SourceForge.net Logo zAurum.org: zAurum PHP: mass payment software Sat, 22-Jul-2017 02:48:03

Security issues

There are always security issues when dealing with money. In this section I will cover most common traps and mistakes people do. Please visit this section often (it can grow) and pay attention to each issue mentioned. This IS important: you are transferring real money and every error, every neglecting obvious and simple precautions can result in money lost, ECP accounts seized by thrid party person, all kinds of unpleasant consequences. It is simple to stay out of troubles, but it requires discipline.

1. Insecure channels

1.1. Using insecure mass payment sites is one of the best way to get into troubles. There are many mass payment systems -- sites -- offering very moderate fees. However, if you choose to use these payment gateways, please think whether you can risk transmitting critical data (your ECP password) over insecure channel.

The autopayment sites themselves are all right (probably: in the absolute majority of cases you have no idea what security measures are taken to prevent leaking of the critical data). But the fact a lot of important information is routed to them via insecure channels makes it quite probable that these data are hunted for and can be intercepted

Think this: obtaining SSL certificate costs less than $50 a year. If mass autopayment site administrator does not consider using secure channels, your account and your business can be at risk.

1.2. Fake emails from ECP are very popular nowadays. They look very convincing and are at times alarming -- you are tempted to follow the link, thus compromising your account data, sending them to the scam artists who send these messages.

The resume is simple: NEVER trust messages (with HTML code or not) pretending to be from your ECP. NEVER follow ECP links in any messages you receive. ALWAYS type the ECP URLs manually, do not use any bookmarks. In case you suspect you could compromise your data, login to ECP site and change your credentials -- immediately!

2. Web hosting issues

2.1. Limited PHP security is what the absolute majority of Web hosting providers (WHP) are suffering from.

This is due to the fact that secure tools such as Apache suEXEC feature are rather resource-consuming. In most cases all PHP scripts on Un*x hosting sites must have «world read» attribute set in order to work.

That means that every co-hosted user on such WHP sites can gain access to your scripts, period.

Does that mean you should always select WHP providing maximal security? Of course not. Most Web content isn't that valuable to protect it -- it is placed to be shown to everyone. But if you are building ECP-related site, security must be paramount. Access to PHP scripts means all your data can be accessed and investigated. Think of your affiliate database being compromised and decide whether you could afford such a disaster.

2.2. Session data storage is what you should be aware when placing zAurum PHP on shared Web hosting sites.

All data submitted to zAurum are stored as session variables. That allows to increase productivity, diminish traffic exchange. In cases when only limited PHP security is provided, most sessions are stored in common -- for all users -- directory; on Un*x systems it's most probably /tmp directory.

If it's absolutely necessary to use zAurum in limited security environment, please use

    session_save_path()
call to select a temporary (session) path somewhere near your Web root directory. Please refer to PHP.net sources to learn more on this.

3. General ECP issues

3.1. Create separate ECP account to use for automated payments. Make sure the account you are receiving payments to and the one you are paying from are different. NEVER store on the account used for automated payments sums larger than those actually required to perform payments.

3.2. Change your passphrase often -- this is the rule that is easily forgotten. People do not change passwords until it is too late -- a common situation.

Create a technique to create and memorize passwords. It is unsafe to keep passwords recorded even on paper, let alone electronic media.

NEVER use the same password for both the ECP account and email box you are associating with it.