
Everyone can see your credit card details. Seriously.

Arnav Gupta
January 25, 2017

The security vulnerabilities that exist in mobile payment systems.


Transcript

  1. DISCLAIMER:
     1. Some popular companies have been named and their apps/websites used in screenshots. They are just examples, and have not been picked because they are any more (or less) vulnerable than their competitors.
     2. Logos of companies used are, obviously, the registered trademarks of the respective companies.
     3. Vulnerabilities discussed here are technical in nature. All entities and organizations discussed here have legal and regulatory overwatch. Gaps in regulation/legislation/policy are not covered here.
     4. Negligence is not criminal intent. Oversight is not the same as malpractice. I aim to point out possible points of failure and data leakage.
     5. I am not making accusations against any given entity to the degree that they are stealing/hoarding/selling your personal data and payment details, but they could, if they want to.
  2. My bank’s payment gateway
     So I am paying 191 rupees to Snapdeal on a page powered by Wibmo
  3. I ordered food worth Rs. 191 on Faasos and paid using Freecharge via Juspay’s gateway
  4. I ordered food worth Rs. 191 on Faasos and paid using Freecharge via Juspay’s gateway on Wibmo’s card processing page
  5. I ordered food worth Rs. 191 on Faasos and paid using Freecharge via Juspay’s gateway on Wibmo’s card processing page on a Xiaomi smartphone
  6. I ordered food worth Rs. 191 on Faasos and paid using Freecharge via Juspay’s gateway on Wibmo’s card processing page on a Xiaomi smartphone while typing on Swiftkey keyboard
  7. Bonus gifts
     - 3 messages from Axis Bank
     - 2 messages from Freecharge
     - 4 messages from Faasos
  8. “Only the paranoid survive” - ANDREW S GROVE, COFOUNDER/CEO INTEL
     Let us assume, everyone is evil and wants to steal your card
  9. So how exposed are we
     LET US TRACK OUR PATH, FROM OUTSIDE INWARDS AND SEE WHO GOT ACCESS TO WHAT
  10. The smartphone manufacturer
      - Has access to all data entered and all OTPs received
      - Can access all network data
      - Can siphon E2E encrypted data at presentation layer
  11. Custom keyboard apps
      - Can log your keystrokes, virtually giving access to all personal / payment details typed
      - Can ask for access to mails / SMS to “learn your words”
  12. The merchant app
      - The app on which you are buying the product is the one inside which you are entering your payment details
      - Such apps mostly have SMS reading permission (to auto retrieve OTP)
  13. The payment SDK
      - Could be provided by Freecharge / Juspay / Paytm / Mobikwik / PayUMoney / Razorpay etc.
      - Works as a WebView inside the app
      - You type your card details into this WebView
      - App developer implements this like a black box
  14. The payment gateway
      - May or may not be same as the payment SDK provider. E.g. Paytm is both. Freecharge has SDK, but gateway is Juspay
      - Loaded inside the WebView of the payment SDK
      - Gets card details, as well as SMS reading permissions via the SDK, via the parent app
  15. The card authentication system
      - Implemented by the bank, but usually using off-the-shelf solutions
      - Generate OTP and/or verify password
      - Providers like Wibmo, who are independent entities from banks
  16. Are underlying layers targeted? You bet.
      YOUR CARD DETAILS ARE NOT HACKED SPECIFICALLY, BUT A BACKDOOR IN XYZ PHONE BRAND LEAKS 100000 CARD DETAILS.
  17. “3.2 million debit card details are compromised” - HITACHI HACK, INDIA, 2016
      Hitachi Payment systems servers hacked, which powers ATMs and POS machines. Over a million debit card PINs feared compromised.
  18. “Deliberately installed spyware by Adups and Baidu found in BLU, Lenovo, ZTE and Xiaomi phones.” - REPEATEDLY IN 2014, 2015, 2016
      Call-home spywares, which read texts, MAC/IMEI numbers, call logs repeatedly found in multiple Chinese phones and laptops.
  19. Web is more secure than mobile
      - WEB: Browser, Merchant, Gateway, Bank
      - MOBILE: Merchant App, Payment SDK, Gateway | Settler, Bank
  20. Web is more secure than mobile
      WEB
      - Hardware keyboard – safe unless PC has malware
      - Easy to make sure HTTPS connection and TLS certificate
      MOBILE
      - 3rd party Software keyboard – easily logged
      - No idea about underlying network characteristics
  21. Use virtual credit cards
      - Most banks allow creating them
      - Upside: Limited exposure
      - Downside: Tedious process to create, and valid only for few days usually
  22. Create an “e-spending” account
      - NOTE: Credit card payments are easier to stop than debit cards. Once paid, money gone
      - Create a bank account dedicated for eCommerce
      - Keep an amount that is acceptable loss
      - Top it up every month
      - BONUS: Helps curb spending
  23. Judiciously give app permissions
      - Keyboard wants to learn your writing style from mails and SMS? How about NO.
      - Do not give SMS reading rights to all and sundry. Read them and manually enter the OTP.
      - Do not give notification service permissions. Full SMS data is present in notification.
      - Watch out for apps asking accessibility permission.
  24. Do not use random phone brands
      I am no “Make In India” promoter or Apple fanboy, but seriously, stay away from Chinese manufacturers.
  25. Provide in-app keyboard
      - For entering sensitive data, provide in-app keyboard layout. Educate users why.
      - Most banks have on-page keyboards for passwords already
  26. Chrome custom-tabs
      - Instead of internal WebView, use Chrome custom tabs to go to gateway
      - Remove need of mobile payment SDK. Reuse your own web payment interface
      - The onus of security shifts to Google
  27. Prefer all-in-one vendors
      - Payment gateway cum merchant settlers are better – fewer players involved
      - Settlement and refund process are faster
      - Avoid losing user trust by showing multiple payment portals
      - Get billed on your name
  28. Use dynamic non-sniffable secrets
      - Passwords are static – hack once, profit multiple times.
      - OTPs travel over unencrypted layers – can be sniffed.
      - ICICI Debit Card 16-box-letter code design is an efficient solution
  29. A few more perilous cases
      Freecharge in OS
      - Deep integration into OnePlus and Indus OS
      - One touch recharge/balance from dialer
      - “One click” transactions are always a security nightmare
      Paytm Money Request
      - Verification is based on OTP.
      - OTP can be seen on locked phone’s lockscreen.
      - I can steal your money if I know your number and see your mobile lying on the table
      Tapzo / Haptik
      - A super aggregator of apps is just another layer of nesting of people who handle your card details
      - Keeping your card on tab of a chatbot is not too smart.
  30. “Which would be worse: To live as a monster, or to die as a good man?” - TEDDY, SHUTTER ISLAND
      The onus of informing the world about a security breach in a firm lies with them. Do companies try suppressing facts, until they are compelled to admit? (Case in point = Yahoo!)
  31. “So who takes the fall that covers it all again?” - YURI KANE (RIGHT BACK, 2010)
      When your refund is late, who is in possession of the money? If it is a fraudulent transaction, who covers what amount of liability?
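
Slide 28 contrasts static passwords with per-transaction secrets. The following grid-card challenge-response in Python is an added example, not part of the original deck and not ICICI's actual scheme; the A..P box labels, two-digit values, three boxes per challenge and all function names are assumptions for illustration.

```python
import hmac
import math
import secrets
import string

CELLS = string.ascii_uppercase[:16]  # assumed layout: 16 boxes labelled A..P


def issue_card():
    """Bank side: a random two-digit value per box (assumed value format)."""
    return {c: f"{secrets.randbelow(100):02d}" for c in CELLS}


class GridAuthenticator:
    """Hypothetical verifier that asks for k boxes per transaction."""

    def __init__(self, card, k=3):
        self._card, self._k, self._pending = card, k, None

    def new_challenge(self, cells=None):
        # Random boxes per transaction; `cells` is only for reproducible demos.
        picked = cells or secrets.SystemRandom().sample(CELLS, self._k)
        self._pending = tuple(picked)
        return self._pending

    def verify(self, response):
        # Consume the challenge first so every challenge is single-use.
        challenge, self._pending = self._pending, None
        if challenge is None:
            return False
        expected = "".join(self._card[c] for c in challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def answer(card, challenge):
    """Cardholder side: read the requested boxes off the card."""
    return "".join(card[c] for c in challenge)


def replay_odds(observed_cells, k=3):
    """Chance a fresh k-box challenge uses only boxes an observer has seen."""
    return math.comb(len(set(observed_cells)), k) / math.comb(len(CELLS), k)


if __name__ == "__main__":
    card = issue_card()
    auth = GridAuthenticator(card)
    first = auth.new_challenge()
    sniffed = answer(card, first)
    print("legitimate:", auth.verify(sniffed))
    auth.new_challenge()
    print("replayed  :", auth.verify(sniffed), "odds", replay_odds(first))
```

`replay_odds` also shows the limit of the design: the card itself is static, so the odds rise as more exchanges are observed.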