Payment gateways such as CCAvenue and PayUbiz facilitate payments on thousands of online portals, and customers implicitly trust them to secure their transactions. But, as reported by a security researcher, a flaw in the logical design of a previous version of a popular payment gateway put its customers at risk: the gateway did not distinguish between transactions initiated within the same time frame.
Payment gateways serve as the channel of communication between merchants and banks for conducting secure transactions. The gateway encrypts the transaction information, which includes the credit/debit card number, CVV, expiry date, etc., and passes it on to the payment processor, which acts as the link between the user's bank and the merchant's bank. The gateway confirms the payment unless the information is incorrect, and the processor then settles the payment with the merchant's bank.
One Time Passwords for gateways
In order to secure transactions, 3-D Secure (3DS) payment gateways add time-based One Time Passwords (OTPs) as an additional layer of authentication. The gateway only accepts a time-based OTP submitted within the permitted time frame; after that, the OTP is no longer valid. Even though this additional layer of authentication should secure transactions, a vulnerable gateway can reduce its efficacy: a payment gateway that cannot distinguish between transactions could permit unauthorized ones.
The flaw in the design of the payment provider's gateway
- The payment provider fails to distinguish between transactions processed during a single 180-second time frame.
- As a result, the OTP generated for one transaction is valid for any other transaction in the same time period, irrespective of the amount or geo-location.
- This vulnerability increases the likelihood of a man-in-the-middle (MITM) attack in which the attacker forges the request.
- If the OTP remains unused for the first few seconds or minutes, attackers can conduct fraudulent transactions within the validity period of the OTP.
Explaining the flaw through a scenario
- A user initiates a legitimate transaction for Re.1.
- They receive an OTP on their registered mobile number, which is valid for 180 seconds.
- Before the user applies the OTP to that transaction, an attacker intercepts the OTP and uses it to process a transaction for Rs.1000. Irrespective of the attacker's location and the transaction amount, the fraudulent transaction is treated as legitimate, and the attacker receives the amount.
Verification of the payment provider's gateway flaw
CloudSEK's research team tested the payment provider with various banking systems to confirm the flaw. We found that the same OTP is valid for 180 seconds or more for any transaction, provided the OTP has not already been used. The screenshots below demonstrate this:
With the increasing number of online transactions, flaws such as the payment provider's make users vulnerable to threat actors. Apart from financial losses, such a flaw could damage the reputation of the payment gateway and of the online portals using it.
Note: The payment provider became aware of this flaw on August 3, 2019. Its security team closed the issue and marked it as known functionality on August 12, 2019, and the flaw was publicly disclosed on August 25, 2019. The provider recommends that portals using its payment gateway fix the vulnerability to avoid security incidents.
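The root cause and its fix side by side, as an added example that is not CloudSEK's or the gateway's code: the OtpService class, the fields it binds an OTP to (transaction id, merchant, amount) and the sample transactions are all assumed or constructed for illustration. With bind_to_transaction=False the verifier only keys the OTP by user and time window, so the Re.1 OTP is accepted on the Rs.1000 transaction; with True, the OTP is valid for exactly one transaction's details, is single-use, and expires after 180 seconds.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 180  # seconds: the validity window described in the post

class OtpService:
    """bind_to_transaction=False reproduces the flawed design (OTP tied only
    to the user and the time window); True binds the OTP to one transaction."""

    def __init__(self, bind_to_transaction, clock=time.time):
        self.bind = bind_to_transaction
        self.clock = clock
        self.pending = {}  # key -> (otp, issued_at)

    def _key(self, user, txn):
        if not self.bind:
            return user  # flaw: every transaction by this user shares the OTP
        # Hardened: the OTP is only valid for these exact transaction details.
        fields = f"{txn['id']}|{txn['merchant']}|{txn['amount_paise']}"
        return (user, hashlib.sha256(fields.encode()).hexdigest())

    def issue(self, user, txn):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[self._key(user, txn)] = (otp, self.clock())
        return otp

    def verify(self, user, txn, otp):
        key = self._key(user, txn)
        entry = self.pending.get(key)
        if entry is None:
            return False
        stored, issued_at = entry
        if self.clock() - issued_at > OTP_TTL:
            del self.pending[key]  # expired: discard it
            return False
        if not hmac.compare_digest(stored, otp):
            return False
        del self.pending[key]  # single use: consumed on success
        return True

def replay_scenario(bind_to_transaction):
    """The post's scenario: an OTP issued for Re.1 (100 paise) is presented on
    a different Rs.1000 transaction inside the window. Returns
    (accepted_on_other_transaction, accepted_on_original_transaction)."""
    svc = OtpService(bind_to_transaction, clock=lambda: 1000.0)  # fixed clock
    legit = {"id": "TXN-1", "merchant": "shop-a", "amount_paise": 100}  # constructed
    other = {"id": "TXN-2", "merchant": "shop-b", "amount_paise": 100_000}
    otp = svc.issue("user-1", legit)
    return svc.verify("user-1", other, otp), svc.verify("user-1", legit, otp)
```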