Updates To Centra's Adyen Plugin - Sent Mar 30, 2017
Last week, we saw a few occurrences of suspicious activity with some of our clients, involving their customers trying to ‘trick’ the Centra system while placing orders with Adyen.
Because of the sequence in which orders are processed through Adyen, we saw that a few end users have attempted to place orders (and in some cases succeeded) for items more expensive than what they paid for. We have been investigating this together with Adyen, and have discovered 10 specific occasions since last September.
It does not appear to be systematic, and we have added a fix and are continuing our investigations.
You don’t need to do anything, and we will keep you updated with any important developments.
Details of the issue
When doing our investigation together with Adyen, we noticed the specific scenario that was happening:
- Customer adds products to their cart.
- Customer goes to checkout and selects Adyen.
- Customer gets transferred to Adyen Hosted Payment window.
- Customer simultaneously modifies the cart to add more products.
- Customer finalizes the payment in Adyen with the lower amount and order is placed.
This scenario is not unlikely and is logically hard to mitigate completely. However, all our other payment methods, except Adyen, were secured in such a way that we could verify the proper currency and amount when the customer finalizes the order.
In the case of Adyen, the flow works differently:
When a customer comes back from Adyen, the URL they return on carries information about the order they placed. This information is then used to finalize the proper order. The problem was that this information did not contain the currency and amount, and because of this we did not actually validate the amount that was being authorized against the order.
The fix will change a bit how orders from Adyen come into Centra. First, the customer will always see their receipt when they come back from Adyen.
But, behind the scenes, the order will come into Centra with a status called "Waiting for Payment":
This is a sort of "Hold" that makes the order invisible to any integration and waits for further instructions from the payment provider, in this case Adyen.
Adyen sends us notifications on what has happened with payments. As soon as Adyen sends us a notification about an order, we do get the currency and amount from the order. So as soon as we get a notification that the amount has been authorized, we change the status of the order to "Processing" as it would normally look. We also trigger the event to make the order visible for integrations again.
Also, if you use "Direct Capture", we will at this point call Adyen and tell them to capture the amount as well. We will also wait until they send us a "Capture Complete" call before marking the order as captured.
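To make the race in the five-step scenario above and the effect of the "Waiting for Payment" hold concrete, here is an added, simplified model of both flows. It is illustration code written for this note, not Centra's plugin or Adyen's API: the function names, the `AUTHORISATION` notification shape, the decimal amounts and the "Amount mismatch" hold state are all assumptions, and the cart values are constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Statuses named in the notice, plus one hypothetical hold state used when a
# notification does not match the order (the notice does not name such a state).
WAITING_FOR_PAYMENT = "Waiting for Payment"
PROCESSING = "Processing"
AMOUNT_MISMATCH = "Amount mismatch (hypothetical)"


@dataclass
class Cart:
    currency: str
    items: dict = field(default_factory=dict)  # sku -> line price (constructed values)

    def total(self) -> Decimal:
        return sum(self.items.values(), Decimal("0"))


@dataclass
class Order:
    reference: str
    currency: str
    amount: Decimal  # what the shop must receive for the items in the order
    status: str
    visible_to_integrations: bool


def start_hosted_payment(cart: Cart, reference: str) -> dict:
    """Payment request built when the customer is handed to the hosted page.
    The amount is fixed here, but the cart can still be edited afterwards."""
    return {"reference": reference, "currency": cart.currency, "amount": cart.total()}


def finalize_vulnerable(cart: Cart, return_params: dict) -> Order:
    """Old behaviour: the return URL carries no currency or amount, so the order
    is placed for whatever the cart holds now and goes straight to Processing."""
    return Order(return_params["reference"], cart.currency, cart.total(), PROCESSING, True)


def finalize_hardened(cart: Cart, return_params: dict) -> Order:
    """New behaviour: the order is created on hold and stays invisible to
    integrations until the provider's notification confirms currency and amount."""
    return Order(return_params["reference"], cart.currency, cart.total(),
                 WAITING_FOR_PAYMENT, False)


def handle_notification(order: Order, notification: dict) -> Order:
    """Notification handler: release the order only when the authorised
    currency and amount equal what the order requires."""
    if notification.get("event") != "AUTHORISATION" or not notification.get("success"):
        return order  # not an authorisation; leave the hold untouched
    same_currency = notification["currency"] == order.currency
    same_amount = Decimal(str(notification["amount"])) == order.amount
    if same_currency and same_amount:
        order.status = PROCESSING
        order.visible_to_integrations = True  # the "make visible" event from the notice
    else:
        order.status = AMOUNT_MISMATCH  # stays invisible for manual review
    return order


def simulate(hardened: bool) -> Order:
    """Replay the five-step scenario from the notice with constructed values."""
    cart = Cart("EUR", {"shirt": Decimal("30.00")})
    request = start_hosted_payment(cart, "ORDER-1")   # authorised for 30.00
    cart.items["jacket"] = Decimal("200.00")          # edited while the hosted page is open
    return_params = {"reference": "ORDER-1"}          # no amount or currency on return
    if not hardened:
        return finalize_vulnerable(cart, return_params)  # 230.00 of goods, 30.00 paid
    order = finalize_hardened(cart, return_params)
    notification = {"event": "AUTHORISATION", "success": True,
                    "currency": request["currency"], "amount": request["amount"]}
    return handle_notification(order, notification)


if __name__ == "__main__":
    print(simulate(hardened=False))  # Processing, visible, amount 230.00 against 30.00 paid
    print(simulate(hardened=True))   # held with the hypothetical mismatch status, invisible
```

The point of the model is where the comparison happens: the return URL only identifies the order, so the only trustworthy source of the authorised currency and amount is the provider notification, and an order leaves the hold only when that notification matches the order total computed at finalization time.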
You might not even see our changes according to the flow above. It usually moves very quickly, but in some cases these steps might take a minute or two, so we wanted you to know what's going on. We will be rolling out these changes during the day.
1. Is any other payment plugin we use affected?
No, only Adyen was affected.
2. How do I know if this happened to us?
We are doing our own investigation currently and will contact the affected clients individually. What's important to know is that this doesn't seem to be a structured method or anything from these customers. They have most likely "tried it to see what happens". We noticed 10 occasions spanning from September last year up to now.
3. We're using the Client Side Encryption method from Adyen. Is that one also affected?
No, the flow of that method is different and will sign the amount and currency directly when adding the credit card details.