[Editorial Notes: Indian payment gateways need to step up their game. Read this summarized version of the original article that guest author Gaganpreet wrote a few days ago.]
India has only a few payment gateways, and they are all complicated to use, partly because of government policies on accepting payments. They require a long list of documents, offer different plans based on the merchant’s initial spending budget, charge a yearly or monthly maintenance fee and, in general, have APIs that are difficult to integrate.
What makes a gateway secure? I thought it best to pick some of the standard industry practices and check if the gateways are following them. The ones I chose were:
Secure login page for merchant – A login page transmitted in plain text over HTTP is vulnerable to tampering in transit.
HTTP Strict Transport Security (HSTS) – HSTS is a server header that tells the browser to contact the site only over a secure channel from then on. This is transparent to the user: even if he/she bookmarks an HTTP link, the browser automatically upgrades it to HTTPS before opening it. A plain HTTP-to-HTTPS redirect, by contrast, covers only the single URL that was requested and is remembered per link in the browser’s cache.
Secure cookies – Cookies should be marked with the Secure flag so the browser sends them only to the HTTPS site.
Non-tamperable signature – While processing a transaction, the merchant redirects the user to the gateway, which then redirects to the bank. Transaction data, such as the amount and the status, is carried through these redirects. The redirects must be made non-tamperable by attaching a message authentication code (MAC) computed over that data, which the receiving party verifies before trusting the transaction.
Openly published security standards – The gateway’s security standards should be openly published for public scrutiny. Many gateways, for example, don’t publish the MAC algorithm they use, and have been using a very weak algorithm to ensure data integrity.
Here’s a matrix of my observations based on the above mentioned best practices:
I contacted the gateways to report my observations and asked about their plans for improvement, which are reflected in the “gateway response” row.
Some gateways use very insecure MAC algorithms, with MD5 the most popular for some reason. It is hard to believe that gateways still use it, since it has been known to be cryptographically broken for years. Additionally, every gateway except Zaakpay has kept its MAC implementation secret. It took me a while to find out which algorithm each one uses. Existing and past merchants already have this knowledge, so keeping the security practices secret has only spared the gateways the public attention that could have brought these issues to light long ago.
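As an added illustration of the MAC check described above (this is not any gateway's published scheme, and the field names, separator and secret are assumptions), the following shows a keyed HMAC-SHA256 over the redirect fields: the merchant recomputes the MAC on the callback and a single changed field, such as the amount, fails verification.

```python
import hashlib
import hmac

# Fields carried through the gateway -> merchant redirect (assumed names; the
# order is fixed by agreement so both sides build the same string).
SIGNED_FIELDS = ("merchant_id", "txn_id", "amount", "currency", "status")


def canonical(params: dict) -> bytes:
    """Join the signed fields in fixed order so the MAC covers every one of them."""
    return "|".join(str(params[f]) for f in SIGNED_FIELDS).encode("utf-8")


def sign(params: dict, secret: bytes) -> str:
    """Keyed digest (HMAC-SHA256) over the canonical string, hex-encoded."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def verify(params: dict, secret: bytes) -> bool:
    """Merchant-side check: recompute the MAC and compare in constant time.

    Any modified or missing signed field yields a different digest, and a missing
    'mac' parameter fails outright; the comparison does not leak timing.
    """
    try:
        expected = sign(params, secret)
    except KeyError:          # a signed field was stripped from the redirect
        return False
    received = params.get("mac", "")
    return isinstance(received, str) and hmac.compare_digest(expected, received)


def demo() -> dict:
    """Constructed sample: a genuine callback, one with the amount altered in
    transit (MAC left untouched), and one with the MAC removed."""
    secret = b"constructed-shared-secret"  # constructed; real keys are per merchant
    genuine = {"merchant_id": "M123", "txn_id": "T456", "amount": "499.00",
               "currency": "INR", "status": "SUCCESS"}
    genuine["mac"] = sign(genuine, secret)
    tampered = dict(genuine, amount="1.00")
    unsigned = {k: v for k, v in genuine.items() if k != "mac"}
    return {"genuine": verify(genuine, secret),
            "tampered": verify(tampered, secret),
            "unsigned": verify(unsigned, secret)}


if __name__ == "__main__":
    print(demo())
```

The same check with an unkeyed digest such as plain MD5 proves nothing about who produced the redirect, because no secret is involved; the key, not the hash alone, is what makes the data non-tamperable.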
Merchant account access is not properly secured either. Login pages served over HTTP, missing redirects to HTTPS, and cookies allowed over clear text all point to one underlying problem common to many gateways: bad design decisions.
About the Author: Gaganpreet is a freelance software developer based in Bangalore.
If you have strong views on Indian payment gateways, take our Indian payment gateway survey.