The information in this thread might be outdated

01-17-2010, 05:18 PM
Andrea M, Junior Member | Join Date: Jan 2010 | Posts: 5
PayPal usernames/passwords to ECWID
How can users on ECWID trust ECWID with all of our payment gateway secure account information, including usernames and passwords for our PayPal accounts, Google Checkouts, etc., in order to set up our carts?

01-17-2010, 06:58 PM
Senior Member | Join Date: Oct 2009 | Posts: 307
One could say the same about why people should trust web hosting companies - they can see all of the user names and passwords for MySQL databases, email accounts, etc.
Why should anybody trust Hotmail or Google for email accounts?
The thing with PayPal and Google Checkout passwords and usernames is that they are for interacting with your merchant account only. I don't think you can use them to access your actual PayPal merchant account or Google account that shows all of your bank account details.

01-17-2010, 07:04 PM
Andrea M, Junior Member | Join Date: Jan 2010 | Posts: 5
I found a solution within PayPal, and that is to create another account for API access only. Thanks. To your point, these other companies have been established and do not have access to your bank accounts. I wasn't trying to offend you or the company. I was just trying to find an alternative since I'm not familiar with ECWID as a company.

01-17-2010, 08:17 PM
Senior Member | Join Date: Oct 2009 | Posts: 307
The solution you found is the correct way to do it.
Ecwid doesn't have access to your bank accounts. All it does is send information to Google or PayPal and ask them to send back certain responses.
All the passwords for payment methods like PayPal and Google Checkout are there to ensure that whoever is requesting to send information to PayPal or Google has your consent to do so.
P.S. I don't work for Ecwid.

01-18-2010, 11:32 AM
Qetzal, Ecwid Team | Join Date: Sep 2009 | Posts: 10,847
Quote:
Originally Posted by Andrea M
How can users on ECWID trust ECWID with all of our payment gateway secure account information, including usernames and passwords for our PayPal accounts, Google Checkouts, etc., in order to set up our carts?
1. First I want to highlight that the information you enter to set up PayPal, Google Checkout, Authorize.net, etc. is enough only to initiate and process an order.
It isn't possible to log into your payment backend (e.g. the PayPal one) or your bank account using these credentials.
2. In the matter of trust, please let me quote myself:
---
In the matter of safety.
Is it safe to keep all your emails and documents on Google's servers? Is it safe to store the list of your tasks on Remember The Milk's? Private photos on Flickr or Facebook? Corporate sites with your company's secrets on hosting?
Millions of people do it, and they think that it is safe.
If you use a PHP or ASP based shopping cart, you trust all your information to your hosting provider. How do you know that they do not distribute it? The answer is clear: if they're stupid enough to do it, they will be out of business very quickly.
Our company has been developing e-commerce software since 2001. We really understand how important security and data protection are in the e-commerce industry.
If you're successful and happy with our e-commerce solutions, we're happy and successful too. So we secure your data with all possible care.
BTW, in the matter of security: for many reasons it is much more safe to use Ecwid on our managed servers than an average PHP cart on any hosting.

08-17-2014, 06:37 PM
Richard Cloutier, Junior Member | Join Date: Aug 2014 | Posts: 1
One thing that concerns me about Ecwid is that when I click the forgotten password link, Ecwid does not send a randomly generated new password for the user to log into their profile, but sends the ACTUAL REGISTERED PASSWORD. This means that the password is not securely encrypted on Ecwid's servers.
To make matters worse, they send the password to the user via plain email.
As others have stated, the information accessible to someone who gets access to a profile account does not include bank information, UNLESS the user felt secure enough to use the same password for their profile as they did for their bank or PayPal account.
Still, what may be accessible to someone who breaks into a user profile are the following:
Full name
Street address
Phone number
Order history with the store in question
This is certainly enough information to establish "trust" in a scam or phishing attempt.
Above, Qetzal stated:
"BTW in the matter of security: for many reasons it is much more safe to use Ecwid on our managed servers, than an average PHP cart on any hosting."
While this is probably true, break-ins occur all the time on much more secure servers. When thieves get user records, they usually just get encrypted passwords. The only way they can crack these passwords is to "guess" the encryption method, any salt used, and encode commonly used passwords. Then they look for matches in the database. If a user has a secure password--one that the thieves would never guess--their account will never be accessible.
Because Ecwid can return the user's password via email, this says that either a) they have a non-secure method of encoding a user's password that allows it to be decoded programmatically, or worse, b) they store the passwords in plain text in the database.
If someone were to break into Ecwid's server, they would have a much better chance of recovering the users' passwords.
I wonder if there are any plans on Ecwid's part to remedy this glaring security hole?

08-25-2014, 03:01 PM
Viktor D., Paid Member | Join Date: Nov 2013 | Posts: 720
Quote:
Originally Posted by Richard Cloutier
[Richard's post of 08-17-2014, quoted in full]
Thank you very much for the message, Richard.
We agree, it is not good to store customers' passwords in a restorable form. Only the hash/fingerprint part should be stored. Hashing converts a piece of data (either small or large) into a relatively short piece of data such as a string or an integer. This is accomplished by using a one-way hash function. "One-way" means that it is very difficult (or practically impossible) to reverse it. And it is better to send a special password restoration link or to generate a new password. Indeed, such features will improve the security level of the whole system.
We already store merchant passwords this way. And good news: we are going to cover merchants' customers' passwords with this feature too. The work is already in progress and will be finished pretty soon. Currently, the improvement is at the testing stage.
We do absolutely understand the importance of security. It is one of our top priorities, on par with speed and convenience.
Ecwid is a PCI DSS service level 1 certified company ( https://www.pcisecuritystandards.org...ity_standards/). That means that Ecwid and its infrastructure satisfy the top level of security standards.
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
So you can be sure that your data is in a safe place.
Once again, thank you very much for your opinion; it is of great value to us.
Last edited by Viktor D.; 08-26-2014 at 08:15 AM.
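Richard's post above explains why a dumped user table is of little use when passwords are stored as salted one-way hashes, and Viktor's reply describes the fix: store only the hash, and send a reset link instead of the password itself. The Python below is an added illustration of that design, not Ecwid's code. It stores per-user salted PBKDF2-HMAC-SHA256 records that cannot be turned back into the password, verifies by recomputing rather than decrypting, and handles "forgotten password" with a single-use, expiring token of which only the hash is persisted. The iteration count, token lifetime, record layout and the dictionary standing in for a database row are all assumptions made for the example.

```python
"""Password storage and reset flow that never holds a recoverable password.

Added example (not Ecwid's code). PBKDF2-HMAC-SHA256, 600,000 iterations,
a 16-byte salt and a 15-minute token lifetime are assumed parameters.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000        # assumed work factor; tune to your hardware
TOKEN_LIFETIME_SECONDS = 15 * 60   # assumed reset-link validity window


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table of common passwords cannot be
    matched against the whole database at once.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Nothing here decrypts anything: the server can only check a guess, which is
    why it is also unable to email the original password back to the user.
    """
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token(user: dict, now: Optional[float] = None) -> str:
    """Create a one-time reset token; persist only its hash and expiry time."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user["reset_token_hash"] = hashlib.sha256(token.encode("utf-8")).hexdigest()
    user["reset_expires"] = now + TOKEN_LIFETIME_SECONDS
    return token  # goes into the emailed link only; a database dump never contains it


def redeem_reset_token(user: dict, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Accept the token once, before expiry, and replace the password hash."""
    now = time.time() if now is None else now
    stored_hash = user.get("reset_token_hash")
    if stored_hash is None or now > user.get("reset_expires", 0):
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, stored_hash):
        return False
    user["password_hash"] = hash_password(new_password)
    user.pop("reset_token_hash")   # single use: a replayed link fails
    user.pop("reset_expires")
    return True


def demo() -> None:
    # Constructed sample row; a real deployment reads and writes a user table.
    user = {"email": "merchant@example.invalid",
            "password_hash": hash_password("correct horse battery staple")}
    print(user["password_hash"])                                      # opaque record
    print(verify_password("correct horse battery staple", user["password_hash"]))
    token = issue_reset_token(user)
    print(redeem_reset_token(user, token, "new passphrase"))          # True
    print(redeem_reset_token(user, token, "replayed link"))           # False


if __name__ == "__main__":
    demo()
```

The contrast with the behaviour Richard reported is the point: a system that can mail you your registered password must hold it in a reversible form, whereas here the stored record, the reset token hash and the verification routine give the server no way to recover the password even if the whole table leaks.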