- Hello! Gordon's pizza?
- No sir it's Google's pizza.
- So it's a wrong number?
- No sir, Google bought it.
- OK. Take my order please ..
- Well sir, you want the usual?
- The usual? You know me?
- According to our caller ID, in the last 12 times, you ordered pizza with cheeses, sausage, thick crust
- OK! This is it
- May I suggest to you this time ricotta, arugula with dry tomato?
- No, I hate vegetables
- But your cholesterol is not good
- How do you know?
- Through the subscribers guide. We have the result of your blood tests for the last 7 years
- Okay, but I do not want this pizza, I already take medicine
- You have not taken the medicine regularly, 4 months ago, you only purchased a box with 30 tablets at Drugsale Network
- I bought more from another drugstore
- It's not showing on your credit card
- I paid in cash
- But you did not withdraw that much cash according to your bank statement
- I have other source of cash
- This is not showing as per you last Tax form unless you got it from undeclared income source
-WHAT THE HELL? Enough! I'm sick of Google, Facebook, twitter, WhatsApp. I'm going to an Island without internet,where there is no cell phone line and no one to spy on me
- I understand sir, but you need to renew your passport as it has expired 5 weeks ago..

A HUGE FUCK YOU TO EVERY GODDAMN ONLINE STORE WHO NEEDS A CREDIT CARD NUMBER TO OBTAIN SOMETHING FREE.

(the following is a big fuck you)
______
| ___|
| |_
| _|
| |
\_|

_ _
| | | |
| | | |
| | | |
| |_| |
\___/

_____
/ __ \
| / \/
| |
| \__/\
\____/

_ __
| | / /
| |/ /
| \
| |\ \
\_| \_/

__ __
\ \ / /
\ V /
\ /
| |
\_/

_____
| _ |
| | | |
| | | |
\ \_/ /
\___/

_ _
| | | |
| | | |
| | | |
| |_| |
\___/

Hello! Is this Gordon’s Pizza?

No sir, it’s Google’s Pizza.

Did I dial the wrong number?

No sir, Google bought the pizza store.

Oh, alright - then I’d like to place an order please.

Okay sir, do you want the usual?

The usual? You know what my usual is?

According to the caller ID, the last 15 times you’ve ordered a 12-slice with double-cheese, sausage, and thick crust.

Okay - that’s what I want this time too.

May I suggest that this time you order an 8-slice with ricotta, arugula, and tomato instead?

No, I hate vegetables.

But your cholesterol is not good.

How do you know?

Through the subscribers guide. We have the results of your blood tests for the last 7 years.

Maybe so, but I don’t want the pizza you suggest – I already take medicine for high cholesterol.

But you haven’t taken the medicine regularly. 4 months ago you purchased from Drugsale Network a box of only 30 tablets.

I bought more from another drugstore.

It’s not showing on your credit card sir.

I paid in cash.

But according to your bank statement you did not withdraw that much cash.

I have another source of cash.

This is not showing on your last tax form, unless you got it from an undeclared income source.

WHAT THE HELL? ENOUGH! I’m sick of Google, Facebook, Twitter, and WhatsApp. I’m going to an island without internet, where there’s no cellphone line, and no one to spy on me …

I understand sir, but you’ll need to renew your passport … it expired 5 weeks ago.

Web developers - if you can write code to tell me that my phone number or credit card number shouldn't have spaces in it, just remove the #$!@$!* spaces for me FFS! You know very well people are going to put the spaces in there...

My sister lending me her credit card to buy something online.

S: "But don't store the number!"
me: "I would never."
S: "I know you can hack it, please don't!!"
me: "Haha okay.."
*cries inside... just because I make websites and 3D design*
me: "Thanks a lot, sis <3"

Dude
The client has a giant database with all credit and debit cards

ALL INFOS IN FUCKING PLAINTEXT
THE CARD NUMBER
THE CVV
THE EXPIRY DATE

I'M SHAKING AF

Ufffff thank god. My credit card number is not in their db, have checked that. Check yours too 😂

So, some time ago, I was working for a complete puckered anus of a cosmetics company on their ecommerce product. Won't name names, but they're shitty and known for MLM. If you're clever, go you ;)

Anyways, over the course of years they brought in a competent firm to implement their service layer. I'd even worked with them in the past and it was designed to handle a frankly ridiculous-scale load. After they got the 1.0 released, the manager was replaced with some absolutely talentless, chauvinist cuntrag from a phone company that is well known for having 99% indian devs and not being able to heard now. He of course brought in his number two, worked on making life miserable and running everyone on the team off; inside of a year the entire team was ex-said-phone-company.

