now. I believe it is one individual or single organization due to similar fake accounts created in OSC. I believe the perp is in Malaysia. Two months ago, he would create a fake customer account (using our OSCommerce platform), then create a trial order with a real credit card number, then intercept it (or SNOOP) our merchant id and PIN info while our transaction page submits an HTTP POST to our merchant provider. He then used that info to make hundreds of automated stolen credit card number transactions of $1 or $0.01 each to determine if he can later use those numbers for fraud orders. It didn't matter that we changed the merchant id, PIN combo frequently as he would just create another online order and plug in those values in his routine. He would continue to do this on his own app since once he has the acct/PIN combo, no need to be on our site. I actually caught him in the act in real time I then decided to block all of Malaysia using DENY FROM statements in the .htaccess file. That worked for a couple of months. Now he has come back with a vengeance, with some sort of Spoofing tool to disguise the real IP address he is coming from with USA IP addresses. Everytime we add the address to .htaccess, he would instantly spoof to another IP address. Some friends suggested we look into Zen Cart as a possible remedy, but I'm not sure if that will solve the Snooping problem because Elavon (merchant processor) requires the following post url in every transaction: https://www.myvirtualmerchant.com/VirtualMerchant/process.do I have used Viaklix in the past and simply changed the post url to https://www.myvirtualmerchant.com/VirtualMerchant/process.do and it has worked. I was not able to successfully integrate ChargeIt. Would ChargeIt do a better job of hiding merchant info? Doesn't it also have the same post url that can be snooped? I have slowed him down by occasional changes to the Terminal PIN, deleting his OSC accts, etc but that doesn't help much. Has anyone experienced anything like this, and what was the resolution? I am considering having the customer go to myvirtualmerchant.com website to fill out credit card info but I'd rather keep them on my site. Advanced thanks for any help with this issue.
  3. I had the same issue so I called VM tech support. He said that even he was not able to change the CVV2 field to Required. Thus, he said that actually means that CVV2 IS ALWAYS REQUIRED. You can't turn it on or off. But my problem is I am still getting CVV2:N errors. I know the CVV2 is correct as I used it to manually enter in VM Credit Card Sale screen. I am using the Virtual_Merchant_Charge_It_1_2_3 package. In the osc admin screen, I tried with both True and False for the "Set CVV2 to Required" field. Any help would be appreciated.
  4. stevie0027

    viaKLIX and VirtualMerchant

    Clint, I just got off the phone with Nova and Costco Exec member services. You'll need to sign up for a new software account. Nova wants to charge existing viaklix users another up front fee to switch you over to MyVirtualMerchant. I was IRATE. I paid $179 exactly 1 year ago to sign up for viaKlix. Now, they want to charge more? Nova says they will likely offer a discount to existing members. I guess they don't understand keeping existing customers happy. I don't want to pay a DIME to change over. I am having some problems with viaklix and other users are too. That's why they are upgrading to the new site. But of course they want to pass the cost to current members. So I complained to the Costco member services. I say, the more complaints there are, the better chance we'll have a free upgrade. They are not even offering Viaklix to new users anymore. You're right, it looks like the post for the Myvirtualmerchant will be the same as viaklix (same parameter names, etc), but with a few different values like the Account ID and user key. Again, call Costco member services 800-220-6000 and let your voice be heard for a free upgrade! Thanks, Steve Lim promoframes.com