[BUG] Possible duplicated payments on https://emask.taiwan.gov.tw/
=====

# Description

Because of a flaw in the flow of the [eMask mask pre-order system](https://emask.taiwan.gov.tw/), the same user's pre-order can be paid twice: once by bank transfer and once by credit card.

# Steps to Reproduce

> This example is one of the possible situations that trigger the problem. Other ways to reach the same result may exist.

1. **User A** logs in to the system and completes a mask pre-order with their NHI card.
2. **User B** logs in to the system and completes a mask pre-order with their NHI card.
3. During the regular payment period, **User A** uses the payment query function to obtain the ATM transfer (deposit) account (i.e. *004-3909120081017521*).
4. **User A** completes the payment by ATM transfer.
5. During the regular payment period, **User B** logs in with their NHI card and selects **Pay by credit card** as the payment method.
6. During the regular payment period, **User B** adds **User A**'s **national ID number** as a combined-payment user.
7. **User B** completes the payment by credit card.

# Expected Result

The system should warn the user that the order has already been paid, or block **User B** from paying on behalf of **User A** before **User B** completes the payment process.

# Actual Result

**User A**'s pre-order was settled both by **User A**'s own bank transfer and by another user, **User B**, paying for **User A** by credit card.

# Affected Account Information

Known affected account information:

## **User A**

| Type | Value |
| ------------------------ | -------------------- |
| National ID number | H1XXXXXX64 |
| Transfer-from account | 822-00009015XXXXX603 |
| Deposit account | 004-3909120081017521 |
| Mask pre-order number | 0100026975 |
| Transaction time | 2020.03.19 |
| Amount | NTD $ 22 |

## **User B**

| Type | Value |
| ------------------------------------- | ----------------------------- |
| National ID number | H1XXXXXX28 |
| Mask pre-order number | 0100091917 |
| Credit card transaction serial number | 090615 |
| Transaction time | 2020.03.19 23:46 (GMT +0800) |
| Amount | NTD $ 44 |

# Suggestions

There may be other ways to avoid duplicate payments. One is a UI improvement: stop users from obtaining the ATM transfer account directly, and prompt the user that, if they choose to display the ATM transfer account, that payment will be restricted to ATM transfer only. This change of flow gives the eMask system the opportunity to record the user's choice, so that the combined credit card payment flow can check for a duplicate payment.

# Attachments

1. **User A** ATM transfer result screen: [https://imgur.com/PsJLGOE](https://imgur.com/PsJLGOE)
2. **User B** credit card payment confirmation screen: [https://imgur.com/RhddGAC](https://imgur.com/RhddGAC)
3. eMask online text customer service conversation: [2020/03/20 10:00 AM](https://imgur.com/F7LKmsG), [2020/03/23 12:11 PM](https://imgur.com/Raodnlh)

-------

# Summary

Because of a flaw in the flow of the [eMask mask pre-order system](https://emask.taiwan.gov.tw/), it is possible to receive a duplicated payment for the same pre-order from both a bank transfer and a credit card payment.

# Steps to Reproduce

> This example is one of the possible situations that make this problem occur. There may exist other ways to get the same result.

1. **User A** logs in to the system and completes the mask pre-order with their health ID card.
2. **User B** logs in to the system and completes the mask pre-order with their health ID card.
3. During the regular payment period, **User A** gets their deposit account via the payment query feature (i.e., *004-3909120081017521*).
4. **User A** completes the payment with the transfer information described above.
5. During the regular payment period, **User B** logs in to the system with their health ID card and selects "Pay by credit card" as the payment method.
6. During the payment, **User B** adds **User A**'s ID as an integrated (merged) payment user.
7. **User B** completes the credit card payment process.

# Expected Results

The system should warn users about a possible duplicate payment, or block users from performing another payment once the user has finished the payment process.

# Actual Results

**User A**'s pre-order has been paid both by **User A**'s own bank transfer and by a credit card payment from another user, **User B**.

# Additional Information

Known affected account information:

## **User A**

| Type | Data |
| ---------------------- | -------------------- |
| User ID | H1XXXXXX64 |
| Transfer account | 822-00009015XXXXX603 |
| Deposit account | 004-3909120081017521 |
| eMask pre-order number | 0100026975 |
| Transfer time | 2020.03.19 |
| Amount | NTD$ 22 |

## **User B**

| Type | Data |
| ------------------------ | ---------------------------- |
| User ID | H1XXXXXX28 |
| eMask pre-order number | 0100091917 |
| Credit card transfer No. | 090615 |
| Transfer time | 2020.03.19 23:46 (GMT +0800) |
| Amount | NTD$ 44 |

# Suggestions

There may be other ways to avoid duplicated payments. One is a UI improvement: block the user from retrieving the deposit account directly, and warn the user that the payment will be limited to bank transfer only once they decide to reveal their deposit account. This gives the eMask system a record of the choice made by this user, and makes duplicate-payment verification possible for the "pay by credit card" flow.

# Attachments

1. **User A** bank transfer log screenshot: [https://imgur.com/PsJLGOE](https://imgur.com/PsJLGOE)
2. **User B** credit card payment confirmation screenshot: [https://imgur.com/RhddGAC](https://imgur.com/RhddGAC)
3. eMask online text service screenshots: [2020/03/20 10:00AM](https://imgur.com/F7LKmsG) & [2020/03/23 12:11PM](https://imgur.com/Raodnlh)
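The Suggestions section proposes recording the user's payment choice so that the combined credit card flow can reject an order that is already settled or reserved for ATM transfer. The following is an added example of that server-side check, written for this page and not taken from the eMask system: an in-memory pre-order ledger with three states (unpaid, ATM-locked, paid), a credit card checkout that validates every merged order before charging anything, and a replay of the report's seven steps. The user labels, order numbers and the placeholder ATM account are constructed; the NTD 22 amount is the one the report gives.

```python
# Added example (not eMask's code): an in-memory pre-order payment ledger
# that enforces the rule the report's Suggestions section asks for.
# User labels, order numbers and the ATM account are constructed sample values.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional

# Constructed placeholder for the virtual account the bank would assign.
ATM_DEPOSIT_ACCOUNT = "000-0000000000000000"


class PayState(Enum):
    UNPAID = "unpaid"            # nothing chosen yet; any method may settle it
    ATM_LOCKED = "atm_locked"    # ATM account revealed; only a bank transfer may settle it
    PAID = "paid"                # settled; every further payment attempt is a duplicate


@dataclass
class PreOrder:
    order_no: str
    user_id: str
    amount: int                     # NTD
    state: PayState = PayState.UNPAID
    paid_by: Optional[str] = None   # "atm" or "credit_card" once PAID


class DuplicatePaymentError(Exception):
    """Raised when a payment would settle an order that is already paid or reserved."""


class PaymentLedger:
    def __init__(self) -> None:
        self._orders: Dict[str, PreOrder] = {}   # keyed by user id: one pre-order per ID card

    def register(self, user_id: str, order_no: str, amount: int) -> PreOrder:
        if user_id in self._orders:
            raise ValueError(f"{user_id} already has a pre-order")
        order = PreOrder(order_no, user_id, amount)
        self._orders[user_id] = order
        return order

    def order_for(self, user_id: str) -> PreOrder:
        try:
            return self._orders[user_id]
        except KeyError:
            raise ValueError(f"no pre-order for {user_id}") from None

    def reveal_atm_account(self, user_id: str) -> str:
        """Payment-query step. Revealing the account locks the order to bank transfer;
        this is the record the report says the current flow never keeps."""
        order = self.order_for(user_id)
        if order.state is PayState.PAID:
            raise DuplicatePaymentError(f"{order.order_no} is already paid by {order.paid_by}")
        order.state = PayState.ATM_LOCKED
        return ATM_DEPOSIT_ACCOUNT

    def record_atm_transfer(self, user_id: str, amount: int) -> PreOrder:
        """Bank reconciliation callback for a transfer received on the deposit account."""
        order = self.order_for(user_id)
        if order.state is PayState.PAID:
            raise DuplicatePaymentError(f"{order.order_no} is already paid by {order.paid_by}")
        if amount != order.amount:
            raise ValueError(f"expected NTD {order.amount}, got NTD {amount}")
        order.state, order.paid_by = PayState.PAID, "atm"
        return order

    def credit_card_checkout(self, payer_id: str, merged_ids: Iterable[str] = ()) -> int:
        """Combined credit card payment: the payer plus any IDs added for merged payment.
        Every order is validated before anything is charged, so one blocked order fails
        the whole checkout and leaves no partial state behind."""
        orders = [self.order_for(uid) for uid in [payer_id, *merged_ids]]
        blocked: List[str] = [o.user_id for o in orders if o.state is not PayState.UNPAID]
        if blocked:
            raise DuplicatePaymentError(
                "already paid or reserved for ATM transfer: " + ", ".join(blocked))
        total = sum(o.amount for o in orders)
        for o in orders:                        # commit only after every check passed
            o.state, o.paid_by = PayState.PAID, "credit_card"
        return total


def replay_report_scenario() -> Dict[str, str]:
    """Replays the report's seven reproduction steps against the ledger and returns
    the outcome of each payment attempt (constructed user labels and order numbers)."""
    ledger = PaymentLedger()
    ledger.register("user_A", "ORDER-A", 22)          # step 1
    ledger.register("user_B", "ORDER-B", 22)          # step 2
    ledger.reveal_atm_account("user_A")               # step 3: A asks for the ATM account
    ledger.record_atm_transfer("user_A", 22)          # step 4: A pays NTD 22 by transfer
    try:                                              # steps 5-7: B merges A and pays by card
        ledger.credit_card_checkout("user_B", ["user_A"])
        merged = "charged"                            # the behaviour the report observed
    except DuplicatePaymentError:
        merged = "rejected"                           # the expected result
    own = "charged" if ledger.credit_card_checkout("user_B") == 22 else "wrong_total"
    return {"merged_with_A": merged, "B_alone": own}
```

With this ledger, step 6 fails as soon as User A's order is in any state other than unpaid, whether it was already settled by transfer or merely reserved for transfer by revealing the ATM account, and User B's own order is left untouched so that User B can still pay for it alone. The validate-then-commit shape in `credit_card_checkout` matters in a real deployment too: the charge to the card issuer should only be sent after every merged order has passed the check.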