Do you know, when was the first time mobile was used to make a payment? In 1997, Coca-Cola introduces SMS purchasing, same year Exxon Mobile begins accepting contactless payment using Speedpass. Since then, there has been a great evolution of mobile payments, and the today the payments are done even via Bluetooth and NFC.
5 types of Mobile Payments are:
1) The Mobile Wallet - using NFC & Bluetooth.
2) Mobile as a point of Sale - a mobile device to process payment just like other PoS devices.
3) The Mobile Payment Platform - for Peer-to-Peer payments.
4) Direct Billing Carrier - When the charge is put on your cell phone Bill.
5) Closed Loop Payments - payment via mobile apps created by the company.
Most of the companies are coming up with their own mobile apps and integrating the payment feature to ease the transaction process for the consumers. Whether it’s an E-commerce App, Travel App or Food App, mobile payment plays a significant role in boosting the sales of the company. Apart from getting attention from the users, it also brings many malicious users to exploit the system.
Payment Bypass is a type of parameter tampering attack where the manipulation of parameters exchanged between client and server is done in order to modify application data, such as user price, the quantity of product, etc. Imagine, you could buy a “Biryani” of Rs.200 by just paying Rs 2, what if, you can do a mobile recharge worth Rs.349 by just paying Re.1 or what if you can buy all your cosmetic products for free. Mind boggling right? But these are all possible with just a few steps. It’s a fortunate stroke of serendipity for the user but a huge financial loss for the business owners.
We thought of checking out the issue in 10 E-commerce apps of India and it was shocking to see that 8 of them were vulnerable to payment bypass attack.
How to check if your mobile app can be exploited by Payment Bypass in 3 simple steps?
There are many ways of doing it but one of the most commonly used methods is tampering the request/response from the app/server using any proxy tool (BurpSuite, Tamperdata, etc)
1) Configure the BurpSuite with your system and install the mobile app where you want to test it. You may follow this link to set up.
2) Log in to the mobile app and select your products and add it to the cart.
3) Before you check out is where the magic begins. We need to turn the “intercept on” in the Burpsuite and we can see the price is being sent as a query string in the request. All we need to do is to change the Rs.400 to Rs.10. The server relies on the input provided by the user and accepts the value of 10 for the products. The query gets processed and the success message is displayed to the user.
Most of the developers mainly focus on features and functionalities while they completely lack the security aspects. They generally think that payment gateways take care of the security but if a proper implementation is not done, it’s not secure, period!. Most of the payment gateways are secure and handle multiple levels of checks but without proper integration, with the mobile app, it’s as useless as the fifth wheel.
This is probably one of the most critical issues since it directly impacts the revenue of the company and leads to financial loss. Few of the companies even had to remove the online payment integration feature and convert it to only “cash on delivery”
How to prevent parameter tampering?
Well, it’s not as difficult as it seems, to protect the system from payment bypass. All you need to do is to follow few simple guidelines and implement it properly.
Level 1 - It is recommended to remove parameters which are sensitive or not necessary.
Level 2 - The price (parameters) should be validated on the server side. It also should use protections like cryptographic checksums. When tampered, the server should not process the request. To know more about checksums, you may follow this link
Level 3 - Apart from this you may build a system with anomalies to detect these unusual transactions automatically. At least, such orders are not processed even after successful payment.
There are almost 4-5 modes of payment in any mobile app like a credit card, debit card, net-banking, wallets, UPI, etc. As we know, the payment gateway already takes care of the security at certain levels, but out of all the above Payment modes, net-banking is the most favorite attack vector for hackers. This is because checksum is handled by the payment gateway and the merchant and not by VISA or MasterCard.
A credit card is more matured towards merchant payments. Banks are more towards account beneficiary transfers. With net-banking mode, different banks have a different mode of checks, there is no unified standard. UPI, on the other hand, is something revolutionary, as it follows one standard across all the bank. Since the difference of standard for each bank to integrate net-banking option across all the bank requires a lot of work from the developer side, which gives the attacker a surface large enough to explore upon.
Mobile payments are steering us towards a cashless economy where payments can be done in a blink of an eye. But, before that can happen, these basic security issues talked about above needs to be addressed.
We are witnessing an exponential growth of the mobile payments across the globe. People don’t think much of making an expensive purchase like flight tickets or even paying bills via mobile payments. But Security is something which always has to run parallel with Innovation.
“There are two types of companies: those that have been hacked, and those who don't know they have been hacked.” - John Chambers, Chief Executive Officer of CISCO