I already knew that I should not do this.
Still I did it.
Have I lost my mind?
No… It’s just that I love my profession. My only mistake was I could lower the intensity of the damage but I didn’t think about that, possibly I was completely lost in my task.
But last line I mentioned in my session report was “ …and I am screwed”.
You must be wondering what I am talking about.
Background:
Few days ago while testing an e-commerce application I had ordered some useless items of more than INR 13K using my credit card, payment made as guest user and items would be delivered on an address which doesn’t exist in the world.
I was on payment page of the application and I tried some fake Credit Card No. but they were not helping me with what I was testing. So I entered my Card No. without verification code or password. I was sure that it would ask me the verification code but guess what? Payment is accepted instantly and within a minute I received message from my bank that payment was approved. I was staring the screen like moron. It took me some time to come out in my senses.
You are definitely going to ask - Have I lost my mind?
Still my answer is No.
Why?
Because:
- My step was bold but not stupid (although it may seem stupid to many readers). The only problem was I have considered large amount. I should consider the lesser amount so that the impact is less.
- Now I know that I need to learn in detail how does payment processing works both from functional and security aspects.
- I learned a lesson – Never make assumptions while testing. Test and find the facts.
- I have found a very serious security from the end user’s perspective.
Truly speaking – I was upset because I had lost 13K in seconds and it was huge amount for me but I was not repenting on my deed. In life sometimes we need to think beyond monetary things and this incident was one of them.
Do you think this incident will stop me from doing testing like this? Think again - the defect I have found is really a good one. So I don’t think I have lost money. I have found a serious bug in payment gateway and I am happy about that.
There are few points I came to know after having discussion with Bank staff. You might found useful them:
- The payment once approved from the bank on your card can not be blocked although you can use Charge Dispute form against it to get your payment back later.
- For International transactions verification code is not mandatory. So, never share your credit card no. with anyone because once it is leaked, anybody can guess the Expiry Date on retrial basis and can use your card.
- The payment can roll back if merchant doesn’t claim the amount in specified period or order is cancelled.
BTW, I got my money back later. I sent some mails here and there and order was cancelled.
Overall this incident was not bad at all. What’s your point of view on this incident? Please share your views with me via comments or mails.
Special Thanks to Lakshminarasimha Manjunatha Mohan for guiding me whenever needed.
2 comments:
Hey Mohit, I have tested Flipkart several times this way. I ensure to consider small amounts while testing gateway flows. Some times, some ideas are so good that common sense hides in a corner. At such times, books got delivered home. Either way, I was benefited :)
Good post. Thx for sharing.
Rods,
Parimala shankaraiah
Hi Parimala,
Thanks for the comment. As you said, next time I will make sure to test with smaller amount. This incident was a lesson for me to keep my eyes open always and Test to trust.
Post a Comment