As a payment technology company, we process millions of transactions daily, and many of them are processed over the web. It is therefore fair to say that web browsers can be an attack surface: several tools can be used to manipulate information in the browser, and attackers can use the same tools to intercept and alter payment data before it is passed to the processor.
Case study: A common example of payment data manipulation is when a NGN1000 payment generated by merchant X for an item is intercepted in the browser and the amount changed to NGN100. The attacker pays less but still receives the item’s full value (N1000). This is possible because the merchant failed to verify the amount received before giving value.
What does Web Parameter Tampering mean?
The Web Parameter Tampering attack is based on manipulating parameters exchanged between client and server to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings and is used to increase application functionality and control.
This attack can be performed by a malicious user who wants to exploit the application for their own benefit, or by an attacker who wishes to target a third person. If you are a Flutterwave merchant with API integrations on your website, it is essential to understand what this means for you.
What can I do as a Merchant?
You may have little control over your customer’s browser; however, you have full control over what you accept as payment. Let’s look at the possible ways of validating payment information and ensuring data integrity.
- Verify transactions: After a transaction completes, you must validate it using our verify service before giving value. Validation must be done properly: confirm the transaction amount, currency, transaction reference and transaction status against what you expect before value is applied. Completing these checks will completely mitigate this kind of attack.
- Checksum service: The checksum service involves passing a payload hash in the request sent to Flutterwave. The payload hash is a security hash computed over the request data, which is checked against the data actually received in the request. If the data was tampered with in transit, the hash will not match. Refer to our documentation for the steps required to generate the payload_hash.
- Check your integration, and check again. See our Integration Recommendations for guidelines and best practices.
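The verification step above, as an added illustration that is not Flutterwave’s own code: the merchant keeps its own record of what each checkout should cost and compares the verify-service result against it before giving value. The field names on the verified object (`tx_ref`, `amount`, `currency`, `status`) and the sample responses are assumptions constructed for this example.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data (not real Flutterwave responses): what the merchant
# recorded server-side when the checkout was created, keyed by its own reference.
EXPECTED_ORDERS = {
    "ORD-1001": {"amount": Decimal("1000"), "currency": "NGN"},
}

def check_transaction(expected, verified):
    """Compare a verify-service result against the merchant's own record.

    `expected` holds the amount/currency the merchant set; `verified` is the
    transaction object returned by the verify service (field names assumed).
    Returns a list of mismatch reasons; an empty list means value may be given.
    """
    problems = []
    if verified.get("status") != "successful":
        problems.append("status is %r, not 'successful'" % verified.get("status"))
    if verified.get("currency") != expected["currency"]:
        problems.append("currency %r != expected %r"
                        % (verified.get("currency"), expected["currency"]))
    try:
        # Decimal, never float: money comparisons must be exact.
        paid = Decimal(str(verified.get("amount")))
    except (InvalidOperation, TypeError):
        problems.append("amount missing or not numeric")
    else:
        if paid != expected["amount"]:
            problems.append("amount %s != expected %s" % (paid, expected["amount"]))
    return problems

def settle(verified, processed_refs):
    """Decide whether to give value for a verified transaction.

    `processed_refs` is the set of references already fulfilled, so a single
    genuine payment cannot be presented twice to obtain value twice.
    """
    ref = verified.get("tx_ref")
    expected = EXPECTED_ORDERS.get(ref)
    if expected is None:
        return False, ["unknown tx_ref %r" % ref]
    if ref in processed_refs:
        return False, ["tx_ref %r already fulfilled" % ref]
    problems = check_transaction(expected, verified)
    if problems:
        return False, problems
    processed_refs.add(ref)
    return True, []

if __name__ == "__main__":
    tampered = {"tx_ref": "ORD-1001", "amount": 100, "currency": "NGN", "status": "successful"}
    genuine = {"tx_ref": "ORD-1001", "amount": 1000, "currency": "NGN", "status": "successful"}
    seen = set()
    print(settle(tampered, seen))  # (False, ['amount 100 != expected 1000'])
    print(settle(genuine, seen))   # (True, [])
```

The tampered NGN100 payment from the case study is rejected because the verified amount does not match the merchant’s record, while the genuine payment is accepted exactly once.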
We hope this article explains how you, as an online business, can fully control what you receive as payment. If you have any questions or concerns, please send us an email.
Great! Now you’re good to go.