TriniTronic's Nice Community

[nolik]

I’d like to find out the level of security connection to PayPal servers.

1. Is it https protocol?
2. Is it possible for hackers to substitute ID of my PayPal account with they PayPal ID, so my customers will pay to a different PayPal account?

I appreciate your comments.
Thanks.

[Michael]

HI,

Thanks for the inquiry. I appreciate it.

1. Is it https protocol?

All monetary transactions take place on PayPal's secure checkout server. So, there is no need to worry about https or an SSL Certificate. PayPal takes care of all the security for you.

2. Is it possible for hackers to substitute ID of my PayPal account with they PayPal ID, so my customers will pay to a different PayPal account?

This is not possible unless a hacker gains administrative access to your Joomla website. In which case, you have much bigger problems to worry about, like regaining control of your Joomla website. I have never heard of something like this happening. The best defense is to use a strong username and password for your Joomla administrative page.

~ Best regards

[nolik]

1. Is it https protocol?
All monetary transactions take place on PayPal's secure checkout server. So, there is no need to worry about https or an SSL Certificate. PayPal takes care of all the security for you.

Thank you for the comment. It helped a lot. I appreciate if you clear the last point for me:

I checked html code of PayPal buttons available from PayPal directly. It use https addresses.

1. If I installed “Nice PayPal Downloads Extension”, then PayPal button still use https address? If not, can I correct HTML code to https?

I’m opinionated, sorry for that.
Thanks

[Michael]

Hi,

Yes, the extension creates buttons that send the buyer to this URL https://www.paypal.com/cgi-bin/webscr. You will see that the URL is indeed a https based URL. So, the buyer's transaction will be secure.

~ All the best

[nolik]

Well Michael,
I just purchased and installed “Nice PayPal Downloads”.
I did everything by the book.

Now I got this message from PayPal:


What is wrong?
Thanks for the support.

[nolik]

I’ve studied PayPal documentation and discovered that I have to encrypt buttons I use on my website by myself. They commented that original PayPal buttons already encrypted:
https://www.paypal.com/us/cgi-bin/websc ... /ewp-intro

But if I use my custom buttons, then I have to download a certificate and encrypt my buttons. Then I got link to a developers corner:
https://cms.paypal.com/us/cgi-bin/marke ... nload_sdks

Thus, is there a chance to send ENCRYPTED data from my site (Nice PayPal Download Button) to PayPal site?
Thanks

[Michael]

Hi nolik,

This is not a problem. There is a setting in your PayPal account that you need to change to disable the error message. Follow the steps below.

1. Log in to your PayPal account
2. Go to Profile>>My selling tools
3. Find "Website preferences" and click the "Update" link
4. On the Website Payment Preferences page find the section for Encrypted Website Payments
5. Select Off for the "Block Non-encrypted Website Payments" setting
6. Click the Save button at the bottom of the page
7. Done!

After you have changed your settings, encrypted payments will still work, but they will not be required.

Let me know if you need additional assistance.

~ Best regards

[nolik]

Hi nolik,
Let me know if you need additional assistance.
~ Best regards

Michael, Thank you for support.
I solved the issue by lowering security settings as you mentioned.

I appreciate your comments on:
1. The encryption of PayPal.Button on my side does not exist. So, as far as I understand it, the data from my site to PayPal site goes opened without encryption?
2. As far as PayPal.Button does not encrypted, how it could affect the security of transaction in general?
3. Which folders involved in “Nice PayPal Downloads” activity I have to secure with server based security methods (password, IP or smth.) in order to prevent PayPal e-mail login substitution?

Thank you for the support.
Ilya.

[Michael]

Hi Ilya,

It is interesting to see someone so concerned about security. PayPal has a pretty good system and most folks don't give it a second thought. One vote of confidence for the Nice PayPal Downloads security is that I have been using it on my site for the over two years or so. I have not had any security issues to my knowledge.

1. The encryption of PayPal.Button on my side does not exist. So, as far as I understand it, the data from my site to PayPal site goes opened without encryption?
2. As far as PayPal.Button does not encrypted, how it could affect the security of transaction in general?

The Nice PayPal Downloads does not generate encrypted buttons. It uses the PayPal Standard HTML method for generating its buttons. This method has been used by PayPal for many years without to many problems. The one issue with this method is that all of the purchase information is available to the site visitor in the HTML code. For example here is the button form code for the Nice PayPal Button plugin on my site.

