Solved

Does it matter if a hacker gains access to a Payment Express Account user id?

Posted on 2015-01-19
4
157 Views
Last Modified: 2015-01-31
A client of mine has had their website hacked. If the hacker now knows the users PxPayUserid (which is a big long random looking string), can they use it for malicious purposes? I couldn't find anything on the Payment Express website saying either way.
0
Comment
Question by:Terry Woods
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 250 total points
ID: 40558750
If a hacker has gained access to ANY part of any access token the you MUST assume that your security is compromised and takes steps to change all security information.
This should be done immediately .
0
 
LVL 35

Author Comment

by:Terry Woods
ID: 40558997
Thanks @Neilsr. I don't suppose you can provide a reference to that in their documentation somewhere?
0
 
LVL 35

Accepted Solution

by:
Terry Woods earned 0 total points
ID: 40560817
It sounds like payments received might be going directly into the client's bank account. I'll check with them to confirm that this is the case. When I enquired with Payment Express, their response was:

Hi Terry,

If this is a pxpay service being used then should be fine.

Everything is redirected to our secure server and there is no way that this can be compromised so should not need to worry. - Payline is updated in realtime so you should be fine to use this to monitor any online orders.

The PxPay userId directly links to your merchant bank account so there would be no use to it for the hackers as if they used this all they would do is direct payments in to your account.

With Kind Regards,

[name withheld]
Junior Technical Analyst
0
 
LVL 35

Author Closing Comment

by:Terry Woods
ID: 40581235
Though PaymentExpress gave a different answer to @Neilsr, I wouldn't like to assume that PaymentExpress was correct. What if the hacker replaced the user id value with their own? Would payments start going to their account? Maybe there are safeguards in place through the Payment Express API's but I wouldn't like to assume.
0

Featured Post

Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question