Beware: Nitrosell webstore hacked with no support

If you have Nitrosell, beware.

My shopping cart has been hacked, and it was being used to test stolen credit cards to see if they would be accepted or declined. My merchant account had hundreds of transactions with a charge, then a void, then a charge, then a void. I only found out because the thieves made a mistake and one transaction actually went through. My processor disabled my account until Nitrosell and I could show them the security measures taken to prevent this.

Nitrosell's response was that it wasn't hacked, that someone had created an account or multiple accounts and was using the front end to test the credit card charges. I notified them that it wasn't possible, because how would they be able to void the charge? There is no void function on the site. I even sent them the report of all the charges and voids. They had no response, and then they LEFT FOR THE WEEKEND. My card processing is disabled, and I am stuck.

What kind of customer service is this? How can they possibly say that someone wasn't hacking, and when presented with evidence HOURS before they closed, they do nothing? I called them at 4:00 p.m. their time, there was no answer, and I left a message to call me back. Nothing. No update to my ticket, no response, and I am out of online processing for the foreseeable future.

To make matters worse, when I told them that my processor required us to update our security credentials, they didn't even know what that meant! I have a separate merchant account for in-store transactions, so it has to be Nitrosell with the issue, and not my system.

If you process with Nitrosell, take care to review your credit card transactions daily on your merchant site, and look for voids. None of these show up in RMS, nor will they appear on your regular statement.

I cannot believe that Nitrosell is doing this, and that they have the audacity to say that their system is secure when all evidence points otherwise.

Reply to
Julie

I don't understand. I still use Nitrosell for one of my sites and when the customer puts in their credit card info and hits submit, the transaction is complete and you get an email with the order. The customer cannot log into their account and cancel the transaction. We have to do that. I do not think you can void one from the cart. Were you not getting all these emails with orders?

With Authorize.net, the only way you can VOID a credit card transaction is to log into the card processor and void it yourself.

How?

mickie

Reply to
Mickie

I received a call from a Nitrosell developer on Monday morning.

The way MPS (Mercury Payment Systems) works is that a pass/fail is returned along with codes for AVS match and CCV match. If there is an AVS mismatch, Nitrosell uses fuzzy logic to determine whether to send the order through or to void it. In this case, the cards were either being approved and then voided by Nitrosell due to the AVS error, or they were outright declined by the processor.

Nitrosell upgraded me to a newer, early-adopter version of the software which has an additional security feature that disables an account after X number of failed credit card transactions.

They also looked at the rest of their base and found a couple of other carts with the same issue as me, although with different payment gateways. They did an emergency code fix for all of their customers that will block an IP address for a certain time period after X number of failed purchase attempts. The nice benefit of this is that it monitors all of Nitrosell's hosted carts instead of just one, so we have a group benefit of blocking fraudsters.

Nitrosell has apologized for the failure in their internal procedures which allowed my problem to remain unsolved over the weekend. They have promised to remedy the problem.

I can safely say that the site was NOT hacked -- but it did have some security vulnerabilities which have now been fixed. I am, once again, a happy customer.

Now, if I could only get the ability to assign an item to more than one department (for website navigation). Oh, and the ability to offer free shipping with minimum order...

Reply to
Julie
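The IP block described in the post above, sketched as an added example (not Nitrosell's code, and not part of the original thread). The threshold, window and block duration stand in for the post's "X" and are assumptions, as are the class name, store names and sample events; a charge that is approved and then auto-voided on an AVS mismatch is counted as a failure alongside outright declines.

```python
from collections import defaultdict, deque

class FailedPaymentLimiter:
    """Temporarily block an IP after repeated failed payment attempts.

    Keyed by IP only, so failures against different stores on the same
    platform add up. Thresholds are assumed values, not Nitrosell's.
    """
    FAILURES = {"declined", "voided"}  # an auto-void after AVS mismatch counts

    def __init__(self, max_failures=5, window_s=600, block_s=3600):
        self.max_failures, self.window_s, self.block_s = max_failures, window_s, block_s
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time the block expires

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is not None and now >= until:
            del self._blocked_until[ip]       # block expired
            return False
        return until is not None

    def record(self, ip, outcome, now):
        """Record a gateway result; return True if this event triggers a block."""
        if outcome not in self.FAILURES:
            return False
        recent = self._failures[ip]
        recent.append(now)
        while recent[0] <= now - self.window_s:   # drop failures outside the window
            recent.popleft()
        if len(recent) < self.max_failures:
            return False
        self._blocked_until[ip] = now + self.block_s
        recent.clear()
        return True

# Constructed sample events: (seconds, ip, store, gateway outcome)
EVENTS = [
    (0, "203.0.113.7", "store-a", "voided"), (20, "203.0.113.7", "store-a", "declined"),
    (45, "203.0.113.7", "store-b", "voided"), (50, "198.51.100.4", "store-a", "declined"),
    (70, "203.0.113.7", "store-b", "declined"), (90, "203.0.113.7", "store-c", "declined"),
    (100, "203.0.113.7", "store-c", "approved"), (4000, "203.0.113.7", "store-a", "approved"),
]

def replay(events, limiter):
    """Return the attempts refused before they would reach the gateway."""
    refused = []
    for now, ip, store, outcome in events:
        if limiter.is_blocked(ip, now):
            refused.append((now, ip, store))
        else:
            limiter.record(ip, outcome, now)
    return refused
```

In the sample, the fifth failure from one address is spread over three stores, so only a counter shared across carts refuses the attempt at second 100.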

Hi Julie, good to hear you worked out your security issues. As far as assigning items to multiple categories, that's a standard feature of x-cart:

formatting link
With our RMS integrated software you can also assign an item to multiple categories notating this within an RMS field that you're not using say sub description 3 in RMS, thus automating the transfer of data to the website and not touch the admin area of the cart.

Example sites:

formatting link
This site's brakes or other parts can be assigned to Multiple Models of Cars. In RMS you can only assign to one model.

Example:

formatting link
can search products by category, activity or gender. Free shipping with a minimum order is also supported with a simple $150 module:
formatting link
Alex

Reply to
Kosmos

Hi Julie. Free Shipping based on Order Subtotals is a standard feature of the shipping rules configuration. Check out Knowledge base Articles 135 and 289. You can also do a search for 'shipping'; there are a ton of features in this area available to you.

Regards, Todd Jensen

Reply to
Todd

I sort of agreed with Mark about the way Alex always chimes in with "Kosmos is Better" whenever someone has issues with another cart, particularly Nitrosell. He very rarely adds anything beneficial to help with the current problem except "change to Kosmos". This has been going on for a long time (years) between Todd and Alex, and THAT does not add anything beneficial to the group. As far as an apology from Nitrosell, that does little good to help her cover her losses and pay her bills. The least they could do is provide her with a free month's service for her troubles, and should go even further and give her 3 months' service for free. The problem she encountered was serious, and they did nothing to help until after the weekend selling period was over. That would be unacceptable to me. I understand the difficulties with implementing upgrades to patch problems on the server, among other issues, but that is their business. They should be prepared if a glitch happens. And if that glitch harms any of their customers they should make it right, which they didn't.

As to the second part of his comment "Julie...in between the verbal volleys of these two RMS integrated shopping cart sellers...you may lost track of your actual issue. Let me tell you something...the weather will be good in 2010...so before you gear up for the coming hectic days of more business, re-evaluate your shopping cart and make it at least bug-free to SOME EXTENT!"

I do think he lost his point there. The weather will be good in 2010? What the.....? Bug-free to some extent? No help in either of those comments.

Craig

Mark, I liked the positive comments that answered her questions. You for one must be having a bad day. Bashing is not positive at all. What are you offering? To state that she should go with a cart that is "at least bug-free to SOME EXTENT" without informing the community of your solution isn't offering ANYTHING to this group at all. What is your recommendation? Do you have an integrated RMS software solution that is BUG FREE? Is there such a thing as bug-free to SOME EXTENT? What happens when PHP and ASP upgrades are made to a server to prevent hacking vulnerabilities? Is that software still bug FREE? Please let us know. I'm very curious, that's why I recommended Hacker SAFE as an option to potential vulnerabilities that arise from new technologies. Bug FREE?

J
Reply to
Craig

I've been using Kosmos for years and this is news to me "With our RMS integrated software you can also assign an item to multiple categories notating this within an RMS field that you're not using say sub description 3 in RMS, thus automating the transfer of data to the website and not touch the admin area of the cart."

Walter specifically told me that I could not assign an item to two X-Cart categories. I use the extra sub-description to add additional sub-categories beyond the one allowed in RMS. In other words, using the RMS fields Dept and Cat, you will get a Cat and sub-cat in X-Cart for the item and you can add a sub-sub-cat, but not put one item into two different categories in X-Cart.

Free shipping is available in X-Cart without any add-on modules.

Bill Hobby Central

Reply to
Hobby Central

Hi Bill,

Many thanks for the informative post.

What is the URL of your web store?

Based on the postings you have been doing on this topic I would love to see your webstore, and I'm sure other readers would also.

Cheers

Mark

Reply to
Mark Westin
