Contract: Purdue Alumni Association Chrome Extension

[Image: Extensions.png]

KISS (Keeping it stupid simple)

So the Purdue Alumni Association approached gnar.io for help with their payment system. In particular, at events where they signed people up for alumni membership, staff had to manually key in each person's credit card details. This was clearly an error-prone, time-consuming, and laborious task. They wanted swipe payments with a passion.

Gnar.io contacted me for help to scope, evaluate, design, and develop the solution. After reviewing all the options, we settled on a Chrome extension. The primary drivers of this decision were the restrictions on access to their database, which ruled out a more integrated solution, and the limited ROI, which constrained the budget.

The user flow of this solution is also incredibly simple. The user clicks the extension icon to activate it, then swipes the card in the credit card reader, which auto-populates the webpage's payment fields. This works because the credit card reader acts as a USB keyboard that types in the raw credit card data, and the extension can focus the cursor on its own input field on activation. So it's literally just click and swipe.

Due diligence

But most importantly, a Chrome extension can be very secure. Every day millions of people use password managers like 1Password to store and enter their usernames, passwords, and credit card info. Luckily for us, we don't need to store anything, which removes a great deal of security risk. But that is not to say we didn't stress security.

The extension itself is completely self-contained, written in vanilla JavaScript with no outside dependencies, and it works essentially offline. The credit card info is cleared from the extension immediately after it's sent to the webpage. The only thing it stores is the ids of the webpage's input fields, and it only enters the information into an input field whose id matches one of those stored ids. We sanitize any user input to prevent entering or storing malicious code. And users can update the input field ids on their own using a simple built-in interface, so the extension itself doesn't need to be updated when the page changes.
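To make the click-and-swipe path and the safeguards above concrete, here is an added, self-contained JavaScript sketch; it is not the project's code, which isn't published here. It parses the characters a keyboard-wedge reader "types" (the track layout assumed is the common ISO/IEC 7813 encoding), runs a Luhn check so a misread swipe is rejected, allowlists the user-configured field ids rather than trusting them, maps the parsed values onto those ids, and drops the parsed card data as soon as the fill plan exists. The sample swipe string, the field id names and the test PAN 4111111111111111 are constructed for this example.

```javascript
// Added illustration of the swipe-to-fields path; not the project's own code.
// Track 1: %B<PAN>^<LAST/FIRST>^<YYMM><service code><discretionary>?
// Track 2: ;<PAN>=<YYMM><service code><discretionary>?
const TRACK1 = /%B(\d{1,19})\^([^^]{2,26})\^(\d{2})(\d{2})[^?]*\?/;
const TRACK2 = /;(\d{1,19})=(\d{2})(\d{2})[^?]*\?/;

// Track 1 stores the name as LAST/FIRST; turn it into "First Last".
function formatName(field) {
  const [last, first = ''] = field.split('/');
  return `${first.trim()} ${last.trim()}`.trim();
}

// Parse the raw characters the reader types. Returns null when neither
// track is recognisable, so stray keystrokes never reach the page.
function parseSwipe(raw) {
  const t1 = TRACK1.exec(raw);
  if (t1) {
    const [, pan, name, yy, mm] = t1;
    return { pan, name: formatName(name), expMonth: mm, expYear: `20${yy}` };
  }
  const t2 = TRACK2.exec(raw);
  if (t2) {
    const [, pan, yy, mm] = t2;
    return { pan, name: '', expMonth: mm, expYear: `20${yy}` };
  }
  return null;
}

// Luhn check: catches a misread digit before anything is typed into a form.
function luhnValid(pan) {
  let sum = 0;
  let double = false;
  for (let i = pan.length - 1; i >= 0; i--) {
    let d = Number(pan[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return pan.length >= 12 && sum % 10 === 0;
}

// A user-configured field id is accepted only if it looks like a plain HTML
// id (allowlist, not blocklist); anything else is dropped. Look the element
// up with document.getElementById(id), never by building a selector string.
const ID_PATTERN = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;
function sanitizeFieldId(id) {
  return typeof id === 'string' && ID_PATTERN.test(id) ? id : null;
}

// Build the list of { id, value } pairs to fill. Only configured, valid ids
// are emitted, so a field the page does not have is simply skipped.
function buildFillPlan(card, fieldIds) {
  const plan = [];
  for (const [key, value] of Object.entries(card)) {
    const id = sanitizeFieldId(fieldIds[key]);
    if (id && value) plan.push({ id, value });
  }
  return plan;
}

// What the extension would run on a swipe: parse, validate, plan the fill,
// then blank the parsed card object. JavaScript cannot scrub string memory,
// so this is best effort: it drops every reference the extension holds.
function handleSwipe(raw, fieldIds) {
  const card = parseSwipe(raw);
  if (!card || !luhnValid(card.pan)) return [];
  const plan = buildFillPlan(card, fieldIds);
  for (const k of Object.keys(card)) card[k] = '';
  return plan;
}

// Constructed sample input: the well-known Visa test PAN and made-up ids.
const SAMPLE_SWIPE =
  '%B4111111111111111^DOE/JANE^25121011000000000?;4111111111111111=25121011000000000?';
const SAMPLE_FIELDS = {
  pan: 'card_number', name: 'card_name', expMonth: 'exp_month', expYear: 'exp_year',
};
const SAMPLE_PLAN = handleSwipe(SAMPLE_SWIPE, SAMPLE_FIELDS);
```

In a real extension the fill step would be `document.getElementById(id).value = value` for each entry of the plan, run from the content script; the parsed card object never needs to touch `chrome.storage`, which is what the page above means by "only stores the input field ids".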

The credit card reading hardware was purchased from a large payment hardware manufacturer (MagTek), and the units were purchased not online but from a brick-and-mortar retailer to help ensure they hadn't been tampered with. The particular model was also apparently accepted by the Department of Justice for payments.

In addition, users were advised to turn off other extensions while using the computer as a point-of-sale system, since extensions commonly hold overreaching permissions such as "Read and change all your data on the websites you visit."

Finally, the Purdue Alumni Association was given ownership of the extension to prevent any tampering, and was advised to treat the Google account that owns the extension with care, especially in light of recent phishing attacks specifically targeting Chrome extension developers.

At the end of the day, they were overjoyed with the simplicity and effectiveness of the solution we came up with for them, and breathed a long sigh of relief.

[Animation: purduechromeextension.gif]