Watching the decay of this product was a sheer joy. They cratered the database numerous times during peak-load periods, caused $20M in redis-cluster cost overrun, ended up submitting hundreds of erroneous and duplicate orders, and mailed almost $40K worth of product to a random guy in outer mongolia who is , we can only hope, now enjoying his new life as an instagram influencer. They even terminally broke the automatic metadata, and hired THIRTY PEOPLE to sit there and do nothing but edit swagger. And it was still both wrong and unusable.

Over the course of two years, I ended up rewriting large portions of their infra surrounding the centralized service cancer to do things like, "implement security," as well as cut memory usage and runtimes down by quite literally 100x in the worst cases.

It was during this time I discovered a rather critical flaw. This is the story of what, how and how can you fucking even be that stupid. The issue relates to users and their reports and their ability to order.

I first found this issue looking at some erroneous data for a low value order and went, "There's no fucking way, they're fucking stupid, but this is borderline criminal." It was easy to miss, but someone in a top down reporting chain had submitted an order for someone else in a different org. Shouldn't be possible, but here was that order staring me in the face.

So I set to work seeing if we'd pwned ourselves as an org. I spend a few hours poring over logs from the log service and dynatrace trying to recreate what happened. I first tested to see if I could get a user, not something that was usually done because auth identity was pervasive. I discover the users are INCREMENTAL int values they used for ids in the database when requesting from the API, so naturally I have a full list of users and their title and relative position, as well as reports and descendants in about 10 minutes.

I try the happy path of setting values for random, known payment methods and org structures similar to the impossible order, and submitting as a normal user, no dice. Several more tries and I'm confident this isn't the vector.

Exhausting that option, I look at the protocol for a type of order in the system that allowed higher level people to impersonate people below them and use their own payment info for descendant report orders. I see that all of the data for this transaction is stored in a cookie. Few tests later, I discover the UI has no forgery checks, hashing, etc, and just fucking trusts whatever is present in that cookie.

An hour of tweaking later, I'm impersonating a director as a bottom rung employee. Score. So I fill a cart with a bunch of test items and proceed to checkout. There, in all its glory are the director's payment options. I select one and am presented with:

"please reenter card number to validate."

Bupkiss. Dead end.

OR SO YOU WOULD THINK.

One unimportant detail I noticed during my log investigations that the shit slinging GUI monkeys who butchered the system didn't was, on a failed attempt to submit payment in the DB, the logs were filled with messages like:

"Failed to submit order for [userid] with credit card id [id], number [FULL CREDIT CARD NUMBER]"

One submit click later and the user's credit card number drops into lnav like a gatcha prize. I dutifully rerun the checkout and got an email send notification in the logs for successful transfer to fulfillment. Order placed. Some continued experimentation later and the truth is evident:

With an authenticated user or any privilege, you could place any order, as anyone, using anyon's payment methods and have it sent anywhere.

So naturally, I pack the crucifixion-worthy body of evidence up and walk it into the IT director's office. I show him the defect, and he turns sheet fucking white. He knows there's no recovering from it, and there's no way his shitstick service team can handle fixing it. Somewhere in his tiny little grinchly manager's heart he knew they'd caused it, and he was to blame for being a shit captain to the SS Failboat. He replies quietly, "You will never speak of this to anyone, fix this discretely." Straight up hitler's bunker meme rage.

- Hello! Gordon's pizza?
- No sir it's Google's pizza.
- So it's a wrong number?
- No sir, Google bought it.
- OK. Take my order please ..
- Well sir, you want the usual?
- The usual? You know me?
- According to our caller ID, in the last 12 times, you ordered pizza with cheeses, sausage, thick crust
- OK! This is it
- May I suggest to you this time ricotta, arugula with dry tomato?
- No, I hate vegetables
- But your cholesterol is not good
- How do you know?
- Through the subscribers guide. We have the result of your blood tests for the last 7 years
- Okay, but I do not want this pizza, I already take medicine
- You have not taken the medicine regularly, 4 months ago, you only purchased a box with 30 tablets at Drugsale Network
- I bought more from another drugstore
- It's not showing on your credit card
- I paid in cash
- But you did not withdraw that much cash according to your bank statement
- I have other source of cash
- This is not showing as per you last Tax form unless you got it from undeclared income source
-WHAT THE HELL? Enough! I'm sick of Google, Facebook, twitter, WhatsApp. I'm going to an Island without internet,where there is no cell phone line and no one to spy on me
- I understand sir, but you need to renew your passport as it has expired 5 weeks ago..

