Security Advisory

Sample Letter to advise resellers of a security threat to the system.

Dear [Reseller Name],

Over the past few weeks, a few of our Resellers have reported an upsurge in fraudulent transactions which have led to significant losses for them.

We have spent considerable time investigating these reports, and have determined that this is primarily due to loosely configured Payment Gateway Preferences. Detailed below is the general mode of operation followed by the fraudsters in these cases:

      

  1. Customers/Sub-Resellers would sign up with the Reseller and place bulk orders.

  2. Payments for these bulk orders were made through Unverified PayPal accounts and were processed immediately, since the Resellers were accepting funds from Unverified PayPal accounts.

  3. Once the Money Back period for these orders had elapsed, the orders were moved out by those Customers/Sub-Resellers to another account having absolutely no connection with the original Reseller.

  4. Finally, the PayPal transactions were charged back, leaving the Resellers to face considerable losses and no means to recoup them.

      

To prevent issues like these from occurring with your own Reseller Account, we urge you to take a few steps to review and update your Payment Gateway settings and security policies. We recommend the following basic settings for your Payment Gateway:

      

  1. Avoid accepting funds from Unverified/Unregistered PayPal accounts as far as possible.

  2. Should you choose to receive funds from such accounts, you can manually review the transactions and decide to approve them. To change the settings of your PayPal Payment Gateway, you can refer to this support knowledge base article.

  3. If you have integrated more than one Payment Gateway, we would suggest that you enable the option to ‘Allow only explicitly Authorized Customers/Sub-Resellers to pay via the Payment Gateway’. This would ensure that your genuine Customers/Sub-Resellers can keep on transacting using all the Payment Gateways enabled for them, while a new Customer/Sub-Reseller would first have to prove they are genuine before they can use the Payment Gateways. To learn how to change the current access level for the integrated Payment Gateways, you can refer to this support knowledge base article.

      

For any doubts or clarifications, please contact us at [URL].

Regards,
[Department] Support Team