ncyoung.com

Hotspots offers hotel reservations in the Santa Barbara area. I have long worked on and maintained an MS Access database application to help keep track of the reservations and commissions earned. (See hotspots project)

I recently added the ability to charge cancellation fees using Verisign's COM objects and VBS within the Access database.

An existing report showed canceled reservations, this project simply added the ability to charge the credit card by pushing a button on that report.

A client who uses Authorize.net started seeing a bunch of one cent transactions show up in their merchant interface. There's no way for someone to buy something for a penny at the site, so this was troubling.

We immediately changed the site passwords and the authorize.net account passwords. I audited the scripts to make sure that no-one had changed anything (made a bit harder to do by a recent design update of the site). I updated the scripts to use authorize.net's newer protocol which allows for an MD5 hash to be attached to the transaction as it is sent from our server to the authorize.net server.

I never did figure out exactly where the 1c transactions were coming from, which is a tiny bit troubling. But they have stopped.

As for the why, I can only think that someone had a big batch of stolen credit card numbers and was trying to figure out which ones were good accounts. We live in interesting times.

Authorize.net had stopped supporting an older version of their protocol which the site used. So I updated the site to use the then-current equivalent.

A short time later we began having problems with that equivalent (which authorize.net is now phasing out because of security problems). See The Mover's Friend Authorize.net Security Update