
security exploit in PayPal Payflow Pro payment gateway

MiltonStone

Apr 11, 2009
I am a customer of the Payflow Pro payment gateway. Originally I was a user of the Payflow Link gateway from 2002, but then in 2009 I upgraded to Payflow Pro, as I saw the Payflow Link gateway was very insecure and too easy to exploit. The Payflow Pro gateway is a little better, as it incorporates a transaction password and some other security settings like allowed IPs etc. So I thought it would be a safe payment gateway to use.


Then last month I received over 21,000 fraudulent transactions through my Payflow Pro account. Someone was using my merchant account to test if credit cards were valid. But this shouldn't have been possible, as with the Payflow Pro gateway you need to have the transaction password and also the transaction can only originate from your own server (if you set the IP restrictions properly). For the 21,000 fraudulent transactions we ended up getting charged nearly $9,000 in transaction fees (usually around $0.35 per transaction, both valid and declined). In addition to this I could face $175,000 in chargeback fees if every person filed a chargeback (luckily my merchant account processor later agreed to waive chargeback fees).


What surprised me was that for the 7,000 successful transactions, I received 7,000 email receipts sent from the PayPal servers. The receipt was in the same format as the old PayFlow Link email receipts (Payflow Pro does not produce an email receipt of any kind when a transaction is completed). So immediately I knew there was someone using the Payflow Link gateway to submit these transactions, even though I wasn't a customer of the Payflow Link gateway. Also the return address of the email receipt was an old email I had not used in over 2 years, which I previously used in my old Payflow Link account.


I spent days and days trying to communicate with people at PayPal, and they all denied there was any problem. They said all the transactions had been done through my Payflow Pro account and I was to blame for not keeping my security up.


I did some more testing, and figured out that my old Payflow Link account must still be in their systems, even though it didn't show up in my Payflow Manager control panel, and was supposed to have been deleted. The email receipt contained "from" and "cc" headers that could only have come from my old Payflow Link configuration data. So I logged into PayPal Manager, and then manually rewrote the URL in the address bar, pasting the old configuration page for PayPal Payflow Link. As a former user of Payflow Link I knew the URL for the configuration page, even though it doesn't show up anywhere in my PayPal Manager (as I am now only a Payflow Pro customer).


As I thought, it took me to a hidden configuration page for Payflow Link, even though I wasn't a customer of this payment gateway. I saw all the old configuration data I had used two years before when I was a Payflow Link customer. The from header, the email receipt text, the URL to return POST variables to, everything was still there in their database and hadn't been deleted. I could even access this data despite the fact that I was no longer a customer of Payflow Link. Actually, nothing in PayPal Manager is coded securely, so if you know the URLs to anything, you can access them just by pasting the URLs in the address bar, even if you are not subscribed to that feature. For example if you paste in the URL for Recurring Payments, you will be taken to the control panel for that even if you aren't subscribed to that service. There were a lot of other security exploits I found in their system while I was investigating the source of these fraudulent transactions.


Looking at the fraudulent transactions in PayPal Manager, the Client IP showed that the IP address of all the transactions came from a PayPal server, not my own server as would be the case with Payflow Pro transactions. This is the same PayPal IP that is recorded for all Payflow Link gateway transactions. I pointed this out to PayPal support, and rather than accept this, they replied that someone must have logged in to my PayPal Manager and manually entered the 21,000 transactions in the transaction terminal. It was basically clear that the support staff wasn't even trying to listen to what I was saying or the evidence I was providing them. Most of the time I was communicating with someone named Lisa Saarela who is a "Strategic Account Manager" according to some webpages on Google.


I sent them screen shots of me accessing the hidden Payflow Link configuration page, which I was not even a customer of. They just ignored it. I showed them copies of the 7,000 email receipts with full headers, and they replied that the emails didn't originate from a paypal server, but came from a yahoo server because the from address said [email protected]. I tried explaining to them that their system rewrites the from header so that it appears the email originates from the merchant, and not from PayPal, and if they looked at the full header they could see the IP address of PayPal's server (outbound1.den.paypal.com [216.113.188.96]) as the source. Again the support staff had no clue about their own system, nor of how their payment gateway functioned. There is a configuration setting in the Payflow Link configuration page where you enter the "from address" you want the email to appear to come from. Still these clueless PayPal staff insisted the emails were actually being sent from my yahoo account!


Finally I got to testing my Payflow Pro login ID with the old Payflow Link gateway (using a simple html "form" with my login ID). Surprisingly I was taken to a Payflow Link page to enter my credit card details, and at the top was my old business logo which I hadn't used in two years, and which was still being saved in the PayPal database even though I wasn't a customer of Payflow Link. I entered my credit card details to do a test transaction through the Payflow Link gateway and the transaction was successful. I then checked my Payflow Pro manager page and the transaction had been recorded in my PayFlow Pro account, but had been submitted through the insecure Payflow Link gateway, which I wasn't even a customer of.


Payflow Pro requires a transaction password to submit any transaction, and also uses security settings so you can limit transactions to particular IP addresses. The Payflow Link gateway does not incorporate these security settings. So even though I was only a customer of the secure Payflow Pro gateway, anyone could bypass my Payflow Pro transaction password and IP security settings and submit transactions through the Payflow Link gateway.


This is what the fraudster had done when he submitted 21,000 transactions through the Payflow Link gateway, which got recorded on my Payflow Pro account.


Since I was a Payflow PRO customer this should be impossible. Transactions should require the transaction password, and the transactions should only be able to be submitted from our server (as we have added IP security in the configuration settings of paypal manager).


I again brought my findings to the attention of the PayPal representative (Lisa Saarela ), giving them the html code which I used to submit a transaction through the Payflow Link gateway, and showing a screen shot of my successful transaction. The following is the simple code to submit transactions:

Code:

The lady replied "This transaction is recorded in your PayPal Pro account, so it was submitted through the Payflow Pro gateway, not the Payflow Link gateway." I showed the screen shot and circled the parts of the page that said "payflowlink.paypal.com", etc., and she ignored everything and just denied that it was submitted through the Payflow Link gateway.


Lisa Saarela


"This account was activated in 2003 and is a Payflow Pro account. Your test transaction is on the Payflow Pro account. See below: So the account login xxxxxxxxxxx is a Payflow Pro account."


I replied to her:


"Thank you for writing. The transaction shows up on the Payflow Pro manager, but I submitted it through the Payflow LINK gateway (and the recorded Client IP address also matches the Payflow LINK system). That is why I am saying there is an exploit in your payment gateway. Attached is a simple Payflow Link HTML submit form (which, if you are familiar with the Payflow Link system, doesn't use any transaction password or other security features of Payflow Pro). Just click the submit button and it takes you to the Payflow Link payment gateway using my login ID ("xxxxxxxxxx") and the Payflow Link transaction URL ("https://payflowlink.paypal.com"). Even though I don't have a Payflow Link account, anyone can bypass the Payflow Pro security and submit transactions to my Payflow Pro account by using the Payflow Link payment gateway. This is exactly what the fraudster did to submit 21,000+ fraudulent transactions to my account. It is a security exploit in your payment gateway, not due to any negligence on our side. Please review this simple HTML file and test it yourself and see that transactions are processed by the Payflow LINK gateway (bypassing all security) and recorded in my Payflow Pro account."


Finally someone from the technical department informed her it had been submitted through the Payflow Link gateway, and she replied to me, in these exact words:


Lisa Saarela


"I am out of the office today. However- The Payflow Link code will work with Payflow Pro and the Payflow Pro API will work with Payflow Link."


Rather than admit it is a flaw in the PayPal Payflow payment gateway, she replies that it is an undocumented feature and is functioning as planned. She said both the Payflow Pro and Payflow Link accounts should be able to process through each other's payment gateways interchangeably. I replied quoting from the documentation of both gateways, which makes it clear the Payflow Pro account should only be able to process through the Payflow Pro gateway using the required API, and it will not work through the Payflow Link gateway using a simple HTML form submission. Furthermore, what would be the point of a transaction password in a Payflow Pro account if anyone could bypass it and submit transactions through the insecure Payflow Link payment gateway?


Again I was ignored and then she tried passing the blame on to me asking how someone got my login username (the login ID is visible in the plain html of webpages, so anyone could have seen it):


Lisa Saarela


"The account was updated back on 2/23/09 from Link to Pro. It is currently a pro account. This is considered a legacy account since it comes from the old Verisign days. VeriSign owned the Gateway before PayPal purchased it. On legacy accounts – merchants who upgraded accounts from Link to Pro still have the ability to send a transaction through Link HTML coding. Your account is secure unless you were to share your login information with someone else etc. I also see you posted a blog on our x.com site. If you believe a fraudster accessed your account can you tell me how they obtained the Login ID and Partner information?"


I replied to her:


"Thank you for replying. The Log in ID and Partner ID for payflow link accounts are available in plain HTML code, viewable to anyone on the internet. Google and other sites such as Internet Archive: Wayback Machine archive many web pages with their original html code for years. It is very easy for someone to get these details as it is present in the plain html code. Up till 2/2009 we used Payflow Link, so anyone could have found the code directly from our site at that time as well.


It is unfortunate that rather than admitting it is a security flaw in your old "legacy" accounts, you want to pretend it is an undocumented "feature" of old accounts. Why is this not documented? Why were we never informed that this risk still existed. Why do we not have access to a LINK configuration page so we could update the configuration data in this account which contains outdated data from years ago? If it is really a feature then we should have access to configure it. You want to pretend this is an undocumented feature, when in fact it is just a security exploit.


It is definitely unfair how you are dealing with us, since we have been a good customer for 9 years, but PayPal is a big company and won't care about a single customer regardless of how many years we have been with you."


In response to this she copied some text she obviously got from the tech department, which I had just told her as well, and which actually answers her own question:


Lisa Saarela


"Also note – if you are using the Link code on your sites then all someone would need to do is click the view source link on the site where the button is. The password is not required to create a Payflow link button."


So first she blames me for allowing someone to get my login ID, and then in the next email she warns me that anyone can find out my login ID by viewing the html of my website. These people are ridiculous.


Finally at this point someone from PayPal Merchant Technical Support replies confirming it was a bug in their system, so I send her another reply:


Merchant technical services admits this is a security exploit they are working to resolve (from my ticket to PayPal merchant services technical support):


Response Arthur 12/31/2010 10:34 AM


Thank you for contacting PayPal’s Merchant Technical Services.


This is a known issue that our developers are working to resolve. At this time, I unfortunately, do not have a timeframe as to when this issue will be resolved. You will be notified as soon as it is. I apologize for the inconvenience.


Merchant Technical Services


PayPal, an eBay Company


Now that it is known that it is a security exploit and they are "working to resolve it", my main concern is in regards to the $9,000 in transaction fees I will be charged for the 21,000+ fraudulent transactions which were submitted through this security exploit, bypassing my Payflow Pro transaction password and the IP security settings in PayPal Manager. Also there is a potential $20,000 in chargeback fees that I will face, all because of a security exploit in your payment gateway. We are just a tiny one-man company. These types of losses will put us out of business, for no fault on our part. We have been a faithful customer with you, using the Payflow gateway for nearly 10 years through your partner Wells Fargo Bank. Even though Wells Fargo has been charging us 2.9% when all other merchant accounts have offered us 2.2%, we still stayed with them because we are faithful customers. We never even asked them to lower our rates. But when we are put into a serious problem because of a security exploit in your system, neither PayPal nor Wells Fargo Bank wants to admit it is their fault and help us like they should.


Just to get PayPal to admit this security exploit existed took 15 days of writing emails every single day to multiple departments. The right thing to do would be for PayPal and Wells Fargo Bank to take responsibility for the losses and not charge us transaction fees for fraudulent transactions that exploited your payment gateway's security flaws. For PayPal and Wells Fargo these expenses are nothing, but for a tiny one-man business, it will put us out of business.


You should be happy that I spent so much time to identify this exploit, when your own technical staff was unaware of it and couldn't identify it. In addition to this exploit I found another 6 exploits which are unrelated, so I avoided bringing them up. The point is the Payflow "legacy" accounts are completely outdated, insecure, and not being maintained by your technical team.


It is not fair for PayPal and xxxxxxx to punish their loyal long term customers for security exploits in their own payment gateway, especially when that payment gateway is basically falling apart and no longer being maintained. Half the links in the PayPal manager go to page not found errors.


Sincerely,


After seeing their reply she says:


Lisa Saarela


"Our billing department is reviewing the transactions now and determining how much to refund you. We always refund transaction fees for carding instances. I will pass more along when I have it."


But rather than admit it was a security exploit in their payment gateway, she tries to pretend it was just a common case of "carding", and they are doing me a favor by removing the few cents in gateway fees they charge. But the problem is the real transaction charges add up to around $9,000, and these are the fees charged for authorization, AVS, etc., not the few pennies that make up the gateway fees. So I write her again asking her to clarify what fees she will be refunding:


Thank you for replying. Our real concern is in regards to the complete transaction fees for processing the credit cards (around $0.35 per transaction), and not just the gateway fee that PayPal usually deals with, which is only a small portion of the fees. So could you be clear as to what PayPal is going to refund. If it is just the gateway fee then I will need to contact xxxxxxx to sort this out before the fees get levied on the 12th.


Again this isn't just a case of carding, where we would be responsible. This is a case of a security exploit in your payment gateway, which makes PayPal responsible for these transactions.


Thank you for your help.


In response she tells me I should contact Visa and Mastercard and ask them to refund the charges to me, as they took the money. In her view PayPal has no responsibility for this mess at all, even though it was all because of a security exploit in their payment gateway. In the entire correspondence, which went over a month's span, she would not once admit any fault on the part of PayPal, or admit there was any mistake on their side.


Lisa Saarela


"Hello, the processor authed the transactions and is the one charging the .35 fee so they should credit you just as PayPal will credit our fees. Please note I am not your Account Manager but manage and work with xxxxxxxxxxx. xxxx or xxxxx can you please respond to the merchant. Thank you"


So basically she wants me to pay the $9,000 in transaction fees myself, and refuses to accept any responsibility for the security exploit in PayPal's payment gateway.


I reply one more time to her:


"Thank you for writing.


You seem to be overlooking the fact that these fraudulent transactions were only possible because of a security exploit in the Payflow Pro gateway. PayPal is liable for this, not myself, or Wells Fargo, or the merchant processor. The right thing to do would be for PayPal to admit these fraudulent transactions occurred solely because of a security exploit in their payment gateway, and then accept responsibility for the losses. But after talking with PayPal for a month, I can see you will not admit any fault, even though your technical support has already confirmed it was a security exploit that they were working to fix."


At this point I got another reply from PayPal Merchant Technical Support (who seemed much more honest than these account manager types at PayPal):


Response Eric F 01/07/2011 09:11 AM


Hi,


In regards to this issue, it was bug on our end which we appreciate that you brought it to our attention, we have now resolved the bug and fixed this issue on our end.


Thank you for your patience.


Sincerely,


Eric F


Merchant Technical Services


PayPal, an eBay Company


So again the technical support admits it was a bug in their system which results in these 21,000 fraudulent credit card transactions. So I write once again to the lady at PayPal:


And here is the latest answer i just got from paypal merchant technical support, confirming it was a bug in your system. It was a security exploit which I helped you by identifying when your own staff couldn't identify it. But this entire time you pretended there was never a security fault in your payment gateway, and you want to pass all losses on to me. PayPal MTS Ticket number 101231-000050:


Response Eric F 01/07/2011 09:11 AM


Hi,


In regards to this issue, it was bug on our end which we appreciate that you brought it to our attention, we have now resolved the bug and fixed this issue on our end.


Thank you for your patience.


Sincerely,


Eric F


Merchant Technical Services


PayPal, an eBay Company


So because of a bug on PayPal's end which allowed a security exploit in your payment gateway, I will now have to pay $9,000 in transaction fees. Rather than honestly passing this information up to your superiors (who could then sanction a credit), you withhold that information from them and pretend there was never a fault in your payment gateway.


She replies with a single line of text:


Lisa Saarela


"A bug is different than a security issue."


So again, she refuses to accept any responsibility for this security exploit which will cost us $9,000. To her it was only a bug, but that bug allowed someone to bypass my Payflow Pro transaction password and security settings, and submit transactions through a payment gateway (Payflow Link) I was not a customer of! But in her eyes it wasn't a security exploit, but only a "bug". At least at this stage they have admitted it was a bug in their system. That's what I get for one month of daily writing to multiple departments. But still they won't do anything about it.


At this point, again the technical team replied to assure me it wasn't a security exploit, it was just a bug:


"Response Eric F 01/07/2011 09:50 AM


Hi,


In regards to this issue there was no security exploit, the issue is that when your account was upgraded from Payflow Link to Payflow Pro, there was a bug which allowed your account to still process as Payflow Link and as stated we have since fixed this bug to not allow this to happen again.


Thank you for your patience.


Sincerely,


Eric F


Merchant Technical Services


PayPal, an eBay Company"


So in their eyes it was only a bug, not a security exploit. The fact that this bug allowed someone to completely bypass my Payflow Pro security settings and transaction password, and submit transactions through a payment gateway I wasn't a customer of (the Payflow Link gateway), doesn't constitute a security exploit. How many other people's accounts also have this bug? While investigating this I located many other security exploits in the Payflow Pro and Payflow Link gateways, but there is no point in telling them, as they aren't even serious about listening when you talk. I took a lot of trouble to identify this exploit, when they couldn't identify it themselves. Rather than thank me, they want to put me out of business by passing all these charges on to me. I am sure they pay testers much more than what I will lose due to this fraud. Those testers couldn't find this exploit. Rather than do the right thing and absorb the losses they caused, they want me to go bankrupt and out of business. That's after I have been their customer for nearly 10 years.


As a side note, if you are using either of these two payment gateways, change quickly. I haven't mentioned the other exploits I found, but the fact is these two payment gateways are so insecure, any competitor can put you out of business in a few days by racking up tens of thousands of dollars in transaction charges on your merchant accounts. They don't even need valid credit card numbers to hurt you. They can use 41111111111111, and put through 20,000 transactions and you will be out $9,000. They can completely bypass your security settings and PayPal will just blame you, even though it is because of their own bad programming. They don't even need to access your server to do any of this.
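As an added example (not part of MiltonStone's post and not PayPal code), the following Python script applies the three signals the post relies on to a transaction export: transactions whose Client IP falls outside the merchant's own server range (which Payflow Pro with IP restrictions should make impossible, and which a gateway-hosted Payflow Link submission produces), the per-minute transaction velocity, and the decline ratio among the foreign-origin rows. Together these are what distinguish card testing from ordinary traffic and are the evidence a merchant would bring to a dispute. The column layout, the allow-listed CIDR, the thresholds and every row of the export are assumptions; the sample data is constructed and uses documentation address space.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample export (not real PayPal Manager data). The column layout
# is an assumption: timestamp, client_ip, amount, result, card_last4.
# The first three rows are ordinary sales from the merchant's own server; the
# rest are a 23-second burst of $1.00 authorisations from another host.
SAMPLE_EXPORT = """\
2010-12-03 09:15:02,203.0.113.10,49.00,approved,1234
2010-12-03 10:40:11,203.0.113.10,120.00,approved,5678
2010-12-03 14:02:45,203.0.113.10,49.00,declined,9012
2010-12-04 02:00:01,198.51.100.7,1.00,declined,0001
2010-12-04 02:00:03,198.51.100.7,1.00,approved,0002
2010-12-04 02:00:05,198.51.100.7,1.00,declined,0003
2010-12-04 02:00:08,198.51.100.7,1.00,declined,0004
2010-12-04 02:00:12,198.51.100.7,1.00,approved,0005
2010-12-04 02:00:15,198.51.100.7,1.00,declined,0006
2010-12-04 02:00:19,198.51.100.7,1.00,declined,0007
2010-12-04 02:00:24,198.51.100.7,1.00,approved,0008
"""

# Hypothetical allow-list: the only hosts that should ever originate a
# Payflow Pro transaction (documentation address space, not a real merchant).
MERCHANT_CIDRS = ["203.0.113.0/24"]


def parse_export(text):
    """Turn the comma-separated export into a list of typed rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, amount, result, last4 = line.split(",")
        rows.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ip": ip_address(ip),
            "amount": float(amount),
            "result": result,
            "last4": last4,
        })
    return rows


def foreign_origin(rows, cidrs):
    """Rows whose Client IP lies outside every allowed merchant range.

    With Payflow Pro plus IP restrictions nothing should land here; a
    gateway-hosted form submission is recorded with the gateway's own IP.
    """
    nets = [ip_network(c) for c in cidrs]
    return [r for r in rows if not any(r["ip"] in n for n in nets)]


def peak_burst(rows, window=timedelta(seconds=60)):
    """Largest number of transactions whose timestamps fall inside one window.

    Two-pointer sweep over sorted timestamps; returns (window_start, count),
    or None for an empty input.
    """
    times = sorted(r["time"] for r in rows)
    best = None
    j = 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        count = j - i
        if best is None or count > best[1]:
            best = (start, count)
    return best


def decline_ratio(rows):
    """Share of declined rows; card testers burn through many bad numbers."""
    if not rows:
        return 0.0
    return sum(1 for r in rows if r["result"] == "declined") / len(rows)


def triage(text, cidrs, burst_threshold=5):
    """Summarise the signals a merchant would take to the gateway or processor."""
    rows = parse_export(text)
    foreign = foreign_origin(rows, cidrs)
    peak = peak_burst(rows)
    peak_count = peak[1] if peak else 0
    return {
        "total": len(rows),
        "foreign_count": len(foreign),
        "foreign_ips": sorted({str(r["ip"]) for r in foreign}),
        "foreign_decline_ratio": decline_ratio(foreign),
        "peak_per_minute": peak_count,
        "suspect": bool(foreign) or peak_count > burst_threshold,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EXPORT, MERCHANT_CIDRS).items():
        print(f"{key}: {value}")
```

On the constructed export, every row of the burst is flagged as foreign-origin, the peak velocity is eight transactions in one minute, and five of the eight foreign rows are declines; any one of these would justify pulling the gateway's Client IP log before accepting a "carding, your fault" verdict.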
 
Thank you for sharing, interesting information you posted here!
 