When developers can't use Regex:

'Your credit card number cannot contain spaces'

ಠ_ಠ

fuck code.org.

here are a few things that my teacher said last class.

"public keys are used because they are computationally hard to crack"

"when you connect to a website, your credit card number is encrypted with the public key"

"digital certificates contain all the keys"

"imagine you have a clock with x numbers on it. now, wrap a rope with the length of y around the clock until you run out of rope. where the rope runs out is x mod y"

bonus:

"crack the code" is a legitimate vocabulary words

we had to learn modulus in an extremely weird way before she told the class that is was just the remainder, but more importantly, we werent even told why we were learning mod. the only explanation is that "its used in cryptography"

i honestly doubt she knows what aes is.

to sum it up:

she thinks everything we send to a server is encrypted via the public key.

she thinks *every* public key is inherently hard to crack.

she doesnt know https uses symmetric encryption.

i think that she doesnt know that the authenticity of certificates must be checked.

Just submitted my first app to the Microsoft Store 🎉🎉

It's a simple offline password manager that also accepts other formats of data such as credit card and personal info.

Made it using WinUI 3. To prevent you from forgetting your master password, each "locker" accepts an unlimited number of passwords. If you forgot one, you can just use a different one. This is my idea to make offline password managers a little less of a hassle.

Can't wait for approval from the store!

Ordering a Pizza in 2022.

CALLER: Is this PizzaHut?

GOOGLE:No sir, it's Google Pizza

CALLER: Sorry, I have dialled wrong number.

GOOGLE: No sir, Google bought Pizza Hut last month.

CALLER:Ok, I would like to order a pizza.

Google:Do you want your usual, sir?

CALLER: My usual? You know me?

GOOGLE: your last 12 orders shows, extra-large pizza with cheeses, sausage on a thick crust

CALLER: Awesome! That's what I'll have.

GOOGLE: sir, we suggest you try our Gluten free veg pizza?

CALLER: What? I don't want a veg pizza.

GOOGLE: Your cholesterol is not good, sir

CALLER: How the hell do you know that?

GOOGLE: Well, we cross-referenced your home phone no. with your medical records

CALLER: Ok, but I don't want your rotten veg pizza! I have taken medication for my cholesterol.

GOOGLE: But your medication wasn't regular. you just bought 30 cholesterol tablets once,4 months ago from Loyd pharmacy.

CALLER: I bought more from another pharmacy.

GOOGLE: That doesn't show on your credit card statement.

CALLER: I paid in cash.

GOOGLE: But you did not withdraw enough cash according to your bank statement.

CALLER: WTH man! I'm going on island to live without internet & social media.

GOOGLE: I understand sir, but you need to renew your passport. It expired 6 weeks ago.

Security lifehacks 101

Why pay for password managers? Just use one secure password for every service you use! Password managers are really designed for fools who don’t know that you can just use one password for every service and who are ready to pay for that shit.

The best practice is to use your name starting with a capital letter + your main credit card number + CVC code from the back of that card as your go-to password. It’s long and hard to bruteforce and you can remember everything that way! You just need to remember that one password and you’ll always remember your payment info! No need for apple’s bad Apple Pay which is not so secure after all like everything else that Apple offers.

UX quiz:
a) trim whitespace characters from credit card or bank account input
b) refuse transaction, show error message: "no spaces are allowed in the card number"

Attention: incomming resentful boiled up for months rant.

Hands down G2APAY is the worst because:

Merchant account aproval takes fcking months. It starts with unreasonable delays in documents approval. I mean insane nitpicking. They want to see merchants name surname and address on every god damn document that you submit even if for example bank statement doesnt include these details. I had to manually edit pdf’s just so that they would fck off and approve the merchant application. Insane requirements for document check also combined with their email only support answering only once a week you will have to wait one month just to get your account approved.

