During the recent months we have discovered,
- One of the most popular PCI DSS Level 1 certified payment gateways is leaking complete credit card details. The gateway claims to do more than 15,000,000 transactions on a monthly basis.
- Another popular payment gateway is leaking partial credit card and user personal information which can be used to engineer a variety of attacks.
- Yet another popular payment gateway has a request data integrity protection which can be cracked using a commodity grade gaming PC within a week (verified), thus allowing free access to virtually anything that is being sold online in India and the transaction history of users.
We have already intimated the respective payment gateways and they are working on the fix but, we are afraid we might not be the first to discover these vulnerabilities. As India still doesn’t have something similar to data breach intimation law in the US and based on our experiences from intimating severe data leaks to more than 15 companies, we do not think the companies will ever make this information known to their end users.
This is a general notice to the public to ensure that their cards are safe. Hackers generally do not attempt to use all the cards as soon as they get access to, so it is requested that you monitor your charges and statements or better disable current cards if possible. Domestic only debit cards which cannot ever work without CVV/ PIN and OTP can be assumed to be safe.
Some of the companies who use these vulnerable gateways include BookmyShow, Foodpanda, Freecharge, Mobikwik (not amongst the gateways referred to earlier), Uber, Ola, Snapdea, Makemytrip, Yatra, Swiggy, Redbus, Voonik (Although, These companies are not vulnerable by themselves).
We will come back with more information regarding these issues once the respective companies have fixed the bugs. We know that no company wants to leak their customer’s payment and personal data and it will be a difficult and time intensive task to fix some of these issues.
[About The Author: Abhishek Anand if cofounder of Fallible, a startup that builds products to secure large organisations and startups alike]