TechEcho

Warn HN: Using CCAvenue (India) for net-banking? You may be losing money

7 points by niyazpk almost 14 years ago

(I don't know whether this is true for CCAvenue in other countries, but it will not hurt you to find out.)

I was analyzing the security of our startup's payment infrastructure when I found that CCAvenue is using a very poor error detecting code instead of a cryptographically secure hash to validate the payment from the bank.

As a merchant, what this means to you is that even if CCAvenue[0] tells you that the payment is done, the money may never reach your account. Why? Because it is easy to forge a response from CCAvenue saying that the payment has been made.

There is nothing *you* can do to prevent this attack. To prevent these types of attacks, CCAvenue should switch to a better[1] hashing algorithm.

One thing you *can* do is to verify with your bank (after the fact) that you did indeed receive the money. But for many merchants like us, we would have already shipped the item to the customer before we even receive that data from our bank.

[0] Maybe CCAvenue is not the one telling you that the payment is done. But there is no way to find out.

[1] *Better* is the wrong word here. They are using a broken error detecting algorithm instead of a hash.
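To show why an unkeyed error-detecting code cannot authenticate a gateway callback while a keyed MAC can, here is an added example; it is not CCAvenue's protocol or code, and the field names, callback values and shared secret are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed example: a hypothetical gateway-to-merchant payment callback.
# Field names and the secret are illustrative, not CCAvenue's actual protocol.
MERCHANT_SECRET = b"example-shared-secret"  # known only to gateway and merchant


def canonical(fields: dict) -> bytes:
    """Serialise the callback fields in a fixed order so both sides tag the same bytes."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def checksum_tag(fields: dict) -> str:
    """Unkeyed error-detecting code (CRC-32): catches accidental corruption only.
    Anyone who can read the message can recompute it, so it proves nothing about origin."""
    return f"{zlib.crc32(canonical(fields)) & 0xFFFFFFFF:08x}"


def hmac_tag(fields: dict, secret: bytes = MERCHANT_SECRET) -> str:
    """Keyed MAC (HMAC-SHA256): only a holder of the shared secret can produce a valid tag."""
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def verify_checksum(fields: dict, tag: str) -> bool:
    return hmac.compare_digest(checksum_tag(fields), tag)


def verify_hmac(fields: dict, tag: str, secret: bytes = MERCHANT_SECRET) -> bool:
    # Constant-time comparison so the merchant side does not leak tag bytes via timing.
    return hmac.compare_digest(hmac_tag(fields, secret), tag)


def demo() -> dict:
    """Compare how each scheme treats a genuine callback and a modified copy of it."""
    genuine = {"order_id": "1001", "amount": "499.00", "status": "failed"}
    crc, mac = checksum_tag(genuine), hmac_tag(genuine)
    # A third party without the secret changes the status and recomputes both tags.
    tampered = dict(genuine, status="success")
    recomputed_crc = checksum_tag(tampered)        # needs no secret, so it validates
    recomputed_mac = hmac_tag(tampered, b"guess")  # wrong key, so it does not
    return {
        "genuine_checksum_ok": verify_checksum(genuine, crc),
        "genuine_hmac_ok": verify_hmac(genuine, mac),
        "tampered_checksum_ok": verify_checksum(tampered, recomputed_crc),
        "tampered_hmac_ok": verify_hmac(tampered, recomputed_mac),
    }
```

As the post says, the merchant cannot add the key on their own; the keyed tag has to be issued by the gateway, and until then reconciling against the bank's records after the fact is the only check available.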

2 comments

wladimir almost 14 years ago

"Because it is easy to forge a response from CCAvenue saying that the payment has been made"

The IP from which this response comes should be an indication? Not 100% secure, but a useful heuristic.

Comment #2624250 not loaded

niyazpk almost 14 years ago

A few more details here: http://hackerstreet.in/item?id=6727

Comment #2624010 not loaded