Code: Select all

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="cmd" value="_xclick"> 
  <input type="hidden" name="business" value="xxxxx@trinitronic.com"> 
  <input type="hidden" name="item_name" value="Nice PayPal Button Plugin"> 
  <input type="hidden" name="item_number" value="3">
  <input type="hidden" name="quantity" value="1">
  <input type="hidden" name="amount" value="15.00">
  <input type="hidden" name="tax" value="0">
  <input type="hidden" name="shipping" value="0">
  <input type="hidden" name="currency_code" value="USD">
  <input type="hidden" name="lc" value="US">
  <input type="hidden" name="return" value="http://trinitronic.com/index.php?option=com_nicepaypaldownloadsxxxxxx">   
  <input type="hidden" name="cancel_return" value="http://trinitronic.com/index.php?option=com_nicepaypaldownloadsxxxxxx">   
  <input type="hidden" name="notify_url" value="http://trinitronic.com/index.php?option=com_nicepaypaldownloadsxxxxxx"> 
  <input type="image" border="0" name="submit" src="http://trinitronic.com/images/btn-buynow.png" alt="PayPal - The safer, easier way to pay online">
</form>


As you can see all of the purchase information is available. Criminal minded individuals could use this information to try and illicitly purchase one of your download files for less than the sales price. One method a criminal might do this is to copy the button code to a new page on a server or web space that the criminal controls. Then the hacker simply replaces the purchase price value in the code. They can then click the buy button on their site and purchase the item for their price.

Example of tampered button code.

Code: Select all

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="cmd" value="_xclick"> 
  <input type="hidden" name="business" value="xxxxx@trinitronic.com"> 
  <input type="hidden" name="item_name" value="Nice PayPal Button Plugin"> 
  <input type="hidden" name="item_number" value="3">
  <input type="hidden" name="quantity" value="1">
  <input type="hidden" name="amount" value="0.01">
  <input type="hidden" name="tax" value="0">
  <input type="hidden" name="shipping" value="0">
  <input type="hidden" name="currency_code" value="USD">
  <input type="hidden" name="lc" value="US">
  <input type="hidden" name="return" value="http://trinitronic.com/index.php?option=com_nicepaypaldownloadsxxxxxx">   
  <input type="hidden" name="cancel_return" value="http://trinitronic.com/index.php?option=com_nicepaypaldownloadsxxxxxx">   
  <input type="hidden" name="notify_url" value="http://trinitronic.com/index.php?option=com_nicepaypaldownloadsxxxxx"> 
  <input type="image" border="0" name="submit" src="http://trinitronic.com/images/btn-buynow.png" alt="PayPal - The safer, easier way to pay online">
</form>


The example above shows how I changed the "amount" field to equal 0.01. This is well below the $15 sale price of my item. All I would have to do is publish the above altered form code to a web space and click the button, I could then make a purchase of the Nice PayPal Button plugin for $0.01. This strategy has outwitted many a web master's security efforts. And is the primary reason (in my opinion) that PayPal offers encrypted buttons now.

However, the design of the Nice PayPal Downloads takes the above security issue into account. When PayPal sends the IPN message to the Nice PayPal Downloads extension (NPD), the extension validates the purchase information against it's own records in the Joomla Database. If the IPN message says that the buyer purchased the Nice PayPal Button plugin for 0.01, then the purchase amount would not match the listing price of $15 in my website's database. The IPN message would be rejected as fraudulent. And the would-be fraudster would not receive a download link from my site.

This actually happened to me several weeks ago. Multiple transaction attempts from the same buyer came in for $0.01. I could see their purchases in my PayPal history, but there were no records of this in the Nice PayPal Downloads Transactions history. So, the illicit buyer was not able to obtain anything from my site.

If you are still very concerned about encrypted buttons, then you can generate encrypted buttons on PayPal and use them on your site instead of the extension's payment buttons. You just need to make sure that all of the information in the encrypted button record on PayPal matches the information in the Nice PayPal Downloads Item record. Otherwise, any payments made with the encrypted buttons will be rejected as fraudulent.

3. Which folders involved in “Nice PayPal Downloads” activity I have to secure with server based security methods (password, IP or smth.) in order to prevent PayPal e-mail login substitution?

The only folder you should have to secure is the Download File folder. This is to prevent direct access to the folder that contains the files you are selling. Please see the documentation here http://trinitronic.com/index.php/Downlo ... ecurefiles

~ Best regards

[nolik]

Well Mike,
I’m impressed! Thank you very much. It is clear for me now.

[Michael]

You are welcome!