Common Security Risks and Protection Measures for Duplicate Callbacks and Forged Requests
The most common security issues in a payment system are not always direct attacks; they are often “normal-looking requests” that become dangerous inside a business flow. Examples include duplicate callbacks, forged requests, amount mismatches, address tampering, and state bypasses. These problems can lead to duplicate crediting, incorrect settlement, or reconciliation failures.
To avoid these problems, the system must address four areas at the same time: request authentication, state management, amount validation, and callback processing. If any one of these is missing, the payment flow will create operational risk.
Duplicate Callbacks
Duplicate callbacks often happen after timeouts, client retries, server retries, or asynchronous notification failures. Without idempotency controls, the merchant can process the same order multiple times and credit funds more than once. The fix is to track the merchant order number or platform order number and skip requests that have already been handled.
Forged Requests
Forged requests may imitate legitimate payment flows or simulate a valid callback to trigger crediting. The main defenses are HMAC signatures, timestamp validation, nonce validation, IP whitelists, and callback URL whitelists. Signatures are not optional; they are a core part of the interface contract.
Amount Mismatches
Amount mismatches often happen because of precision issues, currency confusion, partial state changes, or missing fields. The recommended solution is to use a consistent amount format, clearly define the currency field, validate the callback amount against the original order amount, and reconcile the totals during settlement.
Address Tampering
In payout scenarios, a tampered withdrawal address or payment address can send funds to the wrong destination. It is advisable to whitelist payout addresses, require extra approval for new addresses, and bind the address directly to the order or merchant account.
Recommended Protection Measures
- Validate every external request with a signature.
- Record every critical state transition in a traceable log.
- Deduplicate retries and callbacks using idempotency keys.
- Add manual review for high-risk transactions.
Security is not just about adding one firewall. It is about making the full payment flow verifiable, auditable, and recoverable. That is the only way for merchants to rely on payment services as stable business infrastructure.