The information in this thread might be outdated
If the solution did not help, please, check our Help Portal or contact Ecwid Team.
#1
01-17-2010, 05:18 PM
Andrea M
Junior Member
Join Date: Jan 2010
Posts: 5

PayPal usernames/passwords to ECWID


How can users on ECWID trust ECWID with all of our payment gateway secure account information, including usernames and passwords for our PayPal accounts, Google Checkout, etc., in order to set up our carts?
#2
01-17-2010, 06:58 PM
Ecwid Made Easy.com
Senior Member
Join Date: Oct 2009
Posts: 307

One could say the same about why people should trust web hosting companies - they can see all of the user names and passwords for MySQL databases, email accounts, etc.

Why should anybody trust Hotmail or Google for email accounts?


The thing with PayPal and Google Checkout passwords and usernames is that they are for interacting with your merchant account only. I don't think you can use them to access your actual PayPal merchant account or Google account that shows all of your bank account details.
#3
01-17-2010, 07:04 PM
Andrea M
Junior Member
Join Date: Jan 2010
Posts: 5

I found a solution within PayPal, and that is to create another account for API access only. Thanks. To your point, these other companies are established and do not have access to your bank accounts. I wasn't trying to offend you or the company. I was just trying to find an alternative since I'm not familiar with ECWID as a company.
#4
01-17-2010, 08:17 PM
Ecwid Made Easy.com
Senior Member
Join Date: Oct 2009
Posts: 307

The solution you found is the correct way to do it.

Ecwid doesn't have access to your bank accounts. All it does is send information to Google or PayPal and ask them to send back certain responses.

All the passwords for payment methods like PayPal and Google Checkout are there to ensure that whoever is requesting to send information to PayPal or Google has your consent to do so.

P.S. I don't work for Ecwid.
#5
01-18-2010, 11:32 AM
Qetzal
Ecwid Team
Join Date: Sep 2009
Posts: 10,847

Quote:
Originally Posted by Andrea M
How can users on ECWID trust ECWID with all of our payment gateway secure account information, including usernames and passwords for our PayPal accounts, Google Checkout, etc., in order to set up our carts?
1. First I want to highlight that the information you enter to set up PayPal, Google Checkout, Authorize.net, etc. is enough only to initiate and process an order.

It isn't possible to log into your payment backend (e.g. PayPal one) or your bank account using these credentials.


2. In the matter of trust, please let me quote myself:

---
In the matter of safety.
Is it safe to keep all your emails and documents on Google servers? Is it safe to store the list of your tasks on RememberToMilk's ones? Private photos on Flickr or Facebook? Corporate sites with your company's secrets on hosting?
Millions of people do it and they think that it is safe.

If you use a PHP or ASP based shopping cart, you trust all your information to your hosting provider. How do you know that they do not distribute it? The answer is clear: if they're so stupid to do it, they will be out of business very quickly.

Our company has been developing e-commerce software since 2001. We really understand how important security and data protection are in the e-commerce industry.
If you're successful and happy with our e-commerce solutions, we're happy and successful too. So we secure your data with all possible care.

BTW in the matter of security: for many reasons it is much more safe to use Ecwid on our managed servers, than an average PHP cart on any hosting.
__________________
Eugene K.
Ecwid Team
#6
08-17-2014, 06:37 PM
Richard Cloutier
Junior Member
Join Date: Aug 2014
Posts: 1

One thing that concerns me about Ecwid is that when I click the forgotten password link, Ecwid does not send a randomly generated new password for the user to log into their profile, but sends the ACTUAL REGISTERED PASSWORD. This means that the password is not securely encrypted on Ecwid's servers.

To make matters worse, they send the password to the user via plain email.

As others have stated, the information accessible to someone who gets access to a profile account does not include bank information, UNLESS the user felt secure enough to use the same password for their profile as they did for their bank or paypal account.

Still, what may be accessible to someone who breaks into a user profile are the following:

Full name
Street address
Phone number
Order history with the store in question

This is certainly enough information to establish "trust" in a scam or phishing attempt.

Above, Qetzal stated:

"BTW in the matter of security: for many reasons it is much more safe to use Ecwid on our managed servers, than an average PHP cart on any hosting."

While this is probably true, break-ins occur all the time on much more secure servers. When thieves get user records, they usually just get encrypted passwords. The only way they can crack these passwords is to "guess" the encryption method and any salt used, and encode commonly used passwords. Then they look for matches in the database. If a user has a secure password, one that the thieves would never guess, their account will never be accessible.

Because Ecwid can return the user's password via email, this says that either a) they have a non-secure method of encoding a user's password that allows it to be decoded programmatically, or worse, b) they store the passwords in plain text in the database.

If someone were to break into Ecwid's server, they would have a much better chance of recovering the users' passwords.

I wonder if there are any plans on Ecwid's part to remedy this glaring security hole?
#7
08-25-2014, 03:01 PM
Viktor D.
Join Date: Nov 2013
Posts: 720

Quote:
Originally Posted by Richard Cloutier
One thing that concerns me about Ecwid is that when I click the forgotten password link, Ecwid does not send a randomly generated new password for the user to log into their profile, but sends the ACTUAL REGISTERED PASSWORD. This means that the password is not securely encrypted on Ecwid's servers.

To make matters worse, they send the password to the user via plain email.

As others have stated, the information accessible to someone who gets access to a profile account does not include bank information, UNLESS the user felt secure enough to use the same password for their profile as they did for their bank or paypal account.

Still, what may be accessible to someone who breaks into a user profile are the following:

Full name
Street address
Phone number
Order history with the store in question

This is certainly enough information to establish "trust" in a scam or phishing attempt.

Above, Qetzal stated:

"BTW in the matter of security: for many reasons it is much more safe to use Ecwid on our managed servers, than an average PHP cart on any hosting."

While this is probably true, break-ins occur all the time on much more secure servers. When thieves get user records, they usually just get encrypted passwords. The only way they can crack these passwords is to "guess" the encryption method and any salt used, and encode commonly used passwords. Then they look for matches in the database. If a user has a secure password, one that the thieves would never guess, their account will never be accessible.

Because Ecwid can return the user's password via email, this says that either a) they have a non-secure method of encoding a user's password that allows it to be decoded programmatically, or worse, b) they store the passwords in plain text in the database.

If someone were to break into Ecwid's server, they would have a much better chance of recovering the users' passwords.

I wonder if there are any plans on Ecwid's part to remedy this glaring security hole?
Thank you very much for the message, Richard.

We agree, it is not good to store customers' passwords in a restorable form. Only the hash/fingerprint part should be stored. Hashing converts a piece of data (either small or large) into a relatively short piece of data such as a string or an integer. This is accomplished by using a one-way hash function. "One-way" means that it is very difficult (or practically impossible) to reverse it. And it is better to send a special password restoration link or to generate a new password. Indeed, such features will improve the security level of the whole system.

We already store merchant passwords this way. And good news: we are going to cover merchants' customers' passwords with this feature too. The work is already in progress and will be finished pretty soon. Currently, the improvement is at the testing stage.

We absolutely understand the importance of security. It is one of our top priorities, on par with speed and convenience.

Ecwid is a PCI DSS service level 1 certified company (https://www.pcisecuritystandards.org...ity_standards/). That means that Ecwid and its infrastructure satisfy the top level of security standards.

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.

So you can be sure that your data is in a safe place.

Once again, thank you very much for your opinion; it is of great value to us.

Last edited by Viktor D.; 08-26-2014 at 08:15 AM.
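Richard's description of how a leaked table of unsalted hashes falls to guessing common passwords, and Viktor's description of storing only a one-way hash and sending a reset link instead of the password, put into one Python example. This is added code, not part of the thread and not Ecwid's implementation; the word list, the leaked hash value and the token record layout are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

PBKDF2_ROUNDS = 600_000  # deliberately slow: bulk guessing gets expensive
# Constructed sample data: a short "common passwords" list and an unsalted
# SHA-256 value as it might appear in a leaked legacy user table.
SAMPLE_WORDLIST = ["letmein", "123456", "password123", "qwerty"]
LEAKED_UNSALTED_HEX = hashlib.sha256(b"password123").hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these are stored; the password itself never is.
    A fresh random salt per user defeats one precomputed table for all users."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def unsalted_match(leaked_hex: str, wordlist) -> Optional[str]:
    """The guessing Richard describes: hash each common password with the guessed
    (unsalted, fast) method and look for a match in the leaked table."""
    for guess in wordlist:
        if hashlib.sha256(guess.encode()).hexdigest() == leaked_hex:
            return guess
    return None

def issue_reset_token(ttl_seconds: int = 900) -> Tuple[str, dict]:
    """Reset flow Viktor mentions: e-mail a random one-time token, store only its hash."""
    token = secrets.token_urlsafe(32)
    record = {"token_hash": hashlib.sha256(token.encode()).hexdigest(),
              "expires": time.time() + ttl_seconds, "used": False}
    return token, record

def redeem_reset_token(token: str, record: dict, now: Optional[float] = None) -> bool:
    """Accept the token once, before expiry; mark it used so the link dies."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["token_hash"]):
        return False
    record["used"] = True
    return True
```

With the salted, slow derivation a leaked record gives an attacker only per-user work that grows with the password's strength, which is the situation Richard describes as safe; the unsalted table gives up "password123" in a handful of guesses.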