cappuccino

Reputation: 2185

Can You Securely Authenticate A Request Via IP?

I am currently integrating the NAB Transact payment gateway into an e-commerce shop. Once the payment has been processed the NAB Transact system sends a POST request to our endpoint for us to process the result.

The problem is that the POST request contains no secure hash / token that we can use to post back to the NAB Transact system to authenticate that the request is real and not spoofed. Even worse, the NAB Transact system does not even have an API for any authentication of any information; essentially, very bad security!

Is there a way to securely authenticate these requests? For example, checking that the requests come from a list of known IP addresses that the NAB Transact system operates on? Or reverse lookup an IP? What options are there and how would you implement this in PHP?

Isn't relying on IP authentication not that secure since it can be spoofed?

Upvotes: 4

Views: 386

Answers (2)

paulsm4

Reputation: 121881

The problem is that the POST request contains no secure hash / token that we can use to post back to the NAB Transact system to authenticate that the request is real and not spoofed

Yup - that's a problem alright :)

Isn't relying on IP authentication not that secure since it can be spoofed?

It isn't at ALL secure!

Upvotes: 0

ThiefMaster

Reputation: 318808

Authentication based on IP addresses is fine if you:

  • know the list of IPs (i.e. the ones used by the payment provider)
  • the IPs are static (obviously, but if the request is actually sent by the provider and not e.g. through a hidden form on the "payment successful" page that's the case)
  • they immediately notify you of any changes (or your script might reject valid requests or accept requests from IPs not used by the provider anymore)
  • all systems which can use the IP address (i.e. the servers of the payment provider, assuming the datacenter is not using some crappy network setup) are trusted enough not to send any false notifications.

Spoofing the source IP is not possible since TCP uses a three-way handshake and with a spoofed IP the handshake would fail.

So basically: Authentication by IP is acceptable if some basic criteria are met (see above), but of course it would be more secure if they provided you with a way to validate the notification - either by calling an API on their side or by using a cryptographic signature (better since it cannot fail due to an unreachable remote server).

Upvotes: 1
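As an added illustration (not code from the question or either answer), here is the allowlist check the answer describes, written in the PHP the asker requested, next to the HMAC verification the answer calls the better option. The IP ranges, shared secret and sample requests are constructed placeholders, not NAB Transact values; the HMAC helper assumes a provider that does sign its callbacks.

```php
<?php
// Added example: allowlist check on the TCP peer address, plus the signature
// check that is preferable when the provider supports one. 64-bit PHP assumed.
declare(strict_types=1);

// True if dotted IPv4 $ip lies inside "a.b.c.d/n" (or equals a bare address).
// Comparing packed integers avoids prefix slips like 10.1.1.0 matching 10.1.10.0.
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bitsStr] = array_pad(explode('/', $cidr, 2), 2, '32');
    $bits = (int) $bitsStr;
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

// Uses REMOTE_ADDR only: that is the address the TCP handshake protects.
// X-Forwarded-For and similar headers are chosen by the sender and must not
// be trusted unless your own reverse proxy overwrites them.
function isTrustedSource(array $server, array $allowlist): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($allowlist as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            return true;
        }
    }
    return false;
}

// The signature alternative: HMAC over the raw body with a shared secret,
// compared in constant time so the check leaks nothing through timing.
function hasValidSignature(string $rawBody, string $presented, string $secret): bool
{
    $expected = hash_hmac('sha256', $rawBody, $secret);
    return hash_equals($expected, $presented);
}

// Constructed sample values; replace with the ranges your provider publishes.
$providerRanges = ['203.0.113.0/24', '198.51.100.7'];
var_dump(isTrustedSource(['REMOTE_ADDR' => '203.0.113.42'], $providerRanges));
var_dump(isTrustedSource(['REMOTE_ADDR' => '198.51.100.8'], $providerRanges));
$secret = 'constructed-shared-secret';
$body = 'order=1234&status=approved';
var_dump(hasValidSignature($body, hash_hmac('sha256', $body, $secret), $secret));
```

Rejecting a callback on a failed check should still log the peer address, because a silently dropped notification from a range the provider changed without notice (the answer's third criterion) is otherwise hard to diagnose.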
