Magento Forum

Beware of some payment extensions
 
MathieuF
Sr. Member
 
Total Posts:  141
Joined:  2009-03-12
Montreal, Canada
 

I bought an extension in June 2009 to handle payments on my website. As no extension exists to handle payments with Chase Paymentech, I searched online and found only one developer selling the extension, which I bought.

I realized last week the extension was not coded properly and could not handle security verification, such as verifying the billing address and the CVV2 code! I realized this after 4 transactions that were in dispute with Visa were withdrawn from my bank account. All four of these transactions were made within a one-month time frame and were addressed to 2 different addresses.

The extension in question marks the transaction as successful when the credit card number exists. It is completely bypassing the address validation and CVV2 validation!

This resulted in a loss of 2000$ as we shipped the goods before the dispute was made to Visa.

Visa says it is our fault, which I can’t completely disagree with, and the police say we will never see our money (or goods) again.

So, beware of the extensions you buy when they deal with such a critical component of your e-commerce platform. I will not recommend buying the extension from this vendor; I’m thinking about releasing the modified version of the extension myself.
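The flaw described in the post above, shown as an added example that is not part of the original thread and is not the extension's code: an approval decision that looks only at card acceptance, beside one that also requires the address (AVS) and CVV2 results. The field names `approved`, `avs_result`, `cvv_result` and their values are hypothetical normalized names chosen for illustration, not the Chase Paymentech response format, and the sample responses are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: the payment module has already parsed the gateway reply into
// these hypothetical normalized fields: 'approved', 'avs_result', 'cvv_result'.

// Behaviour described in the post: card acceptance alone marks the order paid.
function decideNaive(array $resp): string
{
    return !empty($resp['approved']) ? 'capture' : 'decline';
}

// Hardened: approval is necessary but not sufficient, and a missing or
// unknown AVS/CVV2 result fails closed instead of being treated as a pass.
function decideStrict(array $resp): string
{
    if (($resp['approved'] ?? false) !== true) {
        return 'decline';
    }
    $avs = $resp['avs_result'] ?? 'MISSING';
    $cvv = $resp['cvv_result'] ?? 'MISSING';

    if ($cvv !== 'MATCH') {
        return 'decline';            // wrong or unchecked CVV2 never ships
    }
    if ($avs === 'MATCH') {
        return 'capture';
    }
    if (in_array($avs, ['PARTIAL', 'UNAVAILABLE'], true)) {
        return 'review';             // hold the order for manual verification
    }
    return 'decline';                // NO_MATCH, MISSING, or any unknown value
}

// Constructed sample responses (not real gateway output).
$samples = [
    'all checks pass'      => ['approved' => true, 'avs_result' => 'MATCH',    'cvv_result' => 'MATCH'],
    'address mismatch'     => ['approved' => true, 'avs_result' => 'NO_MATCH', 'cvv_result' => 'MATCH'],
    'CVV2 mismatch'        => ['approved' => true, 'avs_result' => 'MATCH',    'cvv_result' => 'NO_MATCH'],
    'partial address'      => ['approved' => true, 'avs_result' => 'PARTIAL',  'cvv_result' => 'MATCH'],
    'checks never reported' => ['approved' => true],
];

foreach ($samples as $label => $resp) {
    printf("%-22s naive=%-8s strict=%s\n", $label, decideNaive($resp), decideStrict($resp));
}
```

When auditing a payment extension, the thing to look for is the equivalent of `decideNaive`: an order-status update that depends on a single approval flag while the AVS and CVV2 fields of the reply are never read.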

 
 
Ebuntu
Sr. Member
 
Total Posts:  245
Joined:  2010-06-16
Denver, CO
 
MathieuF - 13 November 2010 04:38 PM

I realized last week the extension was not coded properly

I am sorry to hear about your loss. $2000 is a lot of money, especially these days.

The fact of the matter is that the vast majority of commercial and free extensions are poorly coded and insecure. Yet, Magento, Inc. promotes all these extensions.

I posted several postings telling Magento users to be aware of the fact that many extensions are poorly coded and insecure. I think many people will ignore these warnings and hope nothing will happen to their stores. But, when it does, it is too late.

 
 
edmondscommerce
Guru
 
Total Posts:  342
Joined:  2008-08-26
 

Please do highlight any extensions that you know to be insecure.

If they are currently in Connect and your security issue is verified then I am sure Varien will take that one down ASAP.

This is the benefit of open source code - we should all be helping to verify the available code and improve upon it, fix bugs, highlight security issues etc.

As for the “vast majority” I’m not sure about that, but let’s see - please can you name and shame some insecure extensions and let’s take it from there.

 