Why are we getting multiple complaints from our customers that their credit card information is being stolen through our website?

Hello Dmitry,
We are using your extension on our website www.sanasafinaz.com and we are getting multiple complaints from our customers that their credit card information is being stolen through our website. Since your extension is the only method we are using to process credit card payments, can you please check and revert back to us?

It would be great to hear back from you on this matter.

What proofs do the customers provide exactly?

Because we are getting multiple complaints from different customers. The moment they place an order on our website and pay through credit card, the next thing is their cards getting charged on different websites. We have numerous emails from different customers who have been shopping with us for quite some time. They are all loyal customers.

Dear Sir/ Madam

I would like to draw your attention to a matter of grave concern.

Recently I ordered some suits from Sana Safinaz (order 000313706) and used my credit card to check out.
I did so because I read from your website that your payment policy was very secure with 2checkout.
I always use PayPal for all my eshopping and used 2checkout only once before Sana Safinaz.
While checking out I was surprised that I was not made to go through the necessary security measures: a one time password is usually sent to my phone which is then used before payment is processed.
So after I typed in all my credit card information, I had some misgivings.
I was right because someone from your staff used my credit card info for a payment of 1349€ which is roughly 56000 Mauritian rupees and 150000 PKR.
Thankfully the payment was declined by my bank due to insufficient funds. I was immediately informed of this through sms by my bank.
I called my bank immediately and blocked my card.

Please do not dismiss this email and do carry out some investigation regarding my order and payment.
I was lucky enough by the grace of God that the payment did not go through.
Someone next time may not be so lucky.

Also, I wrote several messages regarding another issue about my order but never got any responses. I ordered and paid for 5 suits but received only 4 which again says much about the professionalism of the staff.

I have been trying to get some top management contact information so my mail gets through to someone.

I sincerely hope you will look into this grave matter.

Nafeeza Maudarbocus

This is just one of the emails sent to us by the customers.

It could be because such customers have installed some malicious extensions to their browsers.
A browser extension usually has full access to a browsed web page; it could identify a bank card form on the page and collect the data.

Interestingly, Stripe provides an IFRAME defence against it:

Stripe Elements make collecting payment details more secure and help prevent malicious actors from stealing any sensitive information.
We generate a secure iframe and isolate sensitive information from your site—eliminating entire classes of attacks—while still giving you full visual control.

stripe.com/elements

2Checkout does not provide such defence for a customized bank card form placed on a Magento checkout page: 2checkout.com/documentation/payment-api

2Checkout provides other methods to defend against malicious browser extensions:

1. Hosted Standard Checkout

It works with browser redirections (like old-way payment gateways):

2checkout_flowchart

2. Hosted Inline Checkout

It uses an IFRAME defence, but it is a composite IFRAME, it works in a popup and it is not customizable:

I can implement either of methods 1 or 2 in my extension.
It will cost $490 and will take 3 days.

3. A custom solution

Both solutions have their own drawbacks, so I can integrate your website with another payment provider instead of 2Checkout.
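
The iframe isolation discussed in this thread, as an added example that is not part of the original posts or of the extension's code: a Node.js audit that lists card inputs sitting directly in the checkout page's DOM and payment frames hosted on another origin, which the same-origin policy keeps out of reach of scripts running in the merchant page. The origins `shop.example` and `pay.example`, the field names and both HTML samples are constructed, and the regex tag matching assumes simple double-quoted attributes.

```javascript
// Added example: audit checkout markup for card fields exposed to page-level scripts.
const CARD_HINT = /cc-(number|csc|exp)|card.?(number|num)|cvv|cvc/i;

// Parse double-quoted attributes of one tag into a plain object.
function attrs(tag) {
  const out = {};
  for (const m of tag.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
    out[m[1].toLowerCase()] = m[2];
  }
  return out;
}

function auditCheckout(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const exposed = [];          // card inputs in the merchant page's own DOM
  const isolated = [];         // frames on another origin (same-origin policy applies)
  const sameOriginFrames = []; // frames the page's scripts can still reach into
  for (const m of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = attrs(m[0]);
    if ([a.autocomplete, a.name, a.id].some(v => v && CARD_HINT.test(v))) {
      exposed.push(a.name || a.id || a.autocomplete);
    }
  }
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const a = attrs(m[0]);
    if (!a.src) continue;
    // Resolve relative src against the page URL before comparing origins.
    const origin = new URL(a.src, pageUrl).origin;
    (origin === pageOrigin ? sameOriginFrames : isolated).push(origin);
  }
  return { exposed, isolated, sameOriginFrames };
}

// Constructed sample 1: custom card form rendered directly on the checkout page.
const INLINE_FORM = '<form><input name="card_number" autocomplete="cc-number">' +
  '<input name="cvv"><input name="email"></form>';
// Constructed sample 2: card fields hosted by the payment provider in an iframe.
const HOSTED_FRAME = '<form><input name="email">' +
  '<iframe src="https://pay.example/card-form" title="Card"></iframe>' +
  '<iframe src="/promo.html"></iframe></form>';

const PAGE = 'https://shop.example/checkout';
console.log(auditCheckout(INLINE_FORM, PAGE));
console.log(auditCheckout(HOSTED_FRAME, PAGE));
```

A non-empty `exposed` list means the card data passes through the merchant page's DOM, which is the situation of a customized card form placed on the checkout page.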

A post was split to a new topic: Is any credit card information is being stored on our website using your extension or not?