Something strange happened on my store and I really have no clue about what it was or even how it could happen! I’ve already seen fraud or bugs but today, I have no idea about what happened! I'll try to make it simple and clear and I hope someone can give me an opinion about all that.
- A customer placed an order at 21h50 with a credit card payment method. When clicking "Place Order" on the checkout, the customer was redirected to the payment gateway but never returned to the Magento store.
- As a result, an Order #10009001 was created with a "Waiting validation" status, because it wasn't paid. That order has two different product items.
### At this point nothing strange, it happens all the time and it's related to my CC module which creates the order before the redirection (not great I know). But here comes the weird part … ###
- At 22h05, a PayPal payment was received on my PayPal account. It refers to the order #10009001 and it has a transaction number. But unlike the real order #10009001 saved in my Magento store, it has only one product and the total is equal to the #10009001 total minus that missing product.
- There is no trace of the transaction in Magento. No error/exception log. Order #10009001 is still in the "Waiting validation" status. No new order was created at this time.
Here is what feels strange to me and why nothing makes sense at this point:
- How can the PayPal transaction point to an existing order ID placed 15 minutes before?
- How did one item get removed when redirected to PayPal?
- Could it be just a bug without report or error or exception log?
- I was not able to reproduce it. I've tried placing two orders simultaneously with 2 browsers, doing dumb stuff like going back and forward to change payment method and order items, ...
- How would such a fraud even be possible if the data sent from Magento to PayPal is encrypted with my PayPal private credential?
So here I am, left with more questions than answers. It’s the first time this has happened to me and I don't really know what to think or where to search now.
Good news is, if the customer was trying a hack, it didn't succeed. Order status was not validated but he got the money taken from his account. If it’s a bug, why is there nothing in the log? Why was the payment accepted by PayPal? Normally the IPN call on the Magento store returns false if the same order was already placed before and PayPal stops the transaction.
So does it seem familiar to anyone? Any ideas?
Thanks for reading all of this already and for all the help you could give.
Could it be that somehow the customer managed to go back to your site and they still had access to their basket (which had the order ID reserved on it), they removed one item, then they proceeded to PayPal again, Magento couldn't place the order properly because one already existed but somehow they managed to get through to PayPal who accepted the transaction and money? Sounds strange though!
Yes, I also thought about something like that but there are many "if"s in that solution, and I couldn't reproduce something even a bit similar. But bugs can happen and I've already seen worse, so why not.