Then you get to the fun part, approval proccess for vendor gateway and webhook integration. They are nitpicking everything you can imagine: about website not having https, website forum missing some icons, merchants phone number being from another country then he is, and bunch of other hundreds of problems imagined only by them. Again combined with their one email reply per week policy you will waste atleast one month to finish up your integration.

Now finally you are their client and you think you can chill and go back to focusing on your business? Nope bro. Prepare for threatening emails. Last time I got a request to install https or my merchant application will be shut down. I was given 3 days notice on a fcking friday and had to do it.

Then g2a backend is crashing quite often. Combined with their one email per week policy you are fcked in the ass if your users were not able to pay through g2a and you will get no compensation.

Their backend documentation is shiet. Not clear how to integrate everything and after you integrate they make changes without publishing any changesets. Your integration is working? Good luck if it will still be working tomorrow.

And the very worst part is that they stopped proccessing credit cards like month ago with zero notice. Its been weeks and still zero news about bringing card proccessing back. They sad that they were acquired by some other company so shitty support got even shittier now while they are in a proccess of handover.

So yeah thats the worst vendor I have ever seen in my life. For example integrating paypal took me 30 minutes. Integrating stripe and getting all documents reviewed took me one business day. Same with paymentwall integration and document approval took 1 business day. Support is amazing and even have a phone number that I can reach if urgent problems arise. Thats how it should be. Thats why I can pay percentage of my transactions with a smile for them.

Sorry for the typos since im typing on my shiet phone while driving.

Eat a bag of dicks g2apay. I hope you go bankrupt and shutdown.

lol

I had weird apple charges on my credit card so I called the bank and told them I didn't do them and own nothing apple.
they cancelled my card and sent me a new one.
the new one came with a paper saying I need to activate it and the first time I use it I might need to type in the pin.

credit cards typically worked if you insert or swipe you have to type in pin,
and you can wave it over the machine for small charges and that won't ask for pin, which is probably what they're saying is I can't wave until I pin.

so I go to the nearby grocery store so I can activate the card with the pin and order online groceries later, and coincidentally they have a new payment machine (why?), one of those without buttons that just looks like a phone.
I insert it, expecting it to ask me a pin... it beeps saying approved

so

I got credit card fraud and they sent me a new card
and the new card is literally less secure

it's like banks want fraud

when I was calling in or being re-routed with the bank the messages were always "higher number of calls than expected"

how bad is financial fraud rn. why are they making it worse

I don't think my card was leaked due to pinning though. when you order stuff online there should be an approval process on your end to confirm but it just doesn't exist. so if anyone gets your credit card info they can just sell that. I had to order a very hard to find drug from one sketchy (to me) website and after I did so that email got signed up to a weird newsletter and I harassed the shit out of that newsletter company for contacting me. I would assume they also sold my credit card details, or it "leaked" in a hack, whatever. this whole damned circus. I have 4 months of the drug but at some point I'll need more and they're the only ones that have it... so I guess I'll get to find out

Sus!
yesterday I bought a cool domain in namecheap, I was very lucky to find short and good one for my case.

Today (at weekends!!!!) I receive a letter:
>Hello **redacted name**,
>
>We are contacting you from the Namecheap Risk Management Team regarding your '**redacted name account**' account.
>
>Unfortunately, your Namecheap account was flagged by our fraud screening system as requiring verification and was locked.
>
>Please follow the instructions below to get your account verified:
>
>- take a color photo of the credit card used for the payment at **redacted link**
>
>Please make sure all of the edges of the credit card are visible, and that we can clearly see the card holder's name, expiration, and last four digits of the card number. The screenshots or images of the card cannot be accepted for verification. >If the submission does not meet these requirements, we can either request to submit the details again or permanently suspend your account.
>
>- provide a valid phone number and the best time to call you (within normal business hours, US Pacific time).
>
>If we do not hear back from you within 24 hours, we will be forced to cancel your orders.
>
>We apologize for any inconvenience that may result from this process. This extra verification is done for your security and to ensure that orders are legitimate. This industry, unfortunately, has a high rate of fraudulent orders, and this sort of >verification helps us drastically reduce fraud and ensure our customers remain secure. Such documents are used for verification only and are not provided to third parties in any way. Account verification is a one-time procedure, after your account >is verified, you will never face this issue again.
>
>Looking forward to your reply.
>
>---------------
>Dmitriy K.
>Risk Management
> Namecheap, Inc.

what if I did not notice it in 24 hours? It is the weekend for god's sake! People usually rest until monday.
They would what, cancel order and scalpel it to super high price?!
I have some doubts if the request is trully having anti fraudulent origins.

