Changes between Initial Version and Version 1 of Ticket #1, comment 67


Timestamp:
14 Dec 2022, 12:28:58
Author:
benedict emenaogu
Comment:

  • Ticket #1, comment 67

initial → v1

> However, the GET method below can be used by any person in the www. So everybody can call the gettransaction function. The merchant code is public. The transaction id is computed by Kofa and is more or less a time stamp. Thus a bot can easily find out how much money has been transferred by Interswitch to the Big Tent Foundation. This is not secure at all.

initial:
"i can understand your issue with this although i am looking for an alternative"
response from the Implementation engineer.

v1:
"i can understand your issue with this although i am looking for an alternative"
The Implementation engineer's response.

He also went on to confirm that the "Confirm WebCheckout Transaction" is just to confirm transaction status and that it doesn't have any sensitive information that can be used against us, and that it should be called from the backend.
He said the "Confirm WebCheckout Transaction" performs the same function the "Requery CollegePAY History" button does,
and that our payment item id is not part of the request and without it no one can use our gateway.
He suggested that we don't make the call from the front end.

I then made him understand that it is visible to everyone and can be used by a BOT or other malicious intruders, and also asked him the following questions:
1. What if the call is made from the front end? Will it not spool amount and trans_ref from the customer's transaction?
2. What do you mean by "but your payment item id is not part of the request and without it no one can use your gateway"?

He answered by saying that "the only information there would be merchant code" and asked
"what can a malicious entity use that for?"

answer 2. "i mean that for someone to make a call to use your payment gateway they need payment item id and it is not a part of the get transactions call.

however there is if i use your gateway to collect money elsewhere it will be settled to you.
your concern with the platform is safety and i am telling you that the information that is sent and received as the information therein are merchant code, transaction reference and amount"

I asked him if it is possible for this "GET transaction" to be secured with a keyed-hash message authentication code (MAC), as we earlier mentioned?
He said it is not possible.

I then inquired about the other alternative he said he is looking for.
"what i was looking into doesn't work this is the way that works today
if an update is made we will update you guys" was his response.

Regards,
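Added example, not code from the ticket, Interswitch or Kofa: what the keyed-hash MAC asked for in the comment could look like on a transaction status lookup. The query parameter names, the shared secret, the timestamp field and the sample values are all assumptions; the point is that a lookup carrying only a public merchant code and a guessable transaction id is rejected unless it also carries a tag that only the merchant backend can produce.

```python
import hmac
import hashlib
from urllib.parse import parse_qs, urlencode

# Constructed demo secret (assumption): in practice it is provisioned out of band
# to the merchant backend only and is never shipped to the browser.
SHARED_SECRET = b"constructed-demo-secret"
MAX_SKEW_SECONDS = 300  # a captured signed lookup cannot be replayed much later


def canonical(merchant_code: str, transaction_id: str, timestamp: int) -> bytes:
    # Fixed field order and separator so both sides MAC exactly the same bytes.
    return f"{merchant_code}|{transaction_id}|{timestamp}".encode()


def sign_lookup(merchant_code: str, transaction_id: str, timestamp: int,
                secret: bytes = SHARED_SECRET) -> str:
    """Merchant backend builds the status-lookup query and appends an HMAC-SHA256 tag."""
    tag = hmac.new(secret, canonical(merchant_code, transaction_id, timestamp),
                   hashlib.sha256).hexdigest()
    return urlencode({"merchantcode": merchant_code, "transactionid": transaction_id,
                      "ts": timestamp, "mac": tag})


def verify_lookup(query: str, now: int, secret: bytes = SHARED_SECRET) -> bool:
    """Gateway side: accept only fresh, correctly tagged lookups."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    try:
        merchant_code = params["merchantcode"]
        transaction_id = params["transactionid"]
        ts = int(params["ts"])
        tag = params["mac"]
    except (KeyError, ValueError):
        return False  # unsigned or malformed: the bare GET the ticket complains about
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale tag, so an old query cannot be replayed
    expected = hmac.new(secret, canonical(merchant_code, transaction_id, ts),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; the tag is bound to merchant code, id and time, so
    # changing the transaction id (enumeration) invalidates it.
    return hmac.compare_digest(expected, tag)
```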