Strange Paypal payment - did customer change amount?


jeeper95


Hello,

I have the Paypal standard module installed for my website and have received correct payment and emails from Paypal previously. Recently, I received an email from Paypal that I have received payment of $0.02 USD, shipping included, from a buyer. The payment should have been closer to $115.00 USD. The customer account created, the verified address from Paypal, the IP address, phone number all checked out. After receiving this quirky payment I did another test purchase just to see how it went through to Paypal - the correct purchase and shipping amount was passed through on my test order. Anyone have any ideas how the purchase amount was possibly changed here?? <_<

Yes, I have heard of this before. I think hackers can change the end amount of payment using some JavaScript or something.


Sounds to me like he might have spoofed the transaction. I'd contact paypal and have them trace everything. Verify that the transaction he completed (for $0.02) originated from the IP of your shop, and follow the trail from there. Assuming that they maintain accurate logs and have the ability to check everything, they should be able to shed some light on the issue. Please post a followup if you find out anything from them.


Thanks for the info - was thinking along those lines too. I found this by doing a Google search - how the form amount can be changed at - http://www.softcoded.com/paypal/secure_paypal_ipn.php. Will contact Paypal and see if they can dig up any details on the transaction. I will post a followup if I find out anything.


Well, contacted Paypal and they were unable (or unwilling) to provide any details as to where the payment was initiated from. I've learned enough from Google searches that it was likely a querystring hack. I haven't been too concerned about Paypal since most of our payments are from credit cards, but sounds like it's wise to update to the Paypal IPN version at least. Thanks for your responses!


If Paypal IPN code has not been modified, it checks for the payment amount against order amount before setting order status for order paid.

Satish

Ask/Skype for Free osCommerce value addon/SEO suggestion tips for your site.

 

Check My About US For who am I and what My company does.


It is a hack and very easy to do. I had a developer friend show me how it's done. Takes seconds. I simply suggest that you cancel the transaction and contact the buyer, telling him that the transaction is suspicious and should they try to alter the amounts again you will contact their local law enforcement and report them for fraud.


  • 2 weeks later...
It is a hack and very easy to do. I had a developer friend show me how it's done. takes seconds.

http://www.youtube.com/watch?v=hTo-sX_qbi8...feature=related

*** I am more often on the French forum ***

ms2fr, Header Tags 2.5.5b, Order logging before payment, Better PayPal Description perso, Free shipping per product, Must agree to terms, Country State Selector, World Zones, Visible countries, Store Pick Up, several shipping modules, Personal Invoice Number, 'On the Fly' Auto Thumbnailer using GD Library, More_Pics_6 for 2.2 ms2, Ultimate SEO URLs 2-2.1d/e,Virement Bancaire, Estimated Shipping 1.5, xml_guide, SP+,Step By Step 1.8, Order Editor 2.6.3, Google Analytics, Dynamic Sitemap 2.0, OSC-Expeditor, Recover Cart Sales, Links Manager 1.15

local : linux 2.6 Fedora Core 3, server : APACHE 2.0.54, MySQL 4.1.18, php : 4.4.0 (on strike refuse to update)

remote : IcoOpenBSD 4.x, server : IcodiaSecureHttpd, MySQL 4.1.24, php : 4.4.9

 

You never get a second chance to make a first impression.


  • 1 year later...
  • 1 month later...

I know a payment form can be hacked. But IPN code checks for the invoice amount and the amount recd. If there is a difference then the order status will not get updated.

To further safeguard, use encrypted form so no one will be able to change the form details.

Satish
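
The check described in the post above (received amount compared with the order amount before the order is marked paid), written out as an added example; it is not part of the original posts and not the osCommerce PayPal IPN module's own code. It assumes the IPN message has already passed PayPal's postback verification, and the `$order` array shape and both function names are hypothetical.

```php
<?php
// Added example, not osCommerce or PayPal code. Assumes $ipn is the POSTed
// IPN message after it has already passed PayPal's postback verification,
// and $order is the shop's own stored record of the order (hypothetical shape).

function to_cents(string $amount): ?int
{
    // Accept only plain decimal amounts such as "115.00"; reject anything else.
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $amount)) {
        return null;
    }
    [$whole, $frac] = array_pad(explode('.', $amount), 2, '0');
    return (int)$whole * 100 + (int)str_pad($frac, 2, '0');
}

function ipn_mismatches(array $ipn, array $order, array $seen_txn_ids): array
{
    $problems = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $order['merchant_email']) !== 0) {
        $problems[] = 'paid to a different account';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $problems[] = 'currency differs from order';
    }
    $paid = to_cents($ipn['mc_gross'] ?? '');
    if ($paid === null || $paid !== to_cents($order['total'])) {
        $problems[] = 'amount differs from order total';
    }
    if (in_array($ipn['txn_id'] ?? '', $seen_txn_ids, true)) {
        $problems[] = 'transaction id already processed';
    }
    return $problems; // empty array means the order may be marked paid
}

// Constructed sample modelled on the thread: order for 115.00 USD, 0.02 received.
$order = ['total' => '115.00', 'currency' => 'USD', 'merchant_email' => 'shop@example.com'];
$ipn = ['payment_status' => 'Completed', 'receiver_email' => 'shop@example.com',
        'mc_currency' => 'USD', 'mc_gross' => '0.02', 'txn_id' => 'CONSTRUCTED-TXN-1'];

$problems = ipn_mismatches($ipn, $order, []);
echo $problems ? 'HOLD: ' . implode('; ', $problems) : 'OK: mark order paid', PHP_EOL;
```

The order total and currency are read from the shop's own database record, never from values that travelled through the buyer's browser.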