What if I used digital visa card? How was I supposed to photo it?

And the service they provided for photoing accepts only photos from web camera. I was lucky that I bought recently web camera with high enough amount of pixel power and manual focus. What if I did not?

That's all really SUS!
The person can not notice the letter within 24 hours time frame until the morning, when it would be already too late.

Legal Question regarding E-Commerce / Credit Card Payments.

The User sends his Credit Card Information (number/expiration Date/Safety Number) over email to vendor. Vendor types this info from the email into a Credit Card Terminal.

Is this even legal? I thought when listing Credit Card Payment you have to use a PSP (Payment Service Provider) that conforms to the security regulations etc.

Symfony's book tutorials starts out way too invasive. For example:

Their CLI has a specific command for you to clone the book project's repository. This command won't run unless you have all their dependencies installed (including docker and yarn). In the end a good old fashioned git clone does the trick.

Next, before even writing a single loc, the book urges you to create a symfonycloud account and give them your credit card number.

Seriously what the hell.

Should I mail you a drop of my blood as well so you can check out my ancestry while I'm at it?

The only thing worse than client QA is client vendor QA.

I do QA for a company that does custom implementations of a major e-commerce platform. On one of my current projects, the customer has elected to outsource their UAT, and isn't willing to wait for the site (or even individual features) to be complete before starting testing, so I've been triaging a lot of silly tickets. But today took the cake.

This system allows users to save their credit card info. The vendor QA guy filed a ticket "reporting" that if he saved a cc with a given number, then created a new cc record with the same number but a different expiration date, the original record was overwritten, rather than a new record being created.

I just stared at the thing for like five minutes, gathering the mental strength to reply with something other than "you're an idiot."

cbc vs gcm vs ... for my app?

currently ive get ecb 256 bit already implemented and working well, but i want an extra layer of privacy. if you had to send your ssn or credit card number over a vulnerable network, would you be more comfortable encrypting it with cbc or gcm?

Am I in developer hell already? A shitty project is about to come to an end (hopefully), or should I rather say: It needs to come to an end. But I am still quite lost in how to deal with it, hence procrastinating on it - making the deadline come closer and with it the realization that I'll probably have to rewrite almost everything. I'm not sure how, but I do know that the current code is a dumpster fire.

Basically what I need to do is dealing with the APIs of different payment providers/gateways (like PayPal, AmazonPay). For most cases I'll get a payment ID from the shop and need to act on it later, e.g. capture the authorized money in the case of a credit card transaction or do refunds (without user interaction, unless there is an error). Now at first I put something together where I try to abstract the payment information into two tables:
orders{1}<->{0..n}payments
payments{1}<->{1..n}paymentDetails

Unfortunately trying to abstract the different payment methods and to squeeze them (and their different possible stati and functions) in these tables was not very successful, it's a total mess with magic numbers, half-broken behavior and without any consideration for partial payments/captures or unfinished requests (i.e. if there is an exception before the response is dealt with, there is no indication that anything has ever been sent). Also the current amount is calculated through the history of the paymentDetails table, which basically works differently for each payment type.

How to fix this mess in a way that I'll still have a job by next week?

I'm trying to improve the db schema first, as I think my biggest problems are lying there. Through some research I've come across a recommendation for making payment type specific subtables (with a magic number/string in the main table to prevent having to look up all subtables). That way I can record what I send and receive without having to abstract it too much, so I'll have an acceptable transaction log. The paymentDetails table can be removed (necessary fields go to the payments table). The payments table gets multiple fields for the amount (differentiating between open, authorized, captured, processing and refunded values) and always reflects the current status.

Tables:
payments
paymentRequestsPaypal
paymentRequestsAmazonpay
paymentRequestsXyz

I think I'm going in the right direction here. hm. Maybe there's some light at the end of this long, dark tunnel. Or a train. I'll have two days to find out.