[thelist] authorize.net says md5 algorithm error prone

Erik Heerlein erik at erikheerlein.com
Sat Jun 4 15:47:26 CDT 2005

For a recent customer's transaction, there was not a match from the MD5 
hash that was returned from the gateway, signaling to me that the 
response was in reality, somehow forged and not from authorize.net and 
it appeared as if the customer was trying to falsify the response.  
However, authorize.net had authorized the transaction and said things 
were fine with the card and the customer is legit. I had implemented 
the MD5 hash about 5 months ago, this is the first problem.

I contacted authorize.net and they said that the MD5 hash is error 
prone, is optional and they recommended disabling it and not using it 
as a security feature. This goes against everything I have read about 
internet security and even contradicts authorize.net's own 
documentation. However, this belief was confirmed by a second tech 
support person at authorize.net.

Is the MD5hash worth using? Is it error prone or is authorize.net's 
implementation of it that is error prone? It just seems incredulous 
that to get my site to work correctly, they suggest that I make it less 

[>] Erik Heerlein
     Web Developer

     erik at erikheerlein.com

More information about the thelist